Auditing and Event Collection
When auditing is enabled, the Events screen displays audit events collected from SQL instances. It offers two main views, both of which respond to the selected time range and any filters:
Overview Screen: Displays the total count of each event per instance, with options to group the data by instance, database, or SQL statement.
Details Screen: Lists all events for the selected instance that occurred within the specified time range, displayed in chronological order and sortable.
Both pages can be filtered using drop-down menus and the selected time range, which persist between screens. For more details about the filters, refer to the Drop-Down Filters section of the User Guide.
Enabling Auditing
To enable auditing, submit a support request to support@fortified.com to activate the Events collection. Specify that you are requesting the Events Collection and indicate whether it should be enabled for all instances or specific ones.
This request authorizes the creation of necessary objects for the Events collection on each specified instance, including:
WISdom database: Stores collected audit data
Job (WISdom - Run Operations): Executes every minute to gather data from the Server Audit and XE Session, storing it in the WISdom database
Server Audit (WISdom_Default_Audit): Captures audit events
XE Session (WISdom_Deadlock_Session): Captures deadlock events
The WISdom service then uploads this data from the database to the WISdom Cloud every minute, ensuring minimal data buildup in the WISdom database and enabling real-time display in the UI.
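To confirm that the objects listed above exist and are running on an instance, a DBA can query the SQL Server catalog views. This is an added example, not code supplied by Fortified. It uses the object names given on this page and assumes that the job is a SQL Server Agent job and that a server audit specification is bound to the audit (the page does not name one).

```sql
-- Added example: read-only checks, run as a login with VIEW SERVER STATE
-- and VIEW ANY DEFINITION. Object names are taken from the list above.

-- 1. WISdom database is present and online
SELECT name, state_desc, create_date
FROM sys.databases
WHERE name = N'WISdom';

-- 2. Server audit is defined and started (status_desc = STARTED)
SELECT a.name, a.is_state_enabled, a.on_failure_desc,
       s.status_desc, s.audit_file_path
FROM sys.server_audits AS a
LEFT JOIN sys.dm_server_audit_status AS s
       ON s.audit_id = a.audit_id
WHERE a.name = N'WISdom_Default_Audit';

-- 3. Action groups captured by that audit. Assumption: a server audit
--    specification is bound to it; the join finds it by audit_guid.
SELECT sp.name AS specification_name, sp.is_state_enabled,
       d.audit_action_name
FROM sys.server_audits AS a
JOIN sys.server_audit_specifications AS sp
     ON sp.audit_guid = a.audit_guid
JOIN sys.server_audit_specification_details AS d
     ON d.server_specification_id = sp.server_specification_id
WHERE a.name = N'WISdom_Default_Audit'
ORDER BY d.audit_action_name;

-- 4. Deadlock XE session is defined and currently running
SELECT es.name, es.startup_state,
       CASE WHEN xs.name IS NULL THEN 'STOPPED' ELSE 'RUNNING' END AS run_state
FROM sys.server_event_sessions AS es
LEFT JOIN sys.dm_xe_sessions AS xs
       ON xs.name = es.name
WHERE es.name = N'WISdom_Deadlock_Session';

-- 5. Collection job is enabled; last five outcomes (run_status 1 = succeeded).
--    Assumption: the job is a SQL Server Agent job stored in msdb.
SELECT TOP (5) j.name, j.enabled, h.run_date, h.run_time, h.run_status
FROM msdb.dbo.sysjobs AS j
LEFT JOIN msdb.dbo.sysjobhistory AS h
       ON h.job_id = j.job_id AND h.step_id = 0
WHERE j.name = N'WISdom - Run Operations'
ORDER BY h.instance_id DESC;
```

An empty result from query 3 means the audit has no server-level action groups attached, so it would record nothing at the server level even when it is started.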
Enabling auditing offers the added benefit of more frequent deadlock information collection. Typically, deadlock data is gathered hourly from the SQL Server Health XE Session, system_health. However, on very busy SQL instances, deadlock events may be purged before the hourly collection, leading to missed deadlocks. With the WISdom_Deadlock_Session, data is collected every minute, ensuring a more accurate and timely capture of deadlock events.
Both the Overview and the Details pages can be customized with the available drop-down filters and the time range selector; the selections persist between screens.
For more guidance on using filters and navigating the interface, check out the Tools section of the User Guide, specifically:
Drop-down Filters documentation
Choosing a Time Range documentation
The filter options available for the two screens are as follows:
Instance - The name of the instance being monitored.
Database - Name of a database. The same database name may appear on more than one instance.
Object Type - Displays the predefined Object Types that are audited. These Object Types have been logically grouped according to the Event Type. (See Event Type below for more information and a link to the Microsoft documentation.)
Event Type - Provides the Event Types to be filtered based on server level and database level Action Groups. More information can be found on the Microsoft Learn site with the SQL Server Audit Action Groups and Actions document.
Tag - Allows the Events to be filtered based on tags assigned to the objects. See the Tags page for detailed information on managing tags.
Expand the Overview or Details for more information.
Overview
The Overview screen is your go-to hub for event data! It showcases the total count of events with two dynamic sections: the Events table and the Slicers. Dive into the data and explore the frequency of events in a visually appealing and interactive way.
Events Table
The Events table displays the total count of events by instance and database within the specified time range. You can further organize this data using the Group By feature, which allows you to categorize events by Instance, Database, or SQL Statement. This provides a detailed breakdown of event counts for each selected group.
While the Slicers also show the total count for each group, the Group By feature lets you expand individual objects to view counts for their sub-objects. For example, if you group by database and expand the "master" database, you'll see all events associated with that database across different instances.
This functionality offers a comprehensive view of event distribution, helping you analyze and understand event patterns more effectively.
The table includes standard functions available for most tables in WISdom, such as:
Search bar: Quickly find specific events.
Group By drop-down: Organize data by Instance, Database, or SQL Statement.
Action icon: View the table in full screen or export data to Excel.
Row display options: Change the number of rows displayed on the screen (lower left corner).
Each row has standard functionalities:
Column actions: Some columns allow you to add or exclude filters or copy text.
SQL Statement column: Clicking this column displays the full text of the statement in a flyout.
Row Action Icon: Navigates to the Details screen, applying the filter for the selected instance.
Slicers
The Slicers panel is open by default. If it's not visible, click the blue funnel icon in the upper right corner to display it. For more screen space, you can collapse the slicers by clicking the blue bar labeled "Slicers" or the funnel icon again. Refer to the Slicers documentation for additional functionality.
The slicers provide quick access to the total count of events by various categories. In the Events - Overview screen, the categories include:
Top Instances
Top Databases
Top Statements
Top Audit Events
Each category is collapsible, sortable by column, and can be displayed in full screen or exported. This allows you to easily navigate and analyze the event data based on your specific needs.
Details
The Details screen focuses on data for a single instance. Upon accessing this screen, any filters applied on the previous screen will remain active. If no instance is selected, a message will prompt you to choose an instance to display data. You can modify filters and the time range directly on this screen without returning to the Overview screen.
Event Table
The Event table is the primary information source on this screen. It lists all events that occurred within the specified time range based on the selected filters. By default, the list is sorted by date in descending order, but it may be sorted by any column. Additionally, a search feature is available in the upper right corner of the table.
The table includes standard functions available for most tables in WISdom, such as:
Search bar: Quickly find specific events.
Action icon: View the table in full screen or export data to Excel.
Row display options: Adjust the number of rows displayed on the screen (located in the lower left corner).
Each row offers the following functionalities:
Column actions: Some columns allow you to add or exclude filters or copy text (Instances and Databases).
SQL Statement column: Clicking this column reveals the full text of the statement in a flyout.