Understanding the audit tables

The system audit tables can be accessed only by a System Security Officer, who can read the tables by executing SQL commands. The only commands that are allowed on the system audit tables are select and truncate.

Table 11-4 describes the columns in all audit tables.

Table 11-4: Columns in each audit table

Column name

Datatype

Description

event

smallint

Type of event being audited. See Table 11-6.

eventmod

smallint

More information about the event being audited. Indicates whether or not the event in question passed permission checks. Possible values are:

  • 0 = no modifier for this event

  • 1 = the event passed permission checking

  • 2 = the event failed permission checking

spid

smallint

ID of the process that caused the audit record to be written.

eventtime

datetime

Date and time that the audited event occurred.

sequence

smallint

Sequence number of the record within a single event. Some events require more than one audit record.

suid

smallint

Server login ID of the user who performed the audited event.

dbid

int null

Database ID in which the audited event occurred, or in which the object, stored procedure, or trigger resides, depending on the type of event.

objid

int null

ID of the accessed object, stored procedure, or trigger.

xactid

binary(6) null

ID of the transaction containing the audited event. For a multi-database transaction, this is the transaction ID from the database where the transaction originated.

loginname

varchar(30) null

Login name corresponding to the suid.

dbname

varchar(30) null

Database name corresponding to the dbid.

objname

varchar(30) null

Object name corresponding to the objid.

objowner

varchar(30) null

Name of the owner of objid.

extrainfo

varchar(255) null

Additional information about the audited event. This column contains a sequence of items separated by semicolons. For details, see “Reading the extrainfo column”.