Introduction

Azure SQL Database auditing tracks database events for compliance, security monitoring, and forensic analysis. When auditing stops writing logs, compliance requirements may be violated and security visibility is lost.

Symptoms

Audit logs missing:

```bash $ az storage blob list \ --account-name auditstorage \ --container-name sqldbsecuritylogs \ --query '[].name'

# Returns empty or missing recent logs ```

Audit policy error:

json
{
  "error": {
    "code": "AuditConfigurationInvalid",
    "message": "The storage account 'auditstorage' is not accessible for auditing"
  }
}

Query audit status:

```bash $ az sql server audit-policy show \ --resource-group my-rg \ --server my-server \ --query '{State:state,Storage:storageEndpoint}'

# Shows state: Disabled or storage endpoint missing ```

Common Causes

  1. 1.Audit policy disabled - Auditing turned off at server or database level
  2. 2.Storage account inaccessible - Firewall blocking SQL server access
  3. 3.Storage account deleted - Audit destination removed
  4. 4.Storage quota exceeded - Container full, cannot write new logs
  5. 5.Authentication failed - Storage access key expired or wrong
  6. 6.Audit retention expired - Logs deleted by retention policy
  7. 7.Network connectivity - SQL server cannot reach storage endpoint

Step-by-Step Fix

  1. 1.Check logs for specific error messages
  2. 2.Verify configuration settings
  3. 3.Test network connectivity
  4. 4.Review recent changes
  5. 5.Apply corrective action
  6. 6.Verify the fix

Step 1: Check Audit Policy Status

```bash # Check server-level audit policy az sql server audit-policy show \ --resource-group my-rg \ --server my-server \ --query '{State:state,StorageEndpoint:storageEndpoint,Retention:retentionDays}'

# Check database-level audit policy az sql db audit-policy show \ --resource-group my-rg \ --server my-server \ --name my-database \ --query '{State:state,Actions:auditActionsAndGroups}' ```

Step 2: Enable Audit Policy

```bash # Enable server-level auditing az sql server audit-policy update \ --resource-group my-rg \ --server my-server \ --state Enabled \ --storage-account auditstorage \ --retention-days 90

# Enable database-level auditing az sql db audit-policy update \ --resource-group my-rg \ --server my-server \ --name my-database \ --state Enabled \ --storage-account auditstorage

# Verify policy enabled az sql server audit-policy show \ --resource-group my-rg \ --server my-server \ --query 'state' ```

Step 3: Check Storage Account Access

```bash # Verify storage account exists az storage account show \ --name auditstorage \ --resource-group my-rg \ --query '{Name:name,Status:provisioningState,Kind:kind}'

# Check storage account firewall az storage account show \ --name auditstorage \ --resource-group my-rg \ --query 'networkAcls'

# Allow Azure services access az storage account update \ --name auditstorage \ --resource-group my-rg \ --bypass AzureServices

# Or add SQL server subnet to allowed list az storage account network-rule add \ --account-name auditstorage \ --resource-group my-rg \ --subnet /subscriptions/SUB/resourceGroups/my-rg/providers/Microsoft.Network/virtualNetworks/my-vnet/subnets/sql-subnet ```

Step 4: Verify Audit Container

```bash # Check audit container exists az storage container show \ --account-name auditstorage \ --name sqldbsecuritylogs \ --query '{Name:name,PublicAccess:publicAccess}'

# Create container if missing az storage container create \ --account-name auditstorage \ --name sqldbsecuritylogs

# Container naming: sqldbsecuritylogs for server-level # Or database-specific containers ```

Step 5: Check Storage Quota

```bash # Check storage account usage az storage account show \ --name auditstorage \ --resource-group my-rg \ --query 'statusOfPrimary'

# List blobs to check size az storage blob list \ --account-name auditstorage \ --container-name sqldbsecuritylogs \ --query 'length(@)'

# If approaching limits, increase storage capacity # Or clean up old audit logs az storage blob delete-batch \ --account-name auditstorage \ --container-name sqldbsecuritylogs \ --pattern "2022/*" # Delete old year logs ```

Step 6: Configure Log Analytics Auditing

```bash # Alternative: Use Log Analytics for audit logs az sql server audit-policy update \ --resource-group my-rg \ --server my-server \ --state Enabled \ --laws /subscriptions/SUB/resourcegroups/my-rg/providers/microsoft.operationalinsights/workspaces/my-workspace

Step 7: Test Audit Writing

```bash # Generate test activity az sql db show \ --resource-group my-rg \ --server my-server \ --name my-database

# Wait 5-10 minutes for audit propagation sleep 600

# Check for new audit logs az storage blob list \ --account-name auditstorage \ --container-name sqldbsecuritylogs \ --query "[?contains(name, '$(date -u +%Y/%m/%d)')].name" ```

Step 8: Check Audit Actions Configuration

```bash # Review audit action groups az sql server audit-policy show \ --resource-group my-rg \ --server my-server \ --query 'auditActionsAndGroups'

# Add missing action groups if needed az sql server audit-policy update \ --resource-group my-rg \ --server my-server \ --actions FAILED_DATABASE_AUTHENTICATION_GROUP,SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP,BATCH_COMPLETED_GROUP

# Default action groups: # - SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP # - FAILED_DATABASE_AUTHENTICATION_GROUP # - BATCH_COMPLETED_GROUP ```

Step 9: Set Up Monitoring for Audit Failures

```bash # Create alert for audit policy changes az monitor activity-log alert create \ --name audit-policy-change \ --resource-group my-rg \ --condition category='Security' and operationName='Microsoft.Sql/servers/auditingPolicies/write'

Step 10: Use Event Hub for Real-Time Auditing

```bash # Configure Event Hub for streaming audit logs az sql server audit-policy update \ --resource-group my-rg \ --server my-server \ --state Enabled \ --eh /subscriptions/SUB/resourceGroups/my-rg/providers/Microsoft.EventHub/namespaces/my-eh/eventhubs/sql-audit

# Benefits of Event Hub: # - Real-time audit stream # - Integration with SIEM systems # - Higher throughput than storage ```

Audit Storage Structure

bash
auditstorage/
  sqldbsecuritylogs/
    servername/
      dbname/
        2024/
          01/
            15/
              10_00_00_Audit_123456.xel

Verification

```bash # After enabling audit policy az sql server audit-policy show \ --resource-group my-rg \ --server my-server \ --query '{State:state,Storage:storageEndpoint,Retention:retentionDays}'

# Should show: # State: Enabled # Storage: https://auditstorage.blob.core.windows.net/

# Should show > 0 for recent activity ```

Prevention

To prevent Azure SQL auditing not writing issues from recurring, implement these proactive measures:

1. Monitor Audit Log Generation

yaml
groups:
- name: azure-sql-audit
  rules:
  - alert: AzureSQLAuditNotWriting
    expr: |
      rate(azure_sql_audit_events_total[1h]) == 0
    for: 1h
    labels:
      severity: warning
    annotations:
      summary: "Azure SQL audit logs not being generated"

2. Test Audit Logging Regularly

```bash # Weekly audit test script cat << 'EOF' > /usr/local/bin/test_sql_audit.sh #!/bin/bash SERVER="my-server" DB="my-database" RG="my-rg"

# Generate test audit event sqlcmd -S $SERVER.database.windows.net -d $DB -U admin -P $PASSWORD -Q "SELECT 1"

# Wait for audit log sleep 60

# Should show > 0 EOF

chmod +x /usr/local/bin/test_sql_audit.sh ```

3. Configure Audit Retention

```bash # Set appropriate retention az sql server audit-policy update \ --resource-group my-rg \ --server my-server \ --retention-days 90 # Keep 90 days

# Monitor storage capacity az storage account show \ --name auditstorage \ --resource-group my-rg \ --query '{Used:usage.capacity,Quota:usage.quota}' ```

Best Practices Checklist

  • [ ] Monitor audit log generation
  • [ ] Test audit logging regularly
  • [ ] Configure appropriate retention
  • [ ] Monitor storage capacity
  • [ ] Review audit configuration monthly
  • [ ] Document audit requirements
  • [Fix Azure SQL Database Deadlock](/articles/fix-azure-sql-database-deadlock)
  • [Fix Azure SQL Database DTU Limit](/articles/fix-azure-sql-database-dtu-limit)
  • [Fix Azure Storage Account Inaccessible](/articles/fix-azure-storage-account-inaccessible)
  • [Technical troubleshooting: Fix Azure Aks Pod Crashloopbackoff Issue in Azure](azure-aks-pod-crashloopbackoff)
  • [Technical troubleshooting: Fix Azure Api Management Policy Expression Runtime](azure-api-management-policy-expression-runtime-error)
  • [Technical troubleshooting: Fix Azure App Configuration Feature Flag Not Refre](azure-app-configuration-feature-flag-not-refreshing)
  • [Technical troubleshooting: Fix Azure App Service 503 Always On Disabled Issue](azure-app-service-503-always-on-disabled)
  • [Technical troubleshooting: Fix Azure Application Gateway Err SSL Unrecognized](azure-application-gateway-err-ssl-unrecognized-name-alert)

<script type="application/ld+json"> { "@context": "https://schema.org", "@type": "TechArticle", "headline": "Fix Azure SQL Database Auditing Not Writing", "description": "Troubleshoot Azure SQL audit log issues. Check storage configuration, audit policy settings, and connectivity to log destinations.", "url": "https://www.fixwikihub.com/fix-azure-sql-auditing-not-writing", "publisher": { "@type": "Organization", "name": "FixWikiHub", "url": "https://www.fixwikihub.com" }, "author": { "@type": "Person", "name": "FixWikiHub Editorial Team" }, "datePublished": "2026-04-03T10:16:06.737Z", "dateModified": "2026-04-03T10:16:06.737Z" } </script>