I renamed sa account and disabled. Why my audit log showing sa activities?
EventTime server_principal_name session_server_principal_name statement
14-11-20 0:56 sa
What is this entry for sa account because I don't have sa account
I renamed sa account and disabled. Why my audit log showing sa activities?
EventTime server_principal_name session_server_principal_name statement
14-11-20 0:56 sa
What is this entry for sa account because I don't have sa account
Good day,
Please execute the following query to check if the sa account you see is the real original sa account:
SELECT name
FROM sys.sql_logins
WHERE sid = 0x01;
The sa account always has 0x01
Ensure no other logins are named sa
SELECT sid, name
FROM sys.sql_logins
WHERE name = 'sa';
Next check in the audit log what this sa account is doing (maybe simply an attempt to connect by someone and it failed ?)
audit log all fields are empty except serer principle name and date
Thanks for your reply. My problem not solved. I don't have sa account but audit log captured the sbove sa activity. I already verified no sa ac in my sqlserver
Can you provide the log after you clean sensitive private information?
If not then at lease try to provide the exact messages including some messages before this report and obviously this exact message that you get
In theory the report in the lo0g might be that someone else try to use sa account even if this account not exists (for example an abuser - which is people re-name the sa account)
Note! It is almost impossible to follow threads in this forum since there is no option to get a list of threads which I participate in the discussion. I am trying to follow threads that I started to help using the limitted infomation in the profile activities but we cannot count on this.
from the above log only some fields contain values all other fields are empty
9 people are following this question.