login failed for user 'sa'

Question

Hi All

Why the following errors logging in SQL errorlog for few only versions (ex, 10.50.6560) after renamed/disbaled SA account and how to stop them being logged

Logon              login failed for user 'sa'. Reason: Could not find a login matching the name provided. [CLIENT: local server ip address]

Thanks

Dave

Answer 1

Something on the system is trying to make that connection.  Use Trace/Extended events to see if you can find the application making the connection attempt.

---

22 years of database experience, most with SQL Server. Please 'Mark as answered' those posts that helped you.

• Kevin3NF on Twitter
• Dallas DBAs
• My first SQL DBA course on Pluralsight
• PocketDBA™

Answer 2

I do not see anything in profiler by filtering login name as sa

Answer 3

Did one of the errors occur while you had the trace running?  Its been so long since I used Profiler I cannot remember what events to trace or which version of SQL started capturing login failures

---

22 years of database experience, most with SQL Server. Please 'Mark as answered' those posts that helped you.

• Kevin3NF on Twitter
• Dallas DBAs
• My first SQL DBA course on Pluralsight
• PocketDBA™

Answer 4

There are no errors reported anyway now the logging has been stopped since last 1 hour but not sure how it stopped

Answer 5

But once we changed the sa name, all internal transaction should be changed as well right.

I can see some events using sa login under SQLTransaction and the applicationName is Microsoft SQL Server JDBC Driver in profiler but logging in errorlog stopped

Answer 6

If it starts again, you will want to have a trace ready to go.

I strongly recommend using Profiler to script out a trace file you can run (A Server side trace), which dumps results to wherever you specify.

I'm also a fan of Extended events over trace...I made this video to get people started:

SQL 101 Extended Events

---

22 years of database experience, most with SQL Server. Please 'Mark as answered' those posts that helped you.

• Kevin3NF on Twitter
• Dallas DBAs
• My first SQL DBA course on Pluralsight
• PocketDBA™

Answer 7

I agree, have a trace ready, and get into the habit of using Extended Events. You want to be on top of this situation. Something is trying to get into your SQL server as sa. Perhaps this is an attack!

---

Tibor Karaszi, SQL Server MVP (Web Blog)

Answer 8

I agree, have a trace ready, and get into the habit of using Extended Events. You want to be on top of this situation. Something is trying to get into your SQL server as sa. Perhaps this is an attack!

Nah, as I understand the original post, the client was the same machine on which SQL Server is running, so it does not sound like an attack from the outside.

---

Erland Sommarskog, SQL Server MVP, esquel@sommarskog.se

Answer 9

Nah, as I understand the original post, the client was the same machine on which SQL Server is running, so it does not sound like an attack from the outside.

Ah, I missed that part. Good eye. 

---

Tibor Karaszi, SQL Server MVP (Web Blog)