October 9, 2009 at 11:16 am
SQL 2005 Profiler
--------------------------------------------------------------------------------
From: "Jonathan Chong" <j0nathon@xxxxxxxxxxx>
Date: Tue, 29 Apr 2008 15:25:48 +0800
--------------------------------------------------------------------------------
I found below entries in Event Viewer's Application Log and System Log which
worries me as I know for sure that
there is no one login to SQL and use profiler on that time. There are only
two of us have the access to the SQL server and it is firewalled to only
allow office's IP to SQL 2005 server (on Windows 2003 server).
Application Log:
7:24:39 Login failed for user 'sa'. [CLIENT: <local machine>]
7:29:03 SQL Trace ID 2 was started by login "sa".
7:30:56 SQL Trace stopped. Trace ID = '2'. Login Name = 'sa'.
7:46:07 SQL Trace ID 2 was started by login "sa".
7:46:35 SQL Trace stopped. Trace ID = '2'. Login Name = 'sa'.
7:49:03 SQL Trace ID 2 was started by login "sa".
7:49:12 SQL Trace stopped. Trace ID = '2'. Login Name = 'sa'.
7:49:31 SQL Trace ID 2 was started by login "sa".
7:49:46 SQL Trace stopped. Trace ID = '2'. Login Name = 'sa'.
Since both of us are not in office and for sure neither one of us that uses
profiler as shown in the log. My question is: Is there any possibility that
the logs is triggered by SQL itself besides human?
If it is an intruder works, where can I look for more traces leave behind by
intruder?
MCSE SQL Server 2012\2014\2016
October 9, 2009 at 11:48 am
Found it!
select SessionLoginName, * from FN_TRACE_GETTABLE ('C:\Program Files\Microsoft SQL server\MSSQL.1\MSSQL\LOG\LOG_382.trc',default)
MCSE SQL Server 2012\2014\2016
October 9, 2009 at 11:50 am
Thanks for the update. All traces are in SQL Server so you can determine what is active.
Viewing 3 posts - 1 through 2 (of 2 total)
You must be logged in to reply to this topic. Login to reply