Enable SQL Server Audit. Then actually read it.

SQL Server Audit is a built in feature that records server and database events to a log you can review. You create a server audit object, point it at a target, add an audit specification for the events you care about, and then read the results with a system function or in SQL Server Management Studio.

This guide is for database administrators and security teams turning on SQL Server Audit in 2026. Read it with the SQL Server audit defense guide and the SQL Server licensing guide so the control and the cost stay aligned.

How do you enable SQL Server Audit?

You build the audit in layers. First the server audit object, then what it captures, then where it writes. Microsoft documents the full model in its reference pages.

How do you create the server audit object?

The server audit defines the destination and the behavior on failure. You create it once, then attach specifications to it.

• Target: a binary file path, the Security log, or the Application log.
• On failure: continue, shut down, or fail the operation.
• State: the audit is created disabled and must be enabled to record.

How do you add a server audit specification?

A server level specification captures instance wide action groups such as logins, server role changes, and backup events. It binds to the server audit and turns on the categories you choose.

How do you add a database audit specification?

A database level specification captures actions inside one database, such as SELECT, INSERT, or schema changes on named objects. The granular per object database audit needs Enterprise edition, which Microsoft sets out in the SQL Server Audit reference.

How do you review the SQL Server audit log?

Where you read the log depends on the target you chose. File targets and Windows event logs use different tools, so pick the path that matches your setup.

How do you query an audit file?

Use the system function to read a file target straight from a query window. It returns one row per event, which you can filter by time, action, or principal.

• Function: sys.fn_get_audit_file with the file path pattern.
• Filter: by event_time, action_id, server_principal_name.
• Export: insert results into a table for retention and reporting.

How do you read events in the Windows log?

If you sent the audit to the Security or Application log, open Windows Event Viewer and filter the relevant source. This path suits teams that already centralize Windows event logs.

How long should you keep audit logs?

Set retention to match your compliance window, not your disk space. File targets support rollover and a maximum file count, so size the policy before you enable a high volume specification.

Auditing is cheap to turn on and easy to ignore. The value is in the review cadence. A log nobody reads is evidence you collected and never used.

What to do next

1. Decide which events matter: logins, schema changes, sensitive table access.
2. Create the server audit object and choose a file or Windows log target.
3. Add a server specification for instance wide events.
4. Add a database specification for the objects that carry risk.
5. Enable the audit and the specifications, then generate test events.
6. Confirm you can read the log with sys.fn_get_audit_file or Event Viewer.
7. Set retention, rollover, and a regular review owner.
8. Document the configuration so an auditor can follow it without you.

Frequently asked questions

How do I enable SQL Server Audit?

Create a server audit object that names a target, add a server or database audit specification for the events you want, then enable both. The audit is created disabled, so it records nothing until you turn it and its specifications on.

What is the difference between a server and a database audit specification?

A server specification captures instance wide action groups such as logins and role changes. A database specification captures actions inside one database, such as SELECT or schema changes on named objects, and the per object form needs Enterprise edition.

How do I read a SQL Server audit file?

Use the system function sys.fn_get_audit_file with the file path pattern in a query window, or open the file in the SQL Server Management Studio log viewer. The function returns one row per event so you can filter by time, action, or principal.

Does SQL Server Audit need a special license?

No. SQL Server Audit is a built in control feature, not a separate license. Enabling it does not change what you owe, although the granular per object database audit is an Enterprise edition feature.

Can I send audit events to the Windows Security log?

Yes. The server audit can target the Windows Security log or Application log instead of a file. The Security log is more tamper resistant, which suits centralized and compliance focused logging.

How do I stop the audit file from filling the disk?

Set a maximum file size, enable rollover, and cap the maximum number of files when you create the audit. Match the retention to your compliance window and archive older files rather than keeping everything on the database volume.