674 CHAPTER 53 SQL Server Audit, change tracking, and change data capture ALTER SERVER AUDIT ServerAudit WITH ( STATE = ON ); GO USE [HR]; GO CREATE DATABASE AUDIT SPECIFICATION HRAudit FOR SERVER AUDIT ServerAudit ADD ( SELECT, INSERT, UPDATE, DELETE ON dbo.Employees BY [public] ) WITH ( STATE = ON ); GO When reviewing audit information (whether in a file, or in the event log), there is a variety of information available to you, including the time of the action, the session_id (SPID) of the user that performed the action, the database, server and object that was the target of the action, and whether or not the action succeeded For a full listing of the columns written to an audit row, see the Books Online topic, “SQL Server Audit Records,” located at http://msdn.microsoft.com/en-us/library/ cc280545.aspx I was disappointed to see that host name and/or IP address of the session_id is not recorded This can be important information in some instances, and is difficult to determine after the session has disconnected from the server For example, if SQL Authentication is enabled, and the sa (or another sysadmin) password is commonly known, then anyone can connect that way via their own machine, and be relatively untraceable Another important note here is that the type of action (for example, SELECT or ALTER) is recorded, but in the case of SELECT or DML queries, none of the data involved is included For example, if you run the statement in listing 3, the event log entry will look like listing (I’ve left out some of the columns) Listing Updating the Employees table UPDATE dbo.Employees SET Salary = Salary * 1.8 WHERE EmployeeID = 5; Listing Event log entry for the UPDATE command in listing Log Name: Application User: N/A Event ID: 33205 Audit event: event_time:2008-10-05 18:14:31.3784745 action_id: UP session_id: 56 session_server_principal_name: sa server_instance_name: SENTINEL\SQL2008 database_name: HR schema_name: dbo object_name: Employees statement: UPDATE [dbo].[Employees] set [Salary] = [Salary]*@1 [EmployeeID]=@2 WHERE Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark Licensed to Kerri Ross How does SQL Server 2008 solve these problems? 675 (Note that you may also see other events in the event log corresponding to the auditing activity itself.) Because the literal values in the statement are replaced by parameter placeholders, and because the previous version of the data is not included, it is going to be difficult to find the entries where salaries were increased Also, the information in the event log entry does not include the host name and/or IP address of the computer that issued the statement So, if you are using SQL Authentication and your developers share a single login, it will be difficult with auditing alone to figure out who performed this update You can work your way around this by adding the SUCCESSFUL_LOGIN_GROUP to the Server Audit Specification, as shown in listing Listing Creating a Server Audit with the SUCCESSFUL_LOGIN_GROUP USE [master]; GO CREATE SERVER AUDIT SPECIFICATION CaptureLogins FOR SERVER AUDIT ServerAudit ADD ( SUCCESSFUL_LOGIN_GROUP ) WITH ( STATE = ON ); GO Once you this, you will have login records in the log or file that you can correlate with session_id and event_time to the relevant database audit activity The successful login entry will have (in addition to session_id and other data observed above) host name information in the following form, under the Additional information field: Additional information: local machine / host name / IP If you are using Windows Authentication, on the other hand, then this seems like a reasonable way to capture exactly who executed the statement (without having to correlate to login events), but not necessarily what values they passed in Take the case where you find that Employee 5’s salary has been increased from $100,000 to $250,000 Three such events appear in the Application Log, from three different users, with the exact same UPDATE statement The first could have updated the salary to $250,000, and the other two could have left it that way (by explicitly defining $250,000 in their UPDATE statement, even though it did not ultimately change the data in the table) Or, the increment could have been performed by the second or third person, or each person could have increased the salary by $50,000 There are millions of other possible permutations, and this is a simple case Imagine trying to unravel this mystery on a busy system with thousands of simultaneous users all affecting the same table Before moving on to the next section, if you have created the sample code above, you can remove it using the code in listing Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark Licensed to Kerri Ross 676 CHAPTER 53 Listing SQL Server Audit, change tracking, and change data capture Cleaning up the audit specification USE [HR]; GO IF EXISTS ( SELECT FROM sys.database_audit_specifications WHERE name = 'HRAudit' ) BEGIN ALTER DATABASE AUDIT SPECIFICATION HRAudit WITH (STATE = OFF); DROP DATABASE AUDIT SPECIFICATION HRAudit; END GO USE [master]; GO IF EXISTS ( SELECT FROM sys.server_audit_specifications WHERE name = 'CaptureLogins' ) BEGIN ALTER SERVER AUDIT SPECIFICATION 'CaptureLogins' WITH (STATE = OFF); DROP SERVER AUDIT SPECIFICATION 'CaptureLogins'; END GO IF EXISTS ( SELECT FROM sys.server_audits WHERE name = 'ServerAudit' ) BEGIN ALTER SERVER AUDIT ServerAudit WITH (STATE = OFF); DROP SERVER AUDIT ServerAudit; END GO Change tracking Change tracking is a feature that adds the ability to determine, at a glance, which rows in a table have changed in a specified period of time This can be useful for synchronizing data between the primary database and a middle-tier data cache, and for allowing semi-connected applications to detect conflicts when updates have been made on both sides Change tracking is meant to allow you to identify the rows that changed, but does not keep any information about the values that were changed (for example, Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark Licensed to Kerri Ross How does SQL Server 2008 solve these problems? 677 a previous version of the row) Change tracking occurs synchronously, so there is some overhead to the process In general, the overhead is equivalent to the maintenance costs of adding an additional nonclustered index to the table The process assumes that you can always get the current version of the row directly from the table, and that you only care about knowing whether or not a row has changed (Change tracking is described more in-depth in Books Online, starting at the topic, “Change Tracking,” at http://msdn.microsoft.com/en-us/library/ cc280462.aspx.) To set up change tracking on a table, the table must have a primary key, and you must first enable the feature at the database level (Books Online also suggests that the database must be at least at a compatibility level of 90, and that snapshot isolation is enabled.) Using the HR database and the dbo.Employees table created in the previous section, you can enable change tracking as shown in listing Listing Enabling change tracking ALTER DATABASE HR SET ALLOW_SNAPSHOT_ISOLATION ON; ALTER DATABASE HR SET CHANGE_TRACKING = ON (CHANGE_RETENTION = DAYS, AUTO_CLEANUP = ON); GO USE HR; GO ALTER TABLE dbo.Employees ENABLE CHANGE_TRACKING WITH (TRACK_COLUMNS_UPDATED = OFF); GO At the database level, the option CHANGE_RETENTION indicates how long you keep information about rows that have changed If the applications last checked for changed data before that period started, then they will need to proceed as if the entire table is brand new (so a caching application, for example, will need to reload the entire table and start from scratch) AUTO_CLEANUP is the option that specifies whether this periodic purging should take place, and it can be disabled for troubleshooting purposes Although this sounds like something that requires SQL Server Agent, it is handled by an internal background task It will work on all editions of SQL Server, including Express Edition, with or without SQL Server Agent enabled At the table level, the TRACK_COLUMNS_UPDATED option is used to specify whether the system should store information about which columns were changed, or store the fact that the row was changed The former can be useful for an application that tries to synchronize or cache data from a table that contains both an INT column and a LOB column (for example, VARCHAR(MAX)) Instead of pulling an identical copy of the LOB column for a row that changed, it can ignore that column and keep its local copy if it knows that it was not a part of any update that has happened since it was last loaded Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark Licensed to Kerri Ross 678 CHAPTER 53 SQL Server Audit, change tracking, and change data capture Once change tracking is enabled, what an application can is connect to the database, and determine the current baseline version of the table This is a BIGINT value that is returned by calling the new function CHANGE_TRACKING_CURRENT_ VERSION() (this represents the most recent committed transaction) Once the application knows this value, it can load all of the data from the table, and then can check for further updates later using the CHANGETABLE() function This function will return a set of data representing any rows that have changed in the specified table since the baseline version retrieved above The following is all in T-SQL, but you can envision how an application would use the same logic Open two new query windows in Management Studio, connected to the HR database, and run the code in listing Listing Determining (and updating) the baseline version of a table SET TRANSACTION ISOLATION LEVEL SNAPSHOT; Check the current baseline: SELECT Baseline = CHANGE_TRACKING_CURRENT_VERSION(); Load the current version of the table: SELECT EmployeeID, FirstName, LastName, Salary FROM dbo.Employees; Now, switch to the second query window, and make some updates to the table: UPDATE dbo.Employees SET LastName = 'Kinison' WHERE EmployeeID = 2; DELETE dbo.Employees WHERE EmployeeID = 5; INSERT dbo.Employees ( EmployeeID, FirstName, LastName, Salary ) SELECT 6, 'Kirby', 'Quigley', 62500; Listing shows the code to retrieve the changes made to the Employees table Replace with the result from the baseline query in listing Listing Retrieving changes to the Employees table SELECT NewBaseLine = CHANGE_TRACKING_CURRENT_VERSION(), cv = SYS_CHANGE_VERSION, ccv = SYS_CHANGE_CREATION_VERSION, op = SYS_CHANGE_OPERATION, EmployeeID FROM CHANGETABLE(CHANGES dbo.Employees, ) AS ChT; The results should look something like this: NewBaseLine 3 cv ccv NULL NULL op U D I EmployeeID Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark Licensed to Kerri Ross How does SQL Server 2008 solve these problems? 679 Now, the application can use this output to determine which of the following it needs to do: ƒ Reload the data from the row for EmployeeID 2, because it has been updated since the last time it was loaded ƒ Load the new row for EmployeeID 6, because it has been created since the table was last loaded ƒ Remove the row for EmployeeID from its local cache, because it has been deleted ƒ Record the new baseline value (3) as it will need to use this as the version to check against the next time it polls for changes Note that change tracking does not record any information about the user who made the change It only records the fact that a row changed But as with SQL Server Audit, there are ways around this limitation SQL Server 2008 supports new syntax to allow change tracking to add some contextual information to the DML statement, allowing that data to be stored along with other details of the change This was intended to provide an application the ability to differentiate between its own updates from those of other applications, but you can use it for whatever other devious purposes you can dream up For example, as shown in listing 10, you can easily add information such as host name and user name using an INSTEAD OF UPDATE TRIGGER, by utilizing the new WITH CHANGE_TRACKING_CONTEXT() construct, in order to store information about users performing updates to your table Listing 10 Using WITH CHANGE_TRACKING_CONTEXT() in an INSTEAD OF trigger CREATE TRIGGER dbo.AppendEmployeeUpdates ON dbo.Employees INSTEAD OF UPDATE AS BEGIN SET NOCOUNT ON; DECLARE @i VARBINARY(128); SET @i = CONVERT ( VARBINARY(128), SUSER_SNAME() + '|' + HOST_NAME() ); WITH CHANGE_TRACKING_CONTEXT (@i) UPDATE e SET e.FirstName = i.FirstName, e.LastName = i.LastName, e.Salary = i.Salary FROM dbo.Employees e INNER JOIN inserted i ON e.EmployeeID = i.EmployeeID; END GO Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark Licensed to Kerri Ross 680 CHAPTER 53 SQL Server Audit, change tracking, and change data capture In this case, because you are not tracking individual column updates, you don’t have to worry about only updating those columns that have changed If you implement a solution where individual columns matter, you might want more complex logic such that the trigger only touches the base table columns that should now contain different values And for an even more bulletproof trigger, you would also want to handle the case where the primary key might change (even though, in theory, this should never happen) You could this in a stored procedure instead, if you can prevent direct updates to the table itself, and enforce all access via stored procedures That is possible in some environments, but not all Once the trigger is in place, you can run the following UPDATE statement: UPDATE dbo.Employees SET LastName = 'Malone' WHERE EmployeeID = 2; And now when you call the CHANGETABLE function, as shown in listing 11, you can add a new column that will return that contextual information (assuming the existing baseline was after the above statements) Listing 11 Calling the CHANGETABLE function SELECT NewBaseLine = CHANGE_TRACKING_CURRENT_VERSION(), [user|host] = CONVERT(NVARCHAR(128), SYS_CHANGE_CONTEXT), cv = SYS_CHANGE_VERSION, ccv = SYS_CHANGE_CREATION_VERSION, op = SYS_CHANGE_OPERATION, EmployeeID FROM CHANGETABLE(CHANGES dbo.Employees, 3) AS ChT; results: NewBaseLine user|host cv SENTINEL\Aaron|SENTINEL 11 ccv NULL op EmployeeID U Arguably, you could also use the trigger to store the old and new values off in a table somewhere for deferred analysis But that would require you to manually create tables to capture all of that information, and come up with your own cleanup mechanism And, without spoiling any surprises, you would be duplicating the functionality of another feature added in SQL Server 2008 Before proceeding, you can disable change tracking on the HR database and the dbo.Employees table using the code in listing 12 Listing 12 Disabling change tracking USE [HR]; GO ALTER TABLE dbo.Employees DISABLE CHANGE_TRACKING; ALTER DATABASE HR SET CHANGE_TRACKING = OFF; Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark Licensed to Kerri Ross How does SQL Server 2008 solve these problems? 681 Change data capture Change data capture (CDC) is similar to change tracking in that it captures information about changes to data But the information it captures (and how) is significantly different Instead of capturing the primary key for each row that has changed, it records the data that has changed, for all columns, or for the subset of columns you specify It records all of the data for INSERTs and DELETEs, and in the case of UPDATEs, it records both the before and after image of the row And it does this by periodically retrieving data from the SQL transaction log, so the activity does not interfere directly with your OLTP processes It does require that SQL Server Agent is enabled and running The primary motivation for including CDC in SQL Server 2008 was to facilitate an easier process for extract, transform, and load (ETL) applications Making all of the changed data available separately allows the application to pull only the updated data, without having to go to the base tables for the data (or to verify timestamp columns or perform expensive joins to determine deltas) You can investigate CDC in much more depth starting with the Books Online topic, “Overview of Change Data Capture,” located at http://msdn.microsoft.com/en-us/library/cc627397.aspx To set up CDC, you must be running Enterprise or Developer Edition, and you must enable it at the database level first, and then for each table you want to capture Note that unlike SQL Server Audit and change tracking, CDC features are enabled and disabled via system stored procedure calls Using the same HR database and dbo.Employees table as in previous sections, listing 13 shows the commands necessary to start capturing data changes Listing 13 Enabling a database and table for change tracking USE HR; GO EXEC sys.sp_cdc_enable_db; GO EXEC sys.sp_cdc_enable_table @source_schema = N'dbo', @source_name = N'Employees', @supports_net_changes = 1, @role_name = NULL; GO The first two parameters to the enable_table stored procedure are self-explanatory, but the last two are not The @supports_net_changes parameter dictates whether the changed data can be retrieved as a data set that includes one row per key value, summarizing all of the changes that took place in the indicated timeframe (in this way, it works similarly to change tracking, but you will also see the data in each column in addition to the primary key value) Note that to support net changes, the source table must have a primary key or a unique index defined You will still be able to investigate each individual change, but if you look at the net, this will allow you to perform one DML statement on the target instead of multiple, in the case where your extract, Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark Licensed to Kerri Ross 682 CHAPTER 53 SQL Server Audit, change tracking, and change data capture transform, and load (ETL) program is replicating changes to another system The @role_name parameter is used to specify who can access the changed data table This can be a fixed server role, a database role, or left as NULL (in which case, sysadmin and db_owner have full access, and other users inherit their permissions from the base table) The sys.sp_cdc_enable_table stored procedure has five other optional parameters One is called @captured_column_list, which allows you to capture only changes to a specific subset of the columns For example, you may not want to capture VARCHAR(MAX) or VARBINARY(MAX) contents, when all that has changed is a BIT column The other is @filegroup_name, which lets you place the captured data on a filegroup other than PRIMARY/DEFAULT The other three are @capture_instance, which allows you to specify a name for your CDC instance (because you can have multiple captures on the same table); @index_name, allowing you to specify an unique index instead of the primary key; and @allow_partition_switch, which lets you dictate whether partition switches are allowed against the source table The @capture_instance parameter can be particularly useful in preventing the system from trying to create conflicting names for the capture instance table For example, if you have a table called dbo_foo.bar and another table called dbo.foo_bar, enabling both for CDC, without specifying a value for @capture_instance, will fail This is because CDC tries to name both capture tables “dbo_foo_bar.” Although this is a fairly contrived case, if in doubt, use the @capture_instance parameter to ensure you have unique names To retrieve information about data changes to a table, you use the new CDC functions cdc.fn_cdc_get_all_changes_ and, if you have enabled net changes, cdc.fn_cdc_get_net_changes_ These procedures require from and to parameters, but they are not based on time; instead you must determine the range of log sequence numbers (LSNs) that you wish to query To obtain this information, you can use the function sys.fn_cdc_map_time_to_lsn Now that CDC is enabled for the dbo.Employees table (make sure once again that SQL Server Agent is running), you can make some changes to the data, and see how you (or your applications) might query for the individual or net changes Run the DML statements in listing 14 Listing 14 Inserting data into the Employees table SELECT CURRENT_TIMESTAMP; INSERT dbo.Employees ( EmployeeID, FirstName, LastName, Salary ) SELECT 7, 'Howard', Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark Licensed to Kerri Ross How does SQL Server 2008 solve these problems? 683 'Jones', 80000; UPDATE dbo.Employees SET LastName = 'Donaldson' WHERE EmployeeID = 3; UPDATE dbo.Employees SET Salary = Salary * WHERE EmployeeID = 4; DELETE dbo.Employees WHERE EmployeeID = 6; UPDATE dbo.Employees SET LastName = 'Stern' WHERE EmployeeID = 7; UPDATE dbo.Employees SET LastName = 'Malone' WHERE EmployeeID = 3; Be sure to copy the result from the very first line in the query You will need this to determine the range of LSNs you will need to pull from the CDC table Now you can run the query in listing 15 Listing 15 Query against (and results from) a change data capture function DECLARE @start @end @lsn_A @lsn_B DATETIME, DATETIME, BINARY(10), BINARY(10); SELECT @start @end = @lsn_A @lsn_B = '', CURRENT_TIMESTAMP, = sys.fn_cdc_map_time_to_lsn('smallest greater than', @start), = sys.fn_cdc_map_time_to_lsn('largest less than', @end); SELECT operation = CASE $operation WHEN THEN 'D' WHEN THEN 'I' WHEN THEN 'U' ELSE NULL END, EmployeeID, FirstName, LastName, Salary FROM cdc.fn_cdc_get_all_changes_dbo_Employees(@lsn_A, @lsn_B, 'all'); result: Operation EmployeeID I U U D U U FirstName LastName Howard Jones Don Donaldson Teemu Selanne Kirby Quigley Howard Stern Don Malone Salary 80000.00 125000.00 227000.00 62500.00 80000.00 125000.00 This result set does not include the before images of rows affected by UPDATE statements, because it is intended to be used to make a target data source look like the source Hopefully you can see here that it would be easy to reconstruct all of the DML statements, in order to apply the same changes to another table that looked identical to this one before you made changes If you change the final SELECT to use the get_net_changes function instead, as shown in listing 16, you can see that the set is compressed Only the values necessary to make the target table look like the source (with one row per key) are included Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark Licensed to Kerri Ross ... ''CaptureLogins''; END GO IF EXISTS ( SELECT FROM sys .server_ audits WHERE name = ''ServerAudit'' ) BEGIN ALTER SERVER AUDIT ServerAudit WITH (STATE = OFF); DROP SERVER AUDIT ServerAudit; END GO Change tracking Change... something that requires SQL Server Agent, it is handled by an internal background task It will work on all editions of SQL Server, including Express Edition, with or without SQL Server Agent enabled... decide whether to use SQL Server Audit, change tracking, or CDC Table Comparing SQL Server Audit, change tracking, and change data capture Criteria Capture DML statements SQL Server Audit Change