Audit Activity
The Audit Activity page is the primary view in the kAudit portal. It shows every SQL Server audit event captured by the agent — DML statements, logins, administrative actions, schema changes — in a searchable, filterable grid.
What you'll see
A summary bar at the top shows totals for the current query window:
| Indicator | Meaning |
|---|---|
| Total Events | All audit events in the selected time range |
| Successful | Events where the SQL action completed successfully |
| Failed | Events where the action was denied or caused an error |
| Databases | Number of distinct databases with activity |
| Principals | Number of distinct SQL logins with activity |
| Latest | Timestamp of the most recent event |
Filtering activity
Use the filter form to narrow the event stream:
| Filter | Description |
|---|---|
| Date range | Limit results to a specific time window |
| Database | Filter to a single database |
| Principal | Filter by SQL login name |
| Action type | e.g., SELECT, INSERT, DELETE, DDL, LOGIN |
| Keyword search | Search across object names and statements |
| Tenant | (If you have multiple tenants) switch context |
Click Apply to run the query. Click Refresh to re-run the current query against the latest data.
Reading the event grid
Each row is one audit event. The columns you'll see most often:
| Column | Description |
|---|---|
| Timestamp | When the event occurred (converted to your local time) |
| Action | The SQL action type (SL = SELECT, IN = INSERT, etc.) |
| Status | ✅ Success or ❌ Failure |
| Principal | The SQL Server login that performed the action |
| Object | The database object accessed or modified |
| Database | The database the event occurred on |
| Application | The client application name (if captured) |
| Host | The client host machine name (if captured) |
Click any row to expand it and see the full event detail, including the full statement text if captured.
Understanding action codes
SQL Server uses short codes for audit action types. Common ones:
| Code | Action |
|---|---|
SL | SELECT |
IN | INSERT |
UP | UPDATE |
DL | DELETE |
EX | EXECUTE |
CR | CREATE |
AL | ALTER |
DR | DROP |
LO | LOGIN |
LF | LOGIN FAILED |
Failed events
Events with a Failed status represent SQL Server access denials or errors. A high volume of failed logins from the same principal or host can indicate a misconfiguration or unauthorized access attempt.
Data latency
Audit events typically appear in the portal within 30–60 seconds of occurring on the SQL Server. This is controlled by the agent's polling interval. If you aren't seeing recent events:
- Check the agent heartbeat card in the bottom-left of the portal — it shows the last time the agent connected
- Confirm the agent service is running on the SQL Server host
- Confirm SQL Server Audit is enabled and writing
.sqlauditfiles