我想过滤SQL审核,以便不想捕获某些用户和某些架构触发的事件。在现有的服务器审核之一中,我发现筛选谓词为
(
[schema_name]<>'sys' AND
[server_principal_name]<>'SILVER\Distributor' AND
[server_principal_name]<>'SILVER\Replicator' AND
[server_principal_name]<>'SILVER\Merger' AND
[server_principal_name]<>'SILVER\Collecter' AND
[server_principal_name]<>'SILVER\Reporter' AND
[server_principal_name]<>'SILVER\Starter' AND
)
我认为应该是OR,而不是AND。根据TSQL,看起来上面的条件永远不会满足。 AND表示必须的所有条件。我确实使用功能sys.fn_get_audit_file读取了日志,但没有看到属于上述受限用户和架构的任何记录。看起来上面的谓词虽然有效。
这里的AND就像规则的分隔符一样。
您能解释一下吗?
答案 0 :(得分:1)
您可以更改谓词
(
[schema_name]<>'sys' AND
[server_principal_name]<>'SILVER\Distributor' AND
[server_principal_name]<>'SILVER\Replicator' AND
[server_principal_name]<>'SILVER\Merger' AND
[server_principal_name]<>'SILVER\Collecter' AND
[server_principal_name]<>'SILVER\Reporter' AND
[server_principal_name]<>'SILVER\Starter' AND
)
等同于使用or
NOT (
[schema_name] = 'sys' OR
[server_principal_name] = 'SILVER\Distributor' OR
[server_principal_name] = 'SILVER\Replicator' OR
[server_principal_name] = 'SILVER\Merger' OR
[server_principal_name] = 'SILVER\Collecter' OR
[server_principal_name] = 'SILVER\Reporter' OR
[server_principal_name] = 'SILVER\Starter'
)
甚至更具可读性
[schema_name]<>'sys' AND
[server_principal_name] NOT IN (
'SILVER\Distributor',
'SILVER\Replicator',
'SILVER\Merger',
'SILVER\Collecter',
'SILVER\Reporter',
'SILVER\Starter'
)