The extrainfo column contains a sequence of data separated by semicolons. The data is organized in the following categories.
Position |
Category |
Description |
|---|---|---|
1 |
Roles |
A list of active roles, separated by blanks. |
2 |
Keywords or Options |
The name of the keyword or option that was used for the event. For example, for the alter table command, the add column or drop constraint options might have been used. If multiple keywords or options are listed, they are separated by commas. |
3 |
Previous value |
If the event resulted in the update of a value, this item contains the value prior to the update. |
4 |
Current value |
If the event resulted in the update of a value, this item contains the new value. |
5 |
Other information |
Additional security-relevant information that is recorded for the event. |
6 |
Proxy information |
The original login name if the event occurred while a set proxy was in effect. |
7 |
Principal name |
The principal name from the underlying security mechanism if the user’s login is the secure default login, and the user logged in to Adaptive Server via unified login. The value of this item is NULL if the secure default login is not being used. |
This example shows an extrainfo column entry for the event of changing an auditing configuration parameter.
sso_role;suspend audit when device full;1;0;;ralph;
This entry indicates that a system security officer changed suspend audit when device full from 1 to 0. There is no “other information” for this entry. The sixth category indicates that the user “ralph” was operating with a proxy login. No principal name is provided.
The other fields in the audit record give other pertinent information. For example, the record contains the server user ID (suid) and the login name (loginname).
Table 18-5 lists the values that appear in the event column, arranged by sp_audit option. The “Information in extrainfo” column describes information that might appear in the extrainfo column of an audit table, based on the categories described in Table 18-4.
Audit option |
Command or access to be audited |
event |
Information in extrainfo |
|---|---|---|---|
(Automatically audited event not controlled by an option) |
Enabling auditing with: sp_configure auditing |
73 |
— |
(Automatically audited event not controlled by an option) |
Disabling auditing with: sp_configure auditing |
74 |
— |
Unlocking Administrator’s account |
Disabling auditing with: sp_configure auditing |
74 |
— |
adhoc |
User-defined audit record |
1 |
extrainfo is filled by the text parameter of sp_addauditrecord |
alter |
alter database |
2 |
Subcommand keywords:
|
alter table |
3 |
Subcommand keywords:
If one or more encrypted columns are added, extrainfo contains: add/drop/modify column column1/keyname1, [,column2/keyname2] where keyname is the fully qualified name of the key. |
|
bcp |
bcp in |
4 |
— |
bind |
sp_bindefault |
6 |
Other information: Name of the default |
sp_bindmsg |
7 |
Other information: Message ID |
|
sp_bindrule |
8 |
Other information: Name of the rule |
|
all, create |
create database |
9 |
Keywords or options: inmemory |
cmdtext |
All commands |
92 |
Full text of command, as sent by the client |
create |
create database |
9 |
— |
create default |
14 |
— |
|
create procedure |
11 |
— |
|
create rule |
13 |
— |
|
create table |
10 |
For encrypted columns, extrainfo contains column names and keynames. EK column1/keyname1[,column2 keyname2] where EK is a prefix indicating that subsequent information refers to encryption keys and keyname is the fully qualified name of the key. |
|
create trigger |
12 |
— |
|
create view |
16 |
— |
|
create index |
104 |
Other information: Name of the index |
|
create function |
97 |
— |
|
sp_addmessage |
15 |
Other information: Message number |
|
dbaccess |
Any access to the database by any user |
17 |
Keywords or options:
|
dbcc |
dbcc all keywords |
81 |
Keywords or options: Any of the dbcc keywords such as checkstorage and the options for that keyword. |
delete |
delete from a table |
18 |
Keywords or options: delete |
delete from a view |
19 |
Keywords or options: delete |
|
disk |
disk init |
20 |
Keywords or options: disk init Other information: Name of the disk |
disk mirror |
23 |
Keywords or options: disk mirror Other information: Name of the disk |
|
disk refit |
21 |
Keywords or options: disk refit Other information: Name of the disk |
|
disk reinit |
22 |
Keywords or options: disk reinit Other information: Name of the disk |
|
disk release |
87 |
Keywords or options: disk release Other information: Name of the disk |
|
disk remirror |
25 |
Keywords or options: disk remirror Other information: Name of the disk |
|
disk unmirror |
24 |
Keywords or options: disk unmirror Other information: Name of the disk |
|
disk resize |
100 |
Keywords or options: disk resize Other information: Name of the disk |
|
drop |
drop database |
26 |
— |
drop default |
31 |
— |
|
drop procedure |
28 |
— |
|
drop table |
27 |
— |
|
drop trigger |
29 |
— |
|
drop rule |
30 |
— |
|
drop view |
33 |
— |
|
drop index |
105 |
Other information: Index name |
|
drop function |
98 |
— |
|
sp_dropmessage |
32 |
Other information: Message number |
|
dump |
dump database |
34 |
— |
dump transaction |
35 |
— |
|
encryption_key |
sp_encryption |
106 |
If password is set the first time:
If the password is subsequently changed:
|
create encryption key |
107 |
Keywords contain: algorithm name-bitlength/IV [random|NULL]/pad [random |NULL] user/system For example: |
|
alter encryption key |
108 |
default/not default |
|
drop encryption key |
109 |
||
AEK modify encryption |
118 |
modify encryption
with user passwd
| for user username
{with login passwd
| with user passwd
| with keyvalue}
[for recovery
Note that keyvalue is displayed only for replication of alter encryption key modify encryption. For example, when user “stephen” modifies his key copy, the following information is saved: MODIFY ENCRYPTION for user stephen WITH USER PASSWD |
|
AEK add encryption |
119 |
add encryption for user user_name for login association | recovery|with keyvalue] Note that keyvalue is displayed only for replication of alter encryption key add encryption. |
|
alter encryption key drop encryption |
120 |
drop encryption [for recovery | for user user_name See the Encrypted Columns Users Guide. |
|
alter encryption key modify owner |
121 |
modify owner [new owner user_name] See the Encrypted Columns Users Guide. |
|
alter encryption key recover key |
122 |
recovery key [with key_value] with keyvalue is only used during replication of alter encryption key See the Encrypted Columns Users Guide. |
|
errorlog |
errorlog or errorlog_admin function |
127 |
The parameters passed to errorlog_admin are logged to identify the subcommand: errorlog_admin (param1, param2,...). |
errors |
Fatal error |
36 |
Other information: Error number.Severity.State |
Non-fatal error |
37 |
Other information: Error number.Severity.State |
|
exec_procedure |
Execution of a procedure |
38 |
Other information: All input parameters |
exec_trigger |
Execution of a trigger |
39 |
— |
func_obj_access, func_dbaccess |
Accesses to objects and databases via Transact-SQL functions. (Auditing must be enabled for the sa_role to audit functions). |
86 |
— |
grant |
grant |
40 |
— |
insert |
insert into a table |
41 |
Keywords or option:
|
insert into a view |
42 |
Keywords or options: insert |
|
install |
install |
93 |
— |
load |
load database |
43 |
— |
load transaction |
44 |
— |
|
login |
Any login to the server |
45 |
Other information:
|
login_locked |
Login locked due to exceeding the configured number of failed login attempts |
112 |
|
logout |
Any logouts from the server |
46 |
Other information: Host name |
mount |
mount database |
101 |
— |
password |
sp_passwordpolicy and all its actions except list. |
115 |
Parameters for sp_passwordpolicy |
quiesce |
quiesce database |
96 |
— |
reference |
Creation of references to tables |
91 |
Keywords or options: reference Other information: Name of the referencing table |
remove |
remove java |
94 |
— |
revoke |
revoke |
47 |
— |
rpc |
Remote procedure call from another server |
48 |
Keywords or options: Name of client program Other information: Server name, host name of the machine from which the RPC was executed. |
Remote procedure call to another server |
49 |
Keywords or options: Procedure name |
|
security |
connect to (CIS only) |
90 |
Keywords or options: connect to |
online database |
83 |
— |
|
proc_role function (executed from within a system procedure) |
80 |
Other information: Required roles |
|
Regeneration of a password by an sso |
76 |
Keywords or options: Setting SSO password Other information: Login name |
|
Role toggling |
55 |
Previous value: on or off Current value: on or off Other information: Name of the role being set |
|
Server start |
50 |
Other information:
|
|
sp_webservices |
111 |
Keywords or options: deploy if deploying a web service. deploy_all if deploying all web services |
|
sp_webservices |
111 |
Keywords or options: undeploy if undeploying a web service. undeploy_all if undeploying all web services |
|
Server shutdown |
51 |
Keywords or options: shutdown |
|
set proxy or set session authorization |
88 |
Previous value: Previous suid Current value: New suid |
|
sp_configure |
82 |
Keywords or options: SETCONFIG Other information:
|
|
sp_ssladmin administration enabled |
99 |
Keywords contains SSL_ADMIN addcert, if adding a certification. |
|
Audit table access |
61 |
— |
|
create login, drop login |
103 |
Keywords or options: create login, drop login |
|
create, drop, alter, grant, or revoke role |
85 |
Keywords or options: create, drop, alter, grant, or revoke role |
|
built-in functions |
86 |
Keywords or options: Name of function |
|
Security command or access to be audited, specifically, starting Adaptive Server with -u option to unlock the administrator’s account.. |
95 |
Other information contains 'Unlocking admin account' |
|
Changes to the LDAP state changes |
123 |
Keywords or options: Primary URL state and secondary URL state
Additional information indicates whether the state change happened automatically or because of a manually entered command. |
|
The regeneration of asymmetric keypairs for network password encryption by the system or sp_passwordpolicy |
117 |
Information in extrainfo |
|
select |
select from a table |
62 |
Keywords or options:
|
select from a view |
63 |
Keywords or options:
|
|
setuser |
setuser |
84 |
Other information: Name of the user being set |
table_access |
delete |
18 |
Keywords or options: delete |
insert |
41 |
Keywords or options: insert |
|
select |
62 |
Keywords or options:
|
|
update |
70 |
Keywords or options:
|
|
truncate |
truncate table |
64 |
— |
transfer_table |
transfer table |
136 |
transfer table |
unbind |
sp_unbindefault |
67 |
— |
sp_unbindmsg |
69 |
— |
|
sp_unbindrule |
68 |
— |
|
unmount |
unmount database |
102 |
— |
create manifest file |
116 |
Information in extrainfo |
|
update |
update to a table |
70 |
Keywords or options:
|
update to a view |
71 |
Keywords or options:
|
|
view_access |
delete |
19 |
Keywords or options: delete |
insert |
42 |
Keywords or options: insert |
|
select |
63 |
Keywords or options:
|
|
update |
71 |
Keywords or options:
|
Table 18-6 lists the values that appear in the event column, arranged by the audit event.
Audit event ID |
Command name |
Audit event ID |
Command name |
|---|---|---|---|
1 |
ad hoc audit record |
62 |
select table |
2 |
alter database |
63 |
select view |
3 |
alter table |
64 |
truncate table |
4 |
bcp in |
65 |
Reserved |
5 |
Reserved |
66 |
Reserved |
6 |
bind default |
67 |
unbind default |
7 |
bind message |
68 |
unbind rule |
8 |
bind rule |
69 |
unbind message |
9 |
create database |
70 |
update table |
10 |
create table |
71 |
update view |
11 |
create procedure |
72 |
Reserved |
12 |
create trigger |
73 |
auditing enabled |
13 |
create rule |
74 |
auditing disabled |
14 |
create default |
75 |
Reserved |
15 |
create message |
76 |
SSO changed password |
16 |
create view |
77 |
Reserved |
17 |
access to database |
78 |
Reserved |
18 |
delete table |
79 |
Reserved |
19 |
delete view |
80 |
role check performed |
20 |
disk init |
81 |
dbcc |
21 |
disk refit |
82 |
config |
22 |
disk reinit |
83 |
online database |
23 |
disk mirror |
84 |
setuser command |
24 |
disk unmirror |
85 |
UDR command |
25 |
disk remirror |
86 |
built-in function |
26 |
drop database |
87 |
Disk release |
27 |
drop table |
88 |
set SSA command |
28 |
drop procedure |
89 |
kill or terminate command |
29 |
drop trigger |
90 |
connect |
30 |
drop rule |
91 |
reference |
31 |
drop default |
92 |
command text |
32 |
drop message |
93 |
JCS install command |
33 |
drop view |
94 |
JCS remove command |
34 |
dump database |
95 |
Unlock admin account |
35 |
dump transaction |
96 |
quiesce database |
36 |
Fatal error |
97 |
create SQLJ function |
37 |
Non-fatal error |
98 |
drop SQLJ function |
38 |
execution of stored procedure |
99 |
SSL administration |
39 |
Execution of trigger |
100 |
disk resize |
40 |
grant |
101 |
mount database |
41 |
insert table |
102 |
unmount database |
42 |
insert view |
103 |
login command |
43 |
load database |
104 |
create index |
44 |
load transaction |
105 |
drop index |
45 |
login |
106 |
sp_encryption (encrypted column administration) |
46 |
logout |
107 |
create encryption key |
47 |
revoke |
108 |
Alter Encryption Key as/not default |
48 |
rpc in |
109 |
drop encryption key |
49 |
rpc out |
110 111 |
deploy user-defined web services undeploy user defined web services |
50 |
server boot |
112 |
login has been locked |
51 |
server shutdown |
113 |
quiesce hold security |
52 |
Reserved |
114 |
quiesce release |
53 |
Reserved |
115 |
Password administration |
54 |
Reserved |
116 |
create manifest file |
55 |
role toggling |
117 |
regenerate keypair |
56 |
Reserved |
118 |
alter encryptin key modify encryption |
57 |
Reserved |
119 |
alter encryption key add encryption |
58 |
Reserved |
120 |
alter encryption key drop encryption |
59 |
Reserved |
121 |
alter encryption key modify owner |
60 |
Reserved |
122 |
alter encryption key for key recovery |
61 |
access to audit table |
123 |
LDAP state changes |
127 |
Errorlog administration |
||
136 |
transfer table |
