FIX: SQL Server Audit Events fail to write to the Security log

Applies to: SQL Server 2016 DeveloperSQL Server 2016 EnterpriseSQL Server 2016 Enterprise Core

Symptoms


Assume that you have configured multiple SQL Server Audit Events to write to the Security log in Microsoft SQL Server 2016 Service Pack 2 (SP2). In this scenario, you may notice that all Server Audits except for the first Server Audit will fail to write. Additionally, when you add the second Server Audit, you may receive an error message that resembles the following in the SQL Server error log:

Error: 33204, Severity: 17, State: 1.

SQL Server Audit could not write to the security log

Cause


This issue occurs when the Registry Event Source Flag is set to '0'.

Workaround


The workaround for this issue is one of the following:

  • Make the Server Audit Events to be written to a file instead of to the SQL Server Security log.
  • Change the following registry key from 0 to 1, to enable writing to the SQL Server Security log by multiple Server Audit Events:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\MSSQL$<InstanceName>$Audit\EventSourceFlags

    Note: Server Audits need to be restarted for the new registry setting to take effect.

    ALTER SERVER AUDIT [AuditName] WITH (STATE = OFF)
    GO
    ALTER SERVER AUDIT [AuditName] WITH (STATE = ON)
    GO

Resolution


Service pack information for SQL Server 2016

This issue is fixed in the following service pack for SQL Server:

       Service Pack 2 for SQL Server 2016

Status


Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

References


Learn about the terminology that Microsoft uses to describe software updates.