Question about Failed logins

  • Hi,

    I have set up an Audit to see failed logins. today it showed that there was a failed login at 12:57 am today.

    However, it does not show the PC (or user ) it came from; or maybe from some nightly process, though I have not found anything running at that time. Is there anything that I can do to trace what caused this further?

    Thank you

     

  • Are you sure it doesn't tell you? A Login Failure will definately have those values. it'll look like this:

    Login failed for user 'LoginName'. Reason: Could not find a login matching the name provided. [CLIENT: 10.10.10.10]

    Thom~

    Excuse my typos and sometimes awful grammar. My fingers work faster than my brain does.
    Larnu.uk

  • Hi,

    That is what too.

    However, when I open the log file on I see this on for every line

    Date, Source, Severity, Event Time,

    10/25/2019 00:57:13, ,Success,

    And as you can see the space where the source should be is blank.

    Is there some table I can query or something?

    Thank you

     

  • That isn't a failed login event you've posted.

    Thom~

    Excuse my typos and sometimes awful grammar. My fingers work faster than my brain does.
    Larnu.uk

  • Well, then I am lost. In the audit message, it had this file listed, and this is what was in the file.

    However, like I was asking before is there anything else I can query or look at?

    Thank you

  • Look at the SQL Server logs and filter them to where Message contains the text "Login failed".

    Thom~

    Excuse my typos and sometimes awful grammar. My fingers work faster than my brain does.
    Larnu.uk

  • When I filter or look in there, for that date and time I get nothing. Yet in my Audit, it says it occurred at 12:57 am.

    Unless somehow I am misinterpreting this.

    Here are the detail that it diplaid (I took out the sever name)

    Event Time  00:57:13.9395072

    Server Instance Name

    Action ID  AUDIT SESSION CHANGED

    Class Type  SERVER AUDIT

    Sequence Number 1

    Succeeded  True

    Permission Bit Mask 0x00000000000000000000000000000000

    Column Permission False

    Session ID  8

    Server Principal ID 1

    Database Principal ID 0

    Target Server Principal ID 0

    Target Database Principal ID 0

    Object ID  0

    Session Server Principal Name

    Server Principal Name sa

    Server Principal SID 0x01

    Database Principal Name

    Target Server Principal Name

    Target Server Principal SID NULL

    Target Database Principal Name

    Database Name

    Schema Name

    Object Name

    Statement

    Additional Information <action_info xmlns="http://schemas.microsoft.com/sqlserver/2008/sqlaudit_data"><session><![CDATA[AuditFailedLogins$A]]></session><action>event enabled</action><startup_type>automatic</startup_type><object><![CDATA[audit_event]]></object></action_info>

    File Name  C:\Audits\AuditFailedLogins_48525CDE-13D5-494D-8841-5CE664DC2865_0_132164386349860000.sqlaudit

    File Offset 4608

    User Defined Event ID 0

    User Defined Information

    Message

  • you can try looking in the SQL Server error log like this:

    EXEC master.dbo.xp_readerrorlog 0, 1, N'Login Failed'
  • The audit times are UTC.

    The SQL Server log is in the server's time zone. Times will only match if the server's clock is UTC as well.

     

    Eddie Wuerch
    MCM: SQL

Viewing 9 posts - 1 through 8 (of 8 total)

You must be logged in to reply to this topic. Login to reply