Auditing SELECT of views

Products Auditor Discussions & Questions
,
1

When configuring Netwrix Auditor, in the datasource, in the “audit SELECT”, I can fill up the following fields:

  • Server
  • Database
  • Schema
  • Table

but can I put a “View” in the Table field to monitor who is accessing a particular SQL View?

2

Hello Vincent,

Thank you for your question.

In Netwrix Auditor, when configuring a data source to audit SELECT operations, the Server, Database, Schema, and Table fields are intended for specifying actual database tables. Although you can technically enter the name of a view in the “Table” field, it will not produce meaningful audit results.

This is because a SQL view is just a virtual object that represents a stored query and does not hold data itself. Any SELECT against a view is translated and executed against its underlying tables. As such, Netwrix Auditor does not track access to the view directly.

To reliably monitor data access, we recommend configuring auditing on the base tables instead. This approach ensures that all SELECT activity—whether performed directly on the table or through a view—is properly captured.

Please don’t hesitate to reach out if you need any further assistance.

Best regards,
Evgenii

3

Thank you so much Evgenii. Your answer is very clear and precise.

The reason I wanted to audit the SQL View is that I wanted to confirm it is not used before deleting it.

1 Like
4

Hello Vincent,

You’re very welcome!

Regarding your follow-up question—if your goal is to confirm whether a particular view is still being used before removing it, one practical approach is to query the SQL Server query cache. The following script uses dynamic management views to find recently executed statements that reference the view:

SELECT 
    qs.last_execution_time,
    qt.text AS query_text
FROM 
    sys.dm_exec_query_stats AS qs
CROSS APPLY 
    sys.dm_exec_sql_text(qs.sql_handle) AS qt
WHERE 
    qt.text LIKE '%YourViewName%'
ORDER BY 
    qs.last_execution_time DESC;

This method depends on the plan cache, so it may help identify recent usage. However, please note that the data is volatile—entries are lost after a server restart or when the cache is cleared.

As an alternative, you could consider setting up Extended Events or using SQL Server Profiler to monitor access to the view in real time.

Unfortunately, Netwrix Auditor is not designed to detect or report on view usage in this context, as it focuses on auditing actions against actual data structures like tables.

Best regards,
Evgenii

3 Likes