{"id":1103,"date":"2011-03-14T00:00:00","date_gmt":"2011-03-14T00:00:00","guid":{"rendered":"https:\/\/test.simple-talk.com\/uncategorized\/the-default-trace-in-sql-server-the-power-of-performance-and-security-auditing\/"},"modified":"2026-03-18T13:36:50","modified_gmt":"2026-03-18T13:36:50","slug":"the-default-trace-in-sql-server-the-power-of-performance-and-security-auditing","status":"publish","type":"post","link":"https:\/\/www.red-gate.com\/simple-talk\/databases\/sql-server\/performance-sql-server\/the-default-trace-in-sql-server-the-power-of-performance-and-security-auditing\/","title":{"rendered":"SQL Server Default Trace: Auditing Guide with Scripts"},"content":{"rendered":"
\n

The SQL Server default trace is a lightweight, always-on trace that ships enabled by default since SQL Server 2005. It records events across six categories – Database (file growths\/shrinks), Errors and Warnings, Full-Text, Objects (schema changes), Security Audit (login failures, permission changes), and Server events – rotating across five .trc files in the SQL Server installation directory.<\/p>\n

Because it\u2019s already running, the default trace is the fastest way to investigate \u201cwhat changed\u201d on a SQL Server instance without setting up Extended Events or a server-side trace. This guide provides ready-to-run T-SQL scripts for auditing every event category the default trace captures.<\/p>\n

Introduction<\/h2>\n

SQL Server provides us with variety of tools for auditing. All of them have their advantages and pitfalls. The default trace, introduced in SQL Server 2005, has the great advantage of being switched on by default, and is usually already there to use. It provides comprehensive information about changes in the system.<\/p>\n

Firstly, let’s start by answering some basic questions:<\/p>\n

What is the default trace?<\/strong> The default trace is enabled by default in SQL Server and is a minimum weight trace which consists by default of five trace files ( .trc) located in the SQL Server installation directory. The files are rolled over as time passes.<\/p>\n

How do we know that the default trace is running<\/strong>? We can run the following script in order to find out if the default trace is running:<\/p>\n

SELECT* FROM sys.configurations WHERE configuration_id = 1568\n<\/pre>\n
If it is not enabled, how do we enable it?<\/strong> We can run this script in order to enable the default trace:<\/p>\n
sp_configure 'show advanced options', 1;\nGO\nRECONFIGURE; \nGO\nsp_configure 'default trace enabled', 1;\nGO\nRECONFIGURE;\nGO\n<\/pre>\n
What is logged in the Default Trace?<\/strong> If we open the Default trace file in Profiler and look at the trace definition we will see that events in 6 categories are captured: Database, Errors and Warnings, Full-Text, Objects, Security Audit and Server. Also, all available columns are selected for every sub-event.<\/p>\n
\"1254-Fig1.jpg\"<\/p>\n
Figure 1: This is how the Default trace looks like<\/p>\n
So, how can we benefit from each audited category? In the following sections I will explain briefly what each category means, as well as some of the sub-events, and will provide essential scripts for auditing the events in the Default Trace.<\/p>\n
Database Events<\/h2>\n
Let’s start with the first event: the Database. As we can see, the sub-events are pretty much self-explanatory – the growth and shrinkage of data and log files, together with the changes in mirroring status. It is important to monitor file growths and shrinkages; It would be a vast topic to explain why, but in an nutshell, it is because of possible performance issues. Every time a file is grown or shrunk, SQL Server will halt and wait for the disk system to make the file available again. And halt, in this case, means halt<\/strong>: no transactions processed until the action is completed.<\/p>\n
These are the database events that are monitored:<\/p>\n