Submit a ticketCall us

Training ClassThe Orion® Platform Instructor-led Classes

Provided by SolarWinds® Academy, these trainings will introduce users to the Orion Platform and its features, management, and navigation. These courses are suitable for users looking to discover new tips, tricks, and ways to adapt their Orion products to better suit their monitoring needs:
Deploying the Orion Platform
Configuring Orion views, maps, and accounts
Configuring Orion alerts and reports

Reserve your seat.

Home > Success Center > Log & Event Manager (LEM) > LEM - Knowledgebase Articles > Configure MSSQL Auditor on a LEM Agent

Configure MSSQL Auditor on a LEM Agent

Last updated: September 7, 2018


It is important to follow the steps in sequence to be successful. 


Auditing a Microsoft SQL Server to LEM has 4 parts:

  • Installing the MSSQL Profiler on the SQL Server – The profiler defines the auditing needed from the SQL database. The Profiler is included with Microsoft SQL, and is specific to each version of SQL.
  • Installing the MSSQL Auditor – The Auditor performs the connection to the SQL database and places the logs to a file. The Auditor can be downloaded from the SolarWinds Customer Portal.
  • Installing the LEM Agent on the SQL Server – The LEM Agent delivers the log data from the Connector to LEM. The LEM Agent can be downloaded from the SolarWinds Customer Portal.
  • Configuring the MSSQL Connector – The SQL Connector fetches data from the file location set by the Auditor. The MSSQL Connector is configured under the Agent.

Depending on Active Directory group policies, local permissions and rights, software already installed on the SQL server, and firewall settings, there may be issues why the SQL Auditor cannot be installed. When SQL Auditor is installed, ensure the installer file is located on the local hard drive, and a right-click to select Runas Administrator is selected for the install (even if your user is an administrator, the application still needs the admin install).

Depending upon the permissions and rights of the SQL server, you may need to designate a separate server (does not need to be a SQL server), to be the "SQL management server" for collecting logs.

This server would have the SQL Profiler, SQL Auditor, LEM agent, and SQL Auditor Connector installed and configured.

Typically, the profiler, auditor, agent and connector are installed and configured on the same server as SQL (SQL 2005, SQL 2008, SQL 2012, SQL 2014, 2000-SQL-MSDE, 2005-SQL-Express, 2008-SQL-Express.


It is very important that you install both SQL auditor and the LEM Agent using the Run as administrator option. To do so, copy the installer files to the local hard drive, right-click the installer file, and then select Run as administrator. This step is required even if your user account is an administrator account.


All versions of LEM


Install the following components on your database server prior to installing MSSQL Auditor.

  • Microsoft SQL 2005 Profiler, 2008 Profiler, 2012 Profiler (matches SQL version)
  • Microsoft .NET 2.0 Framework
  • SolarWinds LEM Agent for Windows

Multiple SQL Servers can be monitored from a SQL mgmt server, and the procedure is at the bottom of this article. The SQL mgmt server does not require SQL to be installed. When you have decided to monitor your SQL servers with MSSQL Auditor, select a system that has network access to the SQL servers to be monitored, and that are on the same domain. Install SQL System Profiler, SolarWinds LEM MSSQL Auditor, and the LEM agent on that same server. This allows you to monitor multiple SQL servers from one system, and reduces the workload on the SQL server itself. However, the version of SQL must match the installed Profiler version. If you have 2008 SQL Server, you must install 2008 Profiler.


I. Verify the Language option and the Date/Time format:

Refer to Microsoft documentation for reference.

  • Windows and SQL Language option should be English. The SQL Auditor cannot parse other languages that utilize accented characters)
  • Verify the Date/Time format to be MM/DD/YYYY HH:mm:ss.


II. Install MSSQL Profiler:

Refer to Microsoft documentation for reference.

  • SQL Profiler may be pre-installed with your SQL install, or it could be a part of your SQL downloads.
  • When auditing and monitoring multiple SQL Servers, add all servers to the Profiler configuration.


III. Install MSSQL Auditor on the SQL server:

You must install SQL Auditor using the Run as administrator option.

  1. Extract the contents of  to a local hard drive on the SQL server.

    Get the latest version of MSSQLAuditor from Solarwinds customer portal for connection to the latest version of SQL. (because of changes to SQL 2017, SQL Auditor is currently being updated for SQL 2017)

  2. From the extracted folder, SolarWinds-LEM-v6.4.0-MSSQLAuditor, right-click mssqlaudsetup.exe >, and then select Run as administrator (only works if the installer is located on the local hard drive).
  3. To start the wizard, click Next.
  4. If you agree, accept the End User License Agreement, and then click Next.
  5. Click Change to specify an installation folder, or accept the default, and then click Next.
  6. Click Install.
  7. When the installation is finished, select Launch SolarWinds MSSQL Auditor, and then click Finish.
    SQL Auditor cannot be un-installed from Programs and Features.
    A Microsoft Un-install utility is needed to remove the SQL Auditor, and the registry entry is a manual entry.
    Find the un-installer here:
    Below is the registry key to delete if SQL Auditor is being removed (not required if re-installing Auditor):  


IV. Launch SQL Profiler to import and save the template

The template defines the fields to be audited by the SQL Auditor.


  1. Launch SQL Profiler, and then select Import from the File > Templates > Import menu.
  2. Import the SQL specific tdfs file from C:\program files (x86)\Solarwinds Log and Event Manager SQL Auditor\tdfs\.
  3. Use the drop-down lists in the middle to select the SolarWinds/Trigeo template. Specify the appropriate version of SQL Server.
  4. Navigate to File > Templates > Edit Template.
    In the Template Properties dialog, select the “Use as a default template for selected server type” option, and then click Save. For context, click here to view a screen capture of the Properties dialog.
  5. Profiler may not save the template to the same directory that it was imported from, but may be saved to the user profile (hopefully Microsoft will fix this in future versions of SQL).     
    1. Locate and copy the saved template: C:\Users\<username>\AppData\Roaming\Microsoft\SQL Profiler\SQL\<10>\*.tdfs  or  possibly:  C:\Users\<username>\AppData\Roaming\Microsoft\SQL Profiler\11.0\Templates\Microsoft SQL Server\110\*.tdfs.
    2. Open Windows Explorer and rename the original C:\program files (x86)\Solarwinds Log and Event Manager SQL Auditor\tdfs\Solarwinds2016.tdfs file. This is the file that we imported to Profiler.
    3. Open Windows Explorer and move/copy/save the Profiler template (from C:\Users\<username>\AppData\Roaming\Microsoft\SQL Profiler\SQL\<10>\*.tdfs) to C:\program files (x86)\Solarwinds Log and Event Manager SQL Auditor\tdfs\).
  6. Go to the next section to configure the SQL Auditor.


V. Configure MSSQL Auditor for use with your servers:

  • If you did not select Launch SolarWinds MSSQL Auditor from previous steps above, you can launch it from the SolarWinds Log and Event Manager Program group in the Start menu.
  • SolarWinds recommends using a domain-based account that has sysadmin privileges (SA) on the database, although the account only needs to have Execute permissions for any stored procedures that have the xp_trace prefix.
  • The account must also have logon as a service right.


  1. Enter the name of the SQL Server instance that you want to monitor in the SQL Server\Instance field (the server name is preferred, and the DB instance must be known), and then click Add Server. Do the same for each SQL Server.
    In the SQL Server Configuration Manager example below, the database instance is MSSQLSERVER, which is also the default instance for SQL Server.

    SQL Server Management Studio will show the Database names. Open Object Explorer, connect to an instance of the SQL Server Database Engine, and then expand that instance to view databases.
  2. If you want to use an account other than the Local System Account to run MSSQL Auditor on your database server, open SQL Auditor, select This Account from the Run Service As section, and provide the appropriate credentials.
    This account must have both logon as a service right, and have SA privileges.
    1. Run the Local Security Policy on the SQL server to verify the Local Policies, User Rights Assignment, and Logon as a Service right. This is needed for SQL Auditor to run.)
    2. To verify SA privileges, log onto the SQL server using the account chosen for Auditor, and try running SQL Configuration Manager. If it fails to start, the user does not have SA privileges.
  3. In the Manage Auditor Service section, click Start Auditor Service (green Play icon), and then click OK.
    You can conduct the test (only works before starting the auditor), but this is only a basic test for functionality.
  4. SQL Auditor should now use the new configuration template file, and SQL Auditor should be logging the data to the logs directory:  C:\program files (x86)\Solarwinds Log and Event Manager SQL Auditor\logs\


VI. Start the MSSQL Auditor connector on your LEM Agent:

Repeat these steps for the MSSQL 2000 Application Log connector, if SQL Logging appears in the Microsoft Application event log. This connector applies to any version of SQL (not just SQL 2000) that logs to the Windows Application event log.


  1. Open your LEM console and log in to the LEM Manager as an administrator.
  2. Click Manage, and then select Nodes.
  3. Locate the LEM Agent for your database server and verify it is connected to your LEM Manager.
  4. Click the gear icon next to the LEM Agent, and then select Tools.
  5. At the top of the Refine Results pane, enter MSSQL in the search box.
  6. Click the gear icon next to the SolarWinds Log and Event Manager MSSQL Auditor 2000, 2005, 2008, 2012, 2014, 2016 connector, and then select New.
  7. Give the new tool a custom Alias, or accept the default.
  8. Verify that the value in the Log File field matches the folder on your database server, and then click Save.
  9. Click the gear icon next to the new tool (denoted by an icon in the Status column), and then select Start.
  10. To exit the Connector Configuration window, click Close.

You can verify your setup by creating a filter for all Alerts with MSSQL in theToolAlias field. The exact conditions would state, Any Alert.ToolAlias = *MSSQL*, provided you accepted the default Alias values above.

If you are seeing the data in the LEM console, it should also be going to the database.
If you have trouble with this, contact SolarWinds Support for assistance.




Deploying SQL Auditor for multiple SQL servers (different versions of Windows and different versions of SQL).

Microsoft SQL Profiler comes with each version of SQL and it needs to match the SQL version.
If the SQL Profiler does not match the SQL version, the Auditor may not collect logs, and it may not run.

The SolarWinds SQL Auditor is a universal version, but during install the executables used (within SQL Auditor) are specific to a particular version of SQL.
While you can deploy SQL Profiler, SQL Auditor, and the LEM Agent (with associated SQL connectors) on each SQL server, it is not necessary.

You can install the Profiler, Auditor, and Agent on a designated SQL management server(s). These are just Windows server(s) with Profiler, Auditor, and Agent installed.

For example, assume the following:

SQL management servers

server A = windows 2012-R1, no SQL installed
server B = windows 2008-R2, SQL 2012 installed
server C = windows 2016-R1, no SQL installed


SQL servers (servers with SQL installeded, and SQL servers to be monitored.)

server1 = windows 2008-R2, SQL 2008
server2 = windows 2012-R1, SQL 2008

server3 = windows 2008-R1, SQL 2012
server4 = windows 2012-R2, SQL 2012

server5 = windows 2008-R2, SQL 2005
server6 = windows 2016-R1, SQL 2005


Configure the servers that collect the logs

The SQL Server version is important, not the version of Windows.

  • In each example, configure all three installs to receive logs.
  • Point the auditor to the SQL database (on the SQL server) to read the database logs. Be sure you have the SQL server hostname, SQL database name, and SQL instance name.
  • Ensure the LEM Agent has the LEM hostname or IP contained in the config file (C:\windows\syswow64\ContegoSPOP\spop.conf) when the agent is installed.

Server A: Install SQL 2008 Profiler, install (latest) SQL Auditor, and point each to get SQL from server1 and server2 (Note SQL version 2008). Install the LEM 6.3.1 Agent, and enable/config the SQL connectors on the Agent.


Server B: Install SQL 2012 Profiler, and then install (the latest) SQL Auditor. Point each to get SQL from server3 and server4 (Note SQL version 2012). Install LEM 6.3.1 Agent, and enable/config the SQL connectors on the agent.


Server C: Install SQL 2005 Profiler, install (latest) SQL Auditor, and point each to get SQL from server5 and server6 (Note SQL version 2005).  Install LEM 6.3.1 Agent, and enable/config the SQL connectors on the agent. (SQL Auditor uses the same executable for gathering logs as SQL 2012.)


Look for receipt of SQL logs from all three management servers.


Disclaimer: Please note, any content posted herein is provided as a suggestion or recommendation to you for your internal use. This is not part of the SolarWinds software or documentation that you purchased from SolarWinds, and the information set forth herein may come from third parties. Your organization should internally review and assess to what extent, if any, such custom scripts or recommendations will be incorporated into your environment.  You elect to use third party content at your own risk, and you will be solely responsible for the incorporation of the same, if any. 

Last modified