Audit Action Groups

SQL Server groups auditable actions into convenient categories called Audit Action Groups. You can enable action groups for auditing on a specific database or across the entire server. Action groups cover all auditable actions except a few Transact-SQL commands called audit actions.

Some action groups comprise only server level operations (e.g. create database, drop server role) and so are only available in server audit specifications. Other action groups are applicable at the database level but can be included in a server audit specification so that those actions are audited on all databases - even new ones created the future. This is indicated in the Database and Server columns below.

With SQL Server 2012 and 2016, Microsoft introduced some new audit action groups also indicated in the table below. Also some action groups that were formerly server-level only, became available at the database level and are indicated by the footnote.

LOGbinder provides a free tool to help you implement audit policy through a step-by-step interface: SQL Audit Policy Wizard.

Action Group Database Server SQL 2012 SQL 2016
APPLICATION_ROLE_CHANGE_PASSWORD_GROUP •*    
AUDIT_CHANGE_GROUP •*    
BACKUP_RESTORE_GROUP •*    
BROKER_LOGIN_GROUP      
DATABASE_CHANGE_GROUP   •**
Database-level Audit Actions      
DATABASE_LOGOUT_GROUP  
DATABASE_MIRRORING_LOGIN_GROUP      
DATABASE_OBJECT_ACCESS_GROUP    
DATABASE_OBJECT_CHANGE_GROUP   •**
DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP    
DATABASE_OBJECT_PERMISSION_CHANGE_GROUP    
DATABASE_OPERATION_GROUP    
DATABASE_OWNERSHIP_CHANGE_GROUP    
DATABASE_PERMISSION_CHANGE_GROUP    
DATABASE_PRINCIPAL_CHANGE_GROUP    
DATABASE_PRINCIPAL_IMPERSONATION_GROUP    
DATABASE_ROLE_MEMBER_CHANGE_GROUP    
DBCC_GROUP •*    
FAILED_DATABASE_AUTHENTICATION_GROUP  
FAILED_LOGIN_GROUP      
FULL_TEXT_GROUP      
LOGIN_CHANGE_PASSWORD_GROUP      
LOGOUT_GROUP      
SCHEMA_OBJECT_ACCESS_GROUP    
SCHEMA_OBJECT_CHANGE_GROUP    
SCHEMA_OBJECT_OWNERSHIP_CHANGE_GROUP    
SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP    
SERVER_OBJECT_CHANGE_GROUP      
SERVER_OBJECT_OWNERSHIP_CHANGE_GROUP      
SERVER_OBJECT_PERMISSION_CHANGE_GROUP      
SERVER_OPERATION_GROUP     •**
SERVER_PERMISSION_CHANGE_GROUP      
SERVER_PRINCIPAL_CHANGE_GROUP      
SERVER_PRINCIPAL_IMPERSONATION_GROUP      
SERVER_ROLE_MEMBER_CHANGE_GROUP      
SERVER_STATE_CHANGE_GROUP      
SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP  
SUCCESSFUL_LOGIN_GROUP      
TRACE_CHANGE_GROUP      
TRANSACTION_GROUP     •***
USER_CHANGE_PASSWORD_GROUP  
USER_DEFINED_AUDIT_GROUP  

* Available on database audit specifications as of SQL Server 2012
** Some events in this action group are available as of SQL Server 2016
*** Available on server audit specifications as of SQL Server 2016

 

Upcoming Webinars
    Additional Resources