Database Connector

SQL Server Connector

Connect DB Audit to your Microsoft SQL Server databases for comprehensive activity monitoring, T-SQL query auditing, and compliance reporting. Zero performance impact with our lightweight collector.

Native Deep Integration

Zero Agent Architecture

No software to install on your database servers

Extended Events

Leverages built-in SQL Server instrumentation

<1% Performance Impact

Lightweight read-only collection

What You Can Monitor

Real-Time Query Monitoring

Capture every T-SQL query executed against your SQL Server database with microsecond precision timestamps.

User Activity Tracking

Track all user sessions, login attempts, privilege escalations, and role membership changes.

Schema Change Detection

Detect and alert on DDL operations including CREATE, ALTER, DROP, and permission changes.

Data Access Patterns

Analyze query patterns to identify unusual data access or potential data exfiltration.

Requirements

SQL Server Version 2016 or higher (2019+ recommended)
Network Access TCP port 1433 (or custom port)
Authentication SQL Authentication or Windows/AD Authentication
Required Privileges VIEW SERVER STATE, VIEW ANY DEFINITION

Configuration Reference

Basic Connection

Field Type Required Description
name string Yes A unique name to identify this connection
host string Yes SQL Server hostname or IP address
port number Yes SQL Server port
database_name string Yes Name of the database to connect to
username string Yes SQL login or domain username
password password Yes Login password (stored encrypted)

Security & Authentication

Field Type Default Description
encrypt boolean true Enable TLS encryption for connections
trust_server_certificate boolean false Trust self-signed certificates
windows_auth boolean false Use Windows/AD authentication instead of SQL auth
domain string - Active Directory domain for Windows auth

Log Collection

Field Type Default Description
log_collection_type select native_audit Method for collecting audit logs
use_extended_events boolean true Use Extended Events for query capture
polling_interval number 5 Seconds between log collection polls
batch_size number 100 Maximum events per batch

Log Collection Methods

DB Audit supports multiple methods for collecting audit logs from SQL Server.

Native Audit (Extended Events)

Recommended

Direct integration with SQL Server Extended Events and SQL Server Audit for comprehensive tracking.

Real-time event capture
Full T-SQL statement tracking
Low overhead ring buffer
Works with all editions

Azure Monitor

Collect audit logs from Azure Monitor for Azure SQL Database and Managed Instance.

No database configuration required
Works with Azure SQL
Centralized log management
Integration with Log Analytics
1

Create Audit Login

Create a dedicated read-only login for DB Audit. This login only needs access to system views and audit data—never grant write permissions. 

-- Create a dedicated audit login with minimal privileges
CREATE LOGIN dbaudit_reader WITH PASSWORD = 'YourSecurePassword123!';

-- Create user in master database for server-level access
USE master;
CREATE USER dbaudit_reader FOR LOGIN dbaudit_reader;

-- Grant server-level permissions for monitoring
GRANT VIEW SERVER STATE TO dbaudit_reader;
GRANT VIEW ANY DEFINITION TO dbaudit_reader;

-- For each database you want to audit:
USE your_database;
CREATE USER dbaudit_reader FOR LOGIN dbaudit_reader;
GRANT VIEW DATABASE STATE TO dbaudit_reader;
GRANT SELECT ON sys.fn_get_audit_file TO dbaudit_reader;
Security Best Practice

Use a strong, unique password that meets your SQL Server password policy. Store credentials in environment variables or Azure Key Vault. Never commit credentials to version control.

2

Enable SQL Server Audit (Optional)

For comprehensive audit logging, enable SQL Server Audit. This provides detailed tracking of login events, permission changes, and data access. 

-- Create a server audit specification
CREATE SERVER AUDIT DBauditServerAudit
TO FILE (FILEPATH = 'C:\SQLAudit\', MAXSIZE = 100 MB, MAX_ROLLOVER_FILES = 10)
WITH (ON_FAILURE = CONTINUE);

-- Enable the server audit
ALTER SERVER AUDIT DBauditServerAudit WITH (STATE = ON);

-- Create server audit specification for login tracking
CREATE SERVER AUDIT SPECIFICATION DBauditServerSpec
FOR SERVER AUDIT DBauditServerAudit
ADD (FAILED_LOGIN_GROUP),
ADD (SUCCESSFUL_LOGIN_GROUP),
ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
ADD (DATABASE_ROLE_MEMBER_CHANGE_GROUP)
WITH (STATE = ON);

-- Create database audit specification for data access
USE your_database;
CREATE DATABASE AUDIT SPECIFICATION DBauditDatabaseSpec
FOR SERVER AUDIT DBauditServerAudit
ADD (SELECT, INSERT, UPDATE, DELETE ON SCHEMA::dbo BY public)
WITH (STATE = ON);
Note

SQL Server Audit is available in Enterprise, Developer, and Evaluation editions. For Standard edition, use Extended Events instead.

3

Configure Extended Events

Extended Events provides lightweight, high-performance query tracking available in all SQL Server editions. DB Audit can consume Extended Events data for real-time monitoring.

Ring Buffer
In-memory target
File Target
Persistent storage
Both
Real-time + history
Recommended
-- Create Extended Events session for comprehensive query tracking
CREATE EVENT SESSION [DBaudit_QueryCapture] ON SERVER
ADD EVENT sqlserver.sql_statement_completed (
    ACTION (
        sqlserver.client_app_name,
        sqlserver.client_hostname,
        sqlserver.database_name,
        sqlserver.username,
        sqlserver.session_id
    )
    WHERE ([duration] > 0)
),
ADD EVENT sqlserver.rpc_completed (
    ACTION (
        sqlserver.client_app_name,
        sqlserver.client_hostname,
        sqlserver.database_name,
        sqlserver.username,
        sqlserver.session_id
    )
)
ADD TARGET package0.ring_buffer (SET max_memory = 4096)
WITH (
    MAX_MEMORY = 4096 KB,
    EVENT_RETENTION_MODE = ALLOW_SINGLE_EVENT_LOSS,
    MAX_DISPATCH_LATENCY = 30 SECONDS,
    STARTUP_STATE = ON
);

-- Start the session
ALTER EVENT SESSION [DBaudit_QueryCapture] ON SERVER STATE = START;
4

Configure DB Audit Collector

Add your SQL Server connection to the DB Audit configuration file. Store sensitive credentials in environment variables or a secrets manager. 

databases:
  - name: production-sqlserver
    type: sqlserver
    host: db.example.com
    port: 1433
    database: your_database
    username: dbaudit_reader
    password: ${SQLSERVER_PASSWORD}

    # Connection settings
    encrypt: true
    trust_server_certificate: false
    connect_timeout: 30

    # For Windows Authentication (optional)
    # windows_auth: true
    # domain: YOUR_DOMAIN

    # Monitoring options
    options:
      track_queries: true
      track_connections: true
      track_ddl: true
      track_dml: true
      track_errors: true
      use_extended_events: true
      sample_rate: 1.0  # 100% of queries
5

Test Connection

Verify your configuration before deploying. The collector includes built-in connection testing. 

-- Test connection with sqlcmd
sqlcmd -S db.example.com -U dbaudit_reader -P 'YourPassword' -Q "SELECT @@VERSION"

-- Test with encrypted connection
sqlcmd -S db.example.com -U dbaudit_reader -P 'YourPassword' -N -C -Q "SELECT @@VERSION"

-- Verify permissions
SELECT * FROM fn_my_permissions(NULL, 'SERVER');

-- Verify DB Audit collector can connect
dbaudit-collector test-connections --config /etc/dbaudit/config.yaml

Azure SQL Database Support

DB Audit fully supports Azure SQL Database and Azure SQL Managed Instance with the same connector.

Azure SQL Database

Use Azure AD authentication and enable Azure SQL Auditing for comprehensive logging to Azure Storage or Log Analytics.

Managed Instance

Full SQL Server feature parity including Extended Events and SQL Server Audit with output to Azure Blob Storage.

AWS RDS SQL Server & CloudWatch

Managed SQL Server with S3 Audit & CloudWatch Integration

Amazon RDS for SQL Server supports SQL Server Audit with audit files written to S3, plus CloudWatch Logs for agent and error logs. This section covers how to configure auditing on RDS SQL Server and connect it to DB Audit.

Important: S3 Audit File Storage

RDS SQL Server writes audit files to D:\rdsdbdata\SQLAudit\ and can automatically upload them to an S3 bucket. CloudWatch Logs receives agent and error logs, but SQL Server Audit data goes to S3. You must configure an option group with the SQLSERVER_AUDIT option to enable this feature.

RDS SQL Server Log Types

Log Type Destination Log Group/Location Description
SQL Audit S3 Bucket s3://bucket/instance-id/ SQL Server Audit files (.sqlaudit) (Recommended)
agent CloudWatch /aws/rds/instance/<id>/agent SQL Server Agent job logs
error CloudWatch /aws/rds/instance/<id>/error SQL Server error log (login failures, errors)

1. Create Option Group with SQLSERVER_AUDIT

Create a custom option group and add the SQLSERVER_AUDIT option with an S3 bucket for audit file storage. 

# Create option group with SQLSERVER_AUDIT option
aws rds create-option-group \
  --option-group-name sqlserver-audit-options \
  --engine-name sqlserver-ee \
  --major-engine-version 15.00 \
  --option-group-description "SQL Server option group with audit enabled"

# Add SQLSERVER_AUDIT option with S3 bucket for audit files
aws rds add-option-to-option-group \
  --option-group-name sqlserver-audit-options \
  --options "OptionName=SQLSERVER_AUDIT,OptionSettings=[{Name=S3_BUCKET_ARN,Value=arn:aws:s3:::my-sqlserver-audit-bucket},{Name=IAM_ROLE_ARN,Value=arn:aws:iam::123456789012:role/rds-sqlserver-audit-role}]"

# Apply option group to your instance
aws rds modify-db-instance \
  --db-instance-identifier my-sqlserver-instance \
  --option-group-name sqlserver-audit-options \
  --apply-immediately

2. Configure S3 Bucket for Audit Files

Create an S3 bucket and configure permissions for RDS to write audit files. 

# Create S3 bucket for audit files
aws s3 mb s3://my-sqlserver-audit-bucket --region us-east-1

# Create bucket policy to allow RDS access
cat > bucket-policy.json << 'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowRDSAuditWrite",
      "Effect": "Allow",
      "Principal": {
        "Service": "rds.amazonaws.com"
      },
      "Action": [
        "s3:PutObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::my-sqlserver-audit-bucket",
        "arn:aws:s3:::my-sqlserver-audit-bucket/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "123456789012"
        },
        "ArnLike": {
          "aws:SourceArn": "arn:aws:rds:us-east-1:123456789012:db:*"
        }
      }
    }
  ]
}
EOF

aws s3api put-bucket-policy \
  --bucket my-sqlserver-audit-bucket \
  --policy file://bucket-policy.json

# Create IAM role for RDS to write to S3
aws iam create-role \
  --role-name rds-sqlserver-audit-role \
  --assume-role-policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"rds.amazonaws.com"},"Action":"sts:AssumeRole"}]}'

3. Enable CloudWatch Logs Export

Configure your RDS instance to publish agent and error logs to CloudWatch Logs. 

# Enable CloudWatch Logs export for agent and error logs
aws rds modify-db-instance \
  --db-instance-identifier my-sqlserver-instance \
  --cloudwatch-logs-export-configuration '{"EnableLogTypes":["agent","error"]}'

# Create a new instance with CloudWatch logging enabled
aws rds create-db-instance \
  --db-instance-identifier my-sqlserver-instance \
  --db-instance-class db.m5.large \
  --engine sqlserver-ee \
  --engine-version 15.00.4365.2.v1 \
  --master-username admin \
  --manage-master-user-password \
  --allocated-storage 100 \
  --option-group-name sqlserver-audit-options \
  --cloudwatch-logs-export-configuration '["agent","error"]'

# Disable log export (if needed)
aws rds modify-db-instance \
  --db-instance-identifier my-sqlserver-instance \
  --cloudwatch-logs-export-configuration '{"DisableLogTypes":["agent","error"]}'

CloudWatch Log Group Structure

Agent logs: /aws/rds/instance/<instance-id>/agent

Error logs: /aws/rds/instance/<instance-id>/error

4. Create Server Audit Specifications

Use the RDS stored procedure to enable server audit, then create audit specifications to capture the activities you need to monitor. 

-- Create server audit using RDS stored procedure
-- RDS SQL Server writes audit files to D:\rdsdbdata\SQLAudit\
EXEC msdb.dbo.rds_enable_server_audit @audit_name = 'DBauditServerAudit';

-- Create server audit specification for login tracking
CREATE SERVER AUDIT SPECIFICATION DBauditServerSpec
FOR SERVER AUDIT DBauditServerAudit
ADD (FAILED_LOGIN_GROUP),
ADD (SUCCESSFUL_LOGIN_GROUP),
ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
ADD (DATABASE_ROLE_MEMBER_CHANGE_GROUP),
ADD (DATABASE_PERMISSION_CHANGE_GROUP),
ADD (SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP)
WITH (STATE = ON);

-- Create database audit specification for data access
USE your_database;
CREATE DATABASE AUDIT SPECIFICATION DBauditDatabaseSpec
FOR SERVER AUDIT DBauditServerAudit
ADD (SELECT, INSERT, UPDATE, DELETE ON SCHEMA::dbo BY public)
WITH (STATE = ON);

-- Verify audit configuration
SELECT * FROM sys.server_audits;
SELECT * FROM sys.server_audit_specifications;
RDS-Specific Procedure

Unlike self-managed SQL Server, RDS requires using msdb.dbo.rds_enable_server_audit to create the server audit. You cannot directly use CREATE SERVER AUDIT.

5. Configure IAM Permissions

Grant DB Audit permission to read CloudWatch Logs and S3 audit files. 

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CloudWatchLogsAccess",
      "Effect": "Allow",
      "Action": [
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams",
        "logs:GetLogEvents",
        "logs:FilterLogEvents"
      ],
      "Resource": [
        "arn:aws:logs:*:*:log-group:/aws/rds/instance/*/agent:*",
        "arn:aws:logs:*:*:log-group:/aws/rds/instance/*/error:*"
      ]
    },
    {
      "Sid": "S3AuditBucketAccess",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::my-sqlserver-audit-bucket",
        "arn:aws:s3:::my-sqlserver-audit-bucket/*"
      ]
    },
    {
      "Sid": "RDSDescribeAccess",
      "Effect": "Allow",
      "Action": [
        "rds:DescribeDBInstances",
        "rds:DescribeDBLogFiles",
        "rds:DownloadDBLogFilePortion"
      ],
      "Resource": "*"
    }
  ]
}
Use IAM Roles

If running DB Audit on EC2 or ECS, attach an IAM role instead of using access keys. This is more secure and handles credential rotation automatically.

6. Configure DB Audit for RDS SQL Server

Configure DB Audit to collect audit files from S3 and logs from CloudWatch. 

# DB Audit configuration for RDS SQL Server
databases:
  - name: production-rds-sqlserver
    type: sqlserver

    # RDS endpoint
    host: my-sqlserver-instance.xxxx.us-east-1.rds.amazonaws.com
    port: 1433
    database: your_database
    username: dbaudit_reader
    password: ${RDS_SQLSERVER_PASSWORD}

    # SSL is enabled by default for RDS
    encrypt: true
    trust_server_certificate: false

    options:
      # Use S3 as the audit log source
      log_source: s3

      # S3 configuration for audit files
      s3:
        bucket: my-sqlserver-audit-bucket
        prefix: my-sqlserver-instance/
        region: us-east-1

        # AWS credentials (use IAM role if running on EC2/ECS)
        # access_key_id: ${AWS_ACCESS_KEY_ID}
        # secret_access_key: ${AWS_SECRET_ACCESS_KEY}

        # Or use IAM role (recommended)
        use_iam_role: true

      # CloudWatch configuration for agent/error logs
      cloudwatch:
        region: us-east-1
        log_groups:
          - /aws/rds/instance/my-sqlserver-instance/agent
          - /aws/rds/instance/my-sqlserver-instance/error
        use_iam_role: true

      # Polling interval
      polling_interval: 30

7. Query Logs in CloudWatch

Use CloudWatch Logs Insights to analyze agent and error logs directly in the AWS Console. 

# View agent logs in CloudWatch Logs Insights
# Log group: /aws/rds/instance/<instance-id>/agent

# Query for SQL Server Agent job events
fields @timestamp, @message
| filter @message like /Job|Step|Schedule/
| sort @timestamp desc
| limit 100

# View error logs
# Log group: /aws/rds/instance/<instance-id>/error

# Query for failed login attempts
fields @timestamp, @message
| filter @message like /Login failed|Error: 18456/
| sort @timestamp desc
| limit 100

# Query for severity errors
fields @timestamp, @message
| filter @message like /Severity: [1-2][0-9]/
| sort @timestamp desc
| limit 100

# Query S3 audit files with Athena (optional)
# Audit files in: s3://my-sqlserver-audit-bucket/<instance-id>/

RDS SQL Server Audit Retention

RDS Instance Storage

Audit files in D:\rdsdbdata\SQLAudit\ are uploaded to S3 and then deleted from the instance.

S3 Bucket

Configure S3 lifecycle rules for retention. Audit files are stored indefinitely unless you set an expiration policy.

CloudWatch Logs

Configure retention in CloudWatch (1 day to 10 years). Set based on your compliance requirements.

Compliance Support

DB Audit's SQL Server connector helps you meet audit requirements for major compliance frameworks.

SOC 2
Access logging
HIPAA
PHI access audit
PCI DSS
Cardholder data
GDPR
Data access rights

Troubleshooting

Connection refused

Verify SQL Server is listening on TCP/IP (check SQL Server Configuration Manager). Ensure the firewall allows connections on port 1433 and SQL Browser service is running if using named instances.

Login failed for user

Verify the login exists and has the correct password. Check that SQL Server authentication is enabled in server properties. For Windows auth, ensure the service account has proper domain access.

SSL/TLS certificate error

For self-signed certificates, set trust_server_certificate: true in your configuration. For production, install a trusted certificate on SQL Server.

VIEW SERVER STATE permission denied

Connect as a sysadmin and grant VIEW SERVER STATE to your audit login. On Azure SQL Database, you may need VIEW DATABASE STATE instead.

Next Steps

Configure Alerts & Rules
View All Database Connectors
Quick Start Guide

Ready to Audit Your SQL Server Database?

Start monitoring your SQL Server databases in minutes. No agents to install on your database servers.

Start Free Trial Contact Sales