Auditing events are not inserted into the central repository database in a timely manner

Problem description

Auditing is configured and audited events can be seen in the repository and in the reports, but auditing events are not pulled to the repository for hours/days.

Cause

This kind of issue is usually caused by one of the following:

  • Connection issues
  • Auditing configuration is set to audit too many events and the central instance cannot process them in a timely manner causing the trace files to pile up on the audited instance and/or on the central repository temporary locations

Resolution

While the connection issues differ from one environment to another, resolving network congestion or connection breakdowns should be a high priority to fix not only for the auditing purpose but for the general environment as well.

The auditing configuration should always be checked and updated to ensure only a minimal number of events are being audited to ensure the high quality of the auditing trail.

Most commonly used practice is to use the elimination system – run the report previews and determine which events are taking the bulk of the auditing trail and try to exclude as many as possible by using filters, especially for application and logins (on the server level) and object filters (on the database level):

Auditing configuration using simple filter

It is a good practice to make sure to remove the piled up traces from the active traces folder while this issue is being resolved to lift up the processing encumbrance – simply move the content of the temporary folder (default is C:\ProgramData\ApexSQL\ApexSQLAudit\Auditing\SQL Server\Active Traces\) to another destination so processing of this bulk will halt and allow processing of freshly created traces while updating the configuration to be able to easily determine when the configuration is ‘proper’ enough to ensure smooth auditing in the future.

Once the new configuration is set, copy the (previously moved) trace files back to the origin folder to allow ApexSQL Audit to process them and insert all audited data into the central repository database.

As an additional step, in order to remove excess audited data, do the following:

  1. Click on the Maintenance button in the main ribbon
  2. Choose the Purge data option and complete the purge wizard to delete this specific data from the repository to make it easier to create and read the reports

Repository maintenance

 

Related posts:

  1. Inventory of system alerts for SQL auditing
  2. ApexSQL Audit glossary of terms
  3. SQL auditing and data flow overview with ApexSQL Audit
  4. FISMA (NIST800-53 rev. 4) compliance checklist for ApexSQL Audit
  5. Resolving SQL auditing connection issues