Edit

Share via


How to configure SQL audit logs in Fabric Data Warehouse (Preview)

Applies to: ✅ Warehouse in Microsoft Fabric

Auditing in Fabric Data Warehouse provides enhanced security and compliance capabilities by tracking and recording database events.

You can configure SQL audit logs in Fabric Data Warehouse in the Fabric portal or via REST API.

Note

The SQL audit logs feature is currently in preview.

Prerequisites

  • A Fabric workspace with an active capacity or trial capacity.
  • You should have access to a Warehouse item within a workspace.
  • You must have the Audit permission to configure and query audit logs. For more information, see Permissions.

Configure SQL audit logs

You can configure SQL audit logs using the Fabric portal or via REST API.

  1. In your Fabric workspace, select the Settings of your warehouse item.

  2. Select the SQL audit logs page.

  3. Enable the setting Save events to SQL audit logs.

    Screenshot from the Fabric portal of the setting to enable.

    By default, all actions are enabled and retained for nine years.

  4. You can configure which events will be captured by SQL audit logs under Events to record. Select which event categories or individual audit action groups you want to capture. Only select the events your organization requires to optimize storage and relevance.

    Screenshot from the Fabric portal of the recording and retention options, the Events to record section.

  5. Specify a desired log retention period in Years, Months, and Days.

    Screenshot from the Fabric portal of the Log retention options.

  6. Select Save to apply your settings.

Your warehouse will now record the selected audit events and store the logs securely in OneLake.

Query audit logs

SQL audit log data is stored in .XEL files in the OneLake, and can only be accessed using the sys.fn_get_audit_file_v2 Transact-SQL (T-SQL) function. For more information on how audit files are stored in the OneLake, see SQL audit logs in Fabric Data Warehouse.

From the SQL query editor or any query tool such as SQL Server Management Studio (SSMS) or the mssql extension with Visual Studio Code, use the following sample T-SQL queries, providing your own workspaceId and <warehouseId>.

SELECT * 
FROM sys.fn_get_audit_file_v2
('https://onelake.blob.fabric.microsoft.com/<workspaceId>/<warehouseId>/Audit/sqldbauditlogs/'
, default, default, default, default);

To filter logs by time range, use the following query:

SELECT * 
FROM sys.fn_get_audit_file_v2
('https://onelake.blob.fabric.microsoft.com/<workspaceId>/<warehouseId>/Audit/sqldbauditlogs/'
, default, default, '2025-03-30T08:40:40Z', '2025-03-30T09:10:40Z');