Azure Log Analytics (OMS) Agent now collects SQL Server audit logs

We are happy to inform that the Azure Log Analytics (OMS) Agent is now capable of pushing SQL Server audit logs into Azure Log Analytics (OMS), supporting SQL Server both on-premises, as well as on Azure VMs.

The Azure Log Analytics (OMS) platform can now be used as a centralized data store for all your SQL Server audit logs, for deeper visibility and advanced cross-resource analytics. Additional info on the platform can be found in What is Log Analytics.

To enable this new capability, SQL Server audit logs need to be written to the Windows Application Log. This can be configured using T-SQL, as well as via the Audit Properties in SSMS:

T-SQL example:

CREATE SERVER AUDIT MyServerAudit
TO APPLICATION_LOG
WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE)

SSMS example:

After setting up SQL Server auditing as described above, the Azure Log Analytics (OMS) agent should be configured to send logs to a Workspace. This can be done from Control Panel –> Microsoft Monitoring Agent Properties –> Azure Log Analytics (OMS)

Finally, the Azure Log Analytics (OMS) Workspace needs to be configured to collect Application Logs. This can be done from the Azure Login Analytics / OMS portals via Settings –> Data –> Windows Event Logs –> Application:

 

 

Additional info:

SQL Server Auditing

Log Analytics (OMS) – documentation

Log Analytics (OMS) – Collect data from Windows computers

Log Analytics (OMS) – Collect data from Azure VMs

 

SQL Security team