MSSQL Audit Log

Thatchinamoorthy Veeramani 21 Reputation points
2021-03-19T03:21:37.343+00:00

I renamed sa account and disabled. Why my audit log showing sa activities?

EventTime server_principal_name session_server_principal_name statement
14-11-20 0:56 sa

What is this entry for sa account because I don't have sa account

SQL Server
SQL Server
A family of Microsoft relational database management and analysis systems for e-commerce, line-of-business, and data warehousing solutions.
12,737 questions
0 comments
Accepted answer
  1. Ronen Ariely 15,096 Reputation points
    2021-03-19T03:54:02.78+00:00

    Good day,

    Please execute the following query to check if the sa account you see is the real original sa account: 

    SELECT name
FROM sys.sql_logins
WHERE sid = 0x01;

    The sa account always has 0x01

    Ensure no other logins are named sa 

    SELECT sid, name
FROM sys.sql_logins
WHERE name = 'sa';

    Next check in the audit log what this sa account is doing (maybe simply an attempt to connect by someone and it failed ?)

    0 comments

5 additional answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Thatchinamoorthy Veeramani 21 Reputation points
    2021-03-25T04:56:51.643+00:00

    from the above log only some fields contain values all other fields are empty

    0 comments