ERRORLOG filled with Logon entries - what is the source?

  • I have a vendor system where I see the ERRORLOG flooded with successful Logon events. Close to a half million a day. I used dbcc errorlog to start a new log because the current is almost useless. This started when SQL Server was last restarted. Prior was failed logins only.

    I checked Server>Properties>Security but Login Auditing is set to Failed Only. I ran dbcc tracestatus to see if the vendor started any trace flags - none. I don't know where else to look. How can I find the source of the logging? Is it a trigger in one of their processes?

    Thanks all.

  • I figured out what's going on here. Somebody chose the option to audit all logins. Maybe on purpose, but most likely they were poking around where they shouldn't be. But it took effect when the clustered server was failed over.

    Then they must have seen what was going on and changed it back to failed only in SSMS. So when I look at SSMS it says audit failed only. And when I look at the registry entry it = 2 (failed only). But look on the now passive node of the cluster and the registry key = 3 (audit all). Aha! Got you! You sneak! Whoever you are.

    So I'm going to increase the number of logs to 15 and do a dbcc errorlog every day and this will get straightened out after the next failover.
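
The mismatch described in this thread can be checked from a query window on the active node. The script below is an added example, not code from either post: it reads the stored AuditLevel registry value and compares it with what the running instance is actually writing to the current ERRORLOG. It assumes the standard instance key path and uses the undocumented procedures xp_instance_regread and xp_readerrorlog; the temp table name is made up for illustration.

```sql
-- AuditLevel values: 0 = none, 1 = successful only, 2 = failed only, 3 = both.
-- The stored value is only read at service start, so it can differ from
-- what the running instance is doing.
DECLARE @AuditLevel int;
EXEC master.dbo.xp_instance_regread
     N'HKEY_LOCAL_MACHINE',
     N'Software\Microsoft\MSSQLServer\MSSQLServer',  -- assumed standard key path
     N'AuditLevel',
     @AuditLevel OUTPUT;

-- Pull "Login succeeded" lines from the current ERRORLOG
-- (first argument 0 = current log, second argument 1 = SQL Server log).
CREATE TABLE #logons (
    LogDate     datetime,
    ProcessInfo nvarchar(64),
    LogText     nvarchar(4000)
);
INSERT INTO #logons (LogDate, ProcessInfo, LogText)
EXEC master.dbo.xp_readerrorlog 0, 1, N'Login succeeded';

DECLARE @StartTime datetime =
    (SELECT sqlserver_start_time FROM sys.dm_os_sys_info);
DECLARE @Succeeded int =
    (SELECT COUNT(*) FROM #logons WHERE LogDate >= @StartTime);

SELECT @AuditLevel AS RegistryAuditLevel,
       @StartTime  AS InstanceStartTime,
       @Succeeded  AS SuccessLogonsSinceStart,
       CASE
         WHEN @AuditLevel IN (0, 2) AND @Succeeded > 0
           THEN 'Mismatch: stored value excludes successes, running instance logs them'
         WHEN @AuditLevel IN (1, 3) AND @Succeeded = 0
           THEN 'Stored value audits successes, none logged (pending restart or no logins)'
         ELSE 'Stored value and observed behaviour agree'
       END AS Finding;

-- Which logins and client addresses account for the volume.
-- Each message already contains the login name and [CLIENT: address].
SELECT TOP (20) LogText, COUNT(*) AS Hits,
       MIN(LogDate) AS FirstSeen, MAX(LogDate) AS LastSeen
FROM #logons
GROUP BY LogText
ORDER BY Hits DESC;

DROP TABLE #logons;
```

On a failover cluster this only reads the node currently hosting the instance; the other node's copy of the value has to be checked on that node.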
