SQL Server JSON Log File
The following information lists all of the columns generated by SQL Server Activity Monitor into a JSON log file, along with descriptions.
| Field | Type | Description | Example | | -------------- | ------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------ | ------- | | TimeLogged | DateTime | UNC Datetime of the event, format: yyyy-MM-ddTHH:mm:ss.fffZ | 2021-02-18T15:39:29.424Z | | ActivityType | Fixed string | | SqlServer | | AgentHost | String | Host of Stealthbits Activity Monitor Agent Service | W7-VS17 | | UserName | String | Name of user performed the operation | admin | | Success | bool | The result of the operation. For Login operations, False means the login has failed. For other operations, the result is always True. | True | | TypeMask | uint | Integer representation of performed operation: combination (mask) of codes of SqlServerEvent enumeration. - Select = 0x01, - Insert = 0x02, - Update = 0x04, - Delete = 0x08, - Merge = 0x10, - Execute = 0x20, - LoginSuccessful = 0x40, - LoginFailed = 0x80, - Logout = 0x0100, - Grant = 0x0200, - Revoke = 0x0400, - Deny = 0x0800, - Error = 0x1000, - Create = 0x2000, - Alter = 0x4000, - Drop = 0x8000 | 33 (Combination of Select and Execute) | | TypeMaskDesc | String | Text representation of TypeMask field | Select | Execute | | ClientAppName | String | Name of application that cause the operation | Microsoft SQL Server Management Studio - Transact-SQL IntelliSense | | ClientHostName | String | Name of client host | W10 | | ClientIp | String | IP address of the client (can be empty) | 127.0.0.1 | | DatabaseName | String | Name of affected Database | AdventureWorks | | SqlText | String | Query text | select * from [SalesLT].[Customer] | | ErrorNumber | Integer | MSSQL Error Code | 208 | | Message | String | Message text of the error | Invalid object name 'SalesLT.Customer1'. | | Category | String | Category of the error | 2 | | SqlObjects | String | Array of affected objects | |
JSON Examples
| Event | JSON Example |
|---|---|
| Error | {"TimeLogged":"2021-06-11T12:57:18.600Z","ActivityType":"SqlServer","AgentHost":"W7-VS17","UserName":"testuser1","Success":true,"TypeMask":4096,"TypeMaskDesc":"Error","ClientAppName":"Microsoft SQL Server Management Studio - Query","ClientHostName":"W10","ClientIp":"127.0.0.1","DatabaseName":"StealthRECOVER_22-04","SqlText":"select * from [SalesLT].[Customer1]","ErrorNumber":208,"Message":"Invalid object name 'SalesLT.Customer1'.","Category":"2"} |
| Login | {"TimeLogged":"2021-06-11T12:50:40.038Z","ActivityType":"SqlServer","AgentHost":"W7-VS17","UserName":"testuser1","Success":true,"TypeMask":64,"TypeMaskDesc":"Login","ClientAppName":"Microsoft SQL Server Management Studio - Query","ClientHostName":"W10","ClientIp":"127.0.0.1","DatabaseName":"master"} {"TimeLogged":"2021-06-11T12:28:24.165Z","ActivityType":"SqlServer","AgentHost":"W7-VS17","UserName":"","Success":false,"TypeMask":64,"TypeMaskDesc":"Login","ClientAppName":"Microsoft SQL Server Management Studio","ClientHostName":"W10","ClientIp":"","DatabaseName":"master","ErrorNumber":18456,"Message":"Login failed for user 'testuser'. Reason: Could not find a login matching the name provided. [CLIENT: <local machine>]"} |
| Logout | {"TimeLogged":"2021-06-11T13:14:28.386Z","ActivityType":"SqlServer","AgentHost":"W7-VS17","UserName":"testuser1","Success":true,"TypeMask":256,"TypeMaskDesc":"Logout","ClientAppName":"Microsoft SQL Server Management Studio - Query","ClientHostName":"W10","ClientIp":"127.0.0.1","DatabaseName":"StealthRECOVER_22-04"} |
| SqlEvent | {"TimeLogged":"2021-06-11T13:22:48.682Z","ActivityType":"SqlServer","AgentHost":"W7-VS17","UserName":"sa","Success":true,"TypeMask":5,"TypeMaskDesc":"Select | Update","ClientAppName":"Microsoft SQL Server Management Studio - Query","ClientHostName":"W10","ClientIp":"127.0.0.1","DatabaseName":"AdventureWorksLT2019","SqlText":"select top 100 * from [SalesLT].[SalesOrderDetail] d left join [SalesLT].[Product] p on p.ProductID=d.ProductID; Update [SalesLT].[Product] set ProductNumber='zzz' where ProductNumber='xxx'; ","SqlObjects":[{"t":"U","db":"AdventureWorksLT2019","s":"saleslt","o":"SalesOrderDetail","op":"Select"},{"t":"U","db":"AdventureWorksLT2019","s":"saleslt","o":"Product","op":"Select | Update"}]} |
| Permission | {"TimeLogged":"2021-06-11T13:27:48.009Z","ActivityType":"SqlServer","AgentHost":"W7-VS17","UserName":"sa","Success":true,"TypeMask":512,"TypeMaskDesc":"Grant","ClientAppName":"Microsoft SQL Server Management Studio - Query","ClientHostName":"W10","ClientIp":"127.0.0.1","DatabaseName":"AdventureWorksLT2019","SqlText":" GRANT ALL ON [SalesLT].[Product] TO [sqluser3]; ","SqlObjects":[{"t":"U","db":"AdventureWorksLT2019","s":"saleslt","o":"Product","op":"Grant"}]} |