Operational Defect Database
BugZero found this defect 1308 days ago.
Data sources
All data on this page is proprietary to BugZero® or gathered from public sources
Microsoft SQL Server | 2397659
KB4052136 - FIX: SQL Server Audit Events don't write to the Security log - Microsoft Support
Last update date:
7/13/2023
Affected products:
SQL Server 2016
SQL Server 2019 on Windows
SQL Server 2022 on Windows (all editions)
Affected releases:
build lower than 15.0.4316.3
Fixed releases:
15.0.4316.3
Description:
Symptoms
Assume that you configured multiple SQL Server Audit Events to write to the Security log in Microsoft SQL Server 2022, Microsoft SQL Server 2019, or Microsoft SQL Server 2016 Service Pack 2 (SP2). In this scenario, you notice that all Server Audits except the first Server Audit don't write. Additionally, when you add the second Server Audit, you might receive an error message that resembles the following message in the SQL Server error log: Error: 33204, Severity: 17, State: 1. SQL Server Audit could not write to the security log.
Cause
This problem occurs if the Registry Event Source Flag is set to 0.
Workaround
To work around this problem, use one of the following methods: Set the Server Audit Events to be written to a file instead of to the SQL Server Security log. To enable multiple Server Audit Events to write to the SQL Server Security log, change the value of following registry subkey from 0 to 1:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\MSSQL$<InstanceName>$Audit\EventSourceFlags Note: Server Audits have to be restarted for the new registry setting to take effect. ALTER SERVER AUDIT [AuditName] WITH (STATE = OFF) GO ALTER SERVER AUDIT [AuditName] WITH (STATE = ON) GO Important: Editing the registry incorrectly can severely damage your system. Before you make changes to the registry, we recommend that you back up any valued data on the computer.
Resolution
This problem is fixed in the following cumulative updates for SQL Server: Cumulative Update 6 for SQL Server 2022 Cumulative Update 21 for SQL Server 2019 About cumulative updates for SQL Server Each new cumulative update for SQL Server contains all the hotfixes and security fixes that were in the previous build. We recommend that you install the latest build for your version of SQL Server: Latest cumulative update for SQL Server 2022 Latest cumulative update for SQL Server 2019 Service pack information for SQL Server 2016 This problem is fixed in the following service pack for SQL Server: Service Pack 2 for SQL Server 2016 About service packs for SQL Server: Service packs are cumulative. Each new service pack contains all the fixes that are in previous service packs, together with any new fixes. Our recommendation is to apply the latest service pack and the latest cumulative update for that service pack. You do not have to install a previous service pack before you install the latest service pack. Use Table 1 in the following article for finding more information about the latest service pack and latest cumulative update. How to determine the version, edition, and update level of SQL Server and its components
Status
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
References
Learn about the terminology that Microsoft uses to describe software updates.
