Designing Tables for Audit Data in SQL Server

By: Jeremy Kadlec   |   Read Comments (5)   |   Related Tips: More > Auditing and Compliance

Problem
My company is just starting to look at adding functionality to retain historical data for key tables and columns for auditing purposes in many of our SQL Server databases.  I have seen some of your recent tips related to triggers (Forcing Trigger Firing Order in SQL Server and Trigger Alternatives in SQL Server - OUTPUT Clause).  Based on using triggers or a similar technology, what is the best way to store the historical data?  What options are available to store the data?  Are there really a variety of options?  Should the historical data be in the same database as the original data?  Does it really make a difference?

Solution
Being in the position to start to capture historical data is a good one.  This gives you the opportunity to build a solution that can be used across various applications in the enterprise.  As such, this is a big undertaking so an appropriate amount of time should be spent planning, building, testing and implementing the solution.  If you agree with that premise, then this need should be considered a project and a formal process should be followed if the decisions you make have a wide scope across your applications and business processes.

Requirements

If you agree that capturing auditing data is a project, then it is appropriate to start with defining the requirements for the project.  Consider gathering the following information as a baseline set of requirements:

• Find out what data needs to be audited
• Find out why the data is going to be audited
• Find out how the data is going to be used
  • Reporting and\or Business Intelligence
  • Historical record of changes for customer service purposes
  • Legal or regulatory requirements
• Find out which databases and applications need to be audited
• Find out what type of meta data needs to be stored with the audited data
  • Start date
  • End date
  • Start date and end date
  • Date the record was captured
  • User making the change
  • Corresponding application, database, SQL Server instance, etc.
• Reporting needs
  • Line of business reporting
  • Monthly reporting
  • Business process reporting
  • Reporting frequency
  • Reporting users
  • Line of business application access to the auditing data
• Data collection
  • Determine if triggers, the OUTPUT clause, stored procedure logic, application logic, Service Broker or some combination of these approaches will be responsible for writing the data to the audit tables
• Data consistency requirements
  • Based on how the data is going to be used determine if all of the audit data should\could be stored in the same format
• Audit data location
  • Stored with the base data i.e. same database or in a separate file group on a different disk sub system
  • Stored in a specific database on the instance i.e. separate database
  • Stored in a centralized SQL Server database i.e. remote instance

Design Options

As indicated above, a couple of key technical design decisions relate to how the data is written to the auditing tables, where the auditing data is stored and if a consistent approach can be used to store the data for reporting purposes.  With different answers to these questions leading to a different solution, let's outline a few different sample ideas to see if any of these could resolve your issue:

Depending on where the data is stored (i.e. instance, centrally, etc.) it is necessary to store additional data for reporting purposes.  These columns may include:

• Per Instance - Centralized auditing on a per SQL Server instance perspective
  • Source database
• Per Application - Centralized auditing per line of business application
  • Source database
  • Source application
• Per Environment - Centralized auditing across all production SQL Server instances
  • Source database
  • Source application
  • Source SQL Server instance

In addition to adding columns to the tables as the suggestions above outline, it is also necessary to setup the infrastructure from a data perspective to replicate the data or be able to write the data directly to the tables.  This could mean taking one of more of the following approaches:

• Adding permissions to accounts
• Coding the logic in a trigger to write centrally
• Including a separate auditing connection string in the application
• Setting up a Linked Server to enable writing the data
• Writing the data locally then replicating centrally
• Using SQL Server Integration Services to capture the data and write it locally on a specific interval
• Use Service Broker to write data to a queue for centralized processing

Next Steps

• As you are faced with auditing needs, consider the information in this tip as a jumping off point to determine what information is needed when planning, designing, developing, testing and implementing a solution.
• The code examples in this tip are just that, examples.  As you begin to define your auditing infrastructure, consider how these tables took advantage of a generic means to stored audited data either via table structures or an XML data type.  If these solutions only meet 80% of the auditing need in your environment, research how these general ideas can be modified to meet your needs, whether it is including multiple [BaseTableUniqueKey_Value] columns or having different data types for the columns or whatever the case may be.
• If you choose to have some sort of centralized solution be sure to setup the needed infrastructure to support the centralized solution.  Be sure this does not cause any sort of performance or security issue.  In addition, consider getting creative with some of the new SQL Server 2005 features such as Service Broker or SQL Server Integration Services.
• Depending on the particular auditing need, consider using columns with the XML data type to store the data.  This may be a simple and elegant way to support a number of different audited data sets from different base tables, if needed.
• Check out these additional resources:
  • Forcing Trigger Firing Order in SQL Server
  • Trigger Alternatives in SQL Server - OUTPUT Clause
  • Disable Triggers in SQL Server 2005
  • Auditing DDL (Create, Alter, Drop) Commands in SQL Server 2005

Last Update: 4/2/2008

About the author

Jeremy is the CTO @ Edgewood Solutions, co-founder of MSSQLTips.com and SQL Server MVP since 2009.

View all my tips

We Recommend

• More SQL Server DBA Tips...

Comments and Feedback:

Wednesday, April 02, 2008 - 11:56:06 AM - MarkJo_FP

Read The Tip

I also have to do data change auditing on our database.  Our current implementation has been in place for several years but I am looking at changing it.  The new approach is based on an article by Itzik Ben-Gan a couple years ago.  Below is a summary of the current approach and the proposed approach.  Any comments would be greatly appreciated.   Current Approach Currently auditing is done with 3 "INSTEAD OF" triggers (trg<tableName>Insert, trg<tableName>Update, trg<tableName>Delete) on each table and 2 auditing tables (AuditLog and AuditDetail). The insert trigger copies the data from Inserted to a temp table, calls a procedure that populates the AuditLog table with the table name, Table PK, Operation, who made the change, the time of the change and what computer the changes was made on. The procedure then inserts a row for each column of the table into the AuditDetail table. This contains the column name, old value (always NULL in this case) and new value. Once the procedure is completed the temp table is dropped and the data from INSERTED is inserted into the base table. The Update trigger copies data from Inserted and Deleted into temp tables and calls a procedure that populates the AuditLog table just like the insert trigger and then compares the inserted and deleted temp tables column by column and inserts a row in the AuditDetails table for each of the columns that have changed. The temp tables are then dropped and the base table is updated. The Delete trigger copies data from Deleted into a temp table and calls a procedure that populates the AuditLog table and inserts a row for each column of the table into the AuditDetail table and then deletes the record in the base table. Pros: Only 2 additional tables required. Cons: Performances is terrible in a table with millions of records. Bulk changes to a table take hours. New Approach What I am considering for the new approach is this.  One trigger on each table and 3 additional tables per audited table. The trigger identifies the type of statement that fired the trigger and the number of rows affected. Uses table variable instead of temp tables which allow roll back of a change with ability to log the attempted change. Has logic to log attempted changes to the data and block the change (e.g. changing the PK column or integrity violations). Each audited table will have a <TableName>AuditHeader table that contains the dmltype, date of change, who made the change, application name, what computer the change was made from, a failed flag and comment if the attempted change failed or was blocked. Each audited table will also have a <TableName>InsAuditDelDetail table that contain a FK to the header table and a column for each of the columns in the base table. This table will store the full row of data for inserts and deletes. The final table is <TableName>AuditUpdDetail. This table contain a FK to the Header table, the name of the column, the old value and new value for each of the columns that changed in the update. Pros: Performance is very good. I ran a change of several hundred thousand records and the time went from about 4 minutes to 6 minutes. A comercial package using two audit tables ran for 20 minutes and crashed. Current version ran for several hours and I killed it. Avoids hot spots created by all user changes resulting in hitting just 2 tables (the detail in particular). Cons: A lot of extra tables. May be more difficult to generate a view of all changes depending on requirements Admittedly bulk changes do not happen often but when they do it is a killer and we are seeing performance problems under normal use with the current approach when the log grows too large. Some of this can be mitigated by table and index changes. The <TableName>AuditUpdDetail could be eliminate and the <TableName>InsAuditDelDetail used. The before and after values would need to be determined by comparison of the 2 records. I have seen this approach also. Another downside to this is that you are storing an entire record even if only one column changed (a big hit for tables with image data, file attachments, etc.)

Friday, April 04, 2008 - 7:21:33 AM - admin

Read The Tip

MarkJo_FP, Thank you for sharing some of the challenges you are facing today with auditing. Although your new solution does have many tables it sounds like the performance is acceptable and is something you are willing to manage. How do you think a generic solution either with an XML column or a generic table would fair in that scenario? We have implemented both solutions under different circumstances and they have appeared to perform well and meet the overall reporting needs. Just interested in your thoughts on the matter as opposed to recommending a different approach. Thank you, The MSSQLTips.com Team

Tuesday, April 08, 2008 - 9:30:14 AM - MarkJo_FP

Read The Tip

If I am understanding your generic solution, I think it is very similar to out current approach of using 2 tables.  Your implementation has the flexibility to audit selected columns in a table whereas we audit the entire table.  I assume you use triggers to populate these tables when a change is made.  You are storing the table and column information in one table whereas we have a header table where we store the table name, rowid, operation, modifiedby, modifieddate and computername and then a child table which stores the column name, old value and new value. Since you are storing only one value for the column you are apparently storing either the new value for the column or the old value for the column.  How do you distinguish between inserts, updates and deletes when reporting?  How does it handle failed update attempts? We have an auditlog viewer as part of the product that allows searching the log based on a variety of criteria.  Without storing the old and new values I assume you would need to join on the previous change for that column.  Storing the Old and New values is where we ended up with the temp tables and INSERTED and DELETED tables as I described in my post. Have you tried doing a bulk load (or change) of data with your auditing in place.   It is not very common but I do run into it once in a while. If I am missing something in my assumptions above let me know.  I am always looking for better ways to deal with the auditing issues.  Thanks. Mark

Friday, April 11, 2008 - 10:08:41 AM - admin

Read The Tip

Mark, Thank you for the lengthy reply and feedback. Generic tables:  You are correct, only specific columns are being audited with the 2 table generic solution.  The requirement is not to audit the entire row. For the population, some of the data is populated via a trigger and other data is actually populated by calling a stored procedure when a specific set of logic is called in the front end application. We are storing new values and use the start date to determine when the new value went into effect. We do not have a need to distinguish between INSERT, UPDATE and DELETE statements.  I could see how that could be very important in some environments. We are not trying to capture failed attempts to INSERT, UPDATE and DELETE data.  Once again that is not a requirement, but with some data is sometimes more important than a normal change. Reporting is primarily from the front end application or custom reports. XML tables This option has much more flexibility and can include many of these items based on the XML schema. Once again may of the items you mentioned were not requirements, but I think this solution has a much easier means to change schema with less development time, but that could change based on implementation details. Thank you, The MSSQLTips.com Team

Thursday, May 27, 2010 - 4:08:52 PM - DylanGross	Read The Tip
Hello I am Dylan Goss and I love this forum. I hope to learn from you, thanks!

Post a Comment or Question

Keep it clean and stay on the subject or we may delete your comment.
Your email address is not published. Required fields are marked with an asterisk (*)

*Name

*Email

Notify for updates Signup for our newsletter

Comments *** NOTE *** - If you want to include code from SQL Server Management Studio (SSMS) in your post, please copy the code from SSMS and paste the code into a text editor like NotePad before copying the code below to remove the SSMS formatting.
*Enter Code

 

Sponsor Information

"Amazing, Amazing, Amazing! SQL doctor is truly one of the most powerful tools I have seen." SQL Monitor: prioritize your SQL Server workload with easy-to-use performance monitoring Is “blocking” a bad word at your company? Contact the Edgewood SQL Server Consultants for the resolution. In two mouse clicks view SQL bottlenecks. With ZERO impact pinpoint all poor performing SQL with 100% accuracy. Demystify TempDB Performance and Manageability