Admin account kicked off a SQL Trace

  • SQL 2005 Profiler

    --------------------------------------------------------------------------------

    From: "Jonathan Chong" <j0nathon@xxxxxxxxxxx>

    Date: Tue, 29 Apr 2008 15:25:48 +0800

    --------------------------------------------------------------------------------

    I found the entries below in Event Viewer's Application Log and System Log, which worry me, as I know for sure that no one logged in to SQL and used Profiler at that time. Only two of us have access to the SQL server, and it is firewalled to allow only the office's IP to the SQL 2005 server (on Windows 2003 server).

    Application Log:

    7:24:39 Login failed for user 'sa'. [CLIENT: <local machine>]
    7:29:03 SQL Trace ID 2 was started by login "sa".
    7:30:56 SQL Trace stopped. Trace ID = '2'. Login Name = 'sa'.
    7:46:07 SQL Trace ID 2 was started by login "sa".
    7:46:35 SQL Trace stopped. Trace ID = '2'. Login Name = 'sa'.
    7:49:03 SQL Trace ID 2 was started by login "sa".
    7:49:12 SQL Trace stopped. Trace ID = '2'. Login Name = 'sa'.
    7:49:31 SQL Trace ID 2 was started by login "sa".
    7:49:46 SQL Trace stopped. Trace ID = '2'. Login Name = 'sa'.

    Both of us are not in the office, and for sure neither one of us used Profiler as shown in the log. My question is: is there any possibility that the log entries were triggered by SQL itself rather than a human?

    If it is an intruder's work, where can I look for more traces left behind by the intruder?

    MCSE SQL Server 2012\2014\2016

  • Found it!

    -- Read the trace file; SessionLoginName is the login that originated each session
    SELECT SessionLoginName, * FROM fn_trace_gettable('C:\Program Files\Microsoft SQL server\MSSQL.1\MSSQL\LOG\LOG_382.trc', DEFAULT);

    MCSE SQL Server 2012\2014\2016

  • Thanks for the update. All traces are in SQL Server so you can determine what is active.
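
Following on from the last two replies, an added example that is not part of the thread: T-SQL that lists the traces the instance currently knows about, shows which session is reading a live trace, and pulls a time window out of the default trace. The window dates are placeholders, and it assumes a sysadmin-level login and that the default trace is enabled.

```sql
-- Added example, not code from the thread. Written to run on SQL Server 2005
-- (no inline DECLARE initialisers). Assumes the default trace is enabled.

-- 1. Every trace defined on the instance. is_default = 1 is the built-in
--    default trace; is_rowset = 1 means a client is consuming the trace
--    live, and reader_spid is the session doing the reading.
SELECT tr.id, tr.status, tr.is_default, tr.is_rowset, tr.path,
       tr.start_time, tr.stop_time, tr.last_event_time, tr.event_count,
       tr.reader_spid,
       s.login_name, s.host_name, s.program_name, s.login_time
FROM sys.traces AS tr
LEFT JOIN sys.dm_exec_sessions AS s
       ON s.session_id = tr.reader_spid;

-- 2. Events the default trace captured in the window of interest.
--    Placeholder dates: substitute the day the Application Log entries
--    were written (the thread gives only times of day).
DECLARE @from datetime, @to datetime, @path nvarchar(260);
SET @from = '20000101 07:00';   -- placeholder
SET @to   = '20000101 08:00';   -- placeholder

-- Path of the default trace file currently being written. An older
-- rollover file (such as the one named in the reply above) can be passed
-- to fn_trace_gettable explicitly instead.
SELECT @path = path FROM sys.traces WHERE is_default = 1;

SELECT t.StartTime,
       e.name AS event_name,
       t.SessionLoginName,      -- login that opened the session
       t.LoginName,             -- login in effect when the event fired
       t.HostName,              -- client-reported, so not proof of origin
       t.ApplicationName,       -- client-reported as well
       t.SPID,
       t.DatabaseName,
       t.TextData
FROM fn_trace_gettable(@path, DEFAULT) AS t
JOIN sys.trace_events AS e
     ON e.trace_event_id = t.EventClass
WHERE t.StartTime >= @from
  AND t.StartTime <  @to
ORDER BY t.StartTime;
```

HostName and ApplicationName are supplied by the client, so treat them as leads to corroborate against the Windows Security log and firewall logs rather than as proof of where the session came from.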
