Active Directory JSON Log File
The following information lists all of the attributes generated by Active Directory Activity Monitor into a JSON log file:
Attributes | Description |
---|---|
AffectedObject | If resolved, contains the DN of the object affected by the operation; otherwise, a textual representation of the object |
AffectedObjectAccountName | If resolved, contains the account name of the object affected by the operation |
AffectedObjectSid | If resolved, contains the SID of the object affected by the operation |
AgentDomain | Domain where SI agent is installed |
AgentHost | Host name where SI agent is installed |
AgentIP | IP address where SI agent is installed. If multiple IP addresses, one of them is reported. |
AuthenticationType | Indicates type of the authentication event. Possible values: Kerberos, NTLM. |
AuthProtocol | Indicates authentication protocol. Possible values: Unknown, Kerberos, KerberosTgs, KerberosAS, NTLM, NTLMv1, NTLMMixed, NTLMv2. |
Blocked | Indicates if operation was blocked by SI agent. Blocking policies are required. |
ClassName | Affected object class |
DesiredAccess | Security and access rights requested during OpenProcess invoke. List of possible values can be found at: https://docs.microsoft.com/en-us/windows/desktop/ProcThread/process-security-and-access-rights. |
EncryptionType | Indicates encryption type used in request part of the Kerberos ticket. Possible values: des_cbc_crc, des_cbc_md4, des_cbc_md5, reserved_0x4, des3_cbc_md5, reserved_0x6, des3_cbc_sha1, dsaWithSHA1, md5WithRSAEncryption, rc2CBC, rsaEncryption, rsaES, des_ede3_cbc, des3_cbc_sha1_kd, aes128, aes256, rc4_hmac, rc4_hmac_exp, subkey_keymaterial. |
EventResult | Result of the operation that triggered the current event |
EventType | Identifies event |
EventsCount | Number of similar events captured during consolidation period which is 1 minute by default |
From | Contains raw representation of the machine from which event was triggered |
FromHost | If resolved, contains host name of the machine from which event was triggered |
FromIp | If resolved, contains the IP address of the machine from which event was triggered |
FromMac | If resolved, contains mac address of the machine from which event was triggered |
IsN2Password | Indicates whether the password used for the authentication attempt was the account's previous password or the one before that (N-1 or N-2) |
IsUserExist | Indicates if user exists |
KerbAuthTime | Time at which KDC issued the initial ticket that corresponds to this ticket |
KerbEndTime | Ticket expiration time |
KerbRenewTill | Latest time at which renewal of ticket can be valid |
KerbSPN | Service principal name for which ticket was requested |
KerbStartTime | Ticket start time |
LogonType | Contains SECURITY_LOGON_TYPE. More details at https://docs.microsoft.com/en-us/windows/win32/api/ntsecapi/ne-ntsecapi-security_logon_type. |
NewAttributes | Map of new attributes where key is name and value attribute value |
NewName | New name of the AD object |
NlpLogonType | NTLM logon type. Possible values: Unknown, Interactive, Network, Service, Generic, TransitiveInteractive, TransitiveNetwork, TransitiveService |
OldAttributes | Map of old attributes where key is attribute name and value attribute value |
PAC | List of RIDs extracted from ticket authorization data |
ProcessID | Contains process ID that attempted to open LSASS process |
ProcessName | Contains process name that attempted to open LSASS process |
Protocol | Operation specific details |
QueryFilter | LDAP filter used in the operation |
QueryIsSSL | Indicates if LDAP connection is secure or not |
QueryObjectsReturned | Number of returned objects produced by the LDAP request |
Source | Indicates source of the operation. Currently can be: ‘Authentication’, ‘Active Directory’, ‘LSASS Guardian – Monitor’, ‘LDAP Monitor’, ‘AD Replication Monitoring’. |
Success | Indicates if original operation completed successfully or not |
TargetHost | Contains host name to which authentication attempt took place. In case of failed Kerberos AS, this field contains name of the domain controller. |
TargetHostIP | If resolved, contains IP address of the target host |
TargetProcess | Contains process name that is monitored. Currently this is only lsass.exe. |
TgsReplyEncryptionType | Indicates encryption type used in reply part of the TGS Kerberos ticket. Possible values the same as for EncryptionType. |
TimeLogged | UTC timestamp of the event |
UserDN | If resolved, contains the DN of the object that triggered the operation |
UserName | If resolved, contains the account name of the object that triggered the operation |
UserSid | If resolved, contains the SID of the object that triggered the operation |
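The attributes above are enough to drive first-pass triage of the authentication and LSASS Guardian records. The following is an added example (not code from the product or its documentation) that reads the JSON log as one object per line (an assumption; the page does not state the line layout), flags RC4-encrypted TGS replies (cheap to crack offline, the Kerberoasting pattern), NTLMv1 authentications, and unblocked lsass.exe access from processes outside an allowlist, and counts distinct SPNs requested per user. `LSASS_ALLOWLIST`, the rule names and the sample records are constructed for illustration.

```python
"""Triage of Active Directory Activity Monitor JSON records.

Added example, not code from the product or its documentation. It assumes
one JSON object per line (the page does not state the line layout) and uses
only attribute names from the table above. LSASS_ALLOWLIST and the sample
records are constructed for illustration.
"""
import json

# Kerberos ticket encryption types that are cheap to crack offline.
RC4_ETYPES = {"rc4_hmac", "rc4_hmac_exp"}

# Assumption: processes expected to open lsass.exe in this environment.
LSASS_ALLOWLIST = {"msmpeng.exe", "csrss.exe", "wininit.exe", "services.exe"}

# Constructed sample records (not real captures), one JSON object per line.
SAMPLE_LOG = """\
{"TimeLogged":"2021-06-11T12:00:01.000Z","Source":"Authentication","AuthenticationType":"Kerberos","AuthProtocol":"KerberosTgs","UserName":"jdoe","UserSid":"S-1-5-21-1-2-3-1105","FromIp":"10.0.0.25","TargetHost":"dc01","KerbSPN":"MSSQLSvc/sql01.corp.example:1433","EncryptionType":"aes256","TgsReplyEncryptionType":"rc4_hmac","Success":true}
{"TimeLogged":"2021-06-11T12:00:02.000Z","Source":"Authentication","AuthenticationType":"Kerberos","AuthProtocol":"KerberosTgs","UserName":"jdoe","UserSid":"S-1-5-21-1-2-3-1105","FromIp":"10.0.0.25","TargetHost":"dc01","KerbSPN":"cifs/fs01.corp.example","EncryptionType":"aes256","TgsReplyEncryptionType":"aes256","Success":true}
{"TimeLogged":"2021-06-11T12:00:03.000Z","Source":"Authentication","AuthenticationType":"NTLM","AuthProtocol":"NTLMv1","UserName":"svc_backup","UserSid":"S-1-5-21-1-2-3-1201","FromIp":"10.0.0.40","TargetHost":"fs01","Success":true}
{"TimeLogged":"2021-06-11T12:00:04.000Z","Source":"LSASS Guardian – Monitor","ProcessName":"procdump64.exe","ProcessID":4412,"TargetProcess":"lsass.exe","Blocked":false,"Success":true}
{"TimeLogged":"2021-06-11T12:00:05.000Z","Source":"LSASS Guardian – Monitor","ProcessName":"MsMpEng.exe","ProcessID":2200,"TargetProcess":"lsass.exe","Blocked":false,"Success":true}
"""


def parse_records(text):
    """Parse newline-delimited JSON into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def triage(records):
    """Return one finding per matching rule, in log order."""
    findings = []
    for rec in records:
        source = rec.get("Source")
        if source == "Authentication":
            # RC4-encrypted TGS reply: the service ticket can be cracked offline (Kerberoasting).
            if (rec.get("AuthProtocol") == "KerberosTgs"
                    and rec.get("TgsReplyEncryptionType") in RC4_ETYPES):
                findings.append({"rule": "rc4_tgs_ticket", "subject": rec.get("UserName"),
                                 "detail": rec.get("KerbSPN")})
            # NTLMv1 should be disabled domain-wide; any hit is worth a look.
            if rec.get("AuthProtocol") == "NTLMv1":
                findings.append({"rule": "ntlmv1_auth", "subject": rec.get("UserName"),
                                 "detail": f"{rec.get('FromIp')} -> {rec.get('TargetHost')}"})
        elif source == "LSASS Guardian – Monitor":
            process = (rec.get("ProcessName") or "").lower()
            # A handle to lsass.exe from an unexpected process that the agent did not block.
            if (rec.get("TargetProcess") == "lsass.exe"
                    and process not in LSASS_ALLOWLIST and not rec.get("Blocked")):
                findings.append({"rule": "lsass_access", "subject": rec.get("ProcessName"),
                                 "detail": f"pid {rec.get('ProcessID')}"})
    return findings


def spns_per_user(records):
    """Distinct SPNs requested per user via TGS; a burst from one account is a Kerberoasting indicator."""
    seen = {}
    for rec in records:
        if rec.get("AuthProtocol") == "KerberosTgs" and rec.get("KerbSPN"):
            seen.setdefault(rec.get("UserName"), set()).add(rec["KerbSPN"])
    return {user: len(spns) for user, spns in seen.items()}


if __name__ == "__main__":
    records = parse_records(SAMPLE_LOG)
    for finding in triage(records):
        print(finding)
    print(spns_per_user(records))
```

Note that `TgsReplyEncryptionType` is keyed off rather than `EncryptionType`: the reply encryption type is what the service ticket is actually encrypted with, and it is decided by the service account's keys, which is why a request carrying aes256 can still produce an rc4_hmac ticket.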
File TSV Log File
The following information lists all of the columns generated by File Activity Monitor into a TSV log file, along with descriptions.
Column Name(s) | Description |
---|---|
Operation Time | Date timestamp of the event in UTC. The column format depends on the "Report Operations with millisecond precision" option |
Host | Host name of the monitored device |
User Sid/Uid | Unique identifier for the File System user: - For CIFS activity – user SID - For NFS activity – UID |
Operation Type | Type of operation for each event. Reports the following operations: - Add - Delete (Del) - Rename (Ren) - Network Share (SHARE) - Permission Change (Per) - Read (Rea) - Symlink or hardlink (LINK) - Update (Upd) |
Object Type | The type of object that was affected. Reports events for the following object types: - Folder (FOLD) - File (FILE) - Unknown (UNK) |
Path | The Path where the event took place. - For Windows – If a path starts with “VSS:” then it is a shadow copy creation event. For example, “VSS:C” is a shadow copy creation of volume C. |
Rename Path | New name of the path if a rename event occurs |
Process or IP | Indicates the source of the activity event: - For local Windows activity – Process name (e.g. notepad.exe) - For network Windows activity – IP Address of the user - For NAS device activity – IP Address for the NAS device of the user |
1) Sub-Operation 2) Old Attributes 3) New Attributes | Windows hosts only. These columns are filled with details about: - Permission changes (the “Per” operation type) - Attribute Changes (the “Upd” operation type) - Read events from VSS shadow copies See the Sub-Operation, Old Attributes, and New Attributes Table section for additional details. |
User Name | Username in NTAccount format. This column is dependent upon the “Report account names” option. |
Protocol | Protocol of the event, i.e. CIFS, NFS, or VSS |
1) UNC 2) Rename UNC Path | Network paths of remote activity. These columns are dependent upon the “Report UNC paths” option. - For CIFS activity – Reported with the following format: \\[SERVER]\[SHARE]\Folder\File.txt - For NFS activity – Reported with the following format: [SERVER]:/[VOLUME]/Folder/File.txt |
Volume ID | ID of the volume where the event occurred |
Share Name | Share name where the event occurred. This column is dependent upon the “Report UNC paths” option. |
Protocol Version | NetApp Data ONTAP Cluster-Mode devices only. Protocol version of the event, i.e. CIFS or NFS. The following values are potentially reported: - For CIFS activity – 1.0, 2.0, 2.1, 3.0, 3.1 - For NFS activity – 2, 3, 4, 4.1, 4.2 |
File Size | Size of File |
Tags | (Windows hosts only) Contains 'Copy' for read events that are probably file copies |
Group ID | Linux hosts only. Unique identifier of the File System group (GID) |
Group Name | Linux hosts only. Name of the File System group |
Process ID | Linux hosts only. ID of the process that performed the operation |
Sub-Operation, Old Attributes, and New Attributes Table
The following table lists details for Sub-Operation, Old Attributes, and New Attributes according to File Operation.
File Operation | Sub-Operation | Old Attributes | New Attributes |
---|---|---|---|
Owner was changed | Own | Old owner in SDDL format | New owner in SDDL format |
Permissions were changed (DACL) | Dac | Old DACL in SDDL format | New DACL in SDDL format |
Audit was changed (SACL) | Sac | Old SACL in SDDL format | New SACL in SDDL format |
File attributes were changed | Att | Old attributes as a hexadecimal number (0xNNN) | New attributes as a hexadecimal number (0xNNN) |
File is read from a shadow copy | VSS | Shadow copy creation time in YYYYMMDDThhmmss format (20180905T123456) |
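A practitioner reading these rows will want to diff the SDDL and attribute values rather than eyeball them. The following added example (not code from the product or its documentation) parses File Activity Monitor TSV rows, splits the old and new DACL into ACEs to report what was added or removed, decodes the `Att` hexadecimal attribute masks against the Windows FILE_ATTRIBUTE_* bits, and flags the "Copy" tag on read events. It assumes the TSV columns appear in the order of the column table above with no header line (an assumption; adjust `COLUMNS` if your file differs); the sample rows, rule names and the list of "broad" trustees are constructed for illustration.

```python
"""Parse File Activity Monitor TSV rows and review permission and attribute changes.

Added example, not code from the product or its documentation. It assumes
the TSV columns appear in the order of the column table above with no header
line (an assumption; adjust COLUMNS if your file differs). Sample rows are
constructed for illustration.
"""
import re

COLUMNS = [
    "Operation Time", "Host", "User Sid/Uid", "Operation Type", "Object Type",
    "Path", "Rename Path", "Process or IP", "Sub-Operation", "Old Attributes",
    "New Attributes", "User Name", "Protocol", "UNC", "Rename UNC Path",
    "Volume ID", "Share Name", "Protocol Version", "File Size", "Tags",
    "Group ID", "Group Name", "Process ID",
]

# Windows FILE_ATTRIBUTE_* bits (Win32 headers).
FILE_ATTRIBUTES = {
    0x0001: "READONLY", 0x0002: "HIDDEN", 0x0004: "SYSTEM", 0x0010: "DIRECTORY",
    0x0020: "ARCHIVE", 0x0080: "NORMAL", 0x0100: "TEMPORARY", 0x0800: "COMPRESSED",
    0x4000: "ENCRYPTED",
}

# SDDL well-known trustee abbreviations whose ACEs hand access to every caller.
BROAD_TRUSTEES = {"WD": "Everyone", "AU": "Authenticated Users", "AN": "Anonymous"}

ACE_RE = re.compile(r"\(([^)]*)\)")


def _row(values):
    """Pad a constructed row to the full column count with empty strings."""
    return values + [""] * (len(COLUMNS) - len(values))


# Constructed sample rows (not real captures).
SAMPLE_ROWS = [
    _row(["2021-06-11 12:00:01", "FS01", "S-1-5-21-1-2-3-1105", "Per", "FILE",
          "D:\\Finance\\payroll.xlsx", "", "10.0.0.25", "Dac",
          "D:(A;;FA;;;BA)(A;;FR;;;BU)", "D:(A;;FA;;;BA)(A;;FA;;;WD)", "CORP\\jdoe", "CIFS"]),
    _row(["2021-06-11 12:00:02", "FS01", "S-1-5-21-1-2-3-1105", "Upd", "FILE",
          "D:\\Finance\\tools\\svc.exe", "", "cmd.exe", "Att", "0x20", "0x26", "CORP\\jdoe", "CIFS"]),
    _row(["2021-06-11 12:00:03", "FS01", "S-1-5-21-1-2-3-1105", "Rea", "FILE",
          "D:\\Finance\\payroll.xlsx", "", "10.0.0.25", "", "", "", "CORP\\jdoe", "CIFS",
          "\\\\FS01\\Finance\\payroll.xlsx", "", "", "Finance", "3.0", "204800", "Copy"]),
]
SAMPLE_TSV = "\n".join("\t".join(r) for r in SAMPLE_ROWS) + "\n"


def parse_tsv(text):
    """Map each tab-separated line onto COLUMNS, padding short rows."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        fields += [""] * (len(COLUMNS) - len(fields))
        rows.append(dict(zip(COLUMNS, fields)))
    return rows


def sddl_aces(sddl):
    """Return the ACE strings of an SDDL ACL, e.g. 'A;;FA;;;WD'."""
    return ACE_RE.findall(sddl)


def acl_diff(old_sddl, new_sddl):
    """ACEs present only in the new ACL and only in the old ACL."""
    old, new = sddl_aces(old_sddl), sddl_aces(new_sddl)
    return [a for a in new if a not in old], [a for a in old if a not in new]


def attribute_diff(old_hex, new_hex):
    """Attribute names set and cleared between two 0xNNN masks."""
    old, new = int(old_hex, 16), int(new_hex, 16)
    set_bits = [n for b, n in sorted(FILE_ATTRIBUTES.items()) if new & b and not old & b]
    cleared = [n for b, n in sorted(FILE_ATTRIBUTES.items()) if old & b and not new & b]
    return set_bits, cleared


def review(rows):
    """Findings for broad DACL grants, hidden/system attribute changes and probable copies."""
    findings = []
    for r in rows:
        if r["Sub-Operation"] == "Dac":
            added, _removed = acl_diff(r["Old Attributes"], r["New Attributes"])
            for ace in added:
                parts = ace.split(";")           # type;flags;rights;object;inherit;trustee
                trustee = parts[5] if len(parts) >= 6 else ""
                if parts[0] == "A" and trustee in BROAD_TRUSTEES:
                    findings.append({"rule": "broad_access_granted", "path": r["Path"],
                                     "detail": f"{BROAD_TRUSTEES[trustee]} {parts[2]}"})
        elif r["Sub-Operation"] == "Att":
            set_bits, _cleared = attribute_diff(r["Old Attributes"], r["New Attributes"])
            if "HIDDEN" in set_bits or "SYSTEM" in set_bits:
                findings.append({"rule": "hidden_or_system_set", "path": r["Path"],
                                 "detail": "+".join(set_bits)})
        if r["Operation Type"] == "Rea" and "Copy" in r["Tags"].split(","):
            findings.append({"rule": "probable_copy", "path": r["Path"], "detail": r["UNC"]})
    return findings


if __name__ == "__main__":
    for finding in review(parse_tsv(SAMPLE_TSV)):
        print(finding)
```

The ACE comparison is positional on the raw ACE string, which is enough to see what was added or removed; it does not account for ACE reordering or inherited ACEs that merely changed position.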
Linux TSV Log File
The following information lists all of the columns generated by Linux Activity Monitor into a TSV log file, along with descriptions.
Column Name(s) | Description |
---|---|
Operation Time | Date timestamp of the event in UTC. The column format depends on the "Report Operations with millisecond precision" option |
Host | Host name of the monitored device |
User Sid/Uid | Unique identifier for the File System user: - For CIFS activity – user SID - For NFS activity – UID |
Operation Type | Type of operation for each event. Reports the following operations: - Add - Delete (Del) - Rename (Ren) - Network Share (SHARE) - Permission Change (Per) - Read (Rea) - Symlink or hardlink (LINK) - Update (Upd) |
Object Type | The type of object that was affected. Reports events for the following object types: - Folder (FOLD) - File (FILE) - Unknown (UNK) |
Path | The Path where the event took place. - For Windows – If a path starts with “VSS:” then it is a shadow copy creation event. For example, “VSS:C” is a shadow copy creation of volume C. |
Rename Path | New name of the path if a rename event occurs |
Process or IP | Indicates the source of the activity event: - For Local activity – Process name (e.g. notepad.exe) - For Remote network activity – IP Address of the user |
1) Sub-Operation 2) Old Attributes 3) New Attributes | Windows hosts only. These columns are filled with details about: - Permission changes (the “Per” operation type) - Attribute Changes (the “Upd” operation type) - Read events from VSS shadow copies See the Sub-Operation, Old Attributes, and New Attributes Table section for additional details. |
User Name | Username in NTAccount format. This column is dependent upon the “Report account names” option. |
Protocol | Protocol of the event, i.e. CIFS, NFS, or VSS |
1) UNC 2) Rename UNC Path | Network paths of remote activity. These columns are dependent upon the “Report UNC paths” option. - For CIFS activity – Reported with the following format: \\[SERVER]\[SHARE]\Folder\File.txt - For NFS activity – Reported with the following format: [SERVER]:/[VOLUME]/Folder/File.txt |
Volume ID | ID of the volume where the event occurred |
Share Name | Share name where the event occurred. This column is dependent upon the “Report UNC paths” option. |
Protocol Version | NetApp Data ONTAP Cluster-Mode devices only. Protocol version of the event, i.e. CIFS or NFS. The following values are potentially reported: - For CIFS activity – 1.0, 2.0, 2.1, 3.0, 3.1 - For NFS activity – 2, 3, 4, 4.1, 4.2 |
File Size | Size of File |
Tags | Windows hosts only. Contains 'Copy' for read events that are probably file copies |
Group ID | Linux hosts only. Unique identifier of the File System group (GID). |
Group Name | Linux hosts only. Name of the File System group. |
Process ID | Linux hosts only. ID of the process that performed the operation. |
SharePoint JSON Log File
The JSON log file format is used to send SharePoint activity monitoring data to Enterprise Auditor v10.0 consoles. The following information lists all of the attributes generated by SharePoint Activity Monitor into a JSON log file:
Attribute Name | Description | Example |
---|---|---|
TimeLogged | Event time (UTC) as a DateTime string | 2019-03-14T18:13:39.00Z |
ActivityType | Constant “SharePoint” | SharePoint |
AgentHost | Host name where agent is installed | sphost |
UserSid | User SID who caused the event | S-1-0-0 |
UserName | User Name who caused the event | System Account |
UserID | ID of the user who caused the event | 1073741823 |
UserLogin | User Login who caused the event | SHAREPOINT\system |
Protocol | Protocol: HTTP / HTTPS | HTTP |
AbsoluteUrl | Full URL: SiteUrl + DocLocation | http://sphost/Lists/Comments/1_.000 |
WebApplication | Web application name | SharePoint – 80 |
SiteId | Site Id (guid) | 7b2c8d23-a74f-4c3c-985d-2c7facb5ebae |
SiteUrl | Site Url | http://sphost/sites/mysite |
WebTitle | Web title | my site |
DocLocation | Location of an audited object at the time of the audited event | Lists/Comments/1_.000 |
ItemId | GUID of the object whose event is represented by the entry | 2c4174dc-322d-47bc-a420-52968fc3ba6c |
ItemTitle | Title of the object | Welcome to my blog! |
ItemType | Type of the object: Document / ListItem / List / Folder / Web / Site | ListItem |
EventType | An SPAuditEventType that represents the type of event | Update |
EventSource | A value that indicates whether the event occurred as a result of user action in the SharePoint Foundation user interface (UI) or programmatically. Values: SharePoint / ObjectModel | SharePoint |
LocationType | Specifies the actual location of a document in a SharePoint document library: Invalid, Url, ClientLocation | Url |
AppPrincipalId | The ID of the app principal that caused the event. If the value of EventSource is ObjectModel, then AppPrincipalId holds the ID of the app principal in whose context the code that caused the event was running. If there is no app context, AppPrincipalId is null. | 0 |
SourceName | The name of the application that caused the event | <empty> |
RawEventData | A String that holds XML markup providing data that is specific to the type of event that the entry object represents. | <RelatedItem><Id>06C49477-0498-4858-900C-45B595337462</Id><Relationship><NewName>MyDocs/myfile.zip</NewName></Relationship></RelatedItem> |
AuditMask | The new audit mask | [“CheckIn”,“View”,“Delete”,“Update”] |
ChildId | The GUID of the child that is deleted/moved. | 06C49477-0498-4858-900C-45B595337462 |
ChildDocLocation | The pre-deletion URL of the child item | Lists/Posts/2_.000 |
NewDocLocation | The URL to which the item is moved | MyNewDocs/myfile.zip |
Version | The new version of the document / The version that was deleted | 1.0 |
DeleteType | Whether it is moved to the recycle bin (1) or is deleted completely (0). 1 - MovedToRecycle; 0 - DeletedCompletely | MovedToRecycle |
SearchQuery | Text of the search query | myfile |
SearchConstraint | Constraint applied to the search query | site:“http://sphost/sites/mysite” |
GroupId | The ID of the new/deleted group, or of the group that was bound to the role | 11 |
GroupName | The name of the new/deleted group, or of the group that was bound to the role | My Super Group |
TrusteeId | The ID of the user that was added to or deleted from the group, or of the user that was bound to the role | 8 |
TrusteeName | The name of the user/group that was added to or deleted from the group, or of the user/group that was bound to the role | spuser |
TrusteeType | Whether the trustee is a user or a group: User / Group | User |
UpdateType | Type of membership or role change: Added, Removed, or Updated | Added |
RoleId | The ID of the new/changed/deleted permission level | 1073741924 |
RoleName | The name of the new/changed/deleted permission level | My Role |
Permissions | The combination of permissions | [“ViewListItems”,“AddListItems”,“EditListItems”] |
SharePoint Online JSON Log File
The JSON log file format is used to send SharePoint Online activity monitoring data to Enterprise Auditor v10.0 consoles. The following information lists all of the attributes generated by SharePoint Online Activity Monitor into a JSON log file:
Base Schema
The following table details lists of attributes for base schema generated by SharePoint Online Activity Monitor.
Attribute Name | Description | Example |
---|---|---|
TimeLogged | Event time (UTC) | 2019-03-14T18:13:39.000Z |
ActivityType | Constant "SharePointOnline" | SharePointOnline |
AgentHost | Host name where agent is installed. | sphost |
Source | SharePoint, SharePointFileOperation, SharePointListOperation, SharePointListItemOperation, SharePointContentTypeOperation, SharePointFieldOperation, SharePointSharingOperation, ComplianceDLPSharePoint, ComplianceDLPSharePointClassification | SharePointFileOperation |
Id | Unique id of an audit record | 5ed5f834-7609-4ea6-df9b-08d76f79a875 |
EventType | AccessInvitationCreated AccessInvitationExpired AccessInvitationRevoked AccessInvitationUpdated AccessRequestApproved AccessRequestCreated AccessRequestRejected ActivationEnabled AdministratorAddedToTermStore AdministratorDeletedFromTermStore AllowGroupCreationSet AppCatalogCreated AuditPolicyRemoved AuditPolicyUpdate AzureStreamingEnabledSet CollaborationTypeModified ConnectedSiteSettingModified CreateSSOApplication CustomFieldOrLookupTableCreated CustomFieldOrLookupTableDeleted CustomFieldOrLookupTableModified CustomizeExemptUsers DefaultLanguageChangedInTermStore DelegateModified DelegateRemoved DeleteSSOApplication eDiscoveryHoldApplied eDiscoveryHoldRemoved eDiscoverySearchPerformed EngagementAccepted EngagementModified EngagementRejected EnterpriseCalendarModified EntityDeleted EntityForceCheckedIn ExemptUserAgentSet FileAccessed FileCheckOutDiscarded FileCheckedIn FileCheckedOut FileCopied FileDeleted FileDeletedFirstStageRecycleBin FileDeletedSecondStageRecycleBin FileDownloaded FileFetched FileModified FileMoved FilePreviewed FileRenamed FileRestored FileSyncDownloadedFull FileSyncDownloadedPartial FileSyncUploadedFull FileSyncUploadedPartial FileUploaded FileViewed FolderCopied FolderCreated FolderDeleted FolderDeletedFirstStageRecycleBin FolderDeletedSecondStageRecycleBin FolderModified FolderMoved FolderRenamed FolderRestored GroupAdded GroupRemoved GroupUpdated LanguageAddedToTermStore LanguageRemovedFromTermStore LegacyWorkflowEnabledSet LookAndFeelModified ManagedSyncClientAllowed MaxQuotaModified MaxResourceUsageModified MySitePublicEnabledSet NewsFeedEnabledSet ODBNextUXSettings OfficeOnDemandSet PageViewed PeopleResultsScopeSet PermissionSyncSettingModified PermissionTemplateModified PortfolioDataAccessed PortfolioDataModified PreviewModeEnabledSet ProjectAccessed ProjectCheckedIn ProjectCheckedOut ProjectCreated ProjectDeleted ProjectForceCheckedIn ProjectModified ProjectPublished ProjectWorkflowRestarted PWASettingsAccessed PWASettingsModified QueueJobStateModified QuotaWarningEnabledModified RenderingEnabled ReportingAccessed ReportingSettingModified ResourceAccessed ResourceCheckedIn ResourceCheckedOut ResourceCreated ResourceDeleted ResourceForceCheckedIn ResourceModified ResourcePlanCheckedInOrOut ResourcePlanModified ResourcePlanPublished ResourceRedacted ResourceWarningEnabledModified SSOGroupCredentialsSet SSOUserCredentialsSet SearchCenterUrlSet SecondaryMySiteOwnerSet SecurityCategoryModified SecurityGroupModified SendToConnectionAdded SendToConnectionRemoved SharedLinkCreated SharedLinkDisabled SharingInvitationAccepted SharingRevoked SharingSet SiteAdminChangeRequest SiteCollectionAdminAdded SiteCollectionCreated SiteRenamed StatusReportModified SyncGetChanges TaskStatusAccessed TaskStatusApproved TaskStatusRejected TaskStatusSaved TaskStatusSubmitted TimesheetAccessed TimesheetApproved TimesheetRejected TimesheetSaved TimesheetSubmitted UnmanagedSyncClientBlocked UpdateSSOApplication UserAddedToGroup UserRemovedFromGroup WorkflowModified | FileDeleted |
OrganizationId | Organization tenant ID | 86e5dcbf-56e9-4452-8c43-1e99f0e9aabd |
UserType | Type of the user who performed the operation. | Regular |
UserId | The UPN of the user who performed the operation | user1@stealthbitstechnologie.onmicrosoft.com |
UserName | Name of the user who performed the operation | User1 |
UserLogin | An alternative ID of the user. "DlpAgent" for DLP events | i:0h.f/membership/10033fff8a7ae322@live.com |
ClientIP | IP address of the user or a trusted application | 75.155.180.82 |
Protocol | Protocol: HTTPS | HTTPS |
Workload | Office 365 service where the activity occurred. | SharePoint |
ResultStatus | Succeeded, PartiallySucceeded, Failed, True, False | PartiallySucceeded |
AbsoluteUrl | Full path of the file/folder accessed by the user | https://stealthbitstechnologie-my.sharepoint.com/personal/sgiles_stealthbitstechnologie_onmicrosoft_com/personal/myfiles/21ded |
Scope | Whether the event was created by a hosted Office 365 service or by an on-premises server: online or onprem | |
SiteId | Guid of the site | aef1ad6b-11c5-4b25-a669-b5f8379f8c55 |
ItemType | Object type: File, Folder, Web, Site, Tenant, DocumentLibrary, Page (differs from the on-premises SharePoint item types) | File |
ItemTitle | Title of the item | |
EventSource | SharePoint or ObjectModel | SharePoint |
UserAgent | User client or browser | |
MachineDomainInfo | Information about device sync operations | |
MachineId | Information about device sync operations | |
UpdateType | Added, Removed, or Updated | Added |
Version | The new version of the document/version of deleted document | 1 |
File/Folder Operations
The following table details lists of attributes for file/folder operations generated by SharePoint Online Activity Monitor.
Attribute Name | Description | Example |
---|---|---|
SiteUrl | URL of the site | https://example-url.sharepoint.com/ |
DocLocation | Relative URL of the file or document accessed by the user | Shared Documents/100 Sensitive Docs/Document.docx |
SourceRelativeUrl | The URL of the folder that contains the file accessed by the user. The combination of the values for the SiteURL, SourceRelativeURL, and SourceFileName parameters is the same as the value for the AbsoluteUrl property | Shared Documents/100 Sensitive Docs |
SourceFileName | File or folder name | My Document.docx |
SourceFileExtension | File extension | docx |
NewDocLocation | A relative URL to which the object is copied or moved | Shared Documents/100 Sensitive Docs/Copy.docx |
DestinationRelativeUrl | Only for EventType: FileCopied, FileMoved The URL of the destination folder where a file is copied or moved. | Shared Documents/100 Sensitive Docs |
DestinationFileName | Only for EventType: FileCopied, FileMoved The name of the file that is copied or moved. | Copy.docx |
DestinationFileExtension | Only for EventType: FileCopied, FileMoved | docx |
Sharing
The following table lists the sharing attributes generated by SharePoint Online Activity Monitor.
Attribute Name | Description |
---|---|
SharingType | The type of sharing permissions that were assigned to the user that the resource was shared with |
TargetUserOrGroupName | UPN or name of the target user or group that a resource was shared with |
TargetUserOrGroupType | Member, Guest, Group, or Partner |
EventData | Optional payload |
Other SharePoint Events
The following table lists the attributes for other SharePoint events generated by SharePoint Online Activity Monitor.
Attribute Name | Description |
---|---|
CustomEvent | |
EventData | Optional payload |
ModifiedProperties | The property is included for admin events, such as adding a user as a member of a site or a site collection admin group. The property includes the name of the property that was modified, old, and new value |
DLP Events
The following table lists the attributes for DLP events generated by SharePoint Online Activity Monitor.
Attribute Name | Description | Example |
---|---|---|
SharePointMetaData | Metadata about the document that contained the sensitive information | https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#sharepointmetadata-complex-type |
ExceptionInfo | Reasons why a policy no longer applies and any information about false positive or override | |
PolicyDetails | Policy(s) that triggered the event | https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#policydetails-complex-type |
SensitiveInfoDetectionIsIncluded | Indicates whether the event contains the value of the sensitive data type | |
SharePoint TSV Log File
The TSV log file format is used to send SharePoint activity monitoring data to Enterprise Auditor v10.0 and earlier consoles. The following information lists all of the columns generated by SharePoint Activity Monitor into a TSV log file:
Column Name | Description |
---|---|
Operation Time | Date timestamp of the event in UTC time |
Host | Host name of the monitored device as entered by the user |
UserSid/Uid | Unique identifier (SID) of the SharePoint user |
User Name | SharePoint user name |
UserID | ID of the SharePoint user |
UserLogin | User login in the SharePoint identity claims encoding format |
Path | Truncated path where the event took place, e.g. sites/TestSite/Shared Documents/Testing.txt |
Protocol | Protocol of the event |
FullPath | Full path where the event took place, e.g. http://sharepoint.local/sites/TestSite/Shared Documents/Testing.txt |
WebApplication | Title of the SharePoint web application |
SiteId | ID of the site collection |
SiteUrl | URL of the site collection |
WebTitle | Title of the site collection |
DocLocation | Location of the document |
ItemID | ID of the item |
ItemTitle | Title of the item |
Item Type | Type of item |
EventType | Type of SharePoint event |
EventSource | Source where the event came from |
LocationType | Location type of the SharePoint document location |
AppPrincipalId | Application principal ID |
SourceName | Name of the source |
EventData | Raw event data |
Param | Parameters for the event |
SQL Server JSON Log File
The following information lists all of the fields generated by SQL Server Activity Monitor into a JSON log file, along with descriptions.
Field | Type | Description | Example |
---|---|---|---|
TimeLogged | DateTime | UTC date and time of the event, format: yyyy-MM-ddTHH:mm:ss.fffZ | 2021-02-18T15:39:29.424Z |
ActivityType | Fixed string | Constant "SqlServer" | SqlServer |
AgentHost | String | Host of the Stealthbits Activity Monitor Agent Service | W7-VS17 |
UserName | String | Name of the user who performed the operation | admin |
Success | bool | The result of the operation. For Login operations, False means the login has failed. For other operations, the result is always True. | True |
TypeMask | uint | Integer representation of the performed operation: a combination (mask) of codes from the SqlServerEvent enumeration: Select = 0x01, Insert = 0x02, Update = 0x04, Delete = 0x08, Merge = 0x10, Execute = 0x20, LoginSuccessful = 0x40, LoginFailed = 0x80, Logout = 0x0100, Grant = 0x0200, Revoke = 0x0400, Deny = 0x0800, Error = 0x1000, Create = 0x2000, Alter = 0x4000, Drop = 0x8000 | 33 (combination of Select and Execute) |
TypeMaskDesc | String | Text representation of the TypeMask field | Select \| Execute |
ClientAppName | String | Name of the application that caused the operation | Microsoft SQL Server Management Studio - Transact-SQL IntelliSense |
ClientHostName | String | Name of the client host | W10 |
ClientIp | String | IP address of the client (can be empty) | 127.0.0.1 |
DatabaseName | String | Name of the affected database | AdventureWorks |
SqlText | String | Query text | select * from [SalesLT].[Customer] |
ErrorNumber | Integer | MSSQL error code | 208 |
Message | String | Message text of the error | Invalid object name 'SalesLT.Customer1'. |
Category | String | Category of the error | 2 |
SqlObjects | String | Array of affected objects | |
JSON Examples
Event | JSON Example |
---|---|
Error | {"TimeLogged":"2021-06-11T12:57:18.600Z","ActivityType":"SqlServer","AgentHost":"W7-VS17","UserName":"testuser1","Success":true,"TypeMask":4096,"TypeMaskDesc":"Error","ClientAppName":"Microsoft SQL Server Management Studio - Query","ClientHostName":"W10","ClientIp":"127.0.0.1","DatabaseName":"StealthRECOVER_22-04","SqlText":"select * from [SalesLT].[Customer1]","ErrorNumber":208,"Message":"Invalid object name 'SalesLT.Customer1'.","Category":"2"} |
Login | {"TimeLogged":"2021-06-11T12:50:40.038Z","ActivityType":"SqlServer","AgentHost":"W7-VS17","UserName":"testuser1","Success":true,"TypeMask":64,"TypeMaskDesc":"Login","ClientAppName":"Microsoft SQL Server Management Studio - Query","ClientHostName":"W10","ClientIp":"127.0.0.1","DatabaseName":"master"} {"TimeLogged":"2021-06-11T12:28:24.165Z","ActivityType":"SqlServer","AgentHost":"W7-VS17","UserName":"","Success":false,"TypeMask":64,"TypeMaskDesc":"Login","ClientAppName":"Microsoft SQL Server Management Studio","ClientHostName":"W10","ClientIp":"","DatabaseName":"master","ErrorNumber":18456,"Message":"Login failed for user 'testuser'. Reason: Could not find a login matching the name provided. [CLIENT: <local machine>]"} |
Logout | {"TimeLogged":"2021-06-11T13:14:28.386Z","ActivityType":"SqlServer","AgentHost":"W7-VS17","UserName":"testuser1","Success":true,"TypeMask":256,"TypeMaskDesc":"Logout","ClientAppName":"Microsoft SQL Server Management Studio - Query","ClientHostName":"W10","ClientIp":"127.0.0.1","DatabaseName":"StealthRECOVER_22-04"} |
SqlEvent | {"TimeLogged":"2021-06-11T13:22:48.682Z","ActivityType":"SqlServer","AgentHost":"W7-VS17","UserName":"sa","Success":true,"TypeMask":5,"TypeMaskDesc":"Select | Update","ClientAppName":"Microsoft SQL Server Management Studio - Query","ClientHostName":"W10","ClientIp":"127.0.0.1","DatabaseName":"AdventureWorksLT2019","SqlText":"select top 100 * from [SalesLT].[SalesOrderDetail] d left join [SalesLT].[Product] p on p.ProductID=d.ProductID; Update [SalesLT].[Product] set ProductNumber='zzz' where ProductNumber='xxx'; ","SqlObjects":[{"t":"U","db":"AdventureWorksLT2019","s":"saleslt","o":"SalesOrderDetail","op":"Select"},{"t":"U","db":"AdventureWorksLT2019","s":"saleslt","o":"Product","op":"Select | Update"}]} |
Permission | {"TimeLogged":"2021-06-11T13:27:48.009Z","ActivityType":"SqlServer","AgentHost":"W7-VS17","UserName":"sa","Success":true,"TypeMask":512,"TypeMaskDesc":"Grant","ClientAppName":"Microsoft SQL Server Management Studio - Query","ClientHostName":"W10","ClientIp":"127.0.0.1","DatabaseName":"AdventureWorksLT2019","SqlText":" GRANT ALL ON [SalesLT].[Product] TO [sqluser3]; ","SqlObjects":[{"t":"U","db":"AdventureWorksLT2019","s":"saleslt","o":"Product","op":"Grant"}]} |
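The TypeMask is a bit mask, so a consumer has to expand it rather than match on the textual TypeMaskDesc. The following added example (not code from the product or its documentation) decodes TypeMask with the SqlServerEvent codes from the table above, extracts the objects that a statement modified from the per-object `op` strings in SqlObjects, and applies three triage rules: failed logins, permission changes (Grant/Revoke/Deny), and data or schema modification. The input is the page's own JSON examples, one object per line (an assumption about the file layout; the page shows the objects but not how they are delimited). Note that the failed-login example above carries TypeMask 64 (LoginSuccessful) together with Success false, so the failed-login rule keys on Success rather than on the LoginFailed bit alone. Rule names are this example's own.

```python
"""Decode SQL Server Activity Monitor JSON events and triage them.

Added example, not code from the product or its documentation. It assumes
one JSON object per line. The event records below are copied from the page's
JSON examples; the triage rules and their names are this example's assumptions.
"""
import json

# SqlServerEvent codes as documented in the TypeMask row.
SQL_SERVER_EVENT = {
    0x0001: "Select", 0x0002: "Insert", 0x0004: "Update", 0x0008: "Delete",
    0x0010: "Merge", 0x0020: "Execute", 0x0040: "LoginSuccessful", 0x0080: "LoginFailed",
    0x0100: "Logout", 0x0200: "Grant", 0x0400: "Revoke", 0x0800: "Deny",
    0x1000: "Error", 0x2000: "Create", 0x4000: "Alter", 0x8000: "Drop",
}
WRITE_OPS = {"Insert", "Update", "Delete", "Merge", "Create", "Alter", "Drop"}
PERMISSION_OPS = {"Grant", "Revoke", "Deny"}

# The page's own JSON examples, one per line.
SAMPLE_LOG = """\
{"TimeLogged":"2021-06-11T12:57:18.600Z","ActivityType":"SqlServer","AgentHost":"W7-VS17","UserName":"testuser1","Success":true,"TypeMask":4096,"TypeMaskDesc":"Error","ClientAppName":"Microsoft SQL Server Management Studio - Query","ClientHostName":"W10","ClientIp":"127.0.0.1","DatabaseName":"StealthRECOVER_22-04","SqlText":"select * from [SalesLT].[Customer1]","ErrorNumber":208,"Message":"Invalid object name 'SalesLT.Customer1'.","Category":"2"}
{"TimeLogged":"2021-06-11T12:50:40.038Z","ActivityType":"SqlServer","AgentHost":"W7-VS17","UserName":"testuser1","Success":true,"TypeMask":64,"TypeMaskDesc":"Login","ClientAppName":"Microsoft SQL Server Management Studio - Query","ClientHostName":"W10","ClientIp":"127.0.0.1","DatabaseName":"master"}
{"TimeLogged":"2021-06-11T12:28:24.165Z","ActivityType":"SqlServer","AgentHost":"W7-VS17","UserName":"","Success":false,"TypeMask":64,"TypeMaskDesc":"Login","ClientAppName":"Microsoft SQL Server Management Studio","ClientHostName":"W10","ClientIp":"","DatabaseName":"master","ErrorNumber":18456,"Message":"Login failed for user 'testuser'. Reason: Could not find a login matching the name provided. [CLIENT: <local machine>]"}
{"TimeLogged":"2021-06-11T13:14:28.386Z","ActivityType":"SqlServer","AgentHost":"W7-VS17","UserName":"testuser1","Success":true,"TypeMask":256,"TypeMaskDesc":"Logout","ClientAppName":"Microsoft SQL Server Management Studio - Query","ClientHostName":"W10","ClientIp":"127.0.0.1","DatabaseName":"StealthRECOVER_22-04"}
{"TimeLogged":"2021-06-11T13:22:48.682Z","ActivityType":"SqlServer","AgentHost":"W7-VS17","UserName":"sa","Success":true,"TypeMask":5,"TypeMaskDesc":"Select | Update","ClientAppName":"Microsoft SQL Server Management Studio - Query","ClientHostName":"W10","ClientIp":"127.0.0.1","DatabaseName":"AdventureWorksLT2019","SqlText":"select top 100 * from [SalesLT].[SalesOrderDetail] d left join [SalesLT].[Product] p on p.ProductID=d.ProductID; Update [SalesLT].[Product] set ProductNumber='zzz' where ProductNumber='xxx'; ","SqlObjects":[{"t":"U","db":"AdventureWorksLT2019","s":"saleslt","o":"SalesOrderDetail","op":"Select"},{"t":"U","db":"AdventureWorksLT2019","s":"saleslt","o":"Product","op":"Select | Update"}]}
{"TimeLogged":"2021-06-11T13:27:48.009Z","ActivityType":"SqlServer","AgentHost":"W7-VS17","UserName":"sa","Success":true,"TypeMask":512,"TypeMaskDesc":"Grant","ClientAppName":"Microsoft SQL Server Management Studio - Query","ClientHostName":"W10","ClientIp":"127.0.0.1","DatabaseName":"AdventureWorksLT2019","SqlText":" GRANT ALL ON [SalesLT].[Product] TO [sqluser3]; ","SqlObjects":[{"t":"U","db":"AdventureWorksLT2019","s":"saleslt","o":"Product","op":"Grant"}]}
"""


def parse_events(text):
    """Parse newline-delimited JSON into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def decode_type_mask(mask):
    """Names of the SqlServerEvent bits set in mask, lowest bit first."""
    return [name for bit, name in sorted(SQL_SERVER_EVENT.items()) if mask & bit]


def modified_objects(event):
    """Objects whose per-object 'op' includes a write, as db.schema.object."""
    out = []
    for obj in event.get("SqlObjects", []):
        ops = {p.strip() for p in obj.get("op", "").split("|")}
        if ops & WRITE_OPS:
            out.append(f"{obj['db']}.{obj['s']}.{obj['o']}")
    return out


def triage(events):
    """Findings for failed logins, permission changes and data/schema modification."""
    findings = []
    for ev in events:
        ops = set(decode_type_mask(ev.get("TypeMask", 0)))
        # The failed-login example carries TypeMask 64 with Success=false, so key on Success.
        if ("LoginSuccessful" in ops or "LoginFailed" in ops) and not ev.get("Success", True):
            findings.append({"rule": "failed_login", "user": ev.get("UserName"),
                             "detail": ev.get("Message", "")})
        if ops & PERMISSION_OPS:
            findings.append({"rule": "permission_change", "user": ev.get("UserName"),
                             "detail": ev.get("SqlText", "").strip()})
        targets = modified_objects(ev)
        if targets:
            findings.append({"rule": "data_modification", "user": ev.get("UserName"),
                             "detail": ", ".join(targets)})
    return findings


if __name__ == "__main__":
    for finding in triage(parse_events(SAMPLE_LOG)):
        print(finding)
```

`modified_objects` reads the per-object `op` string rather than the event-level TypeMask: in the SqlEvent example above the batch as a whole is Select | Update, but only `Product` was updated, and that is what an analyst wants to know.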