July 31, 2012 at 1:07 pm
My sys admin found this error message in the logs:
Event Type: Failure Audit
Event Source: MSSQLSERVER
Event Category: (4)
Event ID: 18456
Date: 7/31/2012
Time: 12:09:09 PM
User: N/A
Computer: WSISQL4
Description:
Login failed for user 'sa'. [CLIENT: 10.190.1.223]
Data:
0000: 18 48 00 00 0e 00 00 00 .H......
0008: 08 00 00 00 57 00 53 00 ....W.S.
0010: 49 00 53 00 51 00 4c 00 I.S.Q.L.
0018: 34 00 00 00 07 00 00 00 4.......
0020: 6d 00 61 00 73 00 74 00 m.a.s.t.
0028: 65 00 72 00 00 00 e.r...
He tracked back the user by her IP. She is an authorized user but has dbowner rights (I know... not my call). He's asking me why this person shows up as 'sa' in the above error.
The sa account is active.
Does anyone know why?
July 31, 2012 at 1:18 pm
She must have tried to connect with the sa id. Look in the SQL errorlog for the same time; if you have failure auditing on, you should see the logon failure there with a state code, which will tell you exactly why the login failed (bad password etc.).
---------------------------------------------------------------------
July 31, 2012 at 1:24 pm
Got it, thanks!!
July 31, 2012 at 1:28 pm
If she is not meant to be using the sa account, go and ask her why she tried to 🙂
---------------------------------------------------------------------
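An added example, not part of the thread: one way to pull the state code mentioned in the reply above out of SQL Server errorlog text and tally failed logins per client, login name and state. The sample lines are constructed in the usual errorlog layout, the function names are hypothetical, and the state meanings are a subset of Microsoft's documented table for error 18456.

```python
import re
from collections import Counter

# Subset of the documented state codes for error 18456.
STATE_MEANING = {
    2: "user ID is not valid",
    5: "user ID is not valid",
    6: "Windows login name used with SQL Server Authentication",
    7: "login is disabled and the password is incorrect",
    8: "password is incorrect",
    18: "password must be changed",
    58: "server allows Windows Authentication only; SQL login attempted",
}
ERR_RE = re.compile(r"Error: 18456, Severity: \d+, State: (\d+)\.")
MSG_RE = re.compile(r"Login failed for user '([^']*)'\..*\[CLIENT: ([^\]]+)\]")

def failed_logins(lines):
    """Pair each 'Error: 18456 ... State: N' line with the message line after it."""
    events, pending_state = [], None
    for line in lines:
        m = ERR_RE.search(line)
        if m:
            pending_state = int(m.group(1))
            continue
        m = MSG_RE.search(line)
        if m:
            events.append({
                "user": m.group(1),
                "client": m.group(2).strip(),
                "state": pending_state,  # None if no state line preceded it
                "meaning": STATE_MEANING.get(pending_state, "not in this subset"),
            })
        pending_state = None  # a state applies only to the very next line
    return events

def summarize(events):
    """Count failures per (client, user, state) so repeated attempts stand out."""
    return Counter((e["client"], e["user"], e["state"]) for e in events)

# Constructed sample lines (not taken from the thread); 192.0.2.x is a documentation range.
SAMPLE = """\
2012-07-31 12:09:09.45 Logon       Error: 18456, Severity: 14, State: 8.
2012-07-31 12:09:09.45 Logon       Login failed for user 'sa'. [CLIENT: 192.0.2.10]
2012-07-31 12:09:14.02 Logon       Error: 18456, Severity: 14, State: 8.
2012-07-31 12:09:14.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.10]
2012-07-31 12:10:30.77 Logon       Error: 18456, Severity: 14, State: 5.
2012-07-31 12:10:30.77 Logon       Login failed for user 'webapp'. Reason: Could not find a login matching the name provided. [CLIENT: 192.0.2.44]
""".splitlines()

if __name__ == "__main__":
    for (client, user, state), n in summarize(failed_logins(SAMPLE)).items():
        print(f"{n}x {client} as '{user}': state {state} ({STATE_MEANING.get(state, '?')})")
```

Repeated state 8 failures for sa from one workstation point to someone typing a wrong sa password, which is the situation the replies describe.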