Undocumented T-SQL Tricks With Logs


An interesting feature added to SQL Server 7.0 and 2000 is the ability to purge

an error log through a stored procedure or DBCC command. In this article,

we are going to go over some of the undocumented stored procedures to detect, read and purge an SQL Server error log in T-SQL.

Before we move any further, we need to explain one quick point. Many of the stored procedures covered in this article need to be executed by

someone in the sysadmin role. As in most extended and system stored procedures, make sure the procedures mentioned in this article are well secured.

The error log provides some interesting details to a hacker that can be used against you. These procedures are used by Enterprise Manager mostly in its

internal workings and should not be tampered with.

The first extended stored procedure will allow you to see which

error logs are out there for you to see as well as see when

they were created.

The extended stored procedure xp_enumerrorlogs allows you to do just that. As in most xp_enum extended stored procedures, you don't need to pass it any parameters.

The results look like the following:

Archive #   Date
----------- -----------------
0           04/05/2000  20:00
1           04/05/2000  19:55
2           04/03/2000  01:00
3           04/02/2000  17:47
4           03/26/2000  11:53
5           03/24/2000  20:31
6           03/24/2000  19:47
(7 row(s) affected)

You can purge an error log in SQL Server 7.0+ by running sp_cycle_errorlog without any parameters.

The stored procedure uses DBCC ERRORLOG to cycle the log. This has the same effect to the error log as stopping and starting SQL Server, except you don't see all the transaction rollbacks.

The error log is only 9 lines long after the purge.

Finally, the last extended stored procedure is used to read the error log. Using

xp_readerrorlog without any parameters, will return the entire current error log.

Below is an example of a few lines:

2000-04-05 19:55:12.78 spid51   Errorlog has been reinitialized.  See
				previous log for older entries.
2000-04-05 20:00:55.60 spid51   Using 'xpstar.dll' version '1999.09.18'
				to execute extended stored procedure

Take notice to two points in the error log. The first line states that the error log has be purged.

If you see this line and a system administrator didn't stop or purge the log, then you may have a security problem. It could possibly mean

that someone has done something and doesn't want to leave a trace behind. The final line is also a good idea to watch for security. It shows that someone has executed

an extended stored procedure.

Theses are some cool procedures that can be run against a SQL Server 7.0 and 2000 database to read and purge the error logs. There are also some

handy stored procedures that you can use to write to and read from the NT event log as well. For a great book about the inners of SQL Server, check out Inside SQL Server


1 (1)




1 (1)