We started with SQL Extended events.
The SQL logs are now stored in Windows Application logs, but there are several issues with managing these logs in SEM.
1. There are wayyyyy more logs coming in than when we used to get with MSSQL Auditor. This is because with MSSQL Auditor we were able to select the types of events and fields in Profiler that we wanted to be captured.
With SQL Extended Events, it seems like you can't easily do that, and we're overloaded with tons of system noise like: DB health, always on dashboard, native sql queries etc...
2. The MSSQL application log needs to be fixed in order to properly report the fields that it can gather, and then add a few more critical ones that need to be picked.
The fields from Windows events like database_name, application_name, client_ip and object_name need to be captured and shown in the SEM UI. They're currently not.
ServiceName field should have: application_name
DetectionIP field should have: client_ip
database_name should be stored either in ExtraneousInfo or another field where you can filter easily.
3. It would help if these events would be classified as ObjectAudit events instead of Service Info.
That is because then we can easily create custom reports with the LEM Reports application, due to the Object Audit templates that are readily available.
Below are all the (*anonymized) raw fields that get generated by SQL Extended Events and stored in the Windows Event log, but then some of them fail to be collected by SEM.
Ideally the fields in bold should be captured by SEM.
Audit event: audit_schema_version:1
event_time:2019-06-03 13:43:31
sequence_number:1
action_id:SL
succeeded:true
is_column_permission:true
session_id:123
server_principal_id:123
database_principal_id:123
target_server_principal_id:123
target_database_principal_id:123
object_id:123123123123
user_defined_event_id:123
transaction_id:123
class_type:U
duration_milliseconds:0
response_rows:123
affected_rows:123
client_ip:123.123.123.123
permission_bitmask:123123123123123123123123123
sequence_group_id:123A-123B-123C-123D-123E-123F
session_server_principal_name:domain\user.name
server_principal_name:domain\user.name
server_principal_sid:q7834tuifhbsdrwetyhghsldk
database_principal_name:sample
target_server_principal_name:
target_server_principal_sid:
target_database_principal_name:
server_instance_name:SQL-SERVER
database_name:dbname
schema_name:xxxx
object_name:xxxxxxx
statement:select xxxxx from xxxxxxxxx
additional_information:
user_defined_information:
application_name:SQL Management Application
Another thing is if the default preceding text could be removed (in the connector) and the value then shown clean in the SEM UI.
Example:
Instead of having this in SEM
statement:select xxxxx from xxxxxxxxx
We should only have
select xxxxx from xxxxxxxxx
I hope this helps, as the support staff suggested I also post this here.
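To make the requested mapping concrete, here is an added example (not code from the original post or from SolarWinds SEM) of the parsing a connector would need to do: split the Windows event text into fields on the first colon only, so the "statement:" prefix is dropped without truncating T-SQL that contains colons, and then map the raw names onto the SEM fields named in the post. The sample event is constructed from the anonymized one above; the field names ServiceName, DetectionIP and ExtraneousInfo and the ObjectAudit classification come from the post, while SourceAccount and ObjectName are assumed field names.

```python
from typing import Dict

# Constructed sample, modelled on the anonymized SQL Server audit event above:
# one "key:value" per line, the first line prefixed with "Audit event: ".
SAMPLE_EVENT = """Audit event: audit_schema_version:1
event_time:2019-06-03 13:43:31
action_id:SL
succeeded:true
session_id:123
client_ip:123.123.123.123
server_principal_name:domain\\user.name
server_instance_name:SQL-SERVER
database_name:dbname
schema_name:xxxx
object_name:xxxxxxx
statement:select xxxxx from xxxxxxxxx where note = 'a:b'
additional_information:
application_name:SQL Management Application"""


def parse_audit_event(text: str) -> Dict[str, str]:
    """Turn the raw event text into a dict of raw field name -> value.

    Splitting on the FIRST colon only keeps timestamps and statements that
    contain ':' intact; empty values (e.g. additional_information) stay as "".
    """
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Audit event:"):          # leading label on line 1
            line = line[len("Audit event:"):].strip()
        if ":" not in line:
            continue                                  # not a key:value line
        key, value = line.split(":", 1)
        fields[key.strip()] = value.strip()
    return fields


def normalize(fields: Dict[str, str]) -> Dict[str, object]:
    """Map raw SQL audit fields onto SEM-style fields as the post requests.

    ServiceName, DetectionIP, ExtraneousInfo and the ObjectAudit type are the
    names used in the post; SourceAccount and ObjectName are assumed names.
    """
    return {
        "EventType": "ObjectAudit",                           # not Service Info
        "ServiceName": fields.get("application_name", ""),
        "DetectionIP": fields.get("client_ip", ""),
        "SourceAccount": fields.get("server_principal_name", ""),
        "ObjectName": fields.get("object_name", ""),
        "ExtraneousInfo": "database_name=" + fields.get("database_name", ""),
        "Statement": fields.get("statement", ""),             # prefix already gone
        "Succeeded": fields.get("succeeded", "").lower() == "true",
    }
```

Running `normalize(parse_audit_event(SAMPLE_EVENT))` yields the clean statement text without the "statement:" label and the database name in ExtraneousInfo, which is the shape the post asks the connector to produce.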