This article is half-done without your Comment! *** Please share your thoughts via Comment ***
I know, you guys are thinking that why we require DDL Trigger to track database changes in SQL Server.
SQL Server already has Changed Data Capture (CDC) and Audit option.
When we are talking about DDL Trigger, compare to other automated process this manual process is still preferred by SQL DBA because It is easy to use and manage.
A Database Administrator is also responsible for all different types of Database Security like: Database / Schema / Object level permission, Tracking object creation.
I have enabled SQL Server Audit for one of our production report server, but some time It does not work as per the expectation.
I have searched the alternate solution and found that we can create DDL trigger on a database to track the DDL operation of different objects.
We can also use DDL triggers to verify the result of SQL Server Audit.
Other take care points of DDL Trigger are:
Only SA or Admin user has to perform this stuff. The DBA should restrict other common database user to view or modify the DDL trigger.
It should be encrypted.
If our database is heavily loaded with tons of transaction, we should not create any type of DDL trigger on it.
Here, I am creating one encrypted DDL Trigger which tracks different types of object like:
Stored Procedure, Table, View, Function, Trigger, Sequence, Index.
Step to create Encrypted DDL Trigger:
First Create separate database:
1 2 |
CREATE DATABASE [DDLChanges] GO |
Create one table which will hold all event information:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
CREATE TABLE [DDLChanges].[dbo].[tbl_TrackDDLChanges]( [EventDate] [datetime] NOT NULL DEFAULT (getdate()), [EventType] [nvarchar](64) NULL, [EventDDL] [nvarchar](max) NULL, [LoginName] [nvarchar](255) NULL, [DatabaseName] [nvarchar](255) NULL, [SchemaName] [nvarchar](255) NULL, [ObjectName] [nvarchar](255) NULL, [HostName] [varchar](64) NULL, [IPAddress] [varchar](32) NULL, [ProgramName] [nvarchar](255) NULL, [EventXML] [xml] NULL ) GO |
SELECT your application Database and create below encrypted DDL trigger:
If you require to enable DDL trigger on multiple database, execute DDL trigger one by one on each require a database.
Please do not create a DDL Trigger on [DDLChanges] database, that we have created in the first step which is for tracking purposes.
Now, perform any DDL action on your database and check [DDLChanges].[dbo].[tbl_TrackDDLChanges] table where you can find important information like: which SQL Query, who created, which host, what time, on which database and other.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 |
CREATE TRIGGER [trg_DDL_Changes] ON DATABASE WITH ENCRYPTION FOR CREATE_PROCEDURE ,ALTER_PROCEDURE ,DROP_PROCEDURE ,CREATE_TABLE ,ALTER_TABLE ,DROP_TABLE ,CREATE_VIEW ,ALTER_VIEW ,DROP_VIEW ,CREATE_FUNCTION ,ALTER_FUNCTION ,DROP_FUNCTION ,CREATE_TRIGGER ,ALTER_TRIGGER ,DROP_TRIGGER ,CREATE_SEQUENCE ,ALTER_SEQUENCE ,DROP_SEQUENCE ,CREATE_INDEX ,ALTER_INDEX ,DROP_INDEX AS BEGIN SET NOCOUNT ON; DECLARE @EventData XML = EVENTDATA(); DECLARE @ip VARCHAR(32) = ( SELECT client_net_address FROM sys.dm_exec_connections WHERE session_id = @@SPID ); INSERT DDLChanges.dbo.tbl_TrackDDLChanges ( EventType ,EventDDL ,LoginName ,DatabaseName ,SchemaName ,ObjectName ,HostName ,IPAddress ,ProgramName ,EventXML ) SELECT @EventData.value('(/EVENT_INSTANCE/EventType)[1]','NVARCHAR(100)') ,@EventData.value('(/EVENT_INSTANCE/TSQLCommand)[1]','NVARCHAR(MAX)') ,SUSER_SNAME() ,DB_NAME() ,@EventData.value('(/EVENT_INSTANCE/SchemaName)[1]','NVARCHAR(255)') ,@EventData.value('(/EVENT_INSTANCE/ObjectName)[1]','NVARCHAR(255)') ,HOST_NAME() ,@ip ,PROGRAM_NAME() ,@EventData END GO |