Recently I spent months of my life working on STIG and CIS compliance at my job, and one of those tasks was setting up SQL Audit for STIG. Now, that might seem like a trivial task; after all, don’t you just have to create an audit and audit specification and let it run? If only it were that easy. Some of the specifications can have a significant performance impact on your system depending on the type of activity happening, and if you happen to be lucky enough to have monitoring software set up, you will be logging even more data that doesn’t make sense to log. In addition, on my system we are using SQL replication, and that activity, due to volume, doesn’t make sense to log. So, let’s walk through my setup and how I got there, the how I got there being the most important part, so you can figure out how to use filters to set up a SQL audit that does not kill your performance.
Read on for the audit specification and server audit scripts, as well as some details on how to read from server audits.