Article ID: 2187161
A key part of any data security strategy is the ability to track who has accessed, or attempted to access, your data. This provides the ability to detect unauthorized access attempts or, if necessary, to piece together the actions of malicious insiders who misused their legitimate access. Auditing login attempts to SQL Server is a very important piece of an overall auditing strategy. In SQL Server 2008 and later, auditing failed login attempts is enabled by default. You can also choose to audit all logins. Although auditing all logins increases overhead, you may be able to deduce patterns of multiple failed logins followed by a successful login, and use this information to detect a possible login security breach.
On a failed login attempt, a message similar to the following is written to the SQL Server errorlog. The message provides additional information that can be used to determine the reason for the failed login attempt.
Error: 18456, Severity: 14, State: 8.
When auditing failed login attempts is enabled, the database administrator can use the information written to the errorlog as a result of a failed login attempt to determine the reason for the failed login. For more information, refer to Understanding "login failed" (Error 18456) error messages.
SQL Server 2008 and later also offers a complete auditing solution with a number of advantages that may help DBAs more easily achieve goals such as meeting regulatory compliance requirements. These include the ability to provide centralized storage of audit logs and integration with System Center, as well as noticeably better performance. Perhaps most significantly, SQL Server Audit permits fine-grained auditing, whereby an audit can be targeted to specific actions by a principal against a particular object. For more information, refer to the whitepaper Auditing in SQL Server 2008.
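The pattern mentioned above, multiple failed logins followed by a successful login, can be searched for in an exported errorlog once auditing of all logins is enabled. The following is an added example, not part of the original article: the function name `find_suspicious_logins`, the threshold and time window, and the sample lines (constructed, modelled on the usual errorlog layout) are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (not from a real server), in the usual errorlog layout.
SAMPLE_LOG = """\
2012-04-03 10:15:01.10 Logon       Error: 18456, Severity: 14, State: 8.
2012-04-03 10:15:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.10]
2012-04-03 10:15:04.32 Logon       Error: 18456, Severity: 14, State: 8.
2012-04-03 10:15:04.32 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.10]
2012-04-03 10:15:09.87 Logon       Error: 18456, Severity: 14, State: 8.
2012-04-03 10:15:09.87 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.10]
2012-04-03 10:15:30.05 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 192.0.2.10]
2012-04-03 10:20:00.41 Logon       Error: 18456, Severity: 14, State: 8.
2012-04-03 10:20:00.41 Logon       Login failed for user 'appuser'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.20]
2012-04-03 10:20:05.00 Logon       Login succeeded for user 'appuser'. Connection made using SQL Server authentication. [CLIENT: 192.0.2.20]
"""

# Matches only the "Login failed/succeeded" lines; the "Error: 18456" header is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']*)'"
    r".*?\[CLIENT: (?P<client>[^\]]+)\]"
)

def find_suspicious_logins(log_text, threshold=3, window=timedelta(minutes=10)):
    """Return (user, client, success_time, failures) for each successful login
    preceded by at least `threshold` failures from the same client within `window`."""
    recent = defaultdict(deque)  # (user, client) -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        key = (m["user"].lower(), m["client"])
        fails = recent[key]
        while fails and ts - fails[0] > window:  # drop failures older than the window
            fails.popleft()
        if m["result"] == "failed":
            fails.append(ts)
        else:
            if len(fails) >= threshold:
                alerts.append((key[0], key[1], ts, len(fails)))
            fails.clear()  # a success resets the failure streak
    return alerts
```

On the sample, only the `sa` login from 192.0.2.10 is reported; a single mistyped password followed by a success, as for `appuser`, stays below the threshold.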
For more information about the products or tools that automatically check for this condition on your instance of SQL Server and on the versions of the SQL Server product, see the following table:
(http://go.microsoft.com/fwlink/?LinkId=151500) for other considerations.
Article ID: 2187161 - Last Review: April 3, 2012 - Revision: 2.0