SQL Server Audits and Action_IDs
We were recently re-doing our SQL Server Audits and I was reminded again how painful setting the filters can be. MS expects an integer for “action_id”, but to actually use, them you need to know what those actually mean.
I came across this blog post by Chris Provolt listing the text versions of the action_id’s. That was helpful, especially the quick query to see what’s available:
Select DISTINCT action_id,name,class_desc,parent_class_desc from sys.dm_audit_actions
However, as you can tell by running this, the action_id’s returned are all text values. That doesn’t help when trying to set up your SQL Audits.
MSDN provides code for a function to translate the text audit_id into the expected numeric value.
CREATE FUNCTION dbo.Getint_action_id (@action_id VARCHAR(4))
returns INT
BEGIN
DECLARE @x INT;
SET @x = CONVERT(INT, CONVERT(VARBINARY(1), Upper(
Substring(@action_id, 1, 1))));
IF Len(@action_id) >= 2
SET @x = CONVERT(INT, CONVERT(VARBINARY(1), Upper(
Substring(@action_id, 2, 1))
))
* Power(
2, 8) + @x;
ELSE
SET @x = CONVERT(INT, CONVERT(VARBINARY(1), ‘ ‘)) * Power(2, 8) + @x;
IF Len(@action_id) >= 3
SET @x = CONVERT(INT, CONVERT(VARBINARY(1), Upper(
Substring(@action_id, 3, 1))
))
* Power(
2, 16) + @x;
ELSE
SET @x = CONVERT(INT, CONVERT(VARBINARY(1), ‘ ‘)) * Power(2, 16) + @x;
IF Len(@action_id) >= 4
SET @x = CONVERT(INT, CONVERT(VARBINARY(1), Upper(
Substring(@action_id, 4, 1))
))
* Power(
2, 24) + @x;
ELSE
SET @x = CONVERT(INT, CONVERT(VARBINARY(1), ‘ ‘)) * Power(2, 24) + @x;
RETURN @x;
END;
Once you create that function, you can use it to generate a list of the Integer action_ids, the text action_ids, and the name/description of those action_ids. (You can also expand it out to see which actions are applicable to various objects at the server and database level if you so desire.)
SELECT DISTINCT dbo.Getint_action_id(action_id) Action_ID_Int,
action_id, NAME AS Action_Description
–,class_desc,parent_class_desc
FROM sys.dm_audit_actions
ORDER BY action_id
This will result in the following values (as of SQL 2012):
| Action_ID_Int | action_id | NAME |
|---|---|---|
| 1329873729 | ACDO | DATABASE_OBJECT_ACCESS_GROUP |
| 542065473 | ACO | SCHEMA_OBJECT_ACCESS_GROUP |
| 1329742913 | ADBO | BULK ADMIN |
| 1346651201 | ADDP | DATABASE_ROLE_MEMBER_CHANGE_GROUP |
| 1347634241 | ADSP | SERVER_ROLE_MEMBER_CHANGE_GROUP |
| 538987585 | AL | ALTER |
| 1313033281 | ALCN | ALTER CONNECTION |
| 1397902401 | ALRS | ALTER RESOURCES |
| 1397967937 | ALSS | ALTER SERVER STATE |
| 1414745153 | ALST | ALTER SETTINGS |
| 1381256257 | ALTR | ALTER TRACE |
| 1280462913 | APRL | ADD MEMBER |
| 538989377 | AS | ACCESS |
| 1129534785 | AUSC | AUDIT SESSION CHANGED |
| 1179866433 | AUSF | AUDIT SHUTDOWN ON FAILURE |
| 1213486401 | AUTH | AUTHENTICATE |
| 538984770 | BA | BACKUP |
| 541868354 | BAL | BACKUP LOG |
| 1111773762 | BRDB | BACKUP_RESTORE_GROUP |
| 1179595331 | C2OF | TRACE AUDIT C2OFF |
| 1313813059 | C2ON | TRACE AUDIT C2ON |
| 1196180291 | CCLG | CHANGE LOGIN CREDENTIAL |
| 1196182851 | CMLG | CREDENTIAL MAP TO LOGIN |
| 1430343235 | CNAU | AUDIT_CHANGE_GROUP |
| 538988355 | CO | CONNECT |
| 538988611 | CP | CHECKPOINT |
| 538989123 | CR | CREATE |
| 538976324 | D | DENY |
| 1179074884 | DAGF | FAILED_DATABASE_AUTHENTICATION_GROUP |
| 1279738180 | DAGL | DATABASE_LOGOUT_GROUP |
| 1397178692 | DAGS | SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP |
| 1178681924 | DBAF | DATABASE AUTHENTICATION FAILED |
| 1396785732 | DBAS | DATABASE AUTHENTICATION SUCCEEDED |
| 1128481348 | DBCC | DBCC |
| 1195590212 | DBCG | DBCC_GROUP |
| 541868612 | DBL | DATABASE LOGOUT |
| 538987588 | DL | DELETE |
| 1280462916 | DPRL | DROP MEMBER |
| 538989124 | DR | DROP |
| 541284164 | DWC | DENY WITH CASCADE |
| 538990661 | EX | EXECUTE |
| 538989638 | FT | FULLTEXT |
| 541545542 | FTG | FULLTEXT_GROUP |
| 538976327 | G | GRANT |
| 1111773767 | GRDB | DATABASE_PERMISSION_CHANGE_GROUP |
| 1329877575 | GRDO | DATABASE_OBJECT_PERMISSION_CHANGE_GROUP |
| 542069319 | GRO | SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP |
| 1330860615 | GRSO | SERVER_OBJECT_PERMISSION_CHANGE_GROUP |
| 1448301127 | GRSV | SERVER_PERMISSION_CHANGE_GROUP |
| 541546311 | GWG | GRANT WITH GRANT |
| 1346653513 | IMDP | DATABASE_PRINCIPAL_IMPERSONATION_GROUP |
| 542133577 | IMP | IMPERSONATE |
| 1347636553 | IMSP | SERVER_PRINCIPAL_IMPERSONATION_GROUP |
| 538988105 | IN | INSERT |
| 541214540 | LGB | BROKER LOGIN |
| 1195525964 | LGBG | BROKER_LOGIN_GROUP |
| 1094993740 | LGDA | DISABLE |
| 1111770956 | LGDB | CHANGE DEFAULT DATABASE |
| 1095059276 | LGEA | ENABLE |
| 1279674188 | LGFL | FAILED_LOGIN_GROUP |
| 1179207500 | LGIF | LOGIN FAILED |
| 1397311308 | LGIS | LOGIN SUCCEEDED |
| 1196181324 | LGLG | CHANGE DEFAULT LANGUAGE |
| 541935436 | LGM | DATABASE MIRRORING LOGIN |
| 1196246860 | LGMG | DATABASE_MIRRORING_LOGIN_GROUP |
| 1296975692 | LGNM | NAME CHANGE |
| 542066508 | LGO | LOGOUT |
| 1146308428 | LGSD | SUCCESSFUL_LOGIN_GROUP |
| 538988364 | LO | LOGOUT_GROUP |
| 1111772749 | MNDB | DATABASE_CHANGE_GROUP |
| 1329876557 | MNDO | DATABASE_OBJECT_CHANGE_GROUP |
| 1346653773 | MNDP | DATABASE_PRINCIPAL_CHANGE_GROUP |
| 542068301 | MNO | SCHEMA_OBJECT_CHANGE_GROUP |
| 1330859597 | MNSO | SERVER_OBJECT_CHANGE_GROUP |
| 1347636813 | MNSP | SERVER_PRINCIPAL_CHANGE_GROUP |
| 1196182862 | NMLG | NO CREDENTIAL MAP TO LOGIN |
| 538988623 | OP | OPEN |
| 1111773263 | OPDB | DATABASE_OPERATION_GROUP |
| 1448300623 | OPSV | SERVER_OPERATION_GROUP |
| 1380013904 | PWAR | APPLICATION_ROLE_CHANGE_PASSWORD_GROUP |
| 541284176 | PWC | CHANGE PASSWORD |
| 1195595600 | PWCG | LOGIN_CHANGE_PASSWORD_GROUP |
| 1396922192 | PWCS | CHANGE OWN PASSWORD |
| 1480939344 | PWEX | PASSWORD EXPIRATION |
| 1129142096 | PWMC | MUST CHANGE PASSWORD |
| 1280333648 | PWPL | PASSWORD POLICY |
| 542267216 | PWR | RESET PASSWORD |
| 1397905232 | PWRS | RESET OWN PASSWORD |
| 542463824 | PWU | UNLOCK ACCOUNT |
| 538976338 | R | REVOKE |
| 538985298 | RC | RECEIVE |
| 538986066 | RF | REFERENCES |
| 538989394 | RS | RESTORE |
| 541284178 | RWC | REVOKE WITH CASCADE |
| 541546322 | RWG | REVOKE WITH GRANT |
| 538987603 | SL | SELECT |
| 538988115 | SN | SEND |
| 1313624147 | SPLN | SHOW PLAN |
| 1448301651 | STSV | SERVER_STATE_CHANGE_GROUP |
| 1313953107 | SUQN | SUBSCRIBE QUERY NOTIFICATION |
| 1313035859 | SVCN | SERVER CONTINUE |
| 1146115667 | SVPD | SERVER PAUSED |
| 1146312275 | SVSD | SERVER SHUTDOWN |
| 1381193299 | SVSR | SERVER STARTED |
| 1095975252 | TASA | TRACE AUDIT START |
| 1347633492 | TASP | TRACE AUDIT STOP |
| 538988372 | TO | TAKE OWNERSHIP |
| 1111773012 | TODB | DATABASE_OWNERSHIP_CHANGE_GROUP |
| 1329876820 | TODO | DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP |
| 542068564 | TOO | SCHEMA_OBJECT_OWNERSHIP_CHANGE_GROUP |
| 1330859860 | TOSO | SERVER_OBJECT_OWNERSHIP_CHANGE_GROUP |
| 1195594324 | TRCG | TRACE_CHANGE_GROUP |
| 542069332 | TRO | TRANSFER |
| 1346847573 | UCGP | USER_CHANGE_PASSWORD_GROUP |
| 1195459669 | UDAG | USER_DEFINED_AUDIT_GROUP |
| 1430340693 | UDAU | USER DEFINED AUDIT |
| 538988629 | UP | UPDATE |
| 1178686293 | USAF | CHANGE USERS LOGIN AUTO |
| 1196184405 | USLG | CHANGE USERS LOGIN |
| 1129599829 | USTC | COPY PASSWORD |
| 1414743126 | VDST | VIEW DATABASE STATE |
| 1414746966 | VSST | VIEW SERVER STATE |
| 1413699414 | VWCT | VIEW CHANGETRACKING |
| 538984792 | XA | EXTERNAL ACCESS ASSEMBLY |
| 538989912 | XU | UNSAFE ASSEMBLY |
About Author
paschott
I’ve been working with SQL Server for quite some time. Along the way, I’ve learned quite a few things and realized that I won’t ever know everything about SQL Server. I intended to keep growing and learning to be able to do my job well and share my experiences with others. I currently work for a Health-related non-profit based in Boise as a Database Architect.