Case 1: Is Advanced Auditing enabled?  

1. Open EventLog Analyzer and go to Settings > Database Audit > SQL Servers.

2. The DDL/DML Monitoring column should show Manage for the required instance. If it says Not configured, then edit the required instance, and enable Advanced Auditing.

Note:

1. Advanced Auditing always needs to be enabled for successful database auditing.

2. Advanced Auditing needs to be enabled only for the initial configuration of the DDL/DML Monitoring and Column Integrity Monitoring features.

Case 2: Are the audit policies configured?  

1. Open SQL Server Management Studio in the Windows machine in which SQL Server is installed, and connect to the required instance.
   

2. Click the Security option.
   

3. The Server Audit Specifications section should have an audit specification with a name starting with ME_LOG360. Ensure it is enabled.
   

4. Double-click the audit specification:
         a. Find the name of the mapped audit in the Audit field. An audit with the same name should be present under the Audits section (Security > Audits). Ensure it is enabled.
         b. The Audit Action Type should contain the following policies:
   
                   

   1. SCHEMA_OBJECT_ACCESS_GROUP

   2. DATABASE_CHANGE_GROUP

   3. SCHEMA_OBJECT_CHANGE_GROUP

   4. DATABASE_OBJECT_CHANGE_GROUP

   5. DATABASE_OBJECT_ACCESS_GROUP

   6. DATABASE_PRINCIPAL_CHANGE_GROUP

   7. SERVER_PRINCIPAL_CHANGE_GROUP

   8. SERVER_OBJECT_CHANGE_GROUP

   9. APPLICATION_ROLE_CHANGE_PASSWORD_GROUP

   10. LOGIN_CHANGE_PASSWORD_GROUP

   11. USER_CHANGE_PASSWORD_GROUP

   12. BACKUP_RESTORE_GROUP

   13. SERVER_ROLE_MEMBER_CHANGE_GROUP

   14. DATABASE_ROLE_MEMBER_CHANGE_GROUP

   15. DATABASE_OBJECT_PERMISSION_CHANGE_GROUP

   16. DATABASE_PERMISSION_CHANGE_GROUP

   17. SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP

   18. SERVER_OBJECT_PERMISSION_CHANGE_GROUP

   19. SERVER_PERMISSION_CHANGE_GROUP

   20. DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP

   21. DATABASE_OWNERSHIP_CHANGE_GROUP

   22. SCHEMA_OBJECT_OWNERSHIP_CHANGE_GROUP

   23. SERVER_OBJECT_OWNERSHIP_CHANGE_GROUP

   24. AUDIT_CHANGE_GROUP

   25. TRACE_CHANGE_GROUP

   26. SERVER_STATE_CHANGE_GROUP

   27. SUCCESSFUL_LOGIN_GROUP

   28. FAILED_LOGIN_GROUP

   29. LOGOUT_GROUP
       
       

   Case 3: Are EVENTID=33205 events logged in the Event Viewer?  

   1. In the target Windows machine where SQL Server is installed, open the Event Viewer > Application, and check for events with EVENTID=33205.
      
      

   2. If events with EVENTID=33205 are not present, simulate some events, e.g.: log in to the SQL Server instance using SQL Server Management Studio. A successful login will generate an event with EVENTID=33205 and action_id=LGIS, and a failed login will generate an event with EVENTID=33205 and action_id=LGIF.
      
              a. If events still don't appear check Case 4: Is the Event Viewer holding events for more than the monitoring interval (default: 10 minutes)?

    

   Case 4: Is the Event Viewer holding events for more than the monitoring interval (default: 10 minutes)?  

   Are events in the Event Viewer getting overwritten with new events before EventLog Analyzer can collect them? Ensure that the time difference between the first and the last log of Event Viewer is greater than the monitor interval. If not, increase the size of the Security category.

    

   Case 5: Are any Log Collection Filter profiles in EventLog Analyzer filtering out the logs?  

   In EventLog Analyzer, go to Settings > Admin Settings > Log Collection Filters, and ensure that no filter profiles are configured to drop the expected logs.