One of the most common questions I hear from clients is:
“How can we track who is logging into our SQL Server environment?”
Whether you’re dealing with compliance requirements, security reviews, troubleshooting, or simply trying to understand who is connecting to your servers, login auditing is an important part of SQL Server administration.
Unfortunately, many organizations start with the wrong solution.
In this article, we’ll compare SQL Server Audit and Extended Events for login auditing, explain why using the SQL Server Error Log is usually a bad idea, and help you choose the right approach for your environment.
Why Login Auditing Matters
Login auditing isn’t just for security teams.
We frequently work with organizations in healthcare, finance, and other regulated industries that need to demonstrate compliance with standards such as:
- PCI DSS
- SOX
- HIPAA
- Internal security policies
Beyond compliance, login auditing can help answer important operational questions:
- Who logged into the production server at 2:00 AM?
- Which applications are actively using this SQL Server?
- Did someone log in using the SA account?
- Are service accounts being used from unexpected locations?
- Who needs to be migrated during a server upgrade?
Having reliable login data can save hours of investigation time.
The Wrong Way: Logging Successful Logins to the SQL Server Error Log
SQL Server includes a server-level option that allows you to log:
- Failed logins
- Successful logins
- Both successful and failed logins
While this might sound convenient, it’s rarely the right solution.
The Problems
When successful login auditing is enabled in the SQL Server Error Log:
- The log quickly becomes flooded with login messages.
- Important error messages become difficult to find.
- High-login environments can generate massive amounts of noise.
- Some login activity may not be captured as expected under heavy load.
The SQL Server Error Log is designed to help DBAs identify problems. Filling it with thousands of successful login entries makes troubleshooting significantly more difficult.
Our Recommendation
Keep failed login auditing enabled if you need it.
Avoid logging every successful login to the SQL Server Error Log.
Instead, use SQL Server Audit or Extended Events.
Option #1: SQL Server Audit
For most organizations, SQL Server Audit is the best place to start.
SQL Server Audit was specifically designed for security and compliance auditing. It provides a structured, reliable, and lightweight way to capture login activity.
Benefits of SQL Server Audit
- Tracks successful logins
- Tracks failed logins
- Records audit configuration changes
- Captures client IP addresses
- Compliance-friendly
- Minimal performance overhead
- Easy long-term retention
One particularly valuable feature is that SQL Server Audit can record when someone changes or disables the audit itself.
If an attacker attempts to tamper with your auditing configuration, that activity can also be captured.
Storage Options
Audit data can be written to:
- Audit files
- Windows Application Log
- Windows Security Log
Writing to the Windows Security Log is especially attractive in environments where centralized security monitoring is already in place.
Information Captured
A SQL Server Audit login event can include:
- Login name
- Session ID
- Client IP address
- Application name
- Event time
- Success or failure status
- Additional XML details
For many compliance requirements, this is exactly the information auditors want to see.
Option #2: Extended Events
Extended Events provides another excellent solution for login auditing.
In fact, SQL Server Audit is built on top of the Extended Events infrastructure.
Why Use Extended Events?
Extended Events offers:
- Extremely low overhead
- Greater flexibility
- Custom filtering options
- Login and logout tracking
- Ability to integrate with custom monitoring solutions
If you’re more interested in troubleshooting than compliance, Extended Events can be a very attractive option.
The Big Advantage: Logout Tracking
One significant difference between Extended Events and SQL Server Audit is that Extended Events can capture both login and logout events.
This allows you to answer questions such as:
- How long was a session connected?
- Which sessions remained open overnight?
- What was the average session duration?
This information can be extremely valuable during troubleshooting.
The Trade-Offs
Extended Events also comes with some limitations.
Compared to SQL Server Audit:
- Configuration can be more complex.
- Querying the results requires XML parsing.
- Some information may require additional event collection.
- Client IP addresses are not always readily available.
For experienced DBAs, these challenges are manageable. However, for organizations focused primarily on compliance, SQL Server Audit is usually simpler.
SQL Server Audit vs. Extended Events
| Feature | SQL Server Audit | Extended Events |
|---|---|---|
| Successful Login Tracking | Yes | Yes |
| Failed Login Tracking | Yes | Yes |
| Logout Tracking | No | Yes |
| Client IP Address | Yes | Limited |
| Compliance Friendly | Excellent | Good |
| Performance Impact | Very Low | Extremely Low |
| Windows Security Log Integration | Yes | No |
| Custom Flexibility | Moderate | High |
| Ease of Reporting | Easier | More Complex |
Best Practices for Login Auditing
Regardless of which method you choose, consider these recommendations.
Retain Data Appropriately
Some organizations only need a few days of history.
Others may need months or years of retention.
Consider:
- Archiving audit files
- Compressing older files
- Moving completed files to long-term storage
- Integrating with centralized logging systems
Monitor for Suspicious Activity
Once auditing is enabled, use the data.
Examples include:
- Logins outside business hours
- SA account usage
- Service accounts connecting from unexpected systems
- User accounts connecting from unusual locations
Simple SQL Agent jobs can be created to review audit data and generate alerts.
Filter Unnecessary Noise
Many environments generate repetitive login activity from:
- SQL Agent jobs
- Monitoring tools
- Application service accounts
Filtering these known connections can dramatically improve the usefulness of your audit data.
Which Option Should You Choose?
For most environments, I recommend starting with SQL Server Audit.
It provides:
- Excellent compliance support
- Rich login information
- IP address tracking
- Simple reporting
- Minimal performance impact
If you need logout tracking, advanced customization, or highly detailed troubleshooting, then Extended Events may be the better choice.
Either way, you’ll get much better results than filling your SQL Server Error Log with successful login messages.
Need Help with SQL Server Auditing?
At Stedman Solutions, we regularly help clients implement login auditing, security monitoring, compliance reporting, and SQL Server performance tuning.
Whether you’re preparing for a compliance audit, investigating suspicious activity, or simply trying to understand who is using your SQL Servers, our team can help.
For DBA-managed services, Stedman Solutions are true SQL Server specialists delivering the best staffing, expertise, monitoring, support, mentoring, and price performance.
Learn more about our managed services at https://stedmansolutions.com/managed-services/.
You can also monitor your SQL Server environment using Database Health Monitor, our powerful monitoring and diagnostic tool available at http://DatabaseHealth.com.
If you have questions about login auditing or SQL Server security, contact us at https://stedmansolutions.com/contact-us/.
Check out our main podcast page at https://stedmansolutions.com/home/sql-server-podcast/
And don’t forget to listen on Spotify at https://open.spotify.com/episode/1xXEYZrRHnNxYjeHsY20IW?si=RkjtGQB2QPu8PSPv9-lsVA
More from Stedman Solutions:
Steve and the team at Stedman Solutions are here for all your SQL Server needs.
Contact us today for your free 30 minute consultation..
We are ready to help!