IDERA strives to ensure our products provide quality solutions for your SQL Server needs. The following known IDERA SQL Compliance Manager issues are described in this section. If you need further assistance with any issue, please contact Support.
Import Database settings with DML/SELECT filters, flips import settings.
When users import database audit settings and apply those settings to multiple databases, the imported settings apply only to some databases. If user imports and applies the audit settings to the same databases again, the configuration settings get flipped, applying the import settings to the databases it did not apply to before while deleting the settings from the ones it previously applied them to.
SQL Compliance Manager Object Activity Report renders all data on a single page.
When the Object Activity Report is run, the report displays all the collected data in a single page.
SQL Compliance Manager traces are getting collected on the Passive nodes of an Availability Group.
When a primary node becomes a secondary node, the Stored Procedure does not get disabled for the secondary node and the trace files keep gathering. This causes an accumulation of trace files on the secondary node.
Follow the steps below for the workaround to stop trace files from generating on the secondary node:
- Launch Trace Manager from the SQL Compliance Manager Desktop Console. SQLCM Menu-bar>Tools>Trace Manager.
- Enter the SQL Server Instance name and click the Connect button.
When working on a secondary node of an Availability Group, use the secondary´s instance name.
- In the SQLcompliance Stored Procedures field, make sure to check the “_” and “_” options.
- Click the “Drop SQLcompliance Stored Procedures” button.
- In the Registered Traces field, from the list of running traces, select the entries related to the SQL CM traces.
Use the file path to determine the traces related to SQL CM. Or check the Agent Properties for the audited instances to verify the trace directory file path.
- Once the desired registered trace is selected, click the Stop button. Select the record again and click the Close button.
- Repeat steps 5 and 6 for the remaining SQL CM traces.
Invalid stored procedures call to sp_SQLcompliance_AuditXE.
A message about an invalid stored procedure appears in the SQL Server Logs; "Could not find stored procedure master.dbo.sp_SQLcompliance_AuditXE". The error message appears because no stored procedure with the name "master.dob.sp_SQLcompliance_AuditXE" exists.
Event Filter does not work on Sensitive Column Data.
When using an Event Filter for a specific Login, all events captured get filtered except for the Sensitive Column SELECT operations.
The Add Dataset configuration window is allowing to add more of one Dataset of the same table.
When users add a Dataset as part of the tables audited for Sensitive Column Access, SQL CM has an issue that allows users to add the same Dataset multiple times.
Known issues in version 5.5.1
Installation and configuration issues
- (Fixed in version 5.6) Installation or upgrade of SQL Server 2012 native client may cause the system to reboot. When installing or upgrading the version of the native client, once the process is complete, a system reboot occurs without previous warning.
- IDERA Dashboard 3.0.3 and later does not support SQL Server 2005 SP1. Users should not attempt to install SQL Compliance Manager with IDERA Dashboard 3.0.3 and later on a SQL Server 2005 SP1 as that version of SQL Server is not supported by IDERA Dashboard.
- Case-sensitivity required when specifying the Repository database name. When specifying the location and name of your Repository database, SQL Compliance Manager requires that you use proper capitalization.
- IDERA SQL Compliance Manager does not capture Linked Server Trace Events for SQL Server 2005. Linked server events are not present in the trace files for SQL Server 2005, therefore linked server events are not captured in IDERA SQL Compliance Manager and no alerts will trigger. Microsoft has ended extended support for this version.
- (fixed in version 5.6) Create/Drop index events recorded as “Alter User Table” event. SQL Compliance Manager records Create/Drop index events as “Alter User Table” events.
- (fixed in version 5.6) IDERA SQL Compliance Manager is not loading events accessed through a View. SQL Compliance Manager does not display Sensitive Column events when accessed from a view. To access the information using views gather and filter out all SELECT statements. Note that this action will cause extra collection.
- (Fixed in version 5.6) Issues loading BAD auditing information. IDERA SQL Compliance Manager is not able to capture BAD auditing information when two objects with the same name exist in the same schema.
- (Fixed in version 5.6) SQL Text is not captured for DDL Statements. When monitoring an instance for DDL event, SQL Compliance Manager is not able to capture SQL Statements for DDL activities unless a user is added to the Privileged User Group. Users can also capture SQL Text by selecting Capture SQL statements for DDL and Security changes at Database Level.
Known issues in version 5.5
( Fixed in version 5.5.1 ) The SQL Compliance Manager Collection Server is not processing trace files, or processing them slowly, causing backlog files to get accumulated in the Collection Trace Directory in large transactional databases.
The workaround for this issue is to increase the tamper detection interval and the Collection interval.
( Fixed in version 5.5.1 ) IDERA SQL Compliance Manager installation fails if TLS 1.0 is disabled and if SQL Server 2012 Native Client is not available. IDERA SQL Compliance Manager 5.5 installs SQL Server 2012 native client (version 11.0.2100.60) which does not support TLS 1.2 enabled as per Microsoft.
Users with SQL Server versions prior to SQL Server 2012 R2 SP3 need to enable TLS 1.0 or update the native client to the supported version (11.4.7001.0) following the link below:
( Fixed in version 5.5.1 ) SQL Compliance Manager does not process trace files generated by an older Agent after upgrading versions of the Collection Server and the Agent.
( Fixed in version 5.5.1 ) When performing an archive of a highly transactional database with SQL Compliance Manager, the application shows a “violation of PRIMARY KEY constraint” error and terminates the statement. The workaround for this issue is to rename the current archive database, along with the database files associated to it and perform a new archive operation. The operation should create a new archive database and database files.
Known issues in version 5.4.x
- ( Fixed in version 5.5.1 ) SQL Compliance Manager does not accept user names longer than 20 characters and does not support some special characters for the user password, such as £.
- Removing databases using the Administration pane in the Management Console does not work. You can remove databases using the Explorer Activity panel.
( Fixed in version 5.5 ) During an Agent-only installation, if you accept the default destination path for SQL Compliance Manager, and then select a different destination drive and use a sub-folder in the Agent Trace Directory dialog box, the installer does not create the Agent Trace Directory during installation. If this issue occurs, reinstall the Agent specifying a folder instead of a sub-folder as the destination path or use the default path specified in the installer.
- If the audit settings are configured to audit DML events for a selected table, and extended events is enabled for DML and Select on the Instance, SQL Compliance Manager collects audit data for all tables and not only the selected table. If you turn off extended events, auditing correctly collects data for the selected table only.
- ( Fixed in version 5.5 ) Execute events are captured when extended events is enabled. There may be some extra events captured and shown through the Extended Events auditing than the events shown through the Trace method.
- ( Fixed in version 5.4.2 ) Cannot insert duplicate key row in object 'dbo.Events' with unique index 'IX_Events_eventId'.
- ( Fixed in version 5.4.2 ) DatabaseName appears as empty for Login Events. SQL Compliance Manager 5.4 traces do capture the DatabaseID, but do not include the database name.
- ( Fixed in version 5.5 ) Applying a regulation guideline does not work when there is a Privileged User defined.
- ( Fixed in version 5.4.2 ) Case-sensitive collation may prevent some trusted and privileged users from being captured.
- ( Fixed in version 5.4.2 ) Auditing an AlwaysOn database using the Node method causes the Registered SQL Servers list to display both nodes as Secondary.
- Audit Snapshot does not include setting to capture DDL SQL statements.
- Before-After data does not appear for Binary Collation SQL Server instances when extended events is enabled.
- ( Fixed in version 5.4.2 ) Audit settings at an instance level take precedence over database-level settings for a Privileged User.
- ( Fixed in version 5.5 ) Agent trace folder permissions are overwritten when the Agent is deployed.
- ( Fixed in version 5.4 ) SQL Compliance Manager attempts to contact the Agent (heartbeat check) on attached archive databases.
- ( Fixed in version 5.5 ) Users who export reports to Microsoft Excel fail when the SQL text contains more than 32,767 characters.
- ( Fixed in version 5.4.2 ) Some SQL Server startup/stop events may cause the integrity check to fail.
The Audit Events tab may display an incorrect user name in the Login column when auditing start and stop server events.
Specifically, the SELECT statement which uses the
permissions()function generates only DML event traces and not a SELECT event trace. This step results in SQL Compliance Manager reporting the SELECT statement as a DML event. In addition, the
permissions()function is deprecated. Microsoft recommends in MSDN documentation that users implement the
Has_Perms_By_Name()function instead of the
permissions()function. The difference between these two functions is that the
permissions()function always generates the DML event traces while the
Has_Perms_By_Name()function generates event traces according to permission type used. For example, SELECT event traces for SELECT permission types, and DML event traces for EXECUTE or DELETE permission types.
( Fixed in version 5.4.2 ) Users who change the default port for the AlwaysOn Availability Group from the default may experience the following issues. to avoid these issues, change the listener to the default port.
- SQL Compliance Manager does not accept the name format when attempting to add the listener name using the Cluster Configuration Console.
- If the port is not added, the agent cannot connect to the SQL Server instance. You can manually add the port to the registry setting later and it will then connect to the instance after restarting the SQLcomplianceAgent.
- Users cannot connect to the SQL Server instance even when adding the listener with the port in the SQL CM console.
- The Permissions Check also fails.
When you change the definition of a table you are auditing to include BLOB data types, the Before-After data trigger prevents UPDATE, DELETE, and INSERT operations from modifying the table, such as through stored procedures or third-party applications. This issue is most likely to occur when you are auditing all columns in the target table. This issue occurs because Before-After auditing does not support BLOB data types (such as text, image data, or XML code). To correct this issue, change the data definition of the table.
SQL Compliance Manager does not support collecting and processing events from encrypted SQL Server trace files. This issue is most likely to occur in environments that use third-party encryption software. For example, some applications can be configured to automatically encrypt all new files created on a specific computer. If you are running encryption software in your SQL Server environment, verify the encryption settings to ensure the application does not encrypt trace files on the audited SQL Server instances.
- After removing a server from auditing and leave registered databases archived, the user is able to right-click the archived database ‘server’ and register databases to audit.
- Users can select “Capture SQL statements for DDL activities” only if the “Database Definition DDL” option is saved first.
- Filtering by time does not work properly on the Alerts view.
- Some status alerts including Agent trace directory reached size limit and Collection Server trace directory reached size limit do not display properly in the Web Console.
- Status alerts are not generated for alert rules of the Agent cannot connect to audited instance Rule Type.
- ( Fixed in version 5.5 ) SQL Statement is not captured or displayed when viewing Event Properties for Create SQL Login and Create Windows Login events.
- ( Fixed in version 5.4.2 ) A Column Value Changed data alert is generated twice for each Before-After audit event.