Common SQL Server database auditing goals include the ability to
achieve compliance regulatory standards, perform data flow checkups, complete internal/external investigations of who changed what, perform post-disaster analysis when data is unintentionally changed and to discover why did it occur, when, etc. maintain history of data changes (before-after auditing)There are many different ways of auditing a SQL Server database to accomplish these goals. In this article, we are going to look into auditing SQL Server databases change history (before-after) using the database transaction log files with SQL Server Change Data Capture (aka CDC) and withApexSQL Log.
CDC is an out-of-the-box feature of SQL Server enterprise version (and now in all editions of SQL Server 2016 and up). ApexSQL Log is a 3 rd party tool for SQL Server database auditing and data loss recovery which reads transaction log files and backups and enables users to examine them in a comprehensive grid and roll back or forward any logged changes.
The following are side by side comparisons of functionality, organized by category
Supported SQL Servers: Change Data Capture supports SQL Servers from 2008 or higher. In addition, the Enterprise edition of SQL Server is a requirement, except in SQL Server 2016 and higher. ApexSQL Log supports all SQL Server versions from version 2005 onwards and also fully supports all editions of SQL Server (Express, Standard, Developer, Enterprise). Auditing mechanisms Change Data Capture audits only online transaction log file and these mechanisms require installation and configuration of the tool in order to audit data. This means that auditing of events that have occurred prior to the CDC installation cannot be performed. ApexSQL Log on the other hand is able to audit transaction log files as well as backups, which means that once installed, ApexSQL Log will audit any events that have occurred long before the application has been installed in the environment. Transaction log and recovery model: Change Data Capture fully supports all recovery models (full, bulk-logged, simple). When a database is in the simple recovery model and SQL Server needs to truncate the online transaction log file, truncation will be postponed until CDC is successfully performed and audited information is extracted from the online transaction log file. ApexSQL Log offers two modes of auditing, Continuous and Ad hoc. With continuous auditing, ApexSQL Log is set up to poll the transaction log frequently and pump data to a repository, which ensures that the information inside the transaction log file is audited before the log file gets truncated. Using this method, ApexSQL Log can operate successfully regardless of the recovery modelIn ad hoc mode, where ApexSQL Log is used only when needed, for example in the case of a forensic auditing situation where data changes are being investigated, ApexSQL Log generally requires the database to be in the full recovery model
Data repository: Change Data Capture uses repository tables to store the audited data. These tables are created for each audited database separately. ApexSQL Logset up for continuous auditing, ApexSQL Log can create repository tables directly in the audited database, or any other database on any connectible SQL Server instance when set up for continuous auditing. The repository in this cases is centralized and stores information for all tables, allowing for easy querying and reporting.
Used on an ad hoc basis, ApexSQL Log works without a repository, by reading the transaction log and rendering results directly to a grid in the user interface where the auditing results can be inspected and analyzed before pumping them into repository tables.
Auditing setup: Change Data Capture must be configured via usage of system stored procedures, which means that in order to setup CDC some SQL Server knowledge is required. In addition, there are no specific mechanisms in SQL Server Management Studio that will enable user to quickly complete the process. ApexSQL Log’s provides both a GUI and CLI to setup auditing, enabling users to configure auditing for many databases relatively quickly. In addition, users can save their configurations in a form of project which can be than latter applied to additional SQL Server instances and databases. Audited data: Change Data Capture audits DML changes only (vs DDL) and the information available is the operation type (insert, update or delete), basic historical data (history of change operations), and the data values before and after the change.Image may be NSFW.
Clik here to view.
ApexSQL Log audits both DML and DDL changes, but also provides additional important information, including who, when and complete historical data of each row affected by the data/structure change, as well as a variety of information regarding the operation and transaction that has occurred.
Image may be NSFW.
Clik here to view.
Audited data information comparison Information Description ApexSQL Log CDC Operation Operation type Schema Schema name of table affected by change Object Object affected by change User User that made the change User ID ID of the user that made the change Transaction state State of the transaction Begin/end times Time when the transaction begun and ended Transaction name Name of transaction Transaction ID ID of transaction Transaction duration Transaction length LSN Unique LSN identifier SPID Server process ID number Parent object Parent object of the affected object Parent schema Parent schema of