SQL Server
A family of Microsoft relational database management and analysis systems for e-commerce, line-of-business, and data warehousing solutions.
13,999 questions
Why is Event ID 4624 with LogonType=8 Logged by lsass.exe on My SQL Server?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(297.6, 19%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAR%3C/text%3E%3C/svg%3E)
Ali Refahiati
20
Reputation points
Hi,
I am observing Event ID 4624 with LogonType=8 being logged on my SQL Server, and it appears that the lsass.exe process is responsible for this logon. This occurrence is triggering a rule in our Splunk tool, causing some issues.
- Why is the lsass.exe process generating Event ID 4624 with LogonType=8 on my SQL Server?
- How can I resolve or prevent this from happening?
Any insights or recommendations on how to fix this issue would be greatly appreciated.
This log is related to this service:
LogName=Security
EventCode=4624
EventType=0
ComputerName=******
SourceName=Microsoft Windows security auditing.
Type=Information
Keywords=Audit Success
TaskCategory=Logon
OpCode=Info
Message=An account was successfully logged on.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: ***
Account Domain: ****
Logon ID: 0x3E7
Logon Information:
Logon Type: 8
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: No
Impersonation Level: Impersonation
New Logon:
Security ID: ****
Account Name: ****
Account Domain: *****
Logon ID: 0x98178
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x3e8
Process Name: C:\Windows\System32\lsass.exe
Network Information:
Workstation Name: *****
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: ClusAuth
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
Thank you!
{count} votes
-
Erland Sommarskog 112.7K Reputation points MVP2024-07-27T09:18:22.39+00:00 But this is a log on to Windows and not to SQL Server, isn't it? Or am I missing something?
-
Ali Refahiati 20 Reputation points
2024-07-27T09:24:03.89+00:00 No, this log is not related to SQL server, but I guessed that it might be related to this tool. What other reason can this happen?
-
Erland Sommarskog 112.7K Reputation points MVP
2024-07-27T09:40:32.59+00:00 I believe that lsass is a regular Windows component, and there is no particular relation to SQL Server. But I leave it to the Windows people to contribute with further information.
Sign in to comment
Sign in to answer