How to add multiple filters on Server Audit of SQL Server?
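I want to filter the SQL audit so that it does not capture events triggered by specific users and by a specific schema. In one of the existing server audits, I found the filter predicate to be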
(
[schema_name]<>'sys' AND
[server_principal_name]<>'SILVER\Distributor' AND
[server_principal_name]<>'SILVER\Replicator' AND
[server_principal_name]<>'SILVER\Merger' AND
[server_principal_name]<>'SILVER\Collecter' AND
[server_principal_name]<>'SILVER\Reporter' AND
[server_principal_name]<>'SILVER\Starter' AND
)
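I think it should be OR instead of AND. According to TSQL, it seems the above condition would never be satisfied. AND means all the conditions must be satisfied. I did read the logs using the function sys.fn_get_audit_file and did not see any records belonging to the above restricted users and schema. It looks like the above predicate works, though.
Is AND used here as a separator between rules?
Can you please explain?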
You can change the predicate
(
[schema_name]<>'sys' AND
[server_principal_name]<>'SILVER\Distributor' AND
[server_principal_name]<>'SILVER\Replicator' AND
[server_principal_name]<>'SILVER\Merger' AND
[server_principal_name]<>'SILVER\Collecter' AND
[server_principal_name]<>'SILVER\Reporter' AND
[server_principal_name]<>'SILVER\Starter' AND
)
equivalently, using OR, to
NOT (
[schema_name] = 'sys' OR
[server_principal_name] = 'SILVER\Distributor' OR
[server_principal_name] = 'SILVER\Replicator' OR
[server_principal_name] = 'SILVER\Merger' OR
[server_principal_name] = 'SILVER\Collecter' OR
[server_principal_name] = 'SILVER\Reporter' OR
[server_principal_name] = 'SILVER\Starter'
)
or, even more readable, to
[schema_name]<>'sys' AND
[server_principal_name] NOT IN (
'SILVER\Distributor',
'SILVER\Replicator',
'SILVER\Merger',
'SILVER\Collecter',
'SILVER\Reporter',
'SILVER\Starter'
)
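The following T-SQL is an added example, not part of the original question or answer. Over constructed sample rows it shows that the AND form and the NOT (... OR ...) form classify every event identically, while joining the <> tests with OR excludes nothing; it then applies the AND form to an audit. The login SILVER\Alice and the audit name Audit_Demo are hypothetical, and the exclusion list is shortened to two logins.

```sql
-- Constructed sample events, not real audit data.
-- SILVER\Alice is a hypothetical ordinary login.
DECLARE @events TABLE (schema_name sysname, server_principal_name sysname);
INSERT INTO @events (schema_name, server_principal_name) VALUES
    (N'dbo', N'SILVER\Alice'),
    (N'dbo', N'SILVER\Distributor'),
    (N'sys', N'SILVER\Alice'),
    (N'sys', N'SILVER\Replicator');

-- An event is written to the audit only when the predicate is TRUE.
SELECT schema_name, server_principal_name,
    -- Form found in the existing audit: every exclusion test must hold.
    CASE WHEN schema_name <> 'sys'
          AND server_principal_name <> 'SILVER\Distributor'
          AND server_principal_name <> 'SILVER\Replicator'
         THEN 'audited' ELSE 'filtered out' END AS and_form,
    -- De Morgan rewrite: negate the OR of the equality tests.
    CASE WHEN NOT (schema_name = 'sys'
                OR server_principal_name = 'SILVER\Distributor'
                OR server_principal_name = 'SILVER\Replicator')
         THEN 'audited' ELSE 'filtered out' END AS not_or_form,
    -- <> tests joined with OR: a login cannot equal two names at once,
    -- so at least one test is always TRUE and no event is excluded.
    CASE WHEN schema_name <> 'sys'
           OR server_principal_name <> 'SILVER\Distributor'
           OR server_principal_name <> 'SILVER\Replicator'
         THEN 'audited' ELSE 'filtered out' END AS or_form
FROM @events;
GO

-- Apply the AND form to a server audit (Audit_Demo is a hypothetical name).
-- The audit has to be switched off while its filter is changed.
ALTER SERVER AUDIT [Audit_Demo] WITH (STATE = OFF);
ALTER SERVER AUDIT [Audit_Demo]
WHERE ([schema_name] <> 'sys'
   AND [server_principal_name] <> 'SILVER\Distributor'
   AND [server_principal_name] <> 'SILVER\Replicator');
ALTER SERVER AUDIT [Audit_Demo] WITH (STATE = ON);
GO

-- Confirm the filter text the server stored for the audit.
SELECT name, predicate FROM sys.server_audits WHERE name = N'Audit_Demo';
```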