Login failed for user 'undefined'.

  • Hey Guys,
    Any of you seen this message before "Login failed for user 'undefined'. Reason: Could not find a login matching the name provided. [CLIENT: <local machine>]"? I'm getting this in the SQL log at various times throughout the day. I'm pretty sure it's coming from a vendor service running on the server. Is there any way to determine which service this is coming from? This SQL Server is part of a Critical Care application in a hospital environment.
    Thanks!
    Lynn

  • Lynn.Davis - Tuesday, April 24, 2018 8:19 AM

    Hey Guys,
    Any of you seen this message before "Login failed for user 'undefined'. Reason: Could not find a login matching the name provided. [CLIENT: <local machine>]"? I'm getting this in the SQL log at various times throughout the day. I'm pretty sure it's coming from a vendor service running on the server. Is there any way to determine which service this is coming from? This SQL Server is part of a Critical Care application in a hospital environment.
    Thanks!
    Lynn

    You can capture the client app if you use extended events. Use the error_reported event and you can capture client_app_name.

    Sue
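
The extended events approach Sue describes, written out in T-SQL as an added example (not code posted by anyone in this thread). The session name FailedLoginSource and the ring_buffer target are assumptions made for illustration; 18456 is the SQL Server error number for "Login failed for user".

```sql
-- Added example. Session name "FailedLoginSource" is an assumption.
-- Capture every "Login failed" error (18456) together with details
-- about the client that attempted the connection.
CREATE EVENT SESSION FailedLoginSource ON SERVER
ADD EVENT sqlserver.error_reported
(
    ACTION
    (
        sqlserver.client_app_name,   -- application name sent by the client
        sqlserver.client_hostname,   -- machine the connection came from
        sqlserver.client_pid         -- Windows process ID of the client
    )
    WHERE error_number = 18456
)
ADD TARGET package0.ring_buffer (SET max_memory = 4096)  -- KB, held in memory
WITH (STARTUP_STATE = ON, MAX_DISPATCH_LATENCY = 5 SECONDS);
GO

ALTER EVENT SESSION FailedLoginSource ON SERVER STATE = START;
GO

-- After the error has appeared in the SQL log again, read what was captured.
SELECT
    x.ev.value('@timestamp', 'datetime2(3)') AS event_time_utc,
    x.ev.value('(data[@name="state"]/value)[1]', 'int') AS error_state,
    x.ev.value('(data[@name="message"]/value)[1]', 'nvarchar(2048)') AS error_message,
    x.ev.value('(action[@name="client_app_name"]/value)[1]', 'nvarchar(256)') AS client_app_name,
    x.ev.value('(action[@name="client_hostname"]/value)[1]', 'nvarchar(256)') AS client_hostname,
    x.ev.value('(action[@name="client_pid"]/value)[1]', 'int') AS client_pid
FROM
(
    SELECT CAST(t.target_data AS xml) AS target_xml
    FROM sys.dm_xe_sessions AS s
    JOIN sys.dm_xe_session_targets AS t
        ON t.event_session_address = s.address
    WHERE s.name = N'FailedLoginSource'
      AND t.target_name = N'ring_buffer'
) AS src
CROSS APPLY src.target_xml.nodes('/RingBufferTarget/event') AS x(ev)
ORDER BY event_time_utc DESC;
GO

-- Remove the session once the source has been identified.
-- DROP EVENT SESSION FailedLoginSource ON SERVER;
```

When the connection originates on the server itself, client_pid can be matched against the running Windows services on that machine to name the one making the attempt.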

  • Thanks Sue,
    Never used extended events, but another DBA here has. We'll give that a shot.
    Thanks!
    Lynn

  • I saw that error the other day. The messages started appearing in the sql server log across all servers. It resulted from a misconfiguration in the server side component of Octopus Deployment. Someone made a change and rolled it out to all servers. This can also be caused by network monitoring tools, something like a penetration test that's periodically hitting the server to test the firewall and account authentication.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • Thanks Erik,
    Our security team does periodically probe our SQL servers, but the error is different and it's usually from another server. It looks like this one came from the local server, but that gives me another avenue to look into.
    Thanks for the info!
    Lynn

  • Lynn.Davis - Tuesday, April 24, 2018 1:50 PM

    Thanks Erik,
    Our security team does periodically probe our SQL servers, but the error is different and it's usually from another server. It looks like this one came from the local server, but that gives me another avenue to look into.
    Thanks for the info!
    Lynn

    That's what I was seeing the other day: connections originated locally on the server, and the login failure wasn't giving me an account name. To track down what service was making the connections, I ran Sysinternals Process Monitor locally on the server and set the filter to include only events where the operation type contains ‘Connect’.
    https://docs.microsoft.com/en-us/sysinternals/downloads/procmon

    Whatever team is responsible for automated software deployments, ask them if they recently installed something like Octopus, Puppet, etc. One component of these solutions is typically a service running locally on each server that facilitates deployment of scripts and packages.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho
