The extrainfo column contains a sequence of data separated by semicolons. The data is organized in the following categories.
Position |
Category |
Description |
|---|---|---|
1 |
Roles |
A list of active roles, separated by blanks. |
2 |
Keywords or Options |
The name of the keyword or option that was used for the event. For example, for the alter table command, the add column or drop constraint options might have been used. If multiple keywords or options are listed, they are separated by commas. |
3 |
Previous value |
If the event resulted in the update of a value, this item contains the value prior to the update. |
4 |
Current value |
If the event resulted in the update of a value, this item contains the new value. |
5 |
Other information |
Additional security-relevant information that is recorded for the event. |
6 |
Proxy information |
The original login name if the event occurred while a set proxy was in effect. |
7 |
Principal name |
The principal name from the underlying security mechanism if the user’s login is the secure default login, and the user logged in to Adaptive Server via unified login. The value of this item is NULL if the secure default login is not being used. |
This example shows an extrainfo column entry for the event of changing an auditing configuration parameter.
sso_role;suspend audit when device full;1;0;;ralph;
This entry indicates that a system security officer changed suspend audit when device full from 1 to 0. There is no “other information” for this entry. The sixth category indicates that the user “ralph” was operating with a proxy login. No principal name is provided.
The other fields in the audit record give other pertinent information. For example, the record contains the server user ID (suid) and the login name (loginname).
Table 10-5 lists the values that appear in the event column, arranged by sp_audit option. The “Information in extrainfo” column describes information that might appear in the extrainfo column of an audit table, based on the categories described in Table 10-4.
Audit option |
Command or access to be audited |
event |
Information in extrainfo |
|---|---|---|---|
(Automatically audited event not controlled by an option) |
Enabling auditing with: sp_configure auditing |
73 |
— |
(Automatically audited event not controlled by an option) |
Disabling auditing with: sp_configure auditing |
74 |
— |
Unlocking Administrator’s account |
Disabling auditing with: sp_configure auditing |
74 |
— |
adhoc |
User-defined audit record |
1 |
extrainfo is filled by the text parameter of sp_addauditrecord |
alter |
alter database |
2 |
Subcommand keywords:
|
alter...modify owner name_in_db |
124 |
Subcommand keywords:
|
|
alter...modify owner login_name |
124 |
Subcommand keywords: Do not apply to user-defined datatypes: For objects: login_name preserve permissions if the option is specified. |
|
alter table |
3 |
Subcommand keywords:
If one or more encrypted columns are added, extrainfo contains the following, where keyname is the fully qualified name of the key: add/drop/modify column column1/keyname1, [,column2/keyname2] |
|
bcp |
bcp in |
4 |
— |
bind |
sp_bindefault |
6 |
Other information: Name of the default |
sp_bindmsg |
7 |
Other information: Message ID |
|
sp_bindrule |
8 |
Other information: Name of the rule |
|
all, create |
create database |
9 |
Keywords or options: inmemory |
cmdtext |
All commands |
92 |
Full text of command, as sent by the client |
create |
create database |
9 |
— |
create default |
14 |
— |
|
create procedure |
11 |
— |
|
create rule |
13 |
— |
|
create table |
10 |
For encrypted columns, extrainfo contains column names and keynames. EK column1/keyname1[,column2 keyname2] where EK is a prefix indicating that subsequent information refers to encryption keys and keyname is the fully qualified name of the key. |
|
create trigger |
12 |
— |
|
create view |
16 |
— |
|
create index |
104 |
Other information: Name of the index |
|
create function |
97 |
— |
|
sp_addmessage |
15 |
Other information: Message number |
|
dbaccess |
Any access to the database by any user |
17 |
Keywords or options:
|
dbcc |
dbcc all keywords |
81 |
Keywords or options: Any of the dbcc keywords such as checkstorage and the options for that keyword. |
delete |
delete from a table |
18 |
Keywords or options: delete |
delete from a view |
19 |
Keywords or options: delete |
|
disk |
disk init |
20 |
Keywords or options: disk init Other information: Name of the disk |
disk mirror |
23 |
Keywords or options: disk mirror Other information: Name of the disk |
|
disk refit |
21 |
Keywords or options: disk refit Other information: Name of the disk |
|
disk reinit |
22 |
Keywords or options: disk reinit Other information: Name of the disk |
|
disk release |
87 |
Keywords or options: disk release Other information: Name of the disk |
|
disk remirror |
25 |
Keywords or options: disk remirror Other information: Name of the disk |
|
disk unmirror |
24 |
Keywords or options: disk unmirror Other information: Name of the disk |
|
disk resize |
100 |
Keywords or options: disk resize Other information: Name of the disk |
|
drop |
drop database |
26 |
— |
drop default |
31 |
— |
|
drop procedure |
28 |
— |
|
drop table |
27 |
— |
|
drop trigger |
29 |
— |
|
drop rule |
30 |
— |
|
drop view |
33 |
— |
|
drop index |
105 |
Other information: Index name |
|
drop function |
98 |
— |
|
sp_dropmessage |
32 |
Other information: Message number |
|
dump |
dump database |
34 |
— |
dump transaction |
35 |
— |
|
encryption_key |
sp_encryption |
106 |
If password is set the first time:
If the password is subsequently changed:
|
create encryption key |
107 |
Keywords contain: algorithm name-bitlength/IV [random|NULL]/pad [random |NULL] user/system For example: |
|
alter encryption key |
108 |
default/not default |
|
drop encryption key |
109 |
||
AEK modify encryption |
118 |
modify encryption
with user passwd
| for user username
{with login passwd
| with user passwd
| with keyvalue}
[for recovery
Note that keyvalue is displayed only for replication of alter encryption key modify encryption. For example, when user “stephen” modifies his key copy, the following information is saved: MODIFY ENCRYPTION for user stephen WITH USER PASSWD |
|
AEK add encryption |
119 |
add encryption for user user_name for login association | recovery|with keyvalue] Note that keyvalue is displayed only for replication of alter encryption key add encryption. |
|
alter encryption key drop encryption |
120 |
drop encryption [for recovery | for user user_name See the Encrypted Columns Users Guide. |
|
alter encryption key modify owner |
121 |
modify owner [new owner user_name] See the Encrypted Columns Users Guide. |
|
alter encryption key recover key |
122 |
recovery key [with key_value] with keyvalue is only used during replication of alter encryption key See the Encrypted Columns Users Guide. |
|
errorlog |
errorlog or errorlog_admin function |
127 |
The parameters passed to errorlog_admin are logged to identify the subcommand: errorlog_admin (param1, param2,...). |
errors |
Fatal error |
36 |
Other information: Error number.Severity.State |
Non-fatal error |
37 |
Other information: Error number.Severity.State |
|
exec_procedure |
Execution of a procedure |
38 |
Other information: All input parameters |
exec_trigger |
Execution of a trigger |
39 |
— |
func_obj_access, func_dbaccess |
Accesses to objects and databases via Transact-SQL functions. (Auditing must be enabled for the sa_role to audit functions). |
86 |
— |
grant |
grant |
40 |
Contains the full command text if available. Otherwise, contains the grantee and command type. |
insert |
insert into a table |
41 |
Keywords or option:
|
insert into a view |
42 |
Keywords or options: insert |
|
install |
install |
93 |
— |
load |
load database |
43 |
— |
load transaction |
44 |
— |
|
login |
Any login to the server |
45 |
Other information:
|
login_locked |
Login locked due to exceeding the configured number of failed login attempts |
112 |
|
logout |
Any logouts from the server |
46 |
Other information: Host name |
mount |
mount database |
101 |
— |
password |
sp_passwordpolicy and all its actions except list. |
115 |
Parameters for sp_passwordpolicy |
quiesce |
quiesce database |
96 |
— |
reference |
Creation of references to tables |
91 |
Keywords or options: reference Other information: Name of the referencing table |
remove |
remove java |
94 |
— |
revoke |
revoke |
47 |
Contains the full command text if available. Otherwise, contains the grantee and command type. |
rpc |
Remote procedure call from another server |
48 |
Keywords or options: Name of client program Other information: Server name, host name of the machine from which the RPC was executed. |
Remote procedure call to another server |
49 |
Keywords or options: Procedure name |
|
role locked |
Role setting/unsetting |
133 |
Role name and lock reason:
|
security |
connect to (CIS only) |
90 |
Keywords or options: connect to |
online database |
83 |
— |
|
proc_role function (executed from within a system procedure) |
80 |
Other information: Required roles |
|
Regeneration of a password by an sso |
76 |
Keywords or options: Setting SSO password Other information: Login name |
|
Role toggling |
55 |
Previous value: on or off Current value: on or off Other information: Name of the role being set |
|
Server start |
50 |
Other information:
|
|
sp_webservices |
111 |
Keywords or options: deploy if deploying a web service. deploy_all if deploying all web services |
|
sp_webservices |
111 |
Keywords or options: undeploy if undeploying a web service. undeploy_all if undeploying all web services |
|
Server shutdown |
51 |
Keywords or options: shutdown |
|
set proxy or set session authorization |
88 |
Previous value: Previous suid Current value: New suid |
|
sp_configure |
82 |
Keywords or options: SETCONFIG Other information:
|
|
sp_ssladmin administration enabled |
99 |
Keywords contains SSL_ADMIN addcert, if adding a certification. |
|
Audit table access |
61 |
— |
|
create login, drop login |
103 |
Keywords or options: create login, drop login |
|
create, drop, alter, grant, or revoke role |
85 |
Keywords or options: create, drop, alter, grant, or revoke role |
|
built-in functions |
86 |
Keywords or options: Name of function |
|
Security command or access to be audited, specifically, starting Adaptive Server with -u option to unlock the administrator’s account.. |
95 |
Other information contains 'Unlocking admin account' |
|
Changes to the LDAP state changes |
123 |
Keywords or options: Primary URL state and secondary URL state
Additional information indicates whether the state change happened automatically or because of a manually entered command. |
|
The regeneration of asymmetric keypairs for network password encryption by the system or sp_passwordpolicy |
117 |
Information in extrainfo |
|
select |
select from a table |
62 |
Keywords or options:
|
select from a view |
63 |
Keywords or options:
|
|
setuser |
setuser |
84 |
Other information: Name of the user being set |
table_access |
delete |
18 |
Keywords or options: delete |
insert |
41 |
Keywords or options: insert |
|
select |
62 |
Keywords or options:
|
|
update |
70 |
Keywords or options:
|
|
truncate |
truncate table |
64 |
— |
transfer_table |
transfer table |
136 |
transfer table |
unbind |
sp_unbindefault |
67 |
— |
sp_unbindmsg |
69 |
— |
|
sp_unbindrule |
68 |
— |
|
unmount |
unmount database |
102 |
— |
create manifest file |
116 |
Information in extrainfo |
|
update |
update to a table |
70 |
Keywords or options:
|
update to a view |
71 |
Keywords or options:
|
|
view_access |
delete |
19 |
Keywords or options: delete |
insert |
42 |
Keywords or options: insert |
|
select |
63 |
Keywords or options:
|
|
update |
71 |
Keywords or options:
|
Table 10-6 lists the values that appear in the event column, arranged by the audit event.
Audit event ID |
Command name |
Audit event ID |
Command name |
|---|---|---|---|
1 |
ad hoc audit record |
62 |
select table |
2 |
alter database |
68 |
unbind rule |
3 |
alter table |
69 |
unbind message |
4 |
bcp in |
70 |
update table |
5 |
Reserved |
71 |
update view |
6 |
bind default |
72 |
Reserved |
7 |
bind message |
73 |
auditing enabled |
8 |
bind rule |
74 |
auditing disabled |
9 |
create database |
75 |
Reserved |
10 |
create table |
76 |
SSO changed password |
11 |
create procedure |
77 |
Reserved |
12 |
create trigger |
78 |
Reserved |
13 |
create rule |
79 |
Reserved |
14 |
create default |
80 |
role check performed |
15 |
create message |
81 |
dbcc |
16 |
create view |
82 |
config |
17 |
access to database |
83 |
online database |
18 |
delete table |
84 |
setuser command |
19 |
delete view |
85 |
create role, drop role, alter role, grant role, or revoke role |
20 |
disk init |
86 |
built-in function |
21 |
disk refit |
87 |
Disk release |
22 |
disk reinit |
88 |
set SSA command |
23 |
disk mirror |
89 |
kill or terminate command |
24 |
disk unmirror |
90 |
connect |
25 |
disk remirror |
91 |
reference |
26 |
drop database |
92 |
command text |
27 |
drop table |
93 |
JCS install command |
28 |
drop procedure |
94 |
JCS remove command |
29 |
drop trigger |
95 |
Unlock admin account |
30 |
drop rule |
96 |
quiesce database |
31 |
drop default |
97 |
create SQLJ function |
32 |
drop message |
98 |
drop SQLJ function |
33 |
drop view |
99 |
SSL administration |
34 |
dump database |
100 |
disk resize |
35 |
dump transaction |
101 |
mount database |
36 |
Fatal error |
102 |
unmount database |
37 |
Non-fatal error |
103 |
create login |
38 |
execution of stored procedure |
104 |
create index |
39 |
Execution of trigger |
105 |
drop index |
40 |
grant |
106 |
sp_encryption (encrypted column administration) |
41 |
insert table |
107 |
create encryption key |
42 |
insert view |
108 |
Alter Encryption Key as/not default |
43 |
load database |
109 |
drop encryption key |
44 |
load transaction |
110 111 |
deploy user-defined web services undeploy user defined web services |
45 |
login |
112 |
login has been locked |
46 |
logout |
113 |
quiesce hold security |
47 |
revoke |
114 |
quiesce release |
48 |
rpc in |
115 |
Password administration |
49 |
rpc out |
116 |
create manifest file |
50 |
server boot |
117 |
regenerate keypair |
51 |
server shutdown |
118 |
alter encryptin key modify encryption |
52 |
Reserved |
119 |
alter encryption key add encryption |
53 |
Reserved |
120 |
alter encryption key drop encryption |
54 |
Reserved |
121 |
alter encryption key modify owner |
55 |
role toggling |
122 |
alter encryption key for key recovery |
56 |
Reserved |
123 |
LDAP state changes |
57 |
Reserved |
124 |
alter...modify owner |
58 |
Reserved |
127 |
Errorlog administration |
59 |
Reserved |
136 |
transfer table |
60 |
Reserved |
136 |
transfer table |
61 |
access to audit table |
137 |
create login profile |
62 |
select from table |
138 |
alter login |
63 |
select from view |
139 |
drop login |
64 |
truncate table |
140 |
alter login profile |
65 |
Reserved |
141 |
drop login profile |
66 |
Reserved |
142 |
Reserved |
67 |
unbind default |
143 |
alter thread pool |
