Forum Discussion

ChrisCurtisIT's avatar
ChrisCurtisIT
Brass Contributor
Jul 10, 2024

Unable to View Audit Logs

Hi all!  I am once again coming to you, asking for assistance. We had a security alert in Azure and I was able to go all the way through to see what the issue was, BUT when I try to go into the...
azure
azure resource manager
microsoft sentinel
adrianberezin's avatar
adrianberezin
Copper Contributor
Oct 21, 2024

ChrisCurtisIT 
Hello Chris,
I faced the same problem with Audit, and before this problem I a bit extended QUERY STORE. The logs stopped working because of the low free space of about 100 MB.

 

 

 

 

ALTER DATABASE [sqldb-p-xxxxx]
SET QUERY_STORE = ON
    (
      OPERATION_MODE = READ_WRITE,
      CLEANUP_POLICY = ( STALE_QUERY_THRESHOLD_DAYS = 30 ),
      DATA_FLUSH_INTERVAL_SECONDS = 900,
      MAX_STORAGE_SIZE_MB = 1000,
      INTERVAL_LENGTH_MINUTES = 60,
      SIZE_BASED_CLEANUP_MODE = AUTO,
      QUERY_CAPTURE_MODE = AUTO
    );

 

 

 

But apart from this, I can read my Blob storage with logs  with a simple query 
So for now this approach that I'm using is the only way to check the logs.....

 

 

 

SELECT *
FROM sys.fn_get_audit_file('
https://xxxx.blob.core.windows.net/sqldbauditlogs/xxx/xxxxx/SqlDbAuditing_ServerAudit/2024-10-11/08_46_00_673_697.xel'

 

 

 

 

So, I guess the problem with the amount of data.
In my case, it is about 30-50 records x 50MB  per day, and as far as I remember Audit is using the whole folder PATH and not the exact file, and it can be the problem

Resources