SQL Server Audit Log Purging and Archival
SQL Server audit log purging depends on the type of output you select in the
Audit object.
If you send audit events to the Windows Application or Security log, then your SQL
audit data will be subject to whatever settings are configured on that event
log. On the other hand, if you output audit events in binary log file format,
you can also choose how large audit files should grow before rolling over to a new
file, how many files to keep before SQL Server starts deleting old audit logs, and
even whether to reserve disk space in advance for these audit files.
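
The file-output settings described above, written as T-SQL. This is an added
example, not taken from the original article: the audit name, directory, and
size values are assumed, and the two queries are one way to review what is
currently configured.

```sql
-- Added example: audit name, path and sizes are assumed values.
USE master;
GO

-- File-target audit with bounded local retention:
--   MAXSIZE             size at which the current file rolls over to a new one
--   MAX_ROLLOVER_FILES  number of files kept before the oldest is deleted
--   RESERVE_DISK_SPACE  pre-allocates each file to MAXSIZE
--                       (only valid when MAXSIZE is not UNLIMITED)
CREATE SERVER AUDIT [Audit_Example]           -- hypothetical audit name
TO FILE (
    FILEPATH           = N'D:\SQLAudit\',     -- assumed local staging directory
    MAXSIZE            = 100 MB,
    MAX_ROLLOVER_FILES = 20,
    RESERVE_DISK_SPACE = ON
);
GO

-- Audits are created disabled; turn this one on.
ALTER SERVER AUDIT [Audit_Example] WITH (STATE = ON);
GO

-- Review the rollover settings of every file-target audit on the instance.
-- max_file_size is reported in MB.
SELECT name,
       log_file_path,
       max_file_size,
       max_rollover_files,
       reserve_disk_space
FROM sys.server_file_audits;

-- Show which file each running audit is writing to and how large it is.
SELECT name,
       status_desc,
       audit_file_path,
       audit_file_size
FROM sys.dm_server_audit_status;
```

With these assumed values the server keeps roughly 2 GB of audit files locally
and deletes the oldest file on rollover, so the retention window has to be long
enough for events to be collected elsewhere before their file is deleted.
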
However, commonly accepted best practice mandates that log files be moved off
the system where they are generated and out of the control of the system that
generates them, so we do not recommend that the file path you specify in the
Audit object serve as any kind of permanent resting place for audit logs. Instead, this
audit data should be collected into your centralized log management/SIEM archive.
And that is one of the functions facilitated by my
LOGbinder for SQL Server collector.