September 25, 2015 at 12:27 pm
I think this is possible, but if someone can create a technique, I'd like it.
Can you track failed logins, perhaps every five minutes, and if there are 3 failed logins for a user in that time, send an email?
I'm guessing extended events is the way to do this, with some trigger that queries the session, looking for a count()>3 in the time period? Maybe an OVER() with the user and time period, getting a row_number() in the partition >= 3?
Let me know if someone can tackle this and make it work.
September 25, 2015 at 1:43 pm
I can probably tackle this rather quickly. I already did part of this for a client last week, minus the alerting it was just to capture failed logins.
Shawn Melton
Twitter: @wsmelton
Blog: wsmelton.github.com
Github: wsmelton
September 25, 2015 at 2:15 pm
That would be cool if you have something. It's a neat idea, especially as using something like SCOM is more like a .44 against houseflies.
September 26, 2015 at 12:47 am
Presumably reading the SQL Error Log to find the failed logins is completely unrealistic in practice? (i.e. using xp_readerrorlog and having turned on Failed Login auditing for the instance)
P.S. I stumbled over this "Using SQL Server Extended Events to capture failed logins" half way down the page
http://www.sqlshack.com/using-extended-events-review-sql-server-failed-logins/[/url]
September 26, 2015 at 11:53 am
The error log is impractical. You'd be reading the entire log every 5 mninutes, trying to sort through text entries.
Viewing 5 posts - 1 through 4 (of 4 total)
You must be logged in to reply to this topic. Login to reply