Auditing SQL logins

  • I’m notcing a few login failure under SQL server Logs: these users are not part of any database on SQL Server A.  SQL server Logs doesn't provide any info besides ie: Login failed for user 'xyz'.  Is there any way to find out failed user’s hostname or IP or where they coming from?

     

    Thanks

  • Is there anything in the windows event log?

  • If it's a Windows based login and you've got the Local Security Policy (or a Group Policy) which has the Audit Policy set to Success, Failure for Audit account logon events and Audit logon events, you may see something in the Security event log for the OS. If it's a SQL Server login that's failing, if you run a server side trace (see the trace stored procedures) or Profiler where you explicitly trap for Audit Failure you can see a hostname. However, that hostname can be spoofed. About the only way to be 100% sure is to put a sniffer on the line, preferably one that understands TDS packets.

     

    K. Brian Kelley
    @kbriankelley

  • After running the tracer it shows hostname connections within the network, please advice how to capture TDS packets, is this is something needs to be done by the network team?  Thanks

  • What is the reason you want capture TDS packets?

    I don't think there is any way in sql server but you can use NETWORK tools...

     

    MohammedU
    Microsoft SQL Server MVP

  • please see the reason above

Viewing 6 posts - 1 through 5 (of 5 total)

You must be logged in to reply to this topic. Login to reply