locked
SQL Server 2017 - Service account logging into SQL repeatedly? RRS feed

  • Question

  • I just noticed recently my box running SQL Server 2017 started logging successful logins to the SQL Server from the SQL Server, using it's service account identity. The log is getting 5 or 6 a second, so it was growing rather quickly.  This seems like either unusual behavior, or unusual logging, I'm not sure which. I've temporarily turned off logging of successful logins so I won't miss other activity in the log. Does that seem unusual to anyone else? Or have you seen it and know what it is?  Additionally, they don't seem like 'real' connections. I don't see them in the Activity Monitor, or in sp_who2. If I were to guess, I'd say it almost looks like somehow the logging is catching internal activity of the SQL server.

    Additionally, at what look like consistant times(like a job, but I can't see one that fits), the security event log of the server will show audit failures for the service account. These are usually "account locked out" along with one "account disabled".  However, I verified in AD, neither of those is the case.

    It's very odd. Any suggestions?

    Thank you!

    Thursday, April 19, 2018 1:19 PM

All replies

  • Hello,

    I guess that's the service (account) of SQL Server-Agent, which is looking if a job is scheduled to run.


    Olaf Helper

    [ Blog] [ Xing] [ MVP]

    Thursday, April 19, 2018 2:02 PM
  • Hello,

    I guess that's the service (account) of SQL Server-Agent, which is looking if a job is scheduled to run.


    Olaf Helper

    [ Blog] [ Xing] [ MVP]

    Interesting...but would that show up as the service account of the SQL Server? I have my agent configured to run as a different service account.

    Thursday, April 19, 2018 3:59 PM
  • Agent should show up at itself, not the database engine.

    I would do some tracing to see if these are "real" connections, or just some artifact of how SQL Server operates internally.


    Tibor Karaszi, SQL Server MVP (Web Blog)

    Monday, April 23, 2018 11:17 AM
  • Have a check with the DMVs to drill in a bit more to see what is connecting and from which application:

    SELECT * FROM sys.dm_exec_connections
    
    SELECT * FROM sys.dm_exec_sessions
    
    SELECT * FROM sys.dm_exec_requests
    OUTER APPLY sys.dm_exec_sql_text(sql_handle)


    Martin Cairney SQL Server MVP

    Monday, April 23, 2018 12:06 PM