Audit DBA activity

[sarpedor]

Hi,

I would like to maintain audit trail of DBA activity (which does not have admin access to the OS). SQL server should be setup in such a way that the DBA *cannot* alter/delete the log file showing his/her DB actions.
2 developers told this is not possible, as SQL server cannot store log file on another (more secure) server. I have hard times to believe that. Any thoughts?

Thanks!

 

[Corran007]

why are you interested in monitoring your dba's activities? do you trust them so little that you need to monitor them? If you do, i suggest you get some new ones.

but to answer your question. if im a dba on a server, i can do just about anything i want on the os via cmdshell. As far as i know there is no way to monitor what you do on the database server. the transaction log might have the info, but ive never looked into it with the tools that rip them apart (like lumingent log explorer).

If you are truely that worried about what your dba's are doing, you will have to find or write your own application that logs all their activities. There might be some third party app that does this already. but honestly if you have sa on the server, you already shouldnt have to worry about being trusted.