October 25, 2019 at 1:58 pm
Hi,
I have set up an Audit to see failed logins. today it showed that there was a failed login at 12:57 am today.
However, it does not show the PC (or user ) it came from; or maybe from some nightly process, though I have not found anything running at that time. Is there anything that I can do to trace what caused this further?
Thank you
October 25, 2019 at 2:41 pm
Are you sure it doesn't tell you? A Login Failure will definately have those values. it'll look like this:
Login failed for user 'LoginName'. Reason: Could not find a login matching the name provided. [CLIENT: 10.10.10.10]
Thom~
Excuse my typos and sometimes awful grammar. My fingers work faster than my brain does.
Larnu.uk
October 25, 2019 at 3:06 pm
Hi,
That is what too.
However, when I open the log file on I see this on for every line
Date, Source, Severity, Event Time,
10/25/2019 00:57:13, ,Success,
And as you can see the space where the source should be is blank.
Is there some table I can query or something?
Thank you
October 25, 2019 at 3:58 pm
Well, then I am lost. In the audit message, it had this file listed, and this is what was in the file.
However, like I was asking before is there anything else I can query or look at?
Thank you
October 25, 2019 at 4:37 pm
When I filter or look in there, for that date and time I get nothing. Yet in my Audit, it says it occurred at 12:57 am.
Unless somehow I am misinterpreting this.
Here are the detail that it diplaid (I took out the sever name)
Event Time 00:57:13.9395072
Server Instance Name
Action ID AUDIT SESSION CHANGED
Class Type SERVER AUDIT
Sequence Number 1
Succeeded True
Permission Bit Mask 0x00000000000000000000000000000000
Column Permission False
Session ID 8
Server Principal ID 1
Database Principal ID 0
Target Server Principal ID 0
Target Database Principal ID 0
Object ID 0
Session Server Principal Name
Server Principal Name sa
Server Principal SID 0x01
Database Principal Name
Target Server Principal Name
Target Server Principal SID NULL
Target Database Principal Name
Database Name
Schema Name
Object Name
Statement
Additional Information <action_info xmlns="http://schemas.microsoft.com/sqlserver/2008/sqlaudit_data"><session><![CDATA[AuditFailedLogins$A]]></session><action>event enabled</action><startup_type>automatic</startup_type><object><![CDATA[audit_event]]></object></action_info>
File Name C:\Audits\AuditFailedLogins_48525CDE-13D5-494D-8841-5CE664DC2865_0_132164386349860000.sqlaudit
File Offset 4608
User Defined Event ID 0
User Defined Information
Message
October 25, 2019 at 6:08 pm
you can try looking in the SQL Server error log like this:
EXEC master.dbo.xp_readerrorlog 0, 1, N'Login Failed'
October 25, 2019 at 6:41 pm
The audit times are UTC.
The SQL Server log is in the server's time zone. Times will only match if the server's clock is UTC as well.
Eddie Wuerch
MCM: SQL
Viewing 9 posts - 1 through 8 (of 8 total)
You must be logged in to reply to this topic. Login to reply