Azure Log Analytics (OMS) Agent now collects SQL Server audit logs
We are happy to inform that the Azure Log Analytics (OMS) Agent is now capable of pushing SQL Server audit logs into Azure Log Analytics (OMS), supporting SQL Server both on-premises, as well as on Azure VMs.
The Azure Log Analytics (OMS) platform can now be used as a centralized data store for all your SQL Server audit logs, for deeper visibility and advanced cross-resource analytics.
To enable this new capability, SQL Server audit logs need to be written to the Windows Application Log. This can be configured using T-SQL, as well as via the Audit Properties in SSMS:
CREATE SERVER AUDIT MyServerAudit
WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE)
After setting up SQL Server auditing as described above, the Azure Log Analytics (OMS) agent should be configured to send logs to a Workspace. This can be done from Control Panel –> Microsoft Monitoring Agent Properties –> Azure Log Analytics (OMS)
Finally, the Azure Log Analytics (OMS) Workspace needs to be configured to collect Application Logs. This can be done from the Azure Login Analytics / OMS portals via Settings –> Data –> Windows Event Logs –> Application:
SQL Security team