Post reply

SQL server login succeed many times in log

  • August 17, 2015 at 9:38 am

    #398906

    I tried to test login security audit on my local instance.

    I setup like this yesterday: go to server, property- security- enable both login succeed and failed. Restart server.

    I see a lot of login succeed recorded in SQL log, actually too many, for my own account I see every 7 minutes there is a login succeed log since it started. I do have a SSMS query open.

    But this is for login succeed.

    How this works?

    Thanks !

  • August 17, 2015 at 9:41 am

    #1820475

    Is there a service or an application running under your account? The entry in the errorlog tells you the IP address from which the connection was made - this will tell you where to look.

    John

  • August 17, 2015 at 9:46 am

    #1820480

    Thank you,

    It is from my local machine:

    Date8/17/2015 5:34:19 AM

    LogSQL Server (Current - 8/17/2015 8:21:00 AM)

    SourceLogon

    Message

    Login succeeded for user 'mydomain\myname'. Connection made using Windows authentication. [CLIENT: <local machine>]

    Same thing happened to the account:

    Login succeeded for user 'NT AUTHORITY\SYSTEM'. Connection made using Windows authentication. [CLIENT: <local machine>]

  • August 17, 2015 at 9:47 am

    #1820483

    And I don't see a service that using my own account.

    There is no SQL agent job runs in my account.

    Thanks

  • August 18, 2015 at 2:02 am

    #1820636

    Try running a trace, just capturing login events from your user accounts. That'll give you a bit more information, such as the application that's making the connection (provided the application passes its name to the database in the connection string, that is).

    John

  • August 18, 2015 at 5:43 am

    #1820669

    also, think about any items you might have installed, whether running in the background or as a service, that are running under your credentials, maybe something like RedGate lighthouse , or some monitoring service.(spotlight/ polymonitor/sqlmonitor etc)

    Lowell

    --help us help you! If you post a question, make sure you include a CREATE TABLE... statement and INSERT INTO... statement into that table to give the volunteers here representative data. with your description of the problem, we can provide a tested, verifiable solution to your question! asking the question the right way gets you a tested answer the fastest way possible!

  • August 18, 2015 at 9:39 am

    #1820795

    Thank you! I do intall a lot of staff using my account. Including redgate developer suit. I will do an investigation

  • August 18, 2015 at 9:54 am

    #1820804

    Lowell (8/18/2015)

    also, think about any items you might have installed, whether running in the background or as a service, that are running under your credentials, maybe something like RedGate lighthouse , or some monitoring service.(spotlight/ polymonitor/sqlmonitor etc)

    THAT has been a major problem where I work. I don't know what the hell it is about some of these products but they cause the desktop machine to try logging into the SQL Servers all by themselves and they are bloody relentless and it's always a chore to figure out precisely what is doing it on each box and then figuring out how to stop it.

    --Jeff Moden

    RBAR is pronounced "ree-bar" and is a "Modenism" for Row-By-Agonizing-Row.
    First step towards the paradigm shift of writing Set Based code:
    ________Stop thinking about what you want to do to a ROW... think, instead, of what you want to do to a COLUMN.

    Change is inevitable... Change for the better is not.

    Helpful Links:
    How to post code problems
    How to Post Performance Problems
    Create a Tally Function (fnTally)

Viewing 8 posts - 1 through 7 (of 7 total)

You must be logged in to reply to this topic. Login to reply