question

ThatchinamoorthyVeeramani-3248 asked ThatchinamoorthyVeeramani-3248 answered

MSSQL Audit Log

I renamed the sa account and disabled it. Why is my audit log showing sa activities?

EventTime server_principal_name session_server_principal_name statement
14-11-20 0:56 sa

What is this entry for the sa account, because I don't have an sa account?

sql-server-general
pituach answered

Good day,

Please execute the following query to check if the sa account you see is the real original sa account:

 SELECT name
 FROM sys.sql_logins
 WHERE sid = 0x01;

The sa account always has 0x01

Ensure no other logins are named sa

 SELECT sid, name
 FROM sys.sql_logins
 WHERE name = 'sa';


Next, check in the audit log what this sa account is doing (maybe simply an attempt to connect by someone and it failed?)
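One way to carry out the audit-log check suggested above, as an added example that is not part of the original answer: read the audit file directly and list every row recorded under the name sa, with the action, whether it succeeded, and whether the recorded SID maps to a login that exists now. The file path is a placeholder, and the query assumes the audit writes to a file target.

```sql
-- Added example; <audit-folder> is a placeholder for your own audit file location.
DECLARE @audit_files nvarchar(260) = N'<audit-folder>\*.sqlaudit';

SELECT
    af.event_time,                          -- audit event times are stored in UTC
    af.action_id,
    CASE af.action_id                       -- the three login-related action codes
        WHEN 'LGIS' THEN 'login succeeded'
        WHEN 'LGIF' THEN 'login failed'
        WHEN 'LGO'  THEN 'logout'
        ELSE 'other (look up in sys.dm_audit_actions)'
    END AS action_meaning,
    af.succeeded,                           -- 0 = the action was denied or failed
    af.server_principal_name,               -- the name as recorded in the audit row
    af.server_principal_sid,
    sp.name        AS current_login_name,   -- NULL: no login with that SID exists now
    sp.is_disabled AS current_login_disabled,
    af.session_server_principal_name,
    af.statement,
    af.additional_information               -- XML with extra detail for some actions
FROM sys.fn_get_audit_file(@audit_files, DEFAULT, DEFAULT) AS af
LEFT JOIN sys.server_principals AS sp
       ON sp.sid = af.server_principal_sid
WHERE af.server_principal_name = N'sa'
ORDER BY af.event_time;
```

Rows with action_id LGIF and succeeded = 0 are connection attempts that used the name sa and were rejected, which is the case the answer suggests checking for.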





ThatchinamoorthyVeeramani-3248 answered

Yes, verified using the above query. No sa account.

ThatchinamoorthyVeeramani-3248 answered pituach commented

In the audit log, all fields are empty except server principal name and date.


Great ;-)

I am happy we could help a bit

Have a great day and stay safe

ThatchinamoorthyVeeramani-3248 answered pituach edited

Thanks for your reply. My problem is not solved. I don't have an sa account, but the audit log captured the above sa activity. I already verified there is no sa account in my SQL Server.


Can you provide the log after you clean sensitive private information?

If not, then at least try to provide the exact messages, including some messages before this report and obviously the exact message that you get.

In theory, the report in the log might be that someone else tried to use the sa account even if this account does not exist (for example an abuser - which is why people rename the sa account).

Note! It is almost impossible to follow threads in this forum since there is no option to get a list of threads in which I participate in the discussion. I am trying to follow threads that I started to help, using the limited information in the profile activities, but we cannot count on this.

ThatchinamoorthyVeeramani-3248 answered

79902-mylogpng.png



ThatchinamoorthyVeeramani-3248 answered

From the above log, only some fields contain values; all other fields are empty.
