SqlThreatDetection_Audit: SQL Server audit cannot write to the security log

Abimbola Adeniran 21 Reputation points
2024-01-20T07:11:53.9333333+00:00

Hello all,

I am seeing the subject issue for “SqlThreatDetection_Audit” SQL Server audit on SQL Server instances running SQL Server 2016 and older (2014,2012 etc) in my client environment. They didn’t use to have these issues before until servers rebooted a few days ago and I have tried all the steps found online including this fix from Microsoft support article: https://support.microsoft.com/en-us/topic/kb4052136-fix-sql-server-audit-events-don-t-write-to-the-security-log-d9708450-6981-2fab-4e58-5f09d561110e

but it didn’t resolve the issue. We keep getting this error 33208 & 33204 in the SQL and windows event logs:

Error: 33208, Severity: 17, State: 1. SQL Server Audit failed to access the security log. Make sure that the SQL service account has the required permissions to access the security log.

Error: 33204, Severity: 17, State: 1. SQL Server Audit could not write to the security log

I confirm that:

The service account is an AD account and I have confirmed it’s an admin on the server with perms (has necessary privileges to write to security log) on the security fold in windows registry, the key flag changed to 1, Local security policy changed to grant audit access to the service account and allowing success/failure auditing. I have also granted sysadmin to the service account as a server principal on SQL server with the required server level and database level perms.

Not sure what else is required here. Please help urgently.

SQL Server
SQL Server
A family of Microsoft relational database management and analysis systems for e-commerce, line-of-business, and data warehousing solutions.
12,321 questions
Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
11,749 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. ZoeHui-MSFT 30,881 Reputation points
    2024-01-22T06:35:27.47+00:00

    Hi @Abimbola Adeniran,

    Note: Server Audits have to be restarted for the new registry setting to take effect.

    Please ensure that you have re-start.

    You may also check this blog for a try.

    If these all do not work and you encountering urgent issue.

    I'd like to suggest you may open a ticket to Microsoft support and the engineers will help to resolve the issue as soon as possible.

    Services Hub (microsoft.com)

    Regards,

    Zoe Hui


    If the answer is helpful, please click "Accept Answer" and upvote it.