January 16, 2008 at 7:40 am
I have been getting the following events on an Information Security box. Does anyone have any insight into what they mean? I'm completely lost and don't even know where to start.
Event Type: Information
Event Source: MSSQLSERVER
Event Category: (4)
Event ID: 17055
Date: 1/14/2008
Time: 11:00:46 PM
User: N/A
Computer:
Description:
18456 :
Login failed for user 'NT AUTHORITY\SYSTEM'.
Data:
0000: 18 48 00 00 0e 00 00 00 .*......
0008: 0e 00 00 00 50 00 46 00 ....*.*.
0010: 47 00 44 00 53 00 4d 00 *.*.*.*.
0018: 42 00 41 00 4e 00 4b 00 *.*.*.*.
0020: 30 00 31 00 37 00 00 00 *.*.*...
0028: 07 00 00 00 6d 00 61 00 ....*.*.
0030: 73 00 74 00 65 00 72 00 *.*.*.*.
0038: 00 00
-The *'s stand for the server name
None The Volume Shadow Copy service entered the running state. 2673
None The Volume Shadow Copy service was successfully sent a start control. 2672
None Next Scheduled Event Obtained from Server TSMWIN401 (AIX-RS/6000): ----------------------------------------------------------------------------- Schedule Name: 2300_SUN-FRI Action: Incremental Objects: (none) Options: (none) Server Window Start: 23:00:00 on 01/14/2008 ----------------------------------------------------------------------------- 5160
None 0000: 2d 20 43 6f 64 65 3a 20 0008: 53 51 4c 43 4f 4e 4e 43 0010: 30 30 30 30 30 34 39 31 0018: 2d 20 43 61 6c 6c 3a 20 0020: 53 51 4c 43 4f 4e 4e 43 0028: 30 30 30 30 30 33 39 37 0030: 2d 20 50 49 44 3a 20 20 0038: 30 30 30 30 35 36 39 36 0040: 2d 20 54 49 44 3a 20 20 0048: 30 30 30 30 34 31 31 36 0050: 2d 20 43 4d 44 3a 20 20 0058: 43 3a 5c 57 49 4e 44 4f 0060: 57 53 5c 53 79 73 74 65 0068: 6d 33 32 5c 76 73 73 76 0070: 63 2e 65 78 65 20 20 20 0078: 2d 20 55 73 65 72 3a 20 0080: 4e 54 20 41 55 54 48 4f 0088: 52 49 54 59 5c 53 59 53 0090: 54 45 4d 20 20 20 20 20 0098: 2d 20 53 69 64 3a 20 20 00a0: 53 2d 31 2d 35 2d 31 38 Sqllib error: OLEDB Error encountered calling IDBInitialize::Initialize. hr = 0x80040e4d. SQLSTATE: 42000, Native Error: 18456 Error state: 1, Severity: 14 Source: Microsoft OLE DB Provider for SQL Server Error message: Login failed for user 'NT AUTHORITY\SYSTEM'. 5179
Services 0000: 18 48 00 00 0e 00 00 00 ....... 0008: 0e 00 00 00 50 00 46 00 ...... 0010: 47 00 44 00 53 00 4d 00 .... 0018: 42 00 41 00 4e 00 4b 00 .... 0020: 30 00 31 00 37 00 00 00 ..... 0028: 07 00 00 00 6d 00 61 00 ...... 0030: 73 00 74 00 65 00 72 00 .... 0038: 00 00 80 00 78 30 00 00 ...... 18456 : Login failed for user 'NT AUTHORITY\SYSTEM'. 5178
January 16, 2008 at 7:48 am
Disable VSS (Volume Shadow Copy Service). More information on VSS -
Tommy
January 16, 2008 at 8:03 am
Is that needed for TSM or any other critical functions? Also...
Around that time there are multiple failed logins for "Login failed for user 'NT AUTHORITY\SYSTEM'.". I remove the 'BUILTIN administrators' for each server for security reasons; is 'NT AUTHORITY\SYSTEM' needed for something?
-Kyle
January 16, 2008 at 8:14 am
What account are the SQL service(s) running under?
Tommy
January 16, 2008 at 8:27 am
Is there some sort of script I use to figure this out?
-Kyle
January 16, 2008 at 8:49 am
Just go to Start -> Run -> services.msc and look at the SQL Server service, SQL Server Agent service, etc. You could also view this on the properties page for both SQL Server and the SQL Server Agent within SQL Server Management Studio.
I suspect VSS is enabled on your data volume, which is generating the first error. It also sounds like SQL Server is running under Local System, which could account for the second error. Run the services under a domain account which has permissions in MSSQL.
Tommy
January 16, 2008 at 9:04 am
Both of the SQLSERVER* work under a domain account. However, Microsoft Shadow Copy Provider is running under Local System. Could that be what is causing the error?
-Kyle
January 16, 2008 at 9:08 am
Likely - this is VSS. I would disable VSS if you aren't using it. At a minimum ensure that your SQL directories are excluded.
Tommy
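The services.msc check discussed in this thread can also be scripted. The following PowerShell is an added example, not part of the original posts; the service-name patterns are the default SQL Server and Volume Shadow Copy service names and are an assumption about the server in question.

```powershell
# Added example: report the logon account of SQL Server and VSS-related services.
# The patterns are default service names (assumption); 'MSSQL$*' and 'SQLAgent$*'
# cover named instances.
$patterns = 'MSSQLSERVER', 'MSSQL$*', 'SQLSERVERAGENT', 'SQLAgent$*',
            'SQLWriter', 'VSS', 'swprv'

# StartName values that mean the service connects to SQL Server
# as 'NT AUTHORITY\SYSTEM' when it uses Windows authentication locally.
$systemAliases = 'LocalSystem', '.\LocalSystem', 'NT AUTHORITY\SYSTEM'

Get-CimInstance -ClassName Win32_Service |
    Where-Object {
        $name = $_.Name
        # Keep the service if its name matches any of the patterns.
        $patterns | Where-Object { $name -like $_ }
    } |
    ForEach-Object {
        [pscustomobject]@{
            Service      = $_.Name
            DisplayName  = $_.DisplayName
            State        = $_.State
            StartMode    = $_.StartMode
            LogonAs      = $_.StartName
            RunsAsSystem = $systemAliases -contains $_.StartName
        }
    } |
    Sort-Object RunsAsSystem, Service |
    Format-Table -AutoSize
```

Rows with RunsAsSystem set to True are the services whose SQL Server connections would appear in the log as 'NT AUTHORITY\SYSTEM'.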