Implemented basic Audit across 2008/R2, 2012 estate of 30 machines. Whether applied using SSMS 2016, SSMS 2008/R2 or TSQL, the 2008/R2 attempts ignore the MAX_ROLLOVER_FILES = 3. And instead spawns 100s 50MB logs files consuming 10s GBs. (2012 machines behave fine - x3 50MB files only as configured)
CREATE SERVER AUDIT siemAudit
TO FILE (FILEPATH = ’E:\AuditLogs\’, MAXSIZE = 50MB, MAX_ROLLOVER_FILES = 3)
Any ideas?
Longshot: No delete permission? (from memory the files are not reused but rather as a new file is created, which exceeds the MAX_ROLLOVER_FILES limit, the now-stale file is deleted, if that fails "tough" I think - same if you reduce the MAX_ROLLOVER_FILES limit - that does not cause any now-unnecessary files to be deleted, just sets a new "delete the now-stale file when a new file is opened that exceeds the limit")
Edit: Looks like that would also the case if something is holding the audit file open - e.g. querying the Audit at the time when it checks MAX_ROLLOVER_FILES and discovers that it needs to delete a file - and then that delete fails. No subsequent attempt is make to repeat the failed-delete
Thank you Kristen. Will test your solution today and update this post once the results are confirmed. May take 24 hours to cycle over the logs.
Many thanks