Troubleshooting: No data in Microsoft SQL Server DDL/DML report

Troubleshooting: No data in Microsoft SQL Server DDL/DML report

Issue description  

This article provides troubleshooting guidance for cases where no data appears under DDL/DML report in SQL Server auditing report.

Possible cause  

  1. Advance Auditing not enabled: This may occur if you have not enabled Advanced Auditing or if the user account used does not have sufficient permission to set audit policies in your SQL Server instance.
  2. Audit Policies are not configured properly in your SQL Server instance.
  3. Event ID = 33205 are not being logged in Event Viewer.
  4. Event Viewer does not hold the events for more than the monitoring interval.
  5. Misconfiguration of the log collection filter.
  6. You lack a license

  Prerequisites  

  • Need access to EventLog Analyzer console with an administrator role or custom role that has permission to view SQL Server reports and configure SQL Servers.
  • Need access to the SQL Server.
  • A SQL Server instance authentication account with the following permission:


Server roles
User mapping
Securables
  1. public
  2. server admin
public
  1. Connect SQL
  2. Alter any server audit
 

 Steps to follow  

There are two areas where you need to review if the data is not populated in the Reports section:
I. Configuration in the EventLog Analyzer user interface
II. SQL Server troubleshooting

 I.  Configuration in EventLog Analyzer user interface   

  1. Log in to the EventLog Analyzer console.
  2. Navigate to Settings > Database Audit > SQL Server.
  3. If the instance is not added, then refer to this page: How to add a SQL Server instance in EventLog Analyzer.
  4. If Advanced Auditing is not enabled under SQL Server Instance Configuration, add the Instance Name and Port number used by SQL server.
    1. Learn more about identifying the port number at the end of this document. 
    2. Set the Instance Authentication type and enter the credentials.
    3. If you are unable to verify the credentials in Advanced auditing, refer to this page to resolve the issue: Troubleshooting: MicroSoft SQL Server advanced auditing verification failed.
Note 1: The above mentioned credentials is the same as the user logon credential for the SQL Server instance.
Note 2: Enabling advanced auditing will create an audit policy and disabling advanced auditing will remove the audit policy on this SQL Server instance. Click here to learn more.
  1. Check whether any Log Collection Filter option is enabled, which might filter the log collection:
  • Basics of SQL event: 
  • Event Type: Application
  • Event ID: 33205
  1. If the above steps did not get the reports, check whether you have configured your SQL Server for Windows auditing. If yes, proceed with the next step; else, skip to II. SQL Server troubleshooting.
  2. Navigate to Settings > Log Source Configuration > Devices > Windows Device. Verify whether the Last Message Time reflects the present timestamp, indicating recent event collection. Additionally, ensure the Device Status is marked as Success to confirm that logs are being collected properly.
Case 1: Events are not collected in present, but the status is marked as Success 
Check out II. SQL Server troubleshooting and check whether the Events are recorded in the respective server's Event Viewer.
Case 2: Events are not collected in present and status is not marked as Success 
  1. If the status is not updated as success but is marked as any other errorslike agent not communicating, service status unavailable, RPC server unavailable, or Access Deniedthe log collection may not happen as intended. You need to resolve the error to have seamless log collection before proceeding with further steps. Refer to the following articles to resolve the error and check whether the data starts to populate:
    • Error: Agent troubleshooting : EventLog Analyzer
    • Error: service status unavailable : EventLog Analyzer
    • Error : RPC server unavailable - EventLog Analyzer
    • Error: Access Denied - EventLog Analyzer
  1. Once the status is updated, check whether the log collection happens and if the data is available in the reports.
  2. If the issue persists, check out II. SQL Server troubleshooting and check whether the Events are recorded in the respective server's Event Viewer.

  II. SQL Server troubleshooting  

 Step 1: Check whether Events are recorded in the native 
  • RDP to SQL server where instance is hosted.
  • Log in to your SQL Server.
  • Press Win + R to open the Run window, type and enter eventvwr.msc to open Event Viewer, expand Windows Logs, then select Application.
  • Choose Find option and enter the Event ID as "33205" to check whether the matching string value in the event exists. This will help you to identify whether the event is recorded.

If you notice Event ID 521 (Unable to Log Events to Security Log), Windows OS does not log Security events in Event Viewer. Refer to the following Windows documents to resolve this issue:
 
Other possibilities for having Event ID 521 and its fixes are as follows.
 Security log full 
  • Open Event Viewer and navigate to Windows Logs, then Security.
  • Check whether the log size has reached its limit.
  • Increase the maximum log size, as mentioned in Step 3
 Event logging is disabled 
  • Open Event Viewer, then expand Windows Logs.
  • Right click Application, then choose Properties to check whether logging is enabled.
 Windows Event Log service is not running 
  • Open the Run window (Win + R), then type and enter services.msc.
  • Locate Windows Event Log service, ensure it is running, and set to Automatic.
 
Step 2: Check whether audit policies are enabled in the SQL Server instance to record the events 
  1. Open SQL Server Management Studio on the Windows machine in which SQL Server is installed, and connect to the required instance.
  2. Click the Security option.
  3. The Server Audit Specifications section should have an audit specification with a name starting with "ME_LOG360". Ensure it is enabled.
  1. Double-click the audit specification:
  1. Find the name of the mapped audit in the Audit field. An audit with the same name should be present under the Audits section (Security > Audits). Ensure it is enabled.
  2. The Audit Action Type should contain the following policies:
  • SCHEMA_OBJECT_ACCESS_GROUP
  • BACKUP_RESTORE_GROUP
  • DATABASE_ROLE_MEMBER_CHANGE_GROUP
  • SERVER_ROLE_MEMBER_CHANGE_GROUP
  • FAILED_LOGIN_GROUP
  • SUCCESSFUL_LOGIN_GROUP
  • DATABASE_CHANGE_GROUP
  • DATABASE_OBJECT_CHANGE_GROUP
  • DATABASE_PRINCIPAL_CHANGE_GROUP
  • SCHEMA_OBJECT_CHANGE_GROUP
  • SERVER_PRINCIPAL_CHANGE_GROUP
  • LOGIN_CHANGE_PASSWORD_GROUP
  • SERVER_STATE_CHANGE_GROUP
 
Step 3:  Check whether Event Viewer is holding events for more than the monitoring interval (default: 10 minutes)  
EventLog Analyzer cannot collect the events in the Event Viewer if they are getting overwritten with new events before EventLog Analyzer can collect them. Follow these steps to
  1. Open Event Viewer and choose Windows Logs, right click Application, t select Properties.
  2. In the Log Properties - Application dialog box, ensure the maximum log size is set to at least 4GB to withstand the log flow rate. Also, enable the option to Overwrite events as needed (Oldest events first).
  3. Event Viewer must hold the logs for at least 15 minutes if the log collection mode is set to 10 minutes of interval.

   Tips   

  • EventLog Analyzer connects to SQL Server using TCP/IP, so ensure that TCP/IP is enabled for the instance:
  1. In the SQL Server Configuration Manager console, click SQL Server Network Configuration.
  2. Double-click Protocols for (the required instance). In the center pane, under the Protocol Name column, ensure TCP/IP is Enabled. If Disabled:
    1. Double-click TCP/IP, toggle the Enabled status from No to Yes, then click OK.
  3. Restart the SQL Server instance.
  •    The SQL Server instance should not use a dynamic port: 
  1. In the SQL Server Configuration Manager console, click SQL Server Network Configuration.
  2. Double-click Protocols for (the required instance). In the center pane, under the Protocol Name column, double-click TCP/IP.
  3. In the TCP/IP Properties pop-up, click the IP Addresses menu, and go to the IPAll section at the bottom.
  4. Ensure that the TCP Dynamic Ports field is empty.
 

How to reach support   

Gather related information of the above troubleshooting steps and click here to reach the support team for any assistance.
 


      New to M365 Manager Plus?
      New to M365 Manager Plus?
        New to RecoveryManager Plus?
        New to RecoveryManager Plus?
          New to Exchange Reporter Plus?
          New to Exchange Reporter Plus?
            New to SharePoint Manager Plus?
            New to SharePoint Manager Plus?
                See all integrations
                New to ADManager Plus?
                See all integrations
                New to ADManager Plus?

                  New to ADSelfService Plus?

                  Start your free trial
                  Start your free trial

                    • Related Articles

                    • What are the audit policies required to generate events for an SQL Server report?

                      Existing Reports vs SQL Server Policies S. no. Report Group Total Reports Report Name Criteria Required Server-level Audit Action Types 1 SQL Server Events 2 All Events - - Important Events - - 2 SQLServer Trend Report 2 Read Event Trend ...

                    • ​How to add an SQL server in EventLog Analyzer

                      Objective This article focuses on how to add SQL servers in EventLog Analyzer and receive the reports of SQL instances. Prerequisites Have access to the EventLog Analyzer console as an administrator Have access to the SQL server for manual ...

                    • Troubleshooting guide: No data available in a Compliance Report

                      Overview This document provides a technical explanation and resolution guide when there is no data being displayed under compliance reports in ManageEngine EventLog Analyzer. Compliance reports include regulatory standards such as PCI-DSS, HIPAA, ISO ...

                    • Why are some SQL Server reports showing no data?

                      Case 1: Are the required audit policies configured? Open SQL Server Management Studio application in the Windows machine in which SQL Server is installed, and connect to the required instance. Click the Security option. The Server Audit ...

                    • Why are SQL Server audit logs not collected?

                      Case 1: Is Advanced Auditing enabled? Open EventLog Analyzer and go to Settings > Database Audit > SQL Servers. The DDL/DML Monitoring column should show Manage for the required instance. If it says Not configured, then edit the required instance, ...

                      Related Products