Microsoft SQL Server Audit
SQL Server Audit via Windows Event ID 33205 — login/logout lifecycle, DML queries (SELECT/INSERT/UPDATE/DELETE), stored procedure execution, schema changes (CREATE/ALTER/DROP), permission management (GRANT/DENY/REVOKE), role membership, backups, DBCC commands, and password changes.
Quick Start

```bash
uv tool install eventum-generator
git clone https://github.com/eventum-generator/content-packs.git
cd content-packs
eventum generate \
  --path generators/database-mssql-audit/generator.yml \
  --id mssql \
  --live-mode true
```

Event Types
| Event ID | Description | Frequency | Category |
|---|---|---|---|
| SELECT | Read queries on tables and views | ~35% | database |
| LOGIN | Successful login (creates session) | ~15% | authentication |
| LOGOUT | Session logout (correlated) | ~14% | authentication |
| UPDATE | Update queries on tables | ~10% | database |
| INSERT | Insert queries on tables | ~8% | database |
| EXECUTE | Stored procedure and function execution | ~7% | database |
| DELETE | Delete queries on tables | ~3% | database |
| LOGIN_FAILED | Failed login attempts | ~2.5% | authentication |
| SCHEMA_CHANGE | CREATE/ALTER/DROP tables, indexes, procs | ~2.3% | configuration |
| BACKUP | Database backup operations | ~1.5% | database |
| PERMISSION | GRANT/DENY/REVOKE permissions | ~1% | iam |
| ROLE_MEMBER | Add/remove role membership | ~0.3% | iam |
| PASSWORD | Password change events | ~0.2% | iam |
| DBCC | DBCC maintenance commands | ~0.2% | database |
Realism Features
- Session-correlated events — login creates a session reused by DML/DDL events, logout removes it, ensuring consistent user/IP/app context
- 5-host SQL Server fleet — production, reporting, staging, and dev instances with unique agent IDs and Windows Server OS metadata
- 13 SQL and Windows logins — sa, application service accounts, Windows domain users (CONTOSO\), and NT SERVICE accounts with weighted selection
- 6 databases with hierarchical schema/table/view/proc objects matching enterprise patterns (SalesDB, WebPortalDB, HR, CRM, DWH)
- Parameterized T-SQL statements — SELECT/INSERT/UPDATE/DELETE with @P1 parameters, schema-qualified object names
- Mixed authentication — SQL logins and Windows domain logins with proper user.domain extraction
- Failed logins with error XML — error codes 18456, states 2/5/7/8 in additional_information XML
Sample Output

```json
{
  "@timestamp": "2026-03-06T14:22:31.456789+00:00",
  "event": {
    "action": "login-succeeded",
    "category": ["database", "authentication"],
    "code": "33205",
    "dataset": "microsoft_sqlserver.audit",
    "kind": "event",
    "module": "microsoft_sqlserver",
    "outcome": "success",
    "type": ["connection", "start"]
  },
  "sqlserver": {
    "audit": {
      "action_id": "LGIS",
      "class_type": "LX",
      "database_name": "master",
      "server_instance_name": "SQLPROD01\\MSSQLSERVER",
      "server_principal_name": "api_service",
      "session_id": 52,
      "succeeded": 1
    }
  },
  "user": { "name": "api_service" },
  "source": { "ip": "192.168.12.45", "port": 52134 },
  "winlog": { "channel": "Security", "event_id": "33205" }
}
```

Parameters
| Parameter | Default | Description |
|---|---|---|
| domain | CONTOSO | Windows domain name for domain logins |
| agent_version | 8.17.0 | Winlogbeat agent version string |
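The session correlation and the failed-login error XML described under Realism Features, applied to events in the ECS shape shown under Sample Output, as an added example that is not part of this content pack or of eventum itself: a small Python checker that rebuilds sessions from the login/logout lifecycle, flags activity whose session has no opening login, and decodes the state of error 18456 from `additional_information`. The input events are constructed inline; the `statement` field, the `_ev` helper, and the layout of the `additional_information` XML (modelled on SQL Server's `action_info` element) are assumptions, not captured generator output.

```python
"""Check session correlation and decode failed logins in SQL Server Audit
(Event ID 33205) events emitted in the ECS layout shown above.
Hypothetical helper written for this page; not part of eventum."""
import json
import xml.etree.ElementTree as ET

# Documented meanings of the error 18456 states this generator emits.
STATE_MEANING = {
    2: "user id is not valid",
    5: "user id is not valid",
    7: "login is disabled and password mismatch",
    8: "password mismatch",
}

# Constructed failed-login XML; the action_info layout is an assumption.
FAILED_XML = (
    '<action_info xmlns="http://schemas.microsoft.com/sqlserver/2008/sqlaudit_data">'
    "<pooled_connection>0</pooled_connection><error>0x00004818</error>"
    "<state>8</state><address>192.168.40.9</address></action_info>"
)


def _ev(action_id, session_id, principal, ip, succeeded=1, **extra):
    """Build one constructed event line with only the fields read below."""
    audit = {"action_id": action_id, "session_id": session_id,
             "server_principal_name": principal, "succeeded": succeeded, **extra}
    return json.dumps({"event": {"code": "33205"}, "sqlserver": {"audit": audit},
                       "user": {"name": principal}, "source": {"ip": ip}})


# Constructed sample: one complete session, one orphan, one failed login.
SAMPLE_LINES = [
    _ev("LGIS", 52, "api_service", "192.168.12.45", database_name="master"),
    _ev("SL", 52, "api_service", "192.168.12.45", database_name="SalesDB",
        statement="SELECT OrderId, Total FROM dbo.Orders WHERE CustomerId = @P1"),
    _ev("LGO", 52, "api_service", "192.168.12.45"),
    # session 77 never logged in: the correlation check must flag it
    _ev("UP", 77, "web_app", "192.168.12.50", database_name="WebPortalDB",
        statement="UPDATE dbo.Users SET LastLogin = @P1 WHERE UserId = @P2"),
    _ev("LGIF", 0, "CONTOSO\\jdoe", "192.168.40.9", succeeded=0,
        additional_information=FAILED_XML),
]


def correlate_sessions(lines):
    """Rebuild sessions from LGIS/LGO events.

    Returns (sessions, problems): sessions maps session_id to the login's
    user/IP context, the action_ids seen and whether it is still open;
    problems lists (session_id, reason) for breaks in the correlation.
    """
    sessions, problems = {}, []
    for line in lines:
        e = json.loads(line)
        a = e["sqlserver"]["audit"]
        sid, act = a["session_id"], a["action_id"]
        if act == "LGIS":
            sessions[sid] = {"user": e["user"]["name"], "ip": e["source"]["ip"],
                             "actions": [], "open": True}
        elif act == "LGIF":
            continue  # a failed login never opens a session
        elif sid not in sessions:
            problems.append((sid, "activity without login"))
        elif act == "LGO":
            sessions[sid]["open"] = False
        else:
            s = sessions[sid]
            # DML/DDL in a session must carry the context of its login
            if (e["user"]["name"], e["source"]["ip"]) != (s["user"], s["ip"]):
                problems.append((sid, "user/ip differs from login"))
            s["actions"].append(act)
    return sessions, problems


def failed_logins(lines):
    """Decode error code and state from the additional_information XML."""
    out = []
    for line in lines:
        e = json.loads(line)
        a = e["sqlserver"]["audit"]
        if a["action_id"] != "LGIF":
            continue
        root = ET.fromstring(a["additional_information"])
        fields = {child.tag.split("}")[-1]: child.text for child in root}
        error = int(fields.get("error", "0"), 0)  # "0x00004818" -> 18456
        state = int(fields.get("state", "0"))
        out.append({"principal": a["server_principal_name"], "ip": e["source"]["ip"],
                    "error": error, "state": state,
                    "meaning": STATE_MEANING.get(state, "unknown state")})
    return out


if __name__ == "__main__":
    sessions, problems = correlate_sessions(SAMPLE_LINES)
    for sid, s in sessions.items():
        print(f"session {sid}: {s['user']}@{s['ip']} actions={s['actions']} open={s['open']}")
    for sid, why in problems:
        print(f"correlation break: session {sid}: {why}")
    for f in failed_logins(SAMPLE_LINES):
        print(f"failed login {f['principal']} from {f['ip']}: "
              f"error {f['error']} state {f['state']} ({f['meaning']})")
```

Run the script against the generator's own output (one JSON event per line) to confirm that every DML/DDL event lands inside a login-opened session before the data is used to test detections that key on session_id or user/IP context.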
Related Generators
MySQL Audit
MySQL Enterprise Audit Plugin events (ECS-compatible JSON) covering all four audit classes — connection, general, table_access, and audit. Generates connect/disconnect lifecycle, DML queries (SELECT/INSERT/UPDATE/DELETE), table access tracking, DDL schema changes, GRANT/REVOKE privileges, admin commands, query errors, and failed authentication attempts with realistic query statistics.
PostgreSQL Audit Logs
PostgreSQL with pgAudit — SELECT/INSERT/UPDATE/DELETE queries with parameterized statements, connection lifecycle, authentication failures, DDL operations, role management (GRANT/REVOKE), and database errors (deadlocks, constraint violations).
Windows Security Event Log
The Security channel of Windows Event Log — logon/logoff sessions, process creation, privilege escalation, account management, and audit policy changes from a 120-host Active Directory fleet.