How do filter Action column on SQL Database Audit Specification?

Question

How do filter Action column on SQL Database Audit Specification?

Urbel 605

Hi Expert,

How to exclude Column [Action ID] with record 'SELECT','EXECUTE' & 'VIEW' action?

I've filtered [Action ID] using conversion to INT type to getting ID of the action(Select,Execute,View)

but it still not worked ..

any suggestion?

great thanks for all respond

warm regards,

UrBel

Urbel 605 Reputation points

2026-06-19T07:08:28.5966667+00:00

Hi,

I mean filtered on Audit Properties...
Urbel 605 Reputation points

2026-06-19T07:15:53.15+00:00

Hi,

I mean filtered on Audit Properties..

[action_id]<>(12345678) AND ...

(12345678) refer to SELECT action

i think it require integer value on Audit Properties

regards,

UrBel
Erland Sommarskog 134.7K Reputation points MVP Volunteer Moderator

2026-06-19T08:12:51.6166667+00:00

Can you tell what you are trying to achieve? That is, what do you want to audit? And what do you want to exclude? This AuditID? is this a column in your table/view? Are you setting up a server or database audit?
Urbel 605 Reputation points

2026-06-19T09:27:34.87+00:00

Hi Erland,

I just want to exclude SELECT and EXECUTE action on my Database\Server Audit Specification, so Only INSERT,DELETE,UPDATE action I need to be logged & displayed on View Audit log as well

I've set filter for excluding SELECT & EXECUTE action on my Database\Server Audit Specification Properties but action of SELECT & EXECUTE event still be logged & displayed on View Audit Log menu

regards,

Urbel

1 answer

Your answer

Urbel 605 Reputation points

2026-06-19T07:08:28.5966667+00:00

Hi,

I mean filtered on Audit Properties...
Urbel 605 Reputation points

2026-06-19T07:15:53.15+00:00

Hi,

I mean filtered on Audit Properties..

[action_id]<>(12345678) AND ...

(12345678) refer to SELECT action

i think it require integer value on Audit Properties

regards,

UrBel
Erland Sommarskog 134.7K Reputation points MVP Volunteer Moderator

2026-06-19T08:12:51.6166667+00:00

Can you tell what you are trying to achieve? That is, what do you want to audit? And what do you want to exclude? This AuditID? is this a column in your table/view? Are you setting up a server or database audit?
Urbel 605 Reputation points

2026-06-19T09:27:34.87+00:00

Hi Erland,

I just want to exclude SELECT and EXECUTE action on my Database\Server Audit Specification, so Only INSERT,DELETE,UPDATE action I need to be logged & displayed on View Audit log as well

I've set filter for excluding SELECT & EXECUTE action on my Database\Server Audit Specification Properties but action of SELECT & EXECUTE event still be logged & displayed on View Audit Log menu

regards,

Urbel

Answer 1

In SQL Server Audit, the action_id column in the audit log is a varchar(4), not an int. To filter out specific actions such as SELECT, EXECUTE, and VIEW in a database audit specification, use the audit action names and their corresponding action_id values from sys.dm_audit_actions, and filter on the character action_id (not by converting it to int).

General approach:

Find the action_id values for the actions to exclude:

   SELECT action_id, name
   FROM sys.dm_audit_actions
   WHERE name IN ('SELECT', 'EXECUTE', 'VIEW DEFINITION');

Use those action_id values in the audit predicate or in queries against the audit log, for example:

   SELECT *
   FROM sys.fn_get_audit_file('your_audit_path', NULL, NULL)
   WHERE action_id NOT IN ('SLCT', 'EX', 'VWDF');  -- sample IDs; use actual values from step 1

Key points:

action_id in the audit log and in sys.dm_audit_actions is varchar(4) and should be compared as text.
Use sys.dm_audit_actions to map between the human-readable action name (SELECT, EXECUTE, VIEW DEFINITION, etc.) and the action_id used in audit records.
Do not convert action_id to int for filtering; that breaks the match and causes the filter to fail.

References:

Share via

How do filter Action column on SQL Database Audit Specification?

1 answer

Your answer