Best Practice: which database should I use when creating an audit table for a SQL SERVER LOGON TRIGGER

Abrams, Dan 86 Reputation points
2020-12-16T19:03:09.453+00:00

Hi All,

I have a requirement to create a LOGON TRIGGER to monitor logins for auditing purposes. The requirement is to create a table and capture all known logins. I am using SQL Server 2017, enterprise edition.

I'm curious which database I should use to store this information. If login attempts are made before my user database is online, how does the trigger behave?

My trigger is designed to only monitor sys.dm_exec_sessions.is_user_process = 1 processes, and capture certain identifying information. At the moment, I am storing the results in a table I created in master.

All inserts/updates are wrapped inside of TRY/CATCH logic

Which database should I use to create the audit table?

Thank you!

--Dan

SQL Server
SQL Server
A family of Microsoft relational database management and analysis systems for e-commerce, line-of-business, and data warehousing solutions.
12,756 questions
Transact-SQL
Transact-SQL
A Microsoft extension to the ANSI SQL language that includes procedural programming, local variables, and various support functions.
4,554 questions
Accepted answer
  1. Erland Sommarskog 101.4K Reputation points MVP
    2020-12-16T22:12:27.577+00:00

    If you would log to a different database than master, and that database has not yet become available, logins will fail.

    To deal with the permissions issue, you should create a special login for the login trigger: 

    CREATE LOGIN LoginTriggerUser WITH PASSWORD = 'WhateverYouSeeFancy'
ALTER LOGIN LoginTriggerUser DISABLE
GRANT INSERT ON AuditTable TO LoginTriggerUser

    Then you create the trigger with the EXECUTE AS clause: 

    CREATE TRIGGER logintri ON ALL SERVER WITH EXECUTE AS 'LoginTriggerUser' FOR LOGON AS

    To get the name of the user logging in, you need to use the function original_login(). SYSTEM_USER and similar function will return LoginTriggerUser.

    I also have some text about logon triggers here: http://www.sommarskog.se/grantperm.html#serverlevelobjects (although here logging is done to a separate database).

    0 comments

4 additional answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Guoxiong 8,126 Reputation points
    2020-12-16T20:43:11.127+00:00

    I would suggest to create the audit table in the master database since it always exists if the SQL server is online.

    0 comments
  2. Abrams, Dan 86 Reputation points
    2020-12-16T21:44:49.843+00:00

    Hi GuoxiongYuan-7218,

    Thank you for your response. This is what I was thinking as well.

    One other question: For some users, my trigger is properly logging the information to the table, but not for all users. In some cases, it is preventing them from logging into SQL Server! (This is still a development project!).

    What privs do I need to assign to my users, target table, and trigger in order to get this to work. Prior to installing the trigger, all users were able to connect to the server successfully.

    Thank you!

    --Dan

    0 comments
  3. Abrams, Dan 86 Reputation points
    2020-12-16T22:34:53.11+00:00

    Thank you Erland,

    I am also finding that because I am reference sys.dm_exec_sessions and sys.dm_exec_connections I am running into VIEW SERVER STATE permission problems.

    If I implement your example, should I assign "VIEW SERVER STATE" permission to 'LoginTriggerUser'?

    Thanks again!

    --Dan

  4. Abrams, Dan 86 Reputation points
    2020-12-16T22:52:41.147+00:00

    Thank you very much Erland!

    This is exactly what I was looking for!

    --Dan

    0 comments