May 28, 2004 at 11:54 am
How can I track down the host_name or otherwise track the computer/user
for a failed SQL authenticated user login?
If the login were to succeed, profiler would be able to give me the
host_name, but it doesn't when the login fails. I think one way to
get this info is for the application to capture it and pass it on,
but I don't think I'm going to be able to modify the app.
The problem is that I just took over a production database that has a
SQL user set up for Crystal and I'm seeing a lot of login failures.
I'd like to know what is causing the failures/is it just one user,
etc.
Thanks
Bill
May 28, 2004 at 12:40 pm
Correct me if I am wrong, I think EventLog would show you the information you need. You won't be able to find it in Sql server errorlog.
mom
May 28, 2004 at 1:29 pm
You can also run profiler for specfically that event. I'm not sure that event log will show the hostname. Keep in mind that hostname is a field that is "sent" by the client, so it could easily be spoofed with incorrect data. I believe that Profiler can capture IP.
May 28, 2004 at 4:56 pm
mom - unfortunately, it doesn't appear in the event log - it has "User: N/A" for failures. I even tried setting up security logging in event viewer on the server, but the failures don't show up there (I suppose because the users aren't actually failing to log on to that machine).
Steve - I tried running profiler for the event, but because the login fails, SQL Server doesn't catch the hostname. Good point about the spoofing possibility. I looked in profiler again, but didn't see anything about capturing IPs. Could you provide more info about capturing IPs? Is there maybe something out there along the lines of the netstat cmd, but over time/with time info?
Viewing 4 posts - 1 through 3 (of 3 total)
You must be logged in to reply to this topic. Login to reply