WHO changed is showing “System” in Netwrix Auditor for SQL Server reports

SQL Server
6.5 and older
Copy Article URL Copied

Netwrix Auditor for SQL Server changes have “System” reported in the WHO field.

Netwrix Auditor for SQL Server is using two sources of data for analysis: 

  • SQL Server native auditing – used for retrieving change details
  • SQL Server configuration snapshot – used for determining what has changed since the previous data collection.

For example: 
You have changed the column parameters. This action must be captured by SQL Server native auditing and logged into the auditing log on the SQL Server (with information on Who made the change and When the change was made). 
Netwrix Auditor for SQL Server will detect that change during the snapshot comparison (the column parameter has been changed) and then search the SQL Server native auditing logs for corresponding events to add WHO CHANGED and WHEN CHANGED information. If the corresponding event cannot be found, the product reports WHO as SYSTEM.

You can always prove the system changes by reviewing the SQL Server native auditing logs. In order to do that please open the SQL Server Profiler application and open SQL traces from C:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Log
Note: the path above is provided for the SQL 2008 default installation. If you have another version of SQL Server or if it is installed to another location, please correct the path accordingly.

Go Up