I have a Azure SQL Database with Auditing turned on. I noticed that my database comes online after a pause when it shouldn't. I checked the audit logs and it shows strange entries of 'sa' login trying to do smth. Not sure what these entries mean. Is a normal activity from Azure or somebody is trying to connect to my database? I believe that there is no such user 'sa' on Azure SQL databases, or am I wrong. Attaching the screenshot of audit logs.
Additional_info column shows these values (they repeat for every event).
<action_info xmlns="http://schemas.microsoft.com/sqlserver/2008/sqlaudit_data">destroyed</action_info> <action_info xmlns="http://schemas.microsoft.com/sqlserver/2008/sqlaudit_data">event disabled</action_info> <action_info xmlns="http://schemas.microsoft.com/sqlserver/2008/sqlaudit_data">event enabled<startup_type>automatic</startup_type></action_info>
Tried Google, found nothing.
I created azure SQL database in azure portal, and I enabled auditing server level destination as storage account. Image for reference:
After that I enabled auditing at database level with same destination of storage account. Image for reference:
It enabled successfully, and containers are created successfully in storage account.
Image for reference:
Audit Records:
Here is my log In this way I am not getting any error related to sa user. As per my knowledge sa user is the admin you created during setup of SQL Azure server According to this Once the azure database is in pause status, it resumes automatically in the following conditions:
May be for above reason database still remains in online when you pause it.