How to discover how keys became deleted, by whom, when, etc.
In one recent scenario, a customer did not know why a number of keys were apparently missing, and who (if anyone) might have made the changes. There were worries that SES was somehow automatically deleting these keys. Since the actual keys are by this point missing from the database, it's not possible to right-click on the key to show the audit log for it, so one needs to do this through SQL.
To uncover precisely what his happening to the keys, the client was asked to run the following two SQL statements on the SES database.
Sample Queries into the Event_log and Hist_Event_Log tables to find events that refer to missing key names
SELECT *
FROM [dbo].[Event_Log]
WHERE [dbo].[Event_Log].[Object_Type_ID] = 3
AND [dbo].[Event_Log].[Object_ID] IN ('h1sns00l3 key', 'h1jca00l1 key', 'h1med01l1 key');
SELECT *
FROM [dbo].[Hist_Event_Log]
WHERE [dbo].[Hist_Event_Log].[Object_Type_ID] = 3
AND [dbo].[Hist_Event_Log].[Object_ID] IN ('h1sns00l3 key', 'h1jca00l1 key', 'h1med01l1 key');
These SQL statements extract from the two tables, Event_Log and Hist_Event_Log, all the logs related to the keys with the name in the list (sample key ids shown).
NOTE: Substitute the keys of interest if the customer needs to run the same queries.
One of the resulting log entries should show the event log that shows the move to the recycle bin.
NOTE: Removal of keys from the recycle bin (e.g. by clearing the Recycle bin) is similarly logged.