Lookout


Constant event log of SQL Login attempts

Hi, running Lookout 6.7.1 in Win 8.1 and MSSQL 2008 R2. Have noticed several MSSQL login attempts a minute in the Event Log. Windows Defender and Avira have not detected any unusual activity. Although there was a recent crash of Lookout due to a SQL related error, Lookout appears to operate normally. Trend screens behave and display the historical data fine. The login attempts will stop as soon as I kill the 'citadel5.exe' service. Very concerned about this activity and would like to stop it. Any ideas? Would appreciate any input.

 

The two recurring event logs:

 

Date  12/31/2014 1:58:48 PM
Log  SQL Server (Current - 12/31/2014 10:49:00 AM)

Source  Logon

Message
Login failed for user 'NT AUTHORITY\SYSTEM'. Reason: Failed to open the explicitly specified database. [CLIENT: 10.1.5.99]

 

Date  12/31/2014 1:58:48 PM
Log  SQL Server (Current - 12/31/2014 10:49:00 AM)

Source  Logon

Message
Error: 18456, Severity: 14, State: 38.

 

Thank you.

 

Neil

0 Kudos
Message 1 of 2
(6,118 Views)

I think I have this solved.  I'm running an old LV 8.5.1 with DSC module. This same issue (login failed for user 'NT AUTHORITY\SYSTEM') has plagued me for years, and I have seen it on many different versions of Windows, including Windows Server 2008 R2. In my case it added a new entry to Windows Event log at a rate of once every 10 seconds.

 

I found a recent post on Stack Exchange, followed it exactly, and it worked.

 

Use the command: SQLCMD -S {computer name}\CITADEL and follow the instructions from there

  

Fix SQL login error.png

 

0 Kudos
Message 2 of 2
(2,946 Views)
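
An added example, not part of either post: a Python sketch that pairs each 18456 error line with its "Login failed" message, as in the two events quoted in the first post, and groups them by account, client and state to show whether the failures come from one source at a fixed interval. The log lines are constructed in the SQL Server ERRORLOG layout (an assumed input format), and the second account and client are made up for contrast.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# Constructed sample (assumed ERRORLOG layout), modelled on the events in the post.
SAMPLE = r"""
2014-12-31 13:58:28.10 Logon       Error: 18456, Severity: 14, State: 38.
2014-12-31 13:58:28.10 Logon       Login failed for user 'NT AUTHORITY\SYSTEM'. Reason: Failed to open the explicitly specified database. [CLIENT: 10.1.5.99]
2014-12-31 13:58:31.55 Logon       Error: 18456, Severity: 14, State: 38.
2014-12-31 13:58:31.55 Logon       Login failed for user 'EXAMPLE\svc_report'. Reason: Failed to open the explicitly specified database. [CLIENT: 192.0.2.7]
2014-12-31 13:58:38.10 Logon       Error: 18456, Severity: 14, State: 38.
2014-12-31 13:58:38.10 Logon       Login failed for user 'NT AUTHORITY\SYSTEM'. Reason: Failed to open the explicitly specified database. [CLIENT: 10.1.5.99]
2014-12-31 13:58:48.10 Logon       Error: 18456, Severity: 14, State: 38.
2014-12-31 13:58:48.10 Logon       Login failed for user 'NT AUTHORITY\SYSTEM'. Reason: Failed to open the explicitly specified database. [CLIENT: 10.1.5.99]
"""

ERR = re.compile(r"^(\S+ \S+) Logon\s+Error: 18456, Severity: \d+, State: (\d+)\.")
MSG = re.compile(r"^(\S+ \S+) Logon\s+Login failed for user '([^']*)'\."
                 r"(?: Reason: (.*?))? \[CLIENT: ([^\]]+)\]")

def summarize(text):
    """Group failed logins by (user, client, state, reason) and measure their spacing."""
    groups = defaultdict(list)
    pending = None  # (timestamp string, state) from the preceding 18456 line
    for line in text.strip().splitlines():
        m = ERR.match(line)
        if m:
            pending = (m.group(1), int(m.group(2)))
            continue
        m = MSG.match(line)
        # The message line must directly follow its error line with the same timestamp.
        if m and pending and pending[0] == m.group(1):
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
            groups[(m.group(2), m.group(4), pending[1], m.group(3))].append(ts)
        pending = None
    report = []
    for (user, client, state, reason), times in groups.items():
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        report.append({
            "user": user, "client": client, "state": state, "reason": reason,
            "count": len(times),
            "mean_gap_s": sum(gaps) / len(gaps) if gaps else None,
            # Near-constant spacing suggests a service retry loop, not a person.
            "periodic": len(gaps) >= 2 and pstdev(gaps) < 1.0,
        })
    return sorted(report, key=lambda r: r["count"], reverse=True)

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```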