Unauthorized Audit Trace - HELP !!!

  • I have an unauthorized audit trace on one of my servers. I shut down and restarted the server on Friday. It stopped for the rest of Friday, but I just found out the trace is still running.

    Whoever set the trace is storing the files in the Program Files\Microsoft SQL Server\Data folder.

    The trace files are growing at 10G A DAY. I keep deleting the trace files but it keeps reopening new ones.

    Any ideas - this is a serious breach of security. HELP!!!!

    I have no clue who is running it nor the source.

  • When you say that you have no idea of who is running the trace, are you saying you can't see the connection when you run a sp_who2?

    If you can see the connection running the sp_who2 stored proc it should be fairly easy to kill and then deal appropriately with the user that is running it.

    You could also set up your own trace to monitor connections as well to see who is starting the process. This may get overwhelming if you have a ton of connections.

    Hope this helps.

    David

    @SQLTentmaker

    “He is no fool who gives what he cannot keep to gain that which he cannot lose” - Jim Elliot

  • I think you have C2 Audit Mode turned on. Check this with the command: sp_configure 'c2 audit mode'

    and look at the last column (run value); if this is 1, set it to 0 and restart the server.
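
The check suggested in the reply above, written out as a T-SQL script. This is an added example, not part of the original thread; it assumes SQL Server 2005 or later (for the sys.configurations and sys.traces catalog views) and a sysadmin login.

```sql
-- Added example: confirm whether C2 audit mode explains the trace files,
-- then turn it off. Not code from the original thread.

-- 'c2 audit mode' is an advanced option, so sp_configure does not
-- list it until advanced options are shown.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;

-- 1. Configured value versus the value currently in effect (run value).
SELECT name,
       CAST(value        AS int) AS config_value,
       CAST(value_in_use AS int) AS run_value
FROM sys.configurations
WHERE name = 'c2 audit mode';

-- 2. Server-side traces running right now and where they write.
--    A trace started by the server itself has no owning connection,
--    which is why it does not show up as a session in sp_who2.
--    is_default = 1 is the built-in default trace; a C2 audit trace is
--    expected to show is_shutdown = 1 (server stops if it cannot write).
SELECT id, path, is_default, is_rollover, is_shutdown, max_size, start_time
FROM sys.traces;

-- 3. Disable C2 auditing only if it is configured or in effect.
IF EXISTS (SELECT 1
           FROM sys.configurations
           WHERE name = 'c2 audit mode'
             AND (CAST(value AS int) = 1 OR CAST(value_in_use AS int) = 1))
BEGIN
    EXEC sp_configure 'c2 audit mode', 0;
    RECONFIGURE;
    PRINT 'c2 audit mode set to 0; restart the SQL Server service for it to take effect.';
END
ELSE
    PRINT 'c2 audit mode is not enabled; the trace has another source (see sys.traces output).';
```

With C2 audit mode on, SQL Server shuts itself down when it can no longer write the audit file, so free disk space on the data drive matters until the restart has been done.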

  • Thanks.

    The C2 mode was on.
