NetWrix SQL Server Change Reporter

NetWrix SQL Server

Change Reporter Version 2.2

Enterprise Edition Quick Start Guide

NetWrix SQL Server Change Reporter Enterprise Edition Quick Start Guide

Contents 1. INTRODUCTION ............................................................................................................................................................ 3

1.1 KEY FEATURES .................................................................................................................................................................... 3 1.2 LICENSING ......................................................................................................................................................................... 4 1.3 HOW IT WORKS ................................................................................................................................................................. 5

2. GETTING STARTED........................................................................................................................................................ 7

2.1 SYSTEM REQUIREMENTS ...................................................................................................................................................... 7 2.2 CONFIGURING SQL SERVER TRACING ..................................................................................................................................... 8 2.3 INSTALLATION .................................................................................................................................................................... 8

3. WORKING WITH ENTERPRISE EDITION ......................................................................................................................... 9

3.1 GETTING STARTED ............................................................................................................................................................ 10 3.1.1 Step 1: Specify Object Type ............................................................................................................................ 10 3.1.2 Step 2: Supply Default Data Processing Account ........................................................................................... 11 3.1.3 Step 3: Specify SMTP Settings ........................................................................................................................ 12 3.1.4 Step 4: Specify Computer Collection Name .................................................................................................... 13 3.1.5 Step 5: Enable Features ................................................................................................................................. 14 3.1.6 Step 6: Configure Database ........................................................................................................................... 15 3.1.7 Step 7: Add SQL Servers ................................................................................................................................. 16 3.1.8 Step 8: Configure Feature Settings ................................................................................................................ 18 3.1.9 Step 9: Review the Settings ............................................................................................................................ 19

3.2 DATA COLLECTION AND REPORTING ..................................................................................................................................... 20 3.2.1 Running a Data Collection Task ..................................................................................................................... 20 3.2.2 Viewing Task Session Results ......................................................................................................................... 21 3.2.3 Viewing Scheduled Reports ............................................................................................................................ 22

4. FUTURE STEPS ............................................................................................................................................................ 23

5. ABOUT NETWRIX PRODUCTS ..................................................................................................................................... 24

6. DISCLAIMER ............................................................................................................................................................... 25


3

1. Introduction SQL Server is a complex system that involves many different types of objects and requires almost daily changes to server configurations, security, databases, etc. It's very hard to keep track of changes and enforce fine-grained delegation rules for environments managed by multiple DBAs and operators. A hot topic today is compliance with government and industry regulations which adds challenges to all types of IT infrastructures, especially SQL databases that store business-critical data and that support business applications.

The SQL Server Change Reporter is an easy-to-use auditing solution that reports changes made to your SQL Server's configurations, databases and security. The product reports on changes made to server instances, databases, users, roles, logins, schema changes and many other objects. If your situation requires monitoring of some non-default events, custom monitoring templates are available and may be ordered from NetWrix (*). The tool centrally monitors multiple servers and sends daily summary reports about any changes detected through the last day. New or changed databases, database users, roles, tables, views, indices and others - no change will pass behind the scenes, no matter who made it and how. It is especially easy to track with the Who (*) and When (*) reporting capabilities. You just setup this tool once and start getting daily summary reports about all changes grouped by server name. Advanced Reporting is also a feature with optional custom reports available for ordering from NetWrix (*). The SQL Server Change Reporter comes in three Editions: Freeware, Standard and Enterprise.

The SQL Server Change Reporter can be used to:

• Monitor and review administrative changes on SQL servers and at database levels. • Help you ensure compliance with regulatory and security requirements such as GLBA, SOX, HIPAA, and PCI

through consistent auditing and reporting. • Detect early all unauthorized and unwanted changes that can lead to server and database downtime.

1.1 Key Features The SQL Server Change Reporter helps you to carry out the following auditing and reporting tasks:

• Detect and report on changes made to server instances, databases, users, roles, logins, schema, credentials, tables, table views, table columns, stored procedures, functions, table column views, table indexes views, table column index views and other objects

• Audits database backup and restore operations (*) • Reports include information about what changes were made, who (*) made changes and when (*) they were

made • Provides on-demand Web-based reporting (*) • Create custom reports (can also be ordered from NetWrix) (*) • Provides storage for collected audit data and enables historical reporting for any period of time (*)

* Features marked with (*) are only available in the Standard and Enterprise Editions of the product.


4

1.2 Licensing The SQL Server Change Reporter is available in three editions: Freeware Edition, Standard Edition and Enterprise Edition.

The table below outlines the differences between them.

Feature Freeware Standard Edition Enterprise Edition

Who and When fields for every change No Yes Yes

Track database changes Changes made to database users, logins, credentials, roles and schemas only.

Changes made to server instances, databases, users, roles, logins, schema changes, tables, table views, table columns, stored procedures, functions, table column views, table index views, table column index views and other objects

Changes made to server instances, databases, users, roles, logins, schema changes, tables, table views, table columns, stored procedures, functions, table column views, table index views, table column index views and other objects

Track database operations No Backup and restore Backup and restore

Advanced reports based on SQL Server Reporting Services, with filtering, grouping and sorting

No Yes Yes

Handle multiple server collections each with its own individual settings No No Yes

Predefined reports Daily report with recent

changes Multiple predefined reports Multiple predefined reports

Custom reports No Yes. Create manually or order from NetWrix

Yes. Create manually or order from NetWrix

Long-term archiving and reporting No Any period of time Any period of time

Technical support Support forum Phone, e-mail Phone, e-mail

Licensing Free of charge Per server; please request a quote

Per server; please request a quote

Integrated interface for all NetWrix products which provides centralized configuration and settings management

No No Yes

Advanced Reporting integrated with the NetWrix Enterprise Management Console

No No Yes

Advanced Reports can be viewed directly from the NetWrix Enterprise Management Console

No No Yes

The Free Edition can be used by companies and individuals for an unlimited time, at no charge. The Standard/Enterprise Edition can be evaluated free of charge for 20 days.

http://forum.netwrix.com/

http://netwrix.com/requestq.html?product=sqlcr





5

1.3 How It Works

Figure 1: Product architecture and data flow


6

NetWrix SQL Server Change Reporter collection and reporting workflow is usually flows as follows: 1. SQL Server changes are periodically collected and stored as snapshot files. Reports displaying changes to

SQL servers are generated on schedule and then sent to the specified e-mail recipient(s). Optionally, Advanced Reports can be viewed with SQL SRS Report Manager. (*)

2. A user launches the Configurator and sets the parameters for automated data collection and reporting. 3. The NetWrix Management Console - SQL Server Change Reporter - <your managed object name> (where

<your managed object name> is the name of your managed object) scheduled task is launched periodically (typically, every night, at 3 AM by default; it can also be launched manually when needed). This task collects configuration snapshots and e-mails reports on databases and configuration changes to the specified recipients.

4. If Advanced Reporting (*) is configured, the task also stores information about SQL Server changes to the specified SQL server database (if the automatic data import fails, you can use the Database Importer to import data when necessary).

5. A user launches the mail client to view the reports sent by e-mail. 6. If Advanced Reporting is configured, the user launches a web browser and views the reports in Report

Manager (*).

* Features marked with (*) are only available in the Standard and Enterprise Editions of the product. For more information on Advanced Reporting, please refer to the NetWrix SQL Server Change Reporter Administrator Guide.

http://www.netwrix.com/download/documents/NetWrix_SQL_Server_Change_Reporter_Administrator_Guide.pdf


7

2. Getting Started This section describes the necessary prerequisites for the SQL Server Change Reporter installation.

2.1 System Requirements SQL SERVER:

Supported SQL Server configurations:

• MS SQL Server 2000, all Editions • MS SQL Server 2005, all Editions • MS SQL Server 2008, all Editions

COMPUTER WHERE THE SQL SERVER CHANGE REPORTER WILL BE INSTALLED:

OS requirement:

Windows 2000 or higher

Necessary additional software: • Microsoft.Net Framework 2.0 or later • Microsoft Windows Installer 3.1 or later • For Enterprise Edition, Microsoft Management Console 3.0 is required

Additional requirements: • Disk space – enough for a temporary data storage (SQL server configuration snapshots and/or audit

data will be stored there). We recommend at least 20 Gb of free disk space. An approximate formula is 50 bytes per every configuration object for each server.

Important: Before you install the SQL Server Change Reporter on a computer running Windows Server 2008, please turn off User Account Control (UAC). Otherwise, the product installation will fail.

Required rights and permissions The account which the SQL Server Change Reporter scheduled task will use for data processing and report generation requires the following:

1) Grant Alter trace on the server. To do this using SQL Server Management Studio (SSMS), go to: SSMS - Under Security tab --> Logins --> right click the name and select properties --> Securables tab --> Click add --> Select the instance you want to add the permissions to. The permissions appear in the Effective Permissions list.

2) Grant Connect SQL on the server. To do this using SQL Server Management Studio (SSMS), go to: SSMS --> right-click a database --> Properties --> Permissions and check Connect.

3) Grant Connect on all databases. To do this, follow the same instructions in Step 2. 4) Grant Select on all databases. To do this, follow the same instructions in Step 2.

Advanced Reporting is not covered by this guide, so if you plan configuring and using it, please refer to the NetWrix SQL Server Change Reporter Administrator Guide.




8

2.2 Configuring SQL Server Tracing Although some system tracing (auditing) configuration is necessary, the SQL Server Change Reporter will automatically setup all the required auditing properties on your SQL servers during the first program launch.

But you can also set it up manually. To do this, on the monitored SQL servers, launch the script file 'sqlcr_db.sql', which is located in the product installation folder

2.3 Installation To install the SQL Server Change Reporter, run the setup program on any computer in the domain where the managed SQL servers are located.

Important: If a target computer is running Windows Server 2008, make sure User Account Control (UAC) is turned off.

Follow the steps of the wizard. When prompted, accept the license agreement, then specify the installation folder and click Next to proceed with the installation.

On the last step of the installation wizard, the following dialog box appears:

Figure 2: The SQL Server Change Reporter Setup configuration utility selection dialog box

To launch the full-featured NetWrix Enterprise Management Console, select Launch Enterprise Edition and click Finish.


9

3. Working with Enterprise Edition If you are using the Enterprise license, Full Featured configuration utility mode is available to you. It features the NetWrix Enterprise Management Console (implemented as an MMC snap-in) that provides flexible configuration and management capabilities. With the NetWrix Enterprise Management Console, you can:

• Enable and configure long-term archiving • Enable and configure Advanced Reporting • Define the management scope for the NetWrix product you are using (these can be domains or OUs for AD

Change Reporter, SQL server instances for SQL Server Change Reporter, Exchange servers for Exchange Change Reporter, file servers for File Server Change Reporter, and so on)

• Enable management features for selected objects in bulk. For example, you can specify report generation frequency and recipients

• Handle numerous managed objects(server collections) with a single installation and having individual options for each collection

• Manage all NetWrix product configuration and settings via a truly integrated interface • Access Advanced Reporting right from NetWrix Enterprise Management Console

Start the Management Console by selecting NetWrix | NetWrix SQL Server Change Reporter Commercial Version | Configurator (Full Featured Mode) from the Start menu.

Figure 11: NetWrix Enterprise Management Console


10

3.1 Getting Started When you start the NetWrix Enterprise Management Console for the first time, no managed objects exist. You have to create a new managed object and perform its initial configuration, as described below.

3.1.1 Step 1: Specify Object Type 1. In the NetWrix Management Console main window, navigate to the Managed Objects tree node, right-

click it and select New Managed Object. Alternatively, you can click Create New Managed Object in the Task pad on the right.

2. The New Managed Object wizard starts. On the Select Managed Object Type step, select Computer Collection to create a collection of computers to be configured for data gathering and reporting. Click Next.

Figure 12: New Managed Object Wizard – Select Managed Object Type dialog box


11

3.1.2 Step 2: Supply Default Data Processing Account Next, you should select a user account that will be used by the SQL Server Change Reporter scheduled task as the default one for scheduled data processing and report generation.

Figure 13: New Managed Object Wizard – Data Processing Account setup dialog box

Click Specify Account; when selecting the account, consider that it should be granted the necessary access rights (see the System Requirements section above). At the next console launches, you can specify different accounts for object processing (as described later in this document).

Note: You will be presented with this step only in case if the Data Processing Account settings were not yet supplied via Settings -> Schedule NetWrix Management Console submenu.


12

3.1.3 Step 3: Specify SMTP Settings Next, specify the SMTP server settings that will be used to e-mail the reports. Supply the SMTP server name, port, and the From address.

Figure 14: New Managed Object Wizard – Configure SMTP Server Settings dialog box

Note: You will be presented with this step only if the SMTP settings were not yet supplied via Settings -> E-mail Settings NetWrix Management Console submenu.


13

3.1.4 Step 4: Specify Computer Collection Name You then have to enter the name of the computer collection (managed object) you are creating:

Figure 15: New Managed Object Wizard – Computer Collection Name setup dialog box

Enter the collection name, e.g., My Servers. If you want to use a specific account to process objects from this collection, enter the user name and password in this step. Alternatively, you can leave the Default account here (the one you supplied in Step 2 will be used).

Important: Make sure the processing account is granted the necessary rights and permissions (see 2.1. System Requirements section above).


14

3.1.5 Step 5: Enable Features You then should specify what management features will be applied to the collection - what NetWrix products will be involved in processing data from these computers. Select SQL Server Change Reporter and click Next:

Figure 16: New Managed Object Wizard – Enable Features dialog box


15

3.1.6 Step 6: Configure Database This step presents you with the Advanced Reporting settings configuration. Skip it by clicking Next. For more information on Advanced Reporting, please refer to the NetWrix SQL Server Change Reporter Administrator Guide.

Figure 17: New Managed Object Wizard – Advanced Reporting SQL Settings dialog box

http://www.netwrix.com/download/documents/NetWrix_SQL_Change_Reporter_Administrator_Guide.pdf


16

3.1.7 Step 7: Add SQL Servers Next, populate the managed object (computer collection) with the computers (SQL Servers) whose audit data needs to be processed.

Figure 18: Add Computer dialog box

Click Add…. Select SQL Server Instance. The dialog box will appear so you can enter the exact name of an object/ path to be added or just browse for it.

Figure 19: New Managed Object Wizard – the Add submenu


17

Figure 20: New Managed Object Wizard – Add Items to Collection dialog box

Enter an SQL Server name here or Browse your network for the computers you want to add.


18

3.1.8 Step 8: Configure Feature Settings Next, configure the settings for the feature/product that will process this managed object (computer collection). The SQL Server Change Reporter settings are described below:

Figure 21: New Managed Object Wizard – Configure the SQL Server Change Reporter Settings dialog box

1. Enable the reporting feature by selecting the corresponding checkbox. 2. Enter the e-mail addresses of reports recipients. The daily SQL Server change reports will be sent to

these recipients. For testing purposes, enter your e-mail.


19

3.1.9 Step 9: Review the Settings You can then review the settings you have configured for the new managed object and Finish the Wizard.

When created, the new object (computer collection) is displayed in the NetWrix Enterprise Management Console under the Managed Objects node:

Figure 22: NetWrix Management Console – Managed Objects window

Click Run to commence execution of event processing task that will be performed by the SQL Server Change Reporter or Stop the task execution (in this case, no report will be available).


20

3.2 Data Collection and Reporting This section shows you how to perform data collection and reporting using NetWrix Enterprise Management Console.

3.2.1 Running a Data Collection Task To run the data collection, select a managed object (from which you want to collect and report the changes) from the tree in the NetWrix Management Console and click Run in the right pane on the General tab:

Figure 29: NetWrix Management Console – Running Data Collection Task window

SQL Server snapshots will be collected and specified reports will be e-mailed to the selected recipients. Task session information can be examined using NetWrix Enterprise Management Console, as described below.


21

3.2.2 Viewing Task Session Results All task operation information is shown in the NetWrix Management Console. Expand the node of the feature (product) you need, for example, SQL Server Change Reporter, and select Sessions. Then select the data collection session you need to examine and review the information shown in the right pane:

Figure 30: NetWrix Management Console – Task Session Results window

For each selected session, you can review the following information: • Session status – Success, Warning, Error, or Fatal Error (meaning that data collection failed to start due to

incorrect account, remote computer powered off, or other reason specified in the Details below). • Type – the product that processed data during the selected session. • SQL Server – the list of servers included into the managed object (collection) processed during the session • Details – the detailed results of the audit data collection.

To generate a report on data collected during the selected session, use the settings in the lower pane on the right: • Server name - supply a SQL Server name whose data will be included in the report.

Click Run to launch the report generation process and automatically show the results. To see a report generated earlier (i.e., history), click View report (if the report has no history, it will be first generated and then displayed).


22

3.2.3 Viewing Scheduled Reports When the scheduled task is first run, the message notifies you of the initial analysis being completed. Next, you can make some changes to your SQL server to see the way they will be reported. After that, you can launch the scheduled task again and check the mailbox for the new report. The changes should be reported as shown in the figure below. If so, consider the product installation and configuration complete.

Figure 31: Scheduled Reports email example


23

4. Future Steps There are also many more features available in NetWrix SQL Server Change Reporter like On-Demand Reporting, SSRS-based Advanced Reporting, Long-term data archiving, Configurable Data Gathering Scheduling and others. For more information please refer to the NetWrix SQL Server Change Reporter Administrator Guide.

http://www.netwrix.com/download/documents/NetWrix_SQL_Change_Reporter_Administrator_Guide.pdf


24

5. About NetWrix Products Solutions developed by NetWrix Corporation help organizations to meet compliance standards, simplify identity management, and reduce IT infrastructure costs. The product line includes solutions for change management, identity management, virtualization, and Active Directory troubleshooting.

Enterprise Management Suite: NetWrix Enterprise Management Suite is a rich collection of all NetWrix products combined together into one integrated solution. The suite is well-maintained, regularly updated with new versions and completely new products that all customers are entitled to as long as their maintenance is up to date.

Change Reporter Suite: The Change Reporter Suite is an integrated solution for automated tracking and reporting of all critical changes in the entire IT infrastructure, including Active Directory, file servers, Microsoft Exchange, filer appliances such as NetApp or EMC, virtual infrastructure, physical infrastructure and SQL Server databases. Everything is centrally audited, consolidated, and presented in easy to understand reports with before and after values of all “who, what, when and where” modifications.

Identity Management Suite: The NetWrix Identity Management Suite brings convenience, enhanced security, and sensible benefits to everyone within an organization. The solution resolves account lockouts, forgotten passwords and password expiration problems, while also providing user account de-provisioning and privileged password management.

Active Directory Change Reporter: Full-featured Active Directory auditing and compliance solution with full coverage of AD, Group Policy, Exchange, and object-level rollback capabilities. Tracks who changed what, when, and where in Active Directory and related systems.

USB Blocker: USB Blocker enforces centralized access control to prevent unauthorized use of removable media that connects to computer USB ports—memory sticks, removable hard disks, iPods, and more.

File Server Change Reporter: File server and filer appliance auditing solution. Supports Windows servers, NetApp Filers and EMC appliances.

SQL Server Change Reporter: Auditing and reporting solution to monitor changes to SQL servers, instances, database schema, logins and roles, etc.

Privileged Account Manager: Shared access to privileged accounts with automatic password maintenance.

Non-owner Mailbox Access Reporter: Track users who access other user’s mailboxes and report unauthorized access to mailboxes of C and VP-level accounts.

Password Manager: product gives end users the ability to securely manage their passwords and resolve account lockout incidents in a self-service fashion without involvement of help desk personnel.

Account Lockout Examiner: detects, diagnoses, and resolves account lockouts in real time to reduce administrative costs associated with manual resolution of account lockouts.

Full list of products: http://www.netwrix.com/products.html For more information, please visit www.netwrix.com or call our toll-free number: +1-888-638-9749.

http://netwrix.com/Enterprise_Management_Suite.html

http://netwrix.com/change_auditing_solution.html

http://netwrix.com/identity_management.html

http://netwrix.com/active_directory_change_reporting_freeware.html

http://netwrix.com/usb_blocker_freeware.html

http://netwrix.com/file_server_auditing_change_reporting_freeware.html

http://netwrix.com/sql_server_audit_change_reporter_freeware.html

http://netwrix.com/privileged_account_manager.html

http://netwrix.com/non_owner_mailbox_access_reporter_exchange_freeware.html

http://www.netwrix.com/requeste.html?product=prm

http://www.netwrix.com/requeste.html?product=ale

http://www.netwrix.com/products.html

http://www.netwrix.com/


25

6. Disclaimer The information in this publication is furnished for information use only, does not constitute a commitment from NetWrix Corporation of any features or functions discussed and is subject to change without notice. NetWrix Corporation assumes no responsibility or liability for any errors or inaccuracies that may appear in this publication.

NetWrix is a registered trademark of NetWrix Corporation. The NetWrix logo and all other NetWrix product or service names and slogans are registered trademarks or trademarks of NetWrix Corporation. Active Directory is a trademark of Microsoft Corporation. All other trademarks and registered trademarks are property of their respective owners.

© 2010 NetWrix Corporation. All rights reserved. www.netwrix.com

http://www.netwrix.com/

NetWrix SQL Server Change Reporter

Documents