Post reply

Failed Login Source

  • December 18, 2003 at 8:24 am

    #59049

    How can I tell the source of a failed login? The login is an SQL login. I would like to be able to see what host it is coming from. I am running SQL 2000 EE. My audit level is set to failure.

    Daniel Mosmeyer


    Daniel Mosmeyer

  • December 18, 2003 at 9:03 am

    #486972

    If you have a trace running, you can capture the hostname the source passed, but this isn't guaranteed to be accurate. You could also use network traces or an IDS product like Snort or Cisco's version to key on packets that tell of a failure... SQL Server will send back a login failure response and the destination host is what you'll be looking to capture. Information on what to look for can be found here:

    http://www.freetds.org/tds.html

    K. Brian Kelley, GSEC

    http://www.truthsolutions.com/

    Author: Start to Finish Guide to SQL Server Performance Monitoring

    http://www.netimpress.com/

    K. Brian Kelley
    @kbriankelley

Viewing 2 posts - 1 through 1 (of 1 total)

You must be logged in to reply to this topic. Login to reply