We are happy to inform that the Azure Log Analytics (OMS) Agent is now capable of pushing SQL Server audit logs into Azure Log Analytics (OMS), supporting SQL Server both on-premises, as well as on Azure VMs.
The Azure Log Analytics (OMS) platform can now be used as a centralized data store for all your SQL Server audit logs, for deeper visibility and advanced cross-resource analytics. Additional info on the platform can be found in What is Log Analytics.
Image may be NSFW.
Clik here to view.
To enable this new capability, SQL Server audit logs need to be written to the Windows Application Log. This can be configured using T-SQL, as well as via the Audit Properties in SSMS:
T-SQL example:
CREATE SERVER AUDIT MyServerAudit
TO APPLICATION_LOG
WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE)
SSMS example:
Image may be NSFW.
Clik here to view.
After setting up SQL Server auditing as described above, the Azure Log Analytics (OMS) agent should be configured to send logs to a Workspace. This can be done from Control Panel –> Microsoft Monitoring Agent Properties –> Azure Log Analytics (OMS)
Image may be NSFW.
Clik here to view.
Finally, the Azure Log Analytics (OMS) Workspace needs to be configured to collect Application Logs. This can be done from the Azure Login Analytics / OMS portals via Settings –> Data –> Windows Event Logs –> Application:
Image may be NSFW.
Clik here to view.
Additional info:
Log Analytics (OMS) – documentation
Log Analytics (OMS) – Collect data from Windows computers
Log Analytics (OMS) – Collect data from Azure VMs
SQL Security team
