SQL server Audit Failure to Security log

Prati 21 Reputation points
2021-02-19T17:48:28.927+00:00

2021-02-19 12:01:54.750 spid137 Audit: Server Audit: 65542, Initialized and Assigned State: START_FAILED
2021-02-19 12:01:54.750 spid137 Audit: Server Audit: 65542, State changed from: START_FAILED to: RUNTIME_FAILED

2021-02-19 12:01:54.750 spid137 Error: 33204, Severity: 17, State: 1.
2021-02-19 12:01:54.750 spid137 SQL Server Audit could not write to the security log.
2021-02-19 12:01:54.750 spid137 Audit: Server Audit: 65542, Initialized and Assigned State: RUNTIME_FAILED

I am getting above error when setting up a database audit on a Always on database on SQL server 2017 ( CU 17) .
All the permissions as mentioned in the article exist .
https://learn.microsoft.com/en-us/sql/relational-databases/security/auditing/write-sql-server-audit-events-to-the-security-log?view=sql-server-ver15

Also , another server level audit is able to write to the security log . But this one is generating a RUNTIME_FAILED message.

Is there anything else that is missing ?

SQL Server
SQL Server
A family of Microsoft relational database management and analysis systems for e-commerce, line-of-business, and data warehousing solutions.
13,067 questions
{count} votes

Accepted answer
  1. Cris Zhan-MSFT 6,611 Reputation points
    2021-02-22T02:52:38.743+00:00

    Hi,

    can you try the Workaround in this kb article. Change the following registry key from 0 to 1, to enable writing to the SQL Server Security log by multiple Server Audit Events:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\MSSQL$<InstanceName>$Audit\EventSourceFlags

    Also have a look on this blog.
    http://sqltouch.blogspot.com/2020/10/sql-server-audit-could-not-write-to.html

    Important: Incorrectly editing the registry can severely damage your system. Before making changes to the registry, we recommend that you back up any valued data on the computer.


0 additional answers

Sort by: Most helpful