Configure Audit Files
Once SQL Server Audit is writing .sqlaudit files to disk, you need to ensure the kAudit Agent can reliably read them. This page covers path configuration, rollover settings, folder permissions, and how to point the agent at the right location.
Audit file path reference
The path you provide to the kAudit Agent must match the FILEPATH set in your CREATE SERVER AUDIT statement, with a glob pattern for the file extension:
| SQL Server Audit FILEPATH | Agent AuditFilePath |
|---|---|
| C:\Audit\ | C:\Audit\*.sqlaudit |
| D:\SQLAudit\prod\ | D:\SQLAudit\prod\*.sqlaudit |
| /var/opt/mssql/audit/ | /var/opt/mssql/audit/*.sqlaudit |
Rollover settings
SQL Server rotates audit files automatically based on your CREATE SERVER AUDIT settings:
TO FILE (
    FILEPATH = 'C:\Audit\',
    MAXSIZE = 50 MB,           -- Rotate when file reaches this size
    MAX_ROLLOVER_FILES = 10,   -- Keep at most 10 rotated files
    RESERVE_DISK_SPACE = OFF
)
Recommended settings:
| Setting | Recommended | Notes |
|---|---|---|
| MAXSIZE | 50–100 MB | Larger files reduce rotation frequency but slow startup reads |
| MAX_ROLLOVER_FILES | 10–20 | Ensure enough history for the agent to catch up after downtime |
| RESERVE_DISK_SPACE | OFF | Reduces pre-allocated disk usage |
Don't set MAX_ROLLOVER_FILES too low
If the agent is offline for a period (maintenance, update, etc.), SQL Server may roll over files before the agent reads them. Set MAX_ROLLOVER_FILES high enough to retain at least 24–48 hours of audit history based on your expected event volume.
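One way to turn the 24–48 hour guidance into a measured value, as an added example (not part of the kAudit documentation or product): the hypothetical function `Test-AuditRetention` measures how quickly files have been rolling over and projects how many hours of history the rotated files hold. It assumes each file's creation time marks a rollover and that the parameter values match your CREATE SERVER AUDIT settings.

```powershell
# Added example; Test-AuditRetention and its parameters are hypothetical names.
function Test-AuditRetention {
    param(
        [string]$AuditFilePath    = 'C:\Audit\*.sqlaudit',  # same glob the agent uses
        [int]   $MaxRolloverFiles = 10,                      # MAX_ROLLOVER_FILES
        [double]$MinHours         = 24                       # required history window
    )

    # Oldest file first. The newest file is the one SQL Server is still writing.
    $files = @(Get-ChildItem -Path $AuditFilePath -File | Sort-Object CreationTime)
    if ($files.Count -lt 2) {
        Write-Warning 'Need at least one rotated file plus the current file to estimate retention.'
        return
    }

    # Time between the first and last file creation covers ($files.Count - 1) full files.
    $span = $files[-1].CreationTime - $files[0].CreationTime
    if ($span.TotalHours -le 0) {
        Write-Warning 'Files share the same creation time; cannot derive a rollover rate.'
        return
    }
    $hoursPerFile = $span.TotalHours / ($files.Count - 1)

    # Conservative projection: count only the rotated files, not the current one.
    $projected = $hoursPerFile * $MaxRolloverFiles

    [pscustomobject]@{
        FilesOnDisk         = $files.Count
        AvgHoursPerFile     = [math]::Round($hoursPerFile, 2)
        ProjectedHours      = [math]::Round($projected, 1)
        MeetsMinimum        = $projected -ge $MinHours
        MinRolloverFiles    = [int][math]::Ceiling($MinHours / $hoursPerFile)
    }
}

Test-AuditRetention -AuditFilePath 'C:\Audit\*.sqlaudit' -MaxRolloverFiles 10 -MinHours 24
```

The result is an average over the files currently on disk, so a burst of audit activity can roll files over faster than `AvgHoursPerFile` suggests.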
Folder permissions
The agent reads files as the Windows service account — by default NT SERVICE\kAuditEventHubPublisher.
Grant Read permission on the audit folder:
# Grant read access to the default service account
$acl = Get-Acl "C:\Audit"
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "NT SERVICE\kAuditEventHubPublisher",
    "Read",
    "ContainerInherit, ObjectInherit",
    "None",
    "Allow"
)
$acl.SetAccessRule($rule)
Set-Acl "C:\Audit" $acl
If you're using a custom service account, substitute the appropriate account name.
Also ensure the SQL Server service account has Write access to the same folder (it usually does by default if you set FILEPATH through SSMS).
Validate the path from the agent host
Before running the installer, confirm the agent can see the audit files:
# Run on the SQL Server host as the service account or Administrator
Get-ChildItem "C:\Audit\*.sqlaudit" | Select-Object Name, Length, LastWriteTime
Expected: a list of .sqlaudit files. If the folder is empty, wait for SQL Server to generate audit activity or check that the Server Audit is enabled with STATE = ON.
Audit file naming
SQL Server names audit files with a timestamp suffix:
kAudit_ServerAudit_20260502_143022_0_1234567890.sqlaudit
The agent uses a cursor to track its position across file rollovers; you don't need to manage file names manually.
Agent config reference
The AuditFilePath in your agent config should use the glob pattern:
"AuditSource": {
    "Type": "DirectFile",
    "DirectFile": {
        "AuditFilePath": "C:\\Audit\\*.sqlaudit"
    }
}
Note: In JSON, backslashes must be doubled (\\).
