Setup Instructions

Step 1 - Create Extended Events Session

CREATE EVENT SESSION [Failed Logins]
ON SERVER
    ADD EVENT sqlserver.error_reported
    (ACTION
     (
         sqlserver.client_app_name,
         sqlserver.client_hostname,
         sqlserver.database_id,
         sqlserver.database_name,
         sqlserver.nt_username,
         sqlserver.server_instance_name,
         sqlserver.session_nt_username,
         sqlserver.username
     )
     WHERE (
               [package0].[equal_int64]([Severity], (14))
               AND [error_number] = (18456)
               OR [error_number] = (18452)
               OR [error_number] = (17806)
           )
    )
    ADD TARGET package0.event_file
    (SET filename = N'c:\traces\XE_Failed_Logins.xel', max_file_size = (100), max_rollover_files = (100))
WITH
(
    MAX_MEMORY = 4096KB,
    EVENT_RETENTION_MODE = ALLOW_SINGLE_EVENT_LOSS,
    MAX_DISPATCH_LATENCY = 30 SECONDS,
    MAX_EVENT_SIZE = 0KB,
    MEMORY_PARTITION_MODE = NONE,
    TRACK_CAUSALITY = OFF,
    STARTUP_STATE = ON
);
GO

Step 2 - Create a SQL Server load table

USE [FailedLogins]
GO
SET ANSI_NULLS ON
GO
SET QUOTED_IDENTIFIER ON
GO

CREATE TABLE [dbo].[XE_Trace_Load](
	[Timestamp] [DATETIME2](7) NULL,
	[Server_Instance_Name] [VARCHAR](100) NULL,
	[error_number] [VARCHAR](25) NULL,
	[client_hostname] [VARCHAR](50) NULL,
	[client_app_name] [VARCHAR](100) NULL,
	[database_name] [VARCHAR](255) NULL,
	[username] [VARCHAR](100) NULL,
	[severity] [INT] NULL,
	[message] [VARCHAR](512) NULL
) ON [PRIMARY]
GO

Step 3 - Create/Modify the Powershell Script Datatable

Because the SQL BulkCopy API can only use a Powershell Datatable as input, we must populate that datatable with our imported XE events
In the sample code, we have created a Datatable to mirror the SQL Server Load Table's schema

# Create Datatable for SqlBulkCopy
$dt = New-Object System.Data.DataTable
$col1 = New-object system.Data.DataColumn timestamp,([datetime])
$col2 = New-object system.Data.DataColumn server_instance_name,([string])
$col3 = New-object system.Data.DataColumn error_number,([string])
$col4 = New-object system.Data.DataColumn client_hostname,([string])
$col5 = New-object system.Data.DataColumn client_app_name,([string])
$col6 = New-object system.Data.DataColumn database_name,([string])
$col7 = New-object system.Data.DataColumn username,([string])
$col8 = New-object system.Data.DataColumn severity,([int])
$col9 = New-object system.Data.DataColumn message,([string])

$dt.columns.add($col1)
$dt.columns.add($col2)
$dt.columns.add($col3)
$dt.columns.add($col4)
$dt.columns.add($col5)
$dt.columns.add($col6)
$dt.columns.add($col7)
$dt.columns.add($col8)
$dt.columns.add($col9)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Setup Instructions

Step 1 - Create Extended Events Session

Step 2 - Create a SQL Server load table

Step 3 - Create/Modify the Powershell Script Datatable

Clone this wiki locally