SQL Server must automatically audit account modification.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-41306	SQL2-00-001900	SV-53788r3_rule		Medium

Description
Once an attacker establishes initial access to a system, they often attempt to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply modify an existing account. Auditing of account modification is one method and best practice for mitigating this risk. A comprehensive application account management process ensures an audit trail automatically documents the modification of application user accounts and, as required, notifies administrators, application owners, and/or appropriate individuals. Applications must provide this capability directly, leverage complimentary technology providing this capability, or a combination thereof. Automated account-auditing processes greatly reduce the risk that accounts will be surreptitiously modified, and provides logging that can be used for forensic purposes. To address the multitude of policy based access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access mechanisms meeting or exceeding access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality.

Description

Once an attacker establishes initial access to a system, they often attempt to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply modify an existing account. Auditing of account modification is one method and best practice for mitigating this risk. A comprehensive application account management process ensures an audit trail automatically documents the modification of application user accounts and, as required, notifies administrators, application owners, and/or appropriate individuals. Applications must provide this capability directly, leverage complimentary technology providing this capability, or a combination thereof. Automated account-auditing processes greatly reduce the risk that accounts will be surreptitiously modified, and provides logging that can be used for forensic purposes. To address the multitude of policy based access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access mechanisms meeting or exceeding access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality.

STIG	Date
Microsoft SQL Server 2012 Database Instance Security Technical Implementation Guide	2015-03-26

Details

Check Text ( C-47875r4_chk )
Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); All currently defined traces for the SQL server instance will be listed. If no traces are returned, this is a finding. Determine the trace(s) being used for the auditing requirement. In the following, replace # with a trace ID being used for the auditing requirements. From the query prompt: SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#); The following required event IDs should be listed: 14, 15, 18, 20, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 115, 116, 117, 118, 128, 129, 130, 131, 132, 133, 134, 135, 152, 153, 170, 171, 172, 173, 175, 176, 177, 178. If any of the audit event IDs required above is not listed, this is a finding. Notes: 1. It is acceptable to have the required event IDs spread across multiple traces, provided all of the traces are always active, and the event IDs are grouped in a logical manner. 2. It is acceptable, from an auditing point of view, to include the same event IDs in multiple traces. However, the effect of this redundancy on performance, storage, and the consolidation of audit logs into a central repository, should be taken into account. 3. It is acceptable to trace additional event IDs. This is the minimum list. 4. Once this check is satisfied, the DBA may find it useful to disable or modify the default trace that is set up by the SQL Server installation process. (Note that the Fix does NOT include code to do this.) Use the following query to obtain a list of all event IDs, and their meaning: SELECT * FROM sys.trace_events; 5. Because this check procedure is designed to address multiple requirements/vulnerabilities, it may appear to exceed the needs of some individual requirements. However, it does represent the aggregate of all such requirements. 6. Microsoft has flagged the trace techniques and tools used in this Check and Fix as deprecated. They will be removed at some point after SQL Server 2014. The replacement feature is Extended Events. If Extended Events are in use, and cover all the required audit events listed above, this is not a finding.

Check Text ( C-47875r4_chk )

Check to see that all required events are being audited.
From the query prompt:
SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0);
All currently defined traces for the SQL server instance will be listed. If no traces are returned, this is a finding.

Determine the trace(s) being used for the auditing requirement.
In the following, replace # with a trace ID being used for the auditing requirements.
From the query prompt:
SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#);
The following required event IDs should be listed:
14, 15, 18, 20,
102, 103, 104, 105, 106, 107, 108, 109, 110,
111, 112, 113, 115, 116, 117, 118,
128, 129, 130,
131, 132, 133, 134, 135,
152, 153,
170, 171, 172, 173, 175, 176, 177, 178.
If any of the audit event IDs required above is not listed, this is a finding.

Notes:
1. It is acceptable to have the required event IDs spread across multiple traces, provided all of the traces are always active, and the event IDs are grouped in a logical manner.
2. It is acceptable, from an auditing point of view, to include the same event IDs in multiple traces. However, the effect of this redundancy on performance, storage, and the consolidation of audit logs into a central repository, should be taken into account.
3. It is acceptable to trace additional event IDs. This is the minimum list.
4. Once this check is satisfied, the DBA may find it useful to disable or modify the default trace that is set up by the SQL Server installation process. (Note that the Fix does NOT include code to do this.)
Use the following query to obtain a list of all event IDs, and their meaning:
SELECT * FROM sys.trace_events;
5. Because this check procedure is designed to address multiple requirements/vulnerabilities, it may appear to exceed the needs of some individual requirements. However, it does represent the aggregate of all such requirements.
6. Microsoft has flagged the trace techniques and tools used in this Check and Fix as deprecated. They will be removed at some point after SQL Server 2014. The replacement feature is Extended Events. If Extended Events are in use, and cover all the required audit events listed above, this is not a finding.

Fix Text (F-46697r3_fix)
-- Run this script to create and start an audit trace that audits required events. -- Note: Replace 'D:\' with the path and file name to your audit file. -- Adjust the other parameters of SP_TRACE_CREATE to suit your system's circumstances. -- The database server must be restarted for the trace to take effect. USE master; GO BEGIN TRY DROP PROCEDURE fso_audit END TRY BEGIN CATCH END CATCH; GO CREATE PROCEDURE fso_audit AS -- Create a Queue DECLARE @rc INT; DECLARE @TraceID INT; DECLARE @options INT = 6; -- 6 specifies TRACE_FILE_ROLLOVER (2) and SHUTDOWN_ON_ERROR (4) DECLARE @tracefile NVARCHAR(128) = 'D:\'; -- Trace file location and beginning of file name (SQL Server adds a suffix) DECLARE @maxfilesize BIGINT = 500; -- Trace file size limit in megabytes DECLARE @stoptime datetime = null; -- do not stop DECLARE @filecount INT = 10; -- Number of trace files in the rollover set EXEC @rc = SP_TRACE_CREATE @TraceID output, @options, @tracefile, @maxfilesize, @stoptime, @filecount ; IF (@rc != 0) GOTO Error; -- Set the events: DECLARE @on BIT = 1; -- Logins are audited based on SQL Server instance -- setting Audit Level stored in registry -- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.[#]\MSSQLServer\AuditLevel -- Audit Login -- Occurs when a user successfully logs in to SQL Server. EXEC SP_TRACE_SETEVENT @TraceID, 14, 1, @on; -- TextData EXEC SP_TRACE_SETEVENT @TraceID, 14, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 14, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 14, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 14, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 14, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 14, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 14, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 14, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 14, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 14, 35, @on; -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 14, 41, @on; -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 14, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 14, 64, @on; -- SessionLoginName -- Audit Logout -- Occurs when a user logs out of SQL Server. EXEC SP_TRACE_SETEVENT @TraceID, 15, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 15, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 15, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 15, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 15, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 15, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 15, 13, @on; -- Duration EXEC SP_TRACE_SETEVENT @TraceID, 15, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 15, 15, @on; -- EndTime EXEC SP_TRACE_SETEVENT @TraceID, 15, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 15, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 15, 35, @on; -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 15, 41, @on; -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 15, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 15, 64, @on; -- SessionLoginName -- Audit Server Starts and Stops -- Occurs when the SQL Server service state is modified. EXEC SP_TRACE_SETEVENT @TraceID, 18, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 18, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 18, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 18, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 18, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 18, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 18, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 18, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 18, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 18, 41, @on; -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 18, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 18, 64, @on; -- SessionLoginName -- Audit Login Failed -- Indicates that a login attempt to SQL Server from a client failed. EXEC SP_TRACE_SETEVENT @TraceID, 20, 1, @on; -- TextData EXEC SP_TRACE_SETEVENT @TraceID, 20, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 20, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 20, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 20, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 20, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 20, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 20, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 20, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 20, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 20, 31, @on; -- Error EXEC SP_TRACE_SETEVENT @TraceID, 20, 35, @on; -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 20, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 20, 64, @on; -- SessionLoginName -- Audit Statement GDR Event -- Occurs every time a GRANT, DENY, REVOKE for a statement -- permission is issued by any user in SQL Server. EXEC SP_TRACE_SETEVENT @TraceID, 102, 1, @on; -- TextData EXEC SP_TRACE_SETEVENT @TraceID, 102, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 102, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 102, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 102, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 102, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 102, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 102, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 102, 19, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 102, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 102, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 102, 28, @on; -- ObjectType EXEC SP_TRACE_SETEVENT @TraceID, 102, 34, @on; -- ObjectName EXEC SP_TRACE_SETEVENT @TraceID, 102, 35, @on; -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 102, 37, @on; -- OwnerName EXEC SP_TRACE_SETEVENT @TraceID, 102, 39, @on; -- TargetUserName EXEC SP_TRACE_SETEVENT @TraceID, 102, 40, @on; -- DBUserName EXEC SP_TRACE_SETEVENT @TraceID, 102, 41, @on; -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 102, 42, @on; -- TargetLoginName EXEC SP_TRACE_SETEVENT @TraceID, 102, 43, @on; -- TargetLoginSid EXEC SP_TRACE_SETEVENT @TraceID, 102, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 102, 64, @on; -- SessionLoginName -- Audit Object GDR Event -- Occurs every time a GRANT, DENY, REVOKE for an object -- permission is issued by any user in SQL Server. EXEC SP_TRACE_SETEVENT @TraceID, 103, 1, @on; -- TextData EXEC SP_TRACE_SETEVENT @TraceID, 103, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 103, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 103, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 103, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 103, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 103, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 103, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 103, 19, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 103, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 103, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 103, 28, @on; -- ObjectType EXEC SP_TRACE_SETEVENT @TraceID, 103, 34, @on; -- ObjectName EXEC SP_TRACE_SETEVENT @TraceID, 103, 35, @on; -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 103, 37, @on; -- OwnerName EXEC SP_TRACE_SETEVENT @TraceID, 103, 39, @on; -- TargetUserName EXEC SP_TRACE_SETEVENT @TraceID, 103, 40, @on; -- DBUserName EXEC SP_TRACE_SETEVENT @TraceID, 103, 41, @on; -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 103, 42, @on; -- TargetLoginName EXEC SP_TRACE_SETEVENT @TraceID, 103, 43, @on; -- TargetLoginSid EXEC SP_TRACE_SETEVENT @TraceID, 103, 44, @on; -- ColumnPermissions EXEC SP_TRACE_SETEVENT @TraceID, 103, 59, @on; -- ParentName EXEC SP_TRACE_SETEVENT @TraceID, 103, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 103, 64, @on; -- SessionLoginName -- Audit AddLogin Event -- Occurs when a SQL Server login is added or removed; -- for sp_addlogin and sp_droplogin. EXEC SP_TRACE_SETEVENT @TraceID, 104, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 104, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 104, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 104, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 104, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 104, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 104, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 104, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 104, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 104, 35, @on; -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 104, 41, @on; -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 104, 42, @on; -- TargetLoginName EXEC SP_TRACE_SETEVENT @TraceID, 104, 43, @on; -- TargetLoginSid EXEC SP_TRACE_SETEVENT @TraceID, 104, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 104, 64, @on; -- SessionLoginName -- Audit Login GDR Event -- Occurs when a Windows login right is added or removed; -- for sp_grantlogin, sp_revokelogin, and sp_denylogin. EXEC SP_TRACE_SETEVENT @TraceID, 105, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 105, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 105, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 105, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 105, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 105, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 105, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 105, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 105, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 105, 35, @on; -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 105, 41, @on; -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 105, 42, @on; -- TargetLoginName EXEC SP_TRACE_SETEVENT @TraceID, 105, 43, @on; -- TargetLoginSid EXEC SP_TRACE_SETEVENT @TraceID, 105, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 105, 64, @on; -- SessionLoginName -- Audit Login Change Property Event -- Occurs when a property of a login, except passwords, -- is modified; for sp_defaultdb and sp_defaultlanguage. EXEC SP_TRACE_SETEVENT @TraceID, 106, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 64, @on; -- Audit Login Change Password Event -- Occurs when a SQL Server login password is changed. -- Passwords are not recorded. EXEC SP_TRACE_SETEVENT @TraceID, 107, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 64, @on; -- Audit Add Login to Server Role Event -- Occurs when a login is added or removed from a fixed server role; -- for sp_addsrvrolemember, and sp_dropsrvrolemember. EXEC SP_TRACE_SETEVENT @TraceID, 108, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 38, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 64, @on; -- Audit Add DB User Event -- Occurs when a login is added or removed as a database user -- (Windows or SQL Server) to a database; for sp_grantdbaccess, -- sp_revokedbaccess, sp_adduser, and sp_dropuser. EXEC SP_TRACE_SETEVENT @TraceID, 109, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 21, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 38, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 44, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 51, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 64, @on; -- Audit Add Member to DB Role Event -- Occurs when a login is added or removed as a database user -- (fixed or user-defined) to a database; for sp_addrolemember, -- sp_droprolemember, and sp_changegroup. EXEC SP_TRACE_SETEVENT @TraceID, 110, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 38, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 64, @on; -- Audit Add Role Event -- Occurs when a login is added or removed as a database user to a -- database; for sp_addrole and sp_droprole. EXEC SP_TRACE_SETEVENT @TraceID, 111, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 38, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 64, @on; -- Audit App Role Change Password Event -- Occurs when a password of an application role is changed. EXEC SP_TRACE_SETEVENT @TraceID, 112, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 38, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 64, @on; -- Audit Statement Permission Event -- Occurs when a statement permission (such as CREATE TABLE) is used. EXEC SP_TRACE_SETEVENT @TraceID, 113, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 19, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 64, @on; -- Audit Backup/Restore Event -- Occurs when a BACKUP or RESTORE command is issued. EXEC SP_TRACE_SETEVENT @TraceID, 115, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 64, @on; -- Audit DBCC Event -- Occurs when DBCC commands are issued. EXEC SP_TRACE_SETEVENT @TraceID, 116, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 44, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 64, @on; -- Audit Change Audit Event -- Occurs when audit trace modifications are made. EXEC SP_TRACE_SETEVENT @TraceID, 117, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 44, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 64, @on; -- Audit Object Derived Permission Event -- Occurs when a CREATE, ALTER, and DROP object commands are issued. EXEC SP_TRACE_SETEVENT @TraceID, 118, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 64, @on; -- Audit Database Management Event -- Occurs when a CREATE, ALTER, or DROP statement executes on -- database objects, such as schemas. EXEC SP_TRACE_SETEVENT @TraceID, 128, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 64, @on; -- Audit Database Object Management Event -- Occurs when a CREATE, ALTER, or DROP statement executes on -- database objects, such as schemas. EXEC SP_TRACE_SETEVENT @TraceID, 129, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 64, @on; -- Audit Database Principal Management Event -- Occurs when principals, such as users, are created, altered, or -- dropped from a database. EXEC SP_TRACE_SETEVENT @TraceID, 130, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 64, @on; -- Audit Schema Object Management Event -- Occurs when server objects are created, altered, or dropped. EXEC SP_TRACE_SETEVENT @TraceID, 131, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 59, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 64, @on; -- Audit Server Principal Impersonation Event -- Occurs when there is an impersonation within server scope, such -- as EXECUTE AS LOGIN. EXEC SP_TRACE_SETEVENT @TraceID, 132, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 64, @on; -- Audit Database Principal Impersonation Event -- Occurs when an impersonation occurs within the database scope, -- such as EXECUTE AS USER or SETUSER. EXEC SP_TRACE_SETEVENT @TraceID, 133, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 38, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 64, @on; -- Audit Server Object Take Ownership Event -- Occurs when the owner is changed for objects in server scope. EXEC SP_TRACE_SETEVENT @TraceID, 134, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 64, @on; -- Audit Database Object Take Ownership Event -- Occurs when a change of owner for objects within database scope -- occurs. EXEC SP_TRACE_SETEVENT @TraceID, 135, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 64, @on; -- Audit Change Database Owner -- Occurs when ALTER AUTHORIZATION is used to change the owner of a -- database and permissions are checked to do that. EXEC SP_TRACE_SETEVENT @TraceID, 152, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 64, @on; -- Audit Schema Object Take Ownership Event -- Occurs when ALTER AUTHORIZATION is used to assign an owner to an -- object and permissions are checked to do that. EXEC SP_TRACE_SETEVENT @TraceID, 153, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 59, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 64, @on; -- Audit Server Scope GDR Event -- Indicates that a grant, deny, or revoke event for permissions in -- server scope occurred, such as creating a login. EXEC SP_TRACE_SETEVENT @TraceID, 170, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 19, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 64, @on; -- Audit Server Object GDR Event -- Indicates that a grant, deny, or revoke event for a schema object, -- such as a table or function, occurred. EXEC SP_TRACE_SETEVENT @TraceID, 171, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 19, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 64, @on; -- Audit Database Object GDR Event -- Indicates that a grant, deny, or revoke event for database -- objects, such as assemblies and schemas, occurred. EXEC SP_TRACE_SETEVENT @TraceID, 172, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 19, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 64, @on; -- Audit Server Operation Event -- Occurs when Security Audit operations such as altering settings, -- resources, external access, or authorization are used. EXEC SP_TRACE_SETEVENT @TraceID, 173, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 64, @on; -- Audit Server Alter Trace Event -- Occurs when a statement checks for the ALTER TRACE permission. EXEC SP_TRACE_SETEVENT @TraceID, 175, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 64, @on; -- Audit Server Object Management Event -- Occurs when server objects are created, altered, or dropped. EXEC SP_TRACE_SETEVENT @TraceID, 176, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 45, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 46, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 64, @on; -- Audit Server Principal Management Event -- Occurs when server principals are created, altered, or dropped. EXEC SP_TRACE_SETEVENT @TraceID, 177, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 45, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 64, @on; -- Audit Database Operation Event -- Occurs when database operations occur, such as checkpoint or -- subscribe query notification. EXEC SP_TRACE_SETEVENT @TraceID, 178, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 64, @on; -- Set the trace status to start. EXEC SP_TRACE_SETSTATUS @TraceID, 1; -- Display trace ID for future reference. SELECT @TraceID AS TraceID; GOTO Finish; Error: SELECT @rc AS ErrorCode; Finish: GO EXEC SP_PROCOPTION 'fso_audit', 'startup', 'true'; GO -- Note: Replace 'D:\' with the path and file name to your audit file. -- Adjust the other parameters of SP_TRACE_CREATE to suit your system's circumstances.

Fix Text (F-46697r3_fix)

-- Run this script to create and start an audit trace that audits required events.

-- Note: Replace 'D:\' with the path and file name to your audit file.
-- Adjust the other parameters of SP_TRACE_CREATE to suit your system's circumstances.

-- The database server must be restarted for the trace to take effect.

USE master;
GO

BEGIN TRY DROP PROCEDURE fso_audit END TRY BEGIN CATCH END CATCH;
GO

CREATE PROCEDURE fso_audit AS
-- Create a Queue
DECLARE @rc INT;
DECLARE @TraceID INT;
DECLARE @options INT = 6; -- 6 specifies TRACE_FILE_ROLLOVER (2) and SHUTDOWN_ON_ERROR (4)
DECLARE @tracefile NVARCHAR(128) = 'D:\';
-- Trace file location and beginning of file name (SQL Server adds a suffix)
DECLARE @maxfilesize BIGINT = 500; -- Trace file size limit in megabytes
DECLARE @stoptime datetime = null; -- do not stop
DECLARE @filecount INT = 10; -- Number of trace files in the rollover set
EXEC @rc = SP_TRACE_CREATE
@TraceID output,
@options,
@tracefile,
@maxfilesize,
@stoptime,
@filecount
;
IF (@rc != 0) GOTO Error;

-- Set the events:
DECLARE @on BIT = 1;

-- Logins are audited based on SQL Server instance
-- setting Audit Level stored in registry
-- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.[#]\MSSQLServer\AuditLevel
-- Audit Login
-- Occurs when a user successfully logs in to SQL Server.
EXEC SP_TRACE_SETEVENT @TraceID, 14, 1, @on; -- TextData
EXEC SP_TRACE_SETEVENT @TraceID, 14, 6, @on; -- NTUserName
EXEC SP_TRACE_SETEVENT @TraceID, 14, 7, @on; -- NTDomainName
EXEC SP_TRACE_SETEVENT @TraceID, 14, 8, @on; -- HostName
EXEC SP_TRACE_SETEVENT @TraceID, 14, 10, @on; -- ApplicationName
EXEC SP_TRACE_SETEVENT @TraceID, 14, 11, @on; -- LoginName
EXEC SP_TRACE_SETEVENT @TraceID, 14, 12, @on; -- SPID
EXEC SP_TRACE_SETEVENT @TraceID, 14, 14, @on; -- StartTime
EXEC SP_TRACE_SETEVENT @TraceID, 14, 23, @on; -- Success
EXEC SP_TRACE_SETEVENT @TraceID, 14, 26, @on; -- ServerName
EXEC SP_TRACE_SETEVENT @TraceID, 14, 35, @on; -- DatabaseName
EXEC SP_TRACE_SETEVENT @TraceID, 14, 41, @on; -- LoginSid
EXEC SP_TRACE_SETEVENT @TraceID, 14, 60, @on; -- IsSystem
EXEC SP_TRACE_SETEVENT @TraceID, 14, 64, @on; -- SessionLoginName
-- Audit Logout
-- Occurs when a user logs out of SQL Server.
EXEC SP_TRACE_SETEVENT @TraceID, 15, 6, @on; -- NTUserName
EXEC SP_TRACE_SETEVENT @TraceID, 15, 7, @on; -- NTDomainName
EXEC SP_TRACE_SETEVENT @TraceID, 15, 8, @on; -- HostName
EXEC SP_TRACE_SETEVENT @TraceID, 15, 10, @on; -- ApplicationName
EXEC SP_TRACE_SETEVENT @TraceID, 15, 11, @on; -- LoginName
EXEC SP_TRACE_SETEVENT @TraceID, 15, 12, @on; -- SPID
EXEC SP_TRACE_SETEVENT @TraceID, 15, 13, @on; -- Duration
EXEC SP_TRACE_SETEVENT @TraceID, 15, 14, @on; -- StartTime
EXEC SP_TRACE_SETEVENT @TraceID, 15, 15, @on; -- EndTime
EXEC SP_TRACE_SETEVENT @TraceID, 15, 23, @on; -- Success
EXEC SP_TRACE_SETEVENT @TraceID, 15, 26, @on; -- ServerName
EXEC SP_TRACE_SETEVENT @TraceID, 15, 35, @on; -- DatabaseName
EXEC SP_TRACE_SETEVENT @TraceID, 15, 41, @on; -- LoginSid
EXEC SP_TRACE_SETEVENT @TraceID, 15, 60, @on; -- IsSystem
EXEC SP_TRACE_SETEVENT @TraceID, 15, 64, @on; -- SessionLoginName
-- Audit Server Starts and Stops
-- Occurs when the SQL Server service state is modified.
EXEC SP_TRACE_SETEVENT @TraceID, 18, 6, @on; -- NTUserName
EXEC SP_TRACE_SETEVENT @TraceID, 18, 7, @on; -- NTDomainName
EXEC SP_TRACE_SETEVENT @TraceID, 18, 8, @on; -- HostName
EXEC SP_TRACE_SETEVENT @TraceID, 18, 10, @on; -- ApplicationName
EXEC SP_TRACE_SETEVENT @TraceID, 18, 11, @on; -- LoginName
EXEC SP_TRACE_SETEVENT @TraceID, 18, 12, @on; -- SPID
EXEC SP_TRACE_SETEVENT @TraceID, 18, 14, @on; -- StartTime
EXEC SP_TRACE_SETEVENT @TraceID, 18, 23, @on; -- Success
EXEC SP_TRACE_SETEVENT @TraceID, 18, 26, @on; -- ServerName
EXEC SP_TRACE_SETEVENT @TraceID, 18, 41, @on; -- LoginSid
EXEC SP_TRACE_SETEVENT @TraceID, 18, 60, @on; -- IsSystem
EXEC SP_TRACE_SETEVENT @TraceID, 18, 64, @on; -- SessionLoginName
-- Audit Login Failed
-- Indicates that a login attempt to SQL Server from a client failed.
EXEC SP_TRACE_SETEVENT @TraceID, 20, 1, @on; -- TextData
EXEC SP_TRACE_SETEVENT @TraceID, 20, 6, @on; -- NTUserName
EXEC SP_TRACE_SETEVENT @TraceID, 20, 7, @on; -- NTDomainName
EXEC SP_TRACE_SETEVENT @TraceID, 20, 8, @on; -- HostName
EXEC SP_TRACE_SETEVENT @TraceID, 20, 10, @on; -- ApplicationName
EXEC SP_TRACE_SETEVENT @TraceID, 20, 11, @on; -- LoginName
EXEC SP_TRACE_SETEVENT @TraceID, 20, 12, @on; -- SPID
EXEC SP_TRACE_SETEVENT @TraceID, 20, 14, @on; -- StartTime
EXEC SP_TRACE_SETEVENT @TraceID, 20, 23, @on; -- Success
EXEC SP_TRACE_SETEVENT @TraceID, 20, 26, @on; -- ServerName
EXEC SP_TRACE_SETEVENT @TraceID, 20, 31, @on; -- Error
EXEC SP_TRACE_SETEVENT @TraceID, 20, 35, @on; -- DatabaseName
EXEC SP_TRACE_SETEVENT @TraceID, 20, 60, @on; -- IsSystem
EXEC SP_TRACE_SETEVENT @TraceID, 20, 64, @on; -- SessionLoginName
-- Audit Statement GDR Event
-- Occurs every time a GRANT, DENY, REVOKE for a statement
-- permission is issued by any user in SQL Server.
EXEC SP_TRACE_SETEVENT @TraceID, 102, 1, @on; -- TextData
EXEC SP_TRACE_SETEVENT @TraceID, 102, 6, @on; -- NTUserName
EXEC SP_TRACE_SETEVENT @TraceID, 102, 7, @on; -- NTDomainName
EXEC SP_TRACE_SETEVENT @TraceID, 102, 8, @on; -- HostName
EXEC SP_TRACE_SETEVENT @TraceID, 102, 10, @on; -- ApplicationName
EXEC SP_TRACE_SETEVENT @TraceID, 102, 11, @on; -- LoginName
EXEC SP_TRACE_SETEVENT @TraceID, 102, 12, @on; -- SPID
EXEC SP_TRACE_SETEVENT @TraceID, 102, 14, @on; -- StartTime
EXEC SP_TRACE_SETEVENT @TraceID, 102, 19, @on; -- StartTime
EXEC SP_TRACE_SETEVENT @TraceID, 102, 23, @on; -- Success
EXEC SP_TRACE_SETEVENT @TraceID, 102, 26, @on; -- ServerName
EXEC SP_TRACE_SETEVENT @TraceID, 102, 28, @on; -- ObjectType
EXEC SP_TRACE_SETEVENT @TraceID, 102, 34, @on; -- ObjectName
EXEC SP_TRACE_SETEVENT @TraceID, 102, 35, @on; -- DatabaseName
EXEC SP_TRACE_SETEVENT @TraceID, 102, 37, @on; -- OwnerName
EXEC SP_TRACE_SETEVENT @TraceID, 102, 39, @on; -- TargetUserName
EXEC SP_TRACE_SETEVENT @TraceID, 102, 40, @on; -- DBUserName
EXEC SP_TRACE_SETEVENT @TraceID, 102, 41, @on; -- LoginSid
EXEC SP_TRACE_SETEVENT @TraceID, 102, 42, @on; -- TargetLoginName
EXEC SP_TRACE_SETEVENT @TraceID, 102, 43, @on; -- TargetLoginSid
EXEC SP_TRACE_SETEVENT @TraceID, 102, 60, @on; -- IsSystem
EXEC SP_TRACE_SETEVENT @TraceID, 102, 64, @on; -- SessionLoginName
-- Audit Object GDR Event
-- Occurs every time a GRANT, DENY, REVOKE for an object
-- permission is issued by any user in SQL Server.
EXEC SP_TRACE_SETEVENT @TraceID, 103, 1, @on; -- TextData
EXEC SP_TRACE_SETEVENT @TraceID, 103, 6, @on; -- NTUserName
EXEC SP_TRACE_SETEVENT @TraceID, 103, 7, @on; -- NTDomainName
EXEC SP_TRACE_SETEVENT @TraceID, 103, 8, @on; -- HostName
EXEC SP_TRACE_SETEVENT @TraceID, 103, 10, @on; -- ApplicationName
EXEC SP_TRACE_SETEVENT @TraceID, 103, 11, @on; -- LoginName
EXEC SP_TRACE_SETEVENT @TraceID, 103, 12, @on; -- SPID
EXEC SP_TRACE_SETEVENT @TraceID, 103, 14, @on; -- StartTime
EXEC SP_TRACE_SETEVENT @TraceID, 103, 19, @on; -- StartTime
EXEC SP_TRACE_SETEVENT @TraceID, 103, 23, @on; -- Success
EXEC SP_TRACE_SETEVENT @TraceID, 103, 26, @on; -- ServerName
EXEC SP_TRACE_SETEVENT @TraceID, 103, 28, @on; -- ObjectType
EXEC SP_TRACE_SETEVENT @TraceID, 103, 34, @on; -- ObjectName
EXEC SP_TRACE_SETEVENT @TraceID, 103, 35, @on; -- DatabaseName
EXEC SP_TRACE_SETEVENT @TraceID, 103, 37, @on; -- OwnerName
EXEC SP_TRACE_SETEVENT @TraceID, 103, 39, @on; -- TargetUserName
EXEC SP_TRACE_SETEVENT @TraceID, 103, 40, @on; -- DBUserName
EXEC SP_TRACE_SETEVENT @TraceID, 103, 41, @on; -- LoginSid
EXEC SP_TRACE_SETEVENT @TraceID, 103, 42, @on; -- TargetLoginName
EXEC SP_TRACE_SETEVENT @TraceID, 103, 43, @on; -- TargetLoginSid
EXEC SP_TRACE_SETEVENT @TraceID, 103, 44, @on; -- ColumnPermissions
EXEC SP_TRACE_SETEVENT @TraceID, 103, 59, @on; -- ParentName
EXEC SP_TRACE_SETEVENT @TraceID, 103, 60, @on; -- IsSystem
EXEC SP_TRACE_SETEVENT @TraceID, 103, 64, @on; -- SessionLoginName
-- Audit AddLogin Event
-- Occurs when a SQL Server login is added or removed;
-- for sp_addlogin and sp_droplogin.
EXEC SP_TRACE_SETEVENT @TraceID, 104, 6, @on; -- NTUserName
EXEC SP_TRACE_SETEVENT @TraceID, 104, 7, @on; -- NTDomainName
EXEC SP_TRACE_SETEVENT @TraceID, 104, 8, @on; -- HostName
EXEC SP_TRACE_SETEVENT @TraceID, 104, 10, @on; -- ApplicationName
EXEC SP_TRACE_SETEVENT @TraceID, 104, 11, @on; -- LoginName
EXEC SP_TRACE_SETEVENT @TraceID, 104, 12, @on; -- SPID
EXEC SP_TRACE_SETEVENT @TraceID, 104, 14, @on; -- StartTime
EXEC SP_TRACE_SETEVENT @TraceID, 104, 23, @on; -- Success
EXEC SP_TRACE_SETEVENT @TraceID, 104, 26, @on; -- ServerName
EXEC SP_TRACE_SETEVENT @TraceID, 104, 35, @on; -- DatabaseName
EXEC SP_TRACE_SETEVENT @TraceID, 104, 41, @on; -- LoginSid
EXEC SP_TRACE_SETEVENT @TraceID, 104, 42, @on; -- TargetLoginName
EXEC SP_TRACE_SETEVENT @TraceID, 104, 43, @on; -- TargetLoginSid
EXEC SP_TRACE_SETEVENT @TraceID, 104, 60, @on; -- IsSystem
EXEC SP_TRACE_SETEVENT @TraceID, 104, 64, @on; -- SessionLoginName
-- Audit Login GDR Event
-- Occurs when a Windows login right is added or removed;
-- for sp_grantlogin, sp_revokelogin, and sp_denylogin.
EXEC SP_TRACE_SETEVENT @TraceID, 105, 6, @on; -- NTUserName
EXEC SP_TRACE_SETEVENT @TraceID, 105, 7, @on; -- NTDomainName
EXEC SP_TRACE_SETEVENT @TraceID, 105, 8, @on; -- HostName
EXEC SP_TRACE_SETEVENT @TraceID, 105, 10, @on; -- ApplicationName
EXEC SP_TRACE_SETEVENT @TraceID, 105, 11, @on; -- LoginName
EXEC SP_TRACE_SETEVENT @TraceID, 105, 12, @on; -- SPID
EXEC SP_TRACE_SETEVENT @TraceID, 105, 14, @on; -- StartTime
EXEC SP_TRACE_SETEVENT @TraceID, 105, 23, @on; -- Success
EXEC SP_TRACE_SETEVENT @TraceID, 105, 26, @on; -- ServerName
EXEC SP_TRACE_SETEVENT @TraceID, 105, 35, @on; -- DatabaseName
EXEC SP_TRACE_SETEVENT @TraceID, 105, 41, @on; -- LoginSid
EXEC SP_TRACE_SETEVENT @TraceID, 105, 42, @on; -- TargetLoginName
EXEC SP_TRACE_SETEVENT @TraceID, 105, 43, @on; -- TargetLoginSid
EXEC SP_TRACE_SETEVENT @TraceID, 105, 60, @on; -- IsSystem
EXEC SP_TRACE_SETEVENT @TraceID, 105, 64, @on; -- SessionLoginName
-- Audit Login Change Property Event
-- Occurs when a property of a login, except passwords,
-- is modified; for sp_defaultdb and sp_defaultlanguage.
EXEC SP_TRACE_SETEVENT @TraceID, 106, 1, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 106, 6, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 106, 7, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 106, 8, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 106, 10, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 106, 11, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 106, 12, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 106, 14, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 106, 23, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 106, 26, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 106, 28, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 106, 34, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 106, 35, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 106, 37, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 106, 41, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 106, 42, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 106, 43, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 106, 60, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 106, 64, @on;
-- Audit Login Change Password Event
-- Occurs when a SQL Server login password is changed.
-- Passwords are not recorded.
EXEC SP_TRACE_SETEVENT @TraceID, 107, 1, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 107, 6, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 107, 7, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 107, 8, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 107, 10, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 107, 11, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 107, 12, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 107, 14, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 107, 23, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 107, 26, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 107, 28, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 107, 34, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 107, 35, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 107, 37, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 107, 41, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 107, 42, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 107, 43, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 107, 60, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 107, 64, @on;
-- Audit Add Login to Server Role Event
-- Occurs when a login is added or removed from a fixed server role;
-- for sp_addsrvrolemember, and sp_dropsrvrolemember.
EXEC SP_TRACE_SETEVENT @TraceID, 108, 1, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 108, 6, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 108, 7, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 108, 8, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 108, 10, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 108, 11, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 108, 12, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 108, 14, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 108, 23, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 108, 26, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 108, 28, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 108, 34, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 108, 35, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 108, 37, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 108, 38, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 108, 40, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 108, 41, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 108, 42, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 108, 43, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 108, 60, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 108, 64, @on;
-- Audit Add DB User Event
-- Occurs when a login is added or removed as a database user
-- (Windows or SQL Server) to a database; for sp_grantdbaccess,
-- sp_revokedbaccess, sp_adduser, and sp_dropuser.
EXEC SP_TRACE_SETEVENT @TraceID, 109, 6, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 109, 7, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 109, 8, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 109, 10, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 109, 11, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 109, 12, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 109, 14, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 109, 21, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 109, 23, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 109, 26, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 109, 35, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 109, 37, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 109, 38, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 109, 39, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 109, 40, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 109, 41, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 109, 42, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 109, 43, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 109, 44, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 109, 51, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 109, 60, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 109, 64, @on;
-- Audit Add Member to DB Role Event
-- Occurs when a login is added or removed as a database user
-- (fixed or user-defined) to a database; for sp_addrolemember,
-- sp_droprolemember, and sp_changegroup.
EXEC SP_TRACE_SETEVENT @TraceID, 110, 1, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 110, 6, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 110, 7, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 110, 8, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 110, 10, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 110, 11, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 110, 12, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 110, 14, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 110, 23, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 110, 26, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 110, 28, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 110, 34, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 110, 35, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 110, 37, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 110, 38, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 110, 39, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 110, 40, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 110, 41, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 110, 60, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 110, 64, @on;
-- Audit Add Role Event
-- Occurs when a login is added or removed as a database user to a
-- database; for sp_addrole and sp_droprole.
EXEC SP_TRACE_SETEVENT @TraceID, 111, 6, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 111, 7, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 111, 8, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 111, 10, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 111, 11, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 111, 12, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 111, 14, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 111, 23, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 111, 26, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 111, 35, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 111, 38, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 111, 40, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 111, 41, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 111, 60, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 111, 64, @on;
-- Audit App Role Change Password Event
-- Occurs when a password of an application role is changed.
EXEC SP_TRACE_SETEVENT @TraceID, 112, 1, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 112, 6, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 112, 7, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 112, 8, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 112, 10, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 112, 11, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 112, 12, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 112, 14, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 112, 23, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 112, 26, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 112, 28, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 112, 34, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 112, 35, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 112, 37, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 112, 38, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 112, 40, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 112, 41, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 112, 60, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 112, 64, @on;
-- Audit Statement Permission Event
-- Occurs when a statement permission (such as CREATE TABLE) is used.
EXEC SP_TRACE_SETEVENT @TraceID, 113, 1, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 113, 6, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 113, 7, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 113, 8, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 113, 10, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 113, 11, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 113, 12, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 113, 14, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 113, 19, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 113, 23, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 113, 26, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 113, 35, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 113, 40, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 113, 41, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 113, 60, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 113, 64, @on;
-- Audit Backup/Restore Event
-- Occurs when a BACKUP or RESTORE command is issued.
EXEC SP_TRACE_SETEVENT @TraceID, 115, 1, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 115, 6, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 115, 7, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 115, 8, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 115, 10, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 115, 11, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 115, 12, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 115, 14, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 115, 23, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 115, 26, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 115, 35, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 115, 40, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 115, 41, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 115, 60, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 115, 64, @on;
-- Audit DBCC Event
-- Occurs when DBCC commands are issued.
EXEC SP_TRACE_SETEVENT @TraceID, 116, 1, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 116, 6, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 116, 7, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 116, 8, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 116, 10, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 116, 11, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 116, 12, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 116, 14, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 116, 23, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 116, 26, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 116, 35, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 116, 37, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 116, 40, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 116, 41, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 116, 44, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 116, 60, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 116, 64, @on;
-- Audit Change Audit Event
-- Occurs when audit trace modifications are made.
EXEC SP_TRACE_SETEVENT @TraceID, 117, 1, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 117, 6, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 117, 7, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 117, 8, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 117, 10, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 117, 11, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 117, 12, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 117, 14, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 117, 23, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 117, 26, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 117, 35, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 117, 37, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 117, 40, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 117, 41, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 117, 44, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 117, 60, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 117, 64, @on;
-- Audit Object Derived Permission Event
-- Occurs when a CREATE, ALTER, and DROP object commands are issued.
EXEC SP_TRACE_SETEVENT @TraceID, 118, 1, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 118, 6, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 118, 7, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 118, 8, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 118, 10, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 118, 11, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 118, 12, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 118, 14, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 118, 23, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 118, 26, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 118, 28, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 118, 34, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 118, 35, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 118, 37, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 118, 40, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 118, 41, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 118, 60, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 118, 64, @on;
-- Audit Database Management Event
-- Occurs when a CREATE, ALTER, or DROP statement executes on
-- database objects, such as schemas.
EXEC SP_TRACE_SETEVENT @TraceID, 128, 1, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 128, 6, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 128, 7, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 128, 8, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 128, 10, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 128, 11, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 128, 12, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 128, 14, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 128, 23, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 128, 26, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 128, 28, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 128, 34, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 128, 35, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 128, 37, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 128, 40, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 128, 41, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 128, 60, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 128, 64, @on;
-- Audit Database Object Management Event
-- Occurs when a CREATE, ALTER, or DROP statement executes on
-- database objects, such as schemas.
EXEC SP_TRACE_SETEVENT @TraceID, 129, 1, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 129, 6, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 129, 7, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 129, 8, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 129, 10, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 129, 11, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 129, 12, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 129, 14, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 129, 23, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 129, 26, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 129, 28, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 129, 34, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 129, 35, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 129, 37, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 129, 40, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 129, 41, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 129, 60, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 129, 64, @on;
-- Audit Database Principal Management Event
-- Occurs when principals, such as users, are created, altered, or
-- dropped from a database.
EXEC SP_TRACE_SETEVENT @TraceID, 130, 1, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 130, 6, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 130, 7, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 130, 8, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 130, 10, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 130, 11, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 130, 12, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 130, 14, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 130, 23, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 130, 26, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 130, 28, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 130, 34, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 130, 35, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 130, 37, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 130, 40, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 130, 41, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 130, 60, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 130, 64, @on;
-- Audit Schema Object Management Event
-- Occurs when server objects are created, altered, or dropped.
EXEC SP_TRACE_SETEVENT @TraceID, 131, 1, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 131, 6, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 131, 7, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 131, 8, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 131, 10, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 131, 11, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 131, 12, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 131, 14, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 131, 23, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 131, 26, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 131, 28, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 131, 34, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 131, 35, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 131, 37, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 131, 40, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 131, 41, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 131, 59, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 131, 60, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 131, 64, @on;
-- Audit Server Principal Impersonation Event
-- Occurs when there is an impersonation within server scope, such
-- as EXECUTE AS LOGIN.
EXEC SP_TRACE_SETEVENT @TraceID, 132, 1, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 132, 6, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 132, 7, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 132, 8, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 132, 10, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 132, 11, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 132, 12, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 132, 14, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 132, 23, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 132, 26, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 132, 28, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 132, 34, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 132, 35, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 132, 40, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 132, 41, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 132, 60, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 132, 64, @on;
-- Audit Database Principal Impersonation Event
-- Occurs when an impersonation occurs within the database scope,
-- such as EXECUTE AS USER or SETUSER.
EXEC SP_TRACE_SETEVENT @TraceID, 133, 1, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 133, 6, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 133, 7, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 133, 8, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 133, 10, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 133, 11, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 133, 12, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 133, 14, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 133, 23, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 133, 26, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 133, 28, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 133, 34, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 133, 35, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 133, 38, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 133, 40, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 133, 41, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 133, 60, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 133, 64, @on;
-- Audit Server Object Take Ownership Event
-- Occurs when the owner is changed for objects in server scope.
EXEC SP_TRACE_SETEVENT @TraceID, 134, 1, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 134, 6, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 134, 7, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 134, 8, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 134, 10, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 134, 11, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 134, 12, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 134, 14, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 134, 23, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 134, 26, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 134, 28, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 134, 34, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 134, 35, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 134, 37, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 134, 39, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 134, 40, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 134, 41, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 134, 42, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 134, 43, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 134, 60, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 134, 64, @on;
-- Audit Database Object Take Ownership Event
-- Occurs when a change of owner for objects within database scope
-- occurs.
EXEC SP_TRACE_SETEVENT @TraceID, 135, 1, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 135, 6, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 135, 7, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 135, 8, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 135, 10, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 135, 11, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 135, 12, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 135, 14, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 135, 23, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 135, 26, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 135, 28, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 135, 34, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 135, 35, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 135, 37, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 135, 39, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 135, 40, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 135, 41, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 135, 60, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 135, 64, @on;
-- Audit Change Database Owner
-- Occurs when ALTER AUTHORIZATION is used to change the owner of a
-- database and permissions are checked to do that.
EXEC SP_TRACE_SETEVENT @TraceID, 152, 1, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 152, 6, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 152, 7, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 152, 8, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 152, 10, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 152, 11, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 152, 12, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 152, 14, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 152, 23, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 152, 26, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 152, 35, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 152, 39, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 152, 40, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 152, 41, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 152, 42, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 152, 43, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 152, 60, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 152, 64, @on;
-- Audit Schema Object Take Ownership Event
-- Occurs when ALTER AUTHORIZATION is used to assign an owner to an
-- object and permissions are checked to do that.
EXEC SP_TRACE_SETEVENT @TraceID, 153, 1, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 153, 6, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 153, 7, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 153, 8, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 153, 10, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 153, 11, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 153, 12, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 153, 14, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 153, 23, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 153, 26, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 153, 28, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 153, 34, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 153, 35, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 153, 37, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 153, 39, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 153, 40, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 153, 41, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 153, 59, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 153, 60, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 153, 64, @on;
-- Audit Server Scope GDR Event
-- Indicates that a grant, deny, or revoke event for permissions in
-- server scope occurred, such as creating a login.
EXEC SP_TRACE_SETEVENT @TraceID, 170, 1, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 170, 6, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 170, 7, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 170, 8, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 170, 10, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 170, 11, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 170, 12, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 170, 14, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 170, 19, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 170, 23, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 170, 26, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 170, 28, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 170, 34, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 170, 35, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 170, 37, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 170, 40, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 170, 41, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 170, 42, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 170, 43, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 170, 60, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 170, 64, @on;
-- Audit Server Object GDR Event
-- Indicates that a grant, deny, or revoke event for a schema object,
-- such as a table or function, occurred.
EXEC SP_TRACE_SETEVENT @TraceID, 171, 1, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 171, 6, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 171, 7, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 171, 8, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 171, 10, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 171, 11, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 171, 12, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 171, 14, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 171, 19, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 171, 23, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 171, 26, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 171, 28, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 171, 34, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 171, 35, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 171, 37, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 171, 40, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 171, 41, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 171, 42, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 171, 43, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 171, 60, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 171, 64, @on;
-- Audit Database Object GDR Event
-- Indicates that a grant, deny, or revoke event for database
-- objects, such as assemblies and schemas, occurred.
EXEC SP_TRACE_SETEVENT @TraceID, 172, 1, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 172, 6, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 172, 7, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 172, 8, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 172, 10, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 172, 11, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 172, 12, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 172, 14, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 172, 19, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 172, 23, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 172, 26, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 172, 28, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 172, 34, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 172, 35, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 172, 37, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 172, 39, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 172, 40, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 172, 41, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 172, 42, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 172, 43, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 172, 60, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 172, 64, @on;
-- Audit Server Operation Event
-- Occurs when Security Audit operations such as altering settings,
-- resources, external access, or authorization are used.
EXEC SP_TRACE_SETEVENT @TraceID, 173, 1, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 173, 6, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 173, 7, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 173, 8, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 173, 10, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 173, 11, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 173, 12, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 173, 14, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 173, 23, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 173, 26, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 173, 28, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 173, 34, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 173, 35, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 173, 37, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 173, 40, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 173, 41, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 173, 60, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 173, 64, @on;
-- Audit Server Alter Trace Event
-- Occurs when a statement checks for the ALTER TRACE permission.
EXEC SP_TRACE_SETEVENT @TraceID, 175, 1, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 175, 6, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 175, 7, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 175, 8, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 175, 10, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 175, 11, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 175, 12, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 175, 14, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 175, 23, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 175, 26, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 175, 28, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 175, 34, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 175, 35, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 175, 37, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 175, 40, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 175, 41, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 175, 60, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 175, 64, @on;
-- Audit Server Object Management Event
-- Occurs when server objects are created, altered, or dropped.
EXEC SP_TRACE_SETEVENT @TraceID, 176, 1, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 176, 6, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 176, 7, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 176, 8, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 176, 10, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 176, 11, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 176, 12, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 176, 14, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 176, 23, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 176, 26, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 176, 28, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 176, 34, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 176, 35, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 176, 37, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 176, 40, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 176, 41, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 176, 45, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 176, 46, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 176, 60, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 176, 64, @on;
-- Audit Server Principal Management Event
-- Occurs when server principals are created, altered, or dropped.
EXEC SP_TRACE_SETEVENT @TraceID, 177, 1, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 177, 6, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 177, 7, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 177, 8, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 177, 10, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 177, 11, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 177, 12, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 177, 14, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 177, 23, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 177, 26, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 177, 28, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 177, 34, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 177, 35, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 177, 37, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 177, 39, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 177, 40, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 177, 41, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 177, 42, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 177, 43, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 177, 45, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 177, 60, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 177, 64, @on;
-- Audit Database Operation Event
-- Occurs when database operations occur, such as checkpoint or
-- subscribe query notification.
EXEC SP_TRACE_SETEVENT @TraceID, 178, 1, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 178, 6, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 178, 7, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 178, 8, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 178, 10, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 178, 11, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 178, 12, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 178, 14, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 178, 23, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 178, 26, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 178, 28, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 178, 34, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 178, 35, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 178, 37, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 178, 40, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 178, 41, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 178, 60, @on;
EXEC SP_TRACE_SETEVENT @TraceID, 178, 64, @on;

-- Set the trace status to start.
EXEC SP_TRACE_SETSTATUS @TraceID, 1;

-- Display trace ID for future reference.
SELECT @TraceID AS TraceID;

GOTO Finish;
Error:
SELECT @rc AS ErrorCode;
Finish:
GO

EXEC SP_PROCOPTION 'fso_audit', 'startup', 'true';
GO

-- Note: Replace 'D:\' with the path and file name to your audit file.
-- Adjust the other parameters of SP_TRACE_CREATE to suit your system's circumstances.