MSSQL Audit Log

Thatchinamoorthy Veeramani 21 Reputation points
2021-03-19T03:21:37.343+00:00

I renamed sa account and disabled. Why my audit log showing sa activities?

EventTime server_principal_name session_server_principal_name statement
14-11-20 0:56 sa

What is this entry for sa account because I don't have sa account

SQL Server
SQL Server
A family of Microsoft relational database management and analysis systems for e-commerce, line-of-business, and data warehousing solutions.
12,619 questions
0 comments
Accepted answer
  1. Ronen Ariely 15,096 Reputation points
    2021-03-19T03:54:02.78+00:00

    Good day,

    Please execute the following query to check if the sa account you see is the real original sa account: 

    SELECT name
FROM sys.sql_logins
WHERE sid = 0x01;

    The sa account always has 0x01

    Ensure no other logins are named sa 

    SELECT sid, name
FROM sys.sql_logins
WHERE name = 'sa';

    Next check in the audit log what this sa account is doing (maybe simply an attempt to connect by someone and it failed ?)

    0 comments

5 additional answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Thatchinamoorthy Veeramani 21 Reputation points
    2021-03-19T04:17:57.3+00:00

    Yes verified using the above query. no sa account

    0 comments
  2. Thatchinamoorthy Veeramani 21 Reputation points
    2021-03-19T04:32:28.023+00:00

    audit log all fields are empty except serer principle name and date

  3. Thatchinamoorthy Veeramani 21 Reputation points
    2021-03-19T09:15:55.07+00:00

    Thanks for your reply. My problem not solved. I don't have sa account but audit log captured the sbove sa activity. I already verified no sa ac in my sqlserver

  4. Thatchinamoorthy Veeramani 21 Reputation points
    2021-03-25T04:55:15.937+00:00

    79902-mylogpng.png

    0 comments