SQL Server JSON Log File

The following information lists all of the columns generated by SQL Server Activity Monitor into a JSON log file, along with descriptions.

Field	Type	Description	Example
TimeLogged	DateTime	UNC Datetime of the event, format: yyyy-MM-ddTHH:mm:ss.fffZ	2021-02-18T15:39:29.424Z
ActivityType	Fixed string		SqlServer
AgentHost	String	Host of Stealthbits Activity Monitor Agent Service	W7-VS17
UserName	String	Name of user performed the operation	admin
Success	bool	The result of the operation. For Login operations, False means the login has failed. For other operations, the result is always True.	True
TypeMask	uint	Integer representation of performed operation: combination (mask) of codes of SqlServerEvent enumeration. - Select = 0x01, - Insert = 0x02, - Update = 0x04, - Delete = 0x08, - Merge = 0x10, - Execute = 0x20, - LoginSuccessful = 0x40, - LoginFailed = 0x80, - Logout = 0x0100, - Grant = 0x0200, - Revoke = 0x0400, - Deny = 0x0800, - Error = 0x1000, - Create = 0x2000, - Alter = 0x4000, - Drop = 0x8000	33 (Combination of Select and Execute)
TypeMaskDesc	String	Text representation of TypeMask field	Select \| Execute
ClientAppName	String	Name of application that cause the operation	Microsoft SQL Server Management Studio - Transact-SQL IntelliSense
ClientHostName	String	Name of client host	W10
ClientIp	String	IP address of the client (can be empty)	127.0.0.1
DatabaseName	String	Name of affected Database	AdventureWorks
SqlText	String	Query text	select * from [SalesLT].[Customer]
ErrorNumber	Integer	MSSQL Error Code	208
Message	String	Message text of the error	Invalid object name 'SalesLT.Customer1'.
Category	String	Category of the error	2
SqlObjects	String	Array of affected objects

JSON Examples

Error

{
    "TimeLogged": "2021-06-11T12:57:18.600Z",
    "ActivityType": "SqlServer",
    "AgentHost": "W7-VS17",
    "UserName": "testuser1",
    "Success": true,
    "TypeMask": 4096,
    "TypeMaskDesc": "Error",
    "ClientAppName": "Microsoft SQL Server Management Studio - Query",
    "ClientHostName": "W10",
    "ClientIp": "127.0.0.1",
    "DatabaseName": "StealthRECOVER_22-04",
    "SqlText": "select * from [SalesLT].[Customer1]",
    "ErrorNumber": 208,
    "Message": "Invalid object name 'SalesLT.Customer1'.",
    "Category": "2"
}

{
    "TimeLogged": "2021-06-11T12:50:40.038Z",
    "ActivityType": "SqlServer",
    "AgentHost": "W7-VS17",
    "UserName": "testuser1",
    "Success": true,
    "TypeMask": 64,
    "TypeMaskDesc": "Login",
    "ClientAppName": "Microsoft SQL Server Management Studio - Query",
    "ClientHostName": "W10",
    "ClientIp": "127.0.0.1",
    "DatabaseName": "master"
}

{
    "TimeLogged": "2021-06-11T12:28:24.165Z",
    "ActivityType": "SqlServer",
    "AgentHost": "W7-VS17",
    "UserName": "",
    "Success": false,
    "TypeMask": 64,
    "TypeMaskDesc": "Login",
    "ClientAppName": "Microsoft SQL Server Management Studio",
    "ClientHostName": "W10",
    "ClientIp": "",
    "DatabaseName": "master",
    "ErrorNumber": 18456,
    "Message": "Login failed for user 'testuser'. Reason: Could not find a login matching the name provided. [CLIENT: local machine]"
}

Logout

{
    "TimeLogged": "2021-06-11T13:14:28.386Z",
    "ActivityType": "SqlServer",
    "AgentHost": "W7-VS17",
    "UserName": "testuser1",
    "Success": true,
    "TypeMask": 256,
    "TypeMaskDesc": "Logout",
    "ClientAppName": "Microsoft SQL Server Management Studio - Query",
    "ClientHostName": "W10",
    "ClientIp": "127.0.0.1",
    "DatabaseName": "StealthRECOVER_22-04"
}

SqlEvent

{
    "TimeLogged": "2021-06-11T13:22:48.682Z",
    "ActivityType": "SqlServer",
    "AgentHost": "W7-VS17",
    "UserName": "sa",
    "Success": true,
    "TypeMask": 5,
    "TypeMaskDesc": "Select | Update",
    "ClientAppName": "Microsoft SQL Server Management Studio - Query",
    "ClientHostName": "W10",
    "ClientIp": "127.0.0.1",
    "DatabaseName": "AdventureWorksLT2019",
    "SqlText": "select top 100 * \r\nfrom [SalesLT].[SalesOrderDetail] d\r\nleft join [SalesLT].[Product] p on p.ProductID=d.ProductID;\r\nUpdate [SalesLT].[Product] set ProductNumber='zzz' where ProductNumber='xxx';\r\n",
    "SqlObjects": [
        {
            "t": "U",
            "db": "AdventureWorksLT2019",
            "s": "saleslt",
            "o": "SalesOrderDetail",
            "op": "Select"
        },
        {
            "t": "U",
            "db": "AdventureWorksLT2019",
            "s": "saleslt",
            "o": "Product",
            "op": "Select | Update"
        }
    ]
}

Permission

{
    "TimeLogged": "2021-06-11T13:27:48.009Z",
    "ActivityType": "SqlServer",
    "AgentHost": "W7-VS17",
    "UserName": "sa",
    "Success": true,
    "TypeMask": 512,
    "TypeMaskDesc": "Grant",
    "ClientAppName": "Microsoft SQL Server Management Studio - Query",
    "ClientHostName": "W10",
    "ClientIp": "127.0.0.1",
    "DatabaseName": "AdventureWorksLT2019",
    "SqlText": "\r\n\r\nGRANT ALL ON [SalesLT].[Product] TO [sqluser3]; ",
    "SqlObjects": [
        { "t": "U", "db": "AdventureWorksLT2019", "s": "saleslt", "o": "Product", "op": "Grant" }
    ]
}

JSON Examples​

Error​

Login (Success)​

Login (Failed)​

Logout​

SqlEvent​

Permission​

JSON Examples

Error

Login (Success)

Login (Failed)

Logout

SqlEvent

Permission