kAudit

Appearance

Enable SQL Server Audit

kAudit reads SQL Server's native audit output — .sqlaudit files written to disk by SQL Server's built-in audit engine. You need to enable a Server Audit and a Database Audit Specification before the kAudit Agent can collect events.

Quick check — is auditing already enabled?

Run this on your SQL Server to see if audit files are already being produced:

sql
SELECT TOP 5
    event_time,
    action_id,
    database_name,
    statement
FROM sys.fn_get_audit_file('C:\Audit\*.sqlaudit', DEFAULT, DEFAULT)
ORDER BY event_time DESC;
  • Returns rows — SQL Server Audit is working. Note the file path and proceed to Configure Audit Files.
  • Returns no rows or throws an error — follow the setup steps below.

Step 1 — Create a Server Audit

Connect to your SQL Server in SSMS or Azure Data Studio and run:

sql
USE master;
GO

CREATE SERVER AUDIT [kAudit_ServerAudit]
TO FILE (
    FILEPATH = 'C:\Audit\',       -- Folder must exist and be writable
    MAXSIZE  = 50 MB,
    MAX_ROLLOVER_FILES = 10,
    RESERVE_DISK_SPACE = OFF
)
WITH (ON_FAILURE = CONTINUE);
GO

ALTER SERVER AUDIT [kAudit_ServerAudit] WITH (STATE = ON);
GO

Choose your audit path

The FILEPATH must point to a folder that:

  • Already exists on the SQL Server host
  • Is writable by the SQL Server service account
  • Has sufficient disk space for audit file rollover (at least 10× MAXSIZE recommended)

Step 2 — Create a Database Audit Specification

For each database you want to monitor, run:

sql
USE [YourDatabase];
GO

CREATE DATABASE AUDIT SPECIFICATION [kAudit_DatabaseAuditSpec]
FOR SERVER AUDIT [kAudit_ServerAudit]
ADD (SELECT   ON DATABASE::[YourDatabase] BY [public]),
ADD (INSERT   ON DATABASE::[YourDatabase] BY [public]),
ADD (UPDATE   ON DATABASE::[YourDatabase] BY [public]),
ADD (DELETE   ON DATABASE::[YourDatabase] BY [public]),
ADD (EXECUTE  ON DATABASE::[YourDatabase] BY [public]),
ADD (DATABASE_OBJECT_CHANGE_GROUP),
ADD (SCHEMA_OBJECT_ACCESS_GROUP);
GO

ALTER DATABASE AUDIT SPECIFICATION [kAudit_DatabaseAuditSpec]
    WITH (STATE = ON);
GO

Replace [YourDatabase] with the name of the database you want to audit.

Repeat this block for each additional database.

Step 3 — Verify audit output

Wait a few seconds for SQL Server to generate at least one audit event (any query against the database will do), then re-run the validation query:

sql
SELECT TOP 20
    event_time,
    action_id,
    succeeded,
    server_principal_name,
    database_name,
    object_name,
    statement
FROM sys.fn_get_audit_file('C:\Audit\*.sqlaudit', DEFAULT, DEFAULT)
ORDER BY event_time DESC;

You should see rows. If you do, SQL Server Audit is configured correctly.

Next step

Configure Audit Files → — set rollover behavior, folder permissions, and validate the path for the kAudit Agent

SQL Audit Monitoring, made simple.

Copyright © 2024–2026 Kovoco. All rights reserved.