login failed for user 'sa'

  • Question

  • Hi All

    Why are the following errors being logged in the SQL errorlog for only a few versions (e.g., 10.50.6560) after the SA account was renamed/disabled, and how can we stop them from being logged?

    Logon              login failed for user 'sa'. Reason: Could not find a login matching the name provided. [CLIENT: local server ip address]

    Thanks

    Dave

    Thursday, November 14, 2019 3:54 PM

All replies

  • Something on the system is trying to make that connection.  Use Trace/Extended events to see if you can find the application making the connection attempt.

    22 years of database experience, most with SQL Server. Please 'Mark as answered' those posts that helped you.

    • Marked as answer by SQL_Dave Thursday, November 14, 2019 4:52 PM
    Thursday, November 14, 2019 4:26 PM
  • I do not see anything in profiler by filtering login name as sa
    Thursday, November 14, 2019 4:43 PM
  • Did one of the errors occur while you had the trace running?  It's been so long since I used Profiler that I cannot remember what events to trace or which version of SQL started capturing login failures.

    22 years of database experience, most with SQL Server. Please 'Mark as answered' those posts that helped you.

    Thursday, November 14, 2019 4:48 PM
  • There are no errors reported now anyway; the logging has been stopped for the last hour, but I'm not sure how it stopped.
    Thursday, November 14, 2019 4:52 PM
  • But once we changed the sa name, all internal transactions should be changed as well, right?

    I can see some events using the sa login under SQLTransaction in Profiler, and the applicationName is Microsoft SQL Server JDBC Driver, but the logging in the errorlog has stopped.



    • Edited by SQL_Dave Thursday, November 14, 2019 4:56 PM typo
    Thursday, November 14, 2019 4:54 PM
  • If it starts again, you will want to have a trace ready to go.

    I strongly recommend using Profiler to script out a trace file you can run (a server-side trace), which dumps results to wherever you specify.

    I'm also a fan of Extended events over trace...I made this video to get people started:

    SQL 101 Extended Events


    22 years of database experience, most with SQL Server. Please 'Mark as answered' those posts that helped you.

    Thursday, November 14, 2019 4:57 PM
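
An Extended Events session of the kind recommended in the replies above, as an added example that is not part of any poster's reply. It captures every failed login (error 18456) together with the client application name, host name and client process id, which is what identifies a local process that keeps connecting as sa. Assumptions: the session name `FailedLogins` is hypothetical, and the event field and target names are those of SQL Server 2012 or later; on 2008 R2 builds such as the 10.50.6560 mentioned in the question those names differ.

```sql
-- Added example: session name FailedLogins is hypothetical.
-- Assumes SQL Server 2012+ Extended Events field and target names.
CREATE EVENT SESSION [FailedLogins] ON SERVER
ADD EVENT sqlserver.error_reported (
    ACTION (
        sqlserver.client_app_name,   -- e.g. a JDBC driver name
        sqlserver.client_hostname,   -- machine the attempt came from
        sqlserver.client_pid         -- process id on that machine
    )
    WHERE ([error_number] = 18456)   -- "Login failed for user ..."
)
ADD TARGET package0.ring_buffer (SET max_memory = 4096)  -- KB, in memory only
WITH (STARTUP_STATE = ON, MAX_DISPATCH_LATENCY = 5 SECONDS);
GO

ALTER EVENT SESSION [FailedLogins] ON SERVER STATE = START;
GO

-- Run this after the next "login failed for user 'sa'" entry appears.
-- State 5 = "Could not find a login matching the name provided".
WITH captured AS (
    SELECT CAST(t.target_data AS xml) AS target_xml
    FROM sys.dm_xe_sessions AS s
    JOIN sys.dm_xe_session_targets AS t
      ON t.event_session_address = s.address
    WHERE s.name = N'FailedLogins'
      AND t.target_name = N'ring_buffer'
)
SELECT
    ev.value('(@timestamp)[1]', 'datetime2(3)')                             AS utc_time,
    ev.value('(data[@name="state"]/value)[1]', 'int')                       AS error_state,
    ev.value('(data[@name="message"]/value)[1]', 'nvarchar(2048)')          AS message,
    ev.value('(action[@name="client_app_name"]/value)[1]', 'nvarchar(256)') AS client_app,
    ev.value('(action[@name="client_hostname"]/value)[1]', 'nvarchar(256)') AS client_host,
    ev.value('(action[@name="client_pid"]/value)[1]', 'int')                AS client_pid
FROM captured
CROSS APPLY target_xml.nodes('/RingBufferTarget/event') AS n(ev)
WHERE ev.value('(data[@name="message"]/value)[1]', 'nvarchar(2048)') LIKE N'%''sa''%'
ORDER BY utc_time DESC;
```

When the client is the server itself, as in the question, `client_pid` can be matched against the running processes on that machine to find the service or job still configured with the old sa login.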
  • I agree, have a trace ready, and get into the habit of using Extended Events. You want to be on top of this situation. Something is trying to get into your SQL server as sa. Perhaps this is an attack!

    Tibor Karaszi, SQL Server MVP (Web Blog)

    Friday, November 15, 2019 8:57 AM
  • "I agree, have a trace ready, and get into the habit of using Extended Events. You want to be on top of this situation. Something is trying to get into your SQL server as sa. Perhaps this is an attack!"
    Nah, as I understand the original post, the client was the same machine on which SQL Server is running, so it does not sound like an attack from the outside.

    Erland Sommarskog, SQL Server MVP, esquel@sommarskog.se

    Sunday, November 17, 2019 9:39 PM

  • "Nah, as I understand the original post, the client was the same machine on which SQL Server is running, so it does not sound like an attack from the outside."

    Ah, I missed that part. Good eye. 

    Tibor Karaszi, SQL Server MVP (Web Blog)

    Monday, November 18, 2019 1:32 PM