---
title: "Audit Addlogin Event Class | Microsoft Docs"
ms.custom: ""
ms.date: "03/14/2017"
ms.prod: sql
ms.reviewer: ""
ms.technology: supportability
ms.topic: conceptual
helpviewer_keywords:
- "Audit Addlogin event class"
ms.assetid: 6e0633dc-889e-49ef-bace-3c50958db2dd
author: "stevestein"
ms.author: "sstein"
monikerRange: "=azuresqldb-current||>=sql-server-2016||=sqlallproducts-allversions||>=sql-server-linux-2017||=azuresqldb-mi-current"
---
# Audit Addlogin Event Class
[!INCLUDE[appliesto-ss-asdb-xxxx-xxx-md](../../includes/appliesto-ss-asdb-xxxx-xxx-md.md)]
The **Audit Addlogin** event class occurs when a [!INCLUDE[msCoName](../../includes/msconame-md.md)] [!INCLUDE[ssNoVersion](../../includes/ssnoversion-md.md)] login is added or removed.
If you set additional properties when the login is added, such as default database, the information about these properties will be found in the **TextData** column of this event. If you set these properties while adding a login, the **Audit Login Change Property Event** will not occur.
This audit event is for the **sp_addlogin** and **sp_droplogin** stored procedures.
This event class may be removed in a future version of [!INCLUDE[ssNoVersion](../../includes/ssnoversion-md.md)]. It is recommended that you use the **Audit Server Principal Management** event class instead.
## Audit Addlogin Event Class Data Columns
|Data column name|Data type|Description|Column ID|Filterable|
|----------------------|---------------|-----------------|---------------|----------------|
|**ApplicationName**|**nvarchar**|Name of the client application that created the connection to an instance of [!INCLUDE[ssNoVersion](../../includes/ssnoversion-md.md)]. This column is populated with the values passed by the application rather than the displayed name of the program.|10|Yes|
|**ClientProcessID**|**int**|ID assigned by the host computer to the process where the client application is running. This data column is populated if the client provides the client process ID.|9|Yes|
|**DatabaseID**|**int**|ID of the database specified by the USE *database* statement or the default database if no USE *database* statement has been issued for a given instance. [!INCLUDE[ssSqlProfiler](../../includes/sssqlprofiler-md.md)] displays the name of the database if the **ServerName** data column is captured in the trace and the server is available. Determine the value for a database by using the DB_ID function.|3|Yes|
|**DatabaseName**|**nvarchar**|Name of the database in which the user statement is running.|35|Yes|
|**EventClass**|**int**|Type of event = 104.|27|No|
|**EventSequence**|**int**|Sequence of a given event within the request.|51|No|
|**EventSubClass**|**int**|Type of event subclass.
1=Add
2=Drop|21|Yes|
|**HostName**|**nvarchar**|Name of the computer on which the client is running. This data column is populated if the client provides the host name. To determine the host name, use the HOST_NAME function.|8|Yes|
|**IsSystem**|**int**|Indicates whether the event occurred on a system process or a user process. 1 = system, 0 = user.|60|Yes|
|**LoginName**|**nvarchar**|Name of the login of the user (either the [!INCLUDE[ssNoVersion](../../includes/ssnoversion-md.md)] security login or the [!INCLUDE[msCoName](../../includes/msconame-md.md)] Windows login credentials in the form of DOMAIN\username).|11|Yes|
|**LoginSid**|**image**|Security identification number (SID) of the logged-in user. You can find this information in the **sys.server_principals** catalog view. Each SID is unique for each login in the server.|41|Yes|
|**NTDomainName**|**nvarchar**|Windows domain to which the user belongs.|7|Yes|
|**NTUserName**|**nvarchar**|Windows user name.|6|Yes|
|**RequestID**|**int**|ID of the request containing the statement.|49|Yes|
|**ServerName**|**nvarchar**|Name of the instance of [!INCLUDE[ssNoVersion](../../includes/ssnoversion-md.md)] being traced.|26|No|
|**SessionLoginName**|**Nvarchar**|Login name of the user who originated the session. For example, if you connect to [!INCLUDE[ssNoVersion](../../includes/ssnoversion-md.md)] using Login1 and execute a statement as Login2, **SessionLoginName** shows Login1 and **LoginName** shows Login2. This column displays both [!INCLUDE[ssNoVersion](../../includes/ssnoversion-md.md)] and Windows logins.|64|Yes|
|**SPID**|**int**|ID of the session on which the event occurred.|12|Yes|
|**StartTime**|**datetime**|Time at which the event started, if available.|14|Yes|
|**Success**|**int**|1 = success. 0 = failure. For example, a value of 1 indicates success of a permissions check and a value of 0 indicates a failure of that check.|23|Yes|
|**TargetLoginName**|**nvarchar**|The name of the login to be added or dropped.|42|Yes|
|**TargetLoginSid**|**image**|The security identification number (SID) of the targeted login (if passed in as a parameter).|43|Yes|
|**TransactionID**|**bigint**|System-assigned ID of the transaction.|4|Yes|
|**XactSequence**|**bigint**|Token used to describe the current transaction.|50|Yes|
## See Also
[Extended Events](../../relational-databases/extended-events/extended-events.md)
[sp_trace_setevent (Transact-SQL)](../../relational-databases/system-stored-procedures/sp-trace-setevent-transact-sql.md)
[Audit Login Change Property Event Class](../../relational-databases/event-classes/audit-login-change-property-event-class.md)
[sp_addlogin (Transact-SQL)](../../relational-databases/system-stored-procedures/sp-addlogin-transact-sql.md)
[sp_droplogin (Transact-SQL)](../../relational-databases/system-stored-procedures/sp-droplogin-transact-sql.md)
[Audit Server Principal Management Event Class](../../relational-databases/event-classes/audit-server-principal-management-event-class.md)