Failure Audit event "Login failed for user 'Recover' event ID 18456 using Oracle SQL Client Transport Gateway

I have Windows 2003 Enterprise service running MS SQL 2005.  The server has replication installed but the snapthot only runs at midnight.
We also have an Oracle SQL Client transport Gateway to allow an external Oracle application to query the SQL database.
I have noticed many\failure audt events in the application at different times during the day and night.
Category 4
Type Failure Audit
Description: Login failed for user 'RECOVER'.[CLIENT: Ip Address]
Could this account be related to SQL or Oracle?
The SQL installation does not show the existance of the Recover user account.
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

This message indicates that some user/application has tried to logon to your SQL Server instance using SQL Server login named RECOVER. Either the login itself does not exist on the instance, or the password provided was incorrect. You can try to find out what application is trying to logon with using the RECOVER principal. Use SQL Server Profiler to catch Audit Login Failed event in Security Audit event category. There is an Application Name column for this event class captured so you will find out the name of the program used for failed login tries. Unfortunately, there is no guarantee that the name of the application is not fake (it can be easily changed in connection string or additional connection options).
iidseAuthor Commented:
I have setup the trace, but so far it has not listed it.
I found that the Recover account might be part of the Oracle Transparent Gateway for SQL, but I am still trying to see where is that configured.

Does anybody know this gateway configuration?
iidseAuthor Commented:
The trace showed the Audit Login Failed as:
Login Failed for user 'Recover'/
Login name Recover.
Client Process ID 8900 and 9376.

Unfortunately it did not show the application name, but I am sure it is related to the Oracle Transparent Gateway.
Perhaps you will find some more information in OTG documentation. I believe there is a configuration file where the name of the login name used for SQL Server connection is defined.
iidseAuthor Commented:
By default the Oracle Transparent Gateway configures COMMIT_CONFIRM, but since my application just needed to query a SQL database, I just had to use the READ_ONLY value.
There are two files on the folder:

To make the it read only the had to be set:

# This is a sample agent init file that contains the HS parameters that are
# needed for the Transparent Gateway for SQL Server

# HS init parameters

# Comment out the next two parameters - not needed when running in READ_ONLY transaction mode

# Add parameter for READ_ONLY transaction mode

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft SQL Server 2005

From novice to tech pro — start learning today.