Skip to content

Instantly share code, notes, and snippets.

@alivarzeshi

alivarzeshi/SQL_Server_Error_Logs_Part_05.txt

Created June 21, 2024 21:42
Show Gist options
  • Save alivarzeshi/1edb91d1addea0a1cc6a4070b3fd5611 to your computer and use it in GitHub Desktop.
Save alivarzeshi/1edb91d1addea0a1cc6a4070b3fd5611 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
SQL_Server_Error_Logs_Part_05.txt
Date/Time: 2023-03-03 09:00:00
Log Level: Information
Source: SQL Server
Message: Login succeeded for user 'username'. Connection: Non-Trusted.
Date/Time: 2023-03-03 09:05:00
Log Level: Error
Source: SQL Server
Message: Login failed for user 'username'. Reason: Password did not match that for the login provided. [CLIENT: <local machine>]
Error Number: 18456
Severity: 14
State: 8
Date/Time: 2023-03-03 09:10:00
Log Level: Information
Source: SQL Server
Message: Granted SELECT on object 'dbo.MyTable' to user 'username'.
Date/Time: 2023-03-03 09:15:00
Log Level: Error
Source: SQL Server
Message: Login failed for user 'username'. Reason: The account is currently locked out. The system administrator can unlock it. [CLIENT: <local machine>]
Error Number: 18486
Severity: 14
State: 1
Date/Time: 2023-03-03 09:20:00
Log Level: Information
Source: SQL Server
Message: ALTER TABLE dbo.MyTable ADD COLUMN NewColumn INT.
@alivarzeshi
Copy link
Author

alivarzeshi commented Jun 21, 2024
edited
Loading

Tip

In-Depth Analysis of Security Events in SQL Server Error Logs

Overview

Security events in SQL Server error logs capture detailed information about authentication, authorization, and changes to security settings. Monitoring these events is crucial for maintaining a secure SQL Server environment, ensuring only authorized users have access, and detecting potential security breaches or misconfigurations.

Structure of Security Event Log Entries

Each log entry for security events typically includes the following components:

  1. Date/Time: The exact timestamp when the security event occurred.
  2. Log Level: The severity of the event (e.g., Information, Warning, Error).
  3. Source: The component or module that generated the log entry (e.g., SQL Server, Windows Security).
  4. Message: A detailed description of the security event.
  5. Error Number: A unique identifier for any errors encountered during the security event.
  6. Additional Data: Information such as the username, client IP address, and reason for the event (e.g., login failure, permission change).

Common Security Events

1. Login Success

  • Description: Indicates a successful authentication attempt.
  • Internal Process:
    • SQL Server receives a login request.
    • The request is validated against the security subsystem (e.g., Windows Authentication, SQL Server Authentication).
    • Upon successful validation, the user is granted access, and the event is logged.
  • Example Log Entry: 
    Date/Time: 2023-03-03 09:00:00
Log Level: Information
Source: SQL Server
Message: Login succeeded for user 'username'. Connection: Non-Trusted.

2. Login Failure

  • Description: Indicates a failed authentication attempt.
  • Internal Error: Error: 18456
  • Example Log Entry: 
    Date/Time: 2023-03-03 09:05:00
Log Level: Error
Source: SQL Server
Message: Login failed for user 'username'. Reason: Password did not match that for the login provided. [CLIENT: <local machine>]
Error Number: 18456
Severity: 14
State: 8
  • Notes:
    • The error state provides specific details about why the login failed (e.g., incorrect password, account locked).
    • Frequent login failures can indicate brute force attacks or misconfigured applications.

3. Role and Permission Changes

  • Description: Logs changes to user roles and permissions.
  • Internal Process:
    • An administrator modifies roles or permissions using T-SQL commands or management tools.
    • SQL Server updates the system catalog to reflect the changes.
    • The event is logged to track the change for auditing purposes.
  • Example Log Entry: 
    Date/Time: 2023-03-03 09:10:00
Log Level: Information
Source: SQL Server
Message: Granted SELECT on object 'dbo.MyTable' to user 'username'.

4. Account Lockouts

  • Description: Indicates that a user account has been locked due to multiple failed login attempts.
  • Internal Error: Error: 18486
  • Example Log Entry: 
    Date/Time: 2023-03-03 09:15:00
Log Level: Error
Source: SQL Server
Message: Login failed for user 'username'. Reason: The account is currently locked out. The system administrator can unlock it. [CLIENT: <local machine>]
Error Number: 18486
Severity: 14
State: 1
  • Notes:
    • Account lockouts are a security measure to prevent unauthorized access through repeated login attempts.
    • Administrators need to review and address the cause of lockouts, such as incorrect login credentials or potential attacks.

5. Schema Changes

  • Description: Logs changes to database schemas, including the creation, alteration, or dropping of database objects.
  • Internal Process:
    • Schema changes are initiated through T-SQL commands or management tools.
    • SQL Server updates the system catalog and logs the change for auditing.
  • Example Log Entry: 
    Date/Time: 2023-03-03 09:20:00
Log Level: Information
Source: SQL Server
Message: ALTER TABLE dbo.MyTable ADD COLUMN NewColumn INT.

Additional Relevant Information

Error Number Details

  • Error: 18456 (Login Failed)

    • Severity: 14
    • States: Various states indicating specific reasons for failure:
      • State 1: Generic error.
      • State 8: Incorrect password.
      • State 11: Login is valid but server access failed.
      • State 18: Password must be changed.

  • Error: 18486 (Account Locked)

    • Severity: 14
    • State: 1
    • Description: Indicates that the account is locked out due to multiple failed login attempts.

Importance of Security Event Monitoring

  • Detecting Unauthorized Access:
    • Regularly monitoring security events helps detect unauthorized access attempts and potential security breaches.
  • Auditing and Compliance:
    • Logs of role, permission, and schema changes are essential for auditing purposes and compliance with security policies.
  • Proactive Security Measures:
    • Identifying patterns in login failures and account lockouts can help in implementing proactive security measures, such as stronger password policies and account lockout thresholds.

Background Processes and Mechanisms

Authentication Process

  • Request Handling: SQL Server receives login requests from clients.
  • Validation: Login credentials are validated against the configured authentication mode (Windows or SQL Server Authentication).
  • Access Control: Upon successful authentication, SQL Server verifies the user’s permissions to access the requested resources.

Authorization Process

  • Permission Checks: SQL Server checks user permissions against the system catalog to determine access rights.
  • Role Assignments: User roles are evaluated to grant or restrict access to database objects and operations.
  • Audit Logging: Changes to roles and permissions are logged for security auditing.

Efficient Reading of Security Logs

  1. Using SQL Server Management Studio (SSMS):

    • Log File Viewer: Access and filter logs using the built-in Log File Viewer.
    • Filtering: Filter logs by date, log level, source, or specific keywords (e.g., "login", "permission").

  2. Using T-SQL Commands:

    • xp_readerrorlog: Use this system stored procedure to query security events directly. 
      EXEC xp_readerrorlog 0, 1, 'login';
EXEC xp_readerrorlog 0, 1, 'permission';

  3. Using Extended Events:

    • Setup: Create an Extended Events session to capture security-related events. 
      CREATE EVENT SESSION [SecurityEvents] ON SERVER
ADD EVENT sqlserver.security_audit_login_failed(
    ACTION(sqlserver.client_hostname, sqlserver.username))
ADD TARGET package0.event_file(SET filename=N'SecurityEvents.xel');
GO
ALTER EVENT SESSION [SecurityEvents] ON SERVER STATE = START;
GO

  4. Automating Log Monitoring:

    • SQL Server Alerts: Configure SQL Server Agent alerts to notify you of critical security events. 
      USE msdb;
GO
EXEC sp_add_alert
    @name = N'Login Failure',
    @message_id = 18456,
    @severity = 14,
    @enabled = 1,
    @delay_between_responses = 0,
    @include_event_description_in = 1,
    @notification_message = N'Login failure detected.',
    @job_name = N'NotifyDBA';
GO
EXEC sp_add_notification
    @alert_name = N'Login Failure',
    @operator_name = N'DBA',
    @notification_method = 1;

Conclusion

Security Events in SQL Server logs provide essential insights into the authentication and authorization activities within the SQL Server environment. By understanding the structure of these logs, common errors, and the internal processes behind them, administrators can effectively monitor, troubleshoot, and manage SQL Server security. Regularly reviewing these logs ensures that unauthorized access attempts are detected promptly, and security configurations are correctly maintained, thereby enhancing the overall security posture of the SQL Server instance.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment