I'm working on creating a robust login auditing system for SQL Server 2005 and 2008. Part of that process is scraping the error log for Error 18456 to keep counts and provide reports on failing logins. It works great, but it depends on the following two-line entry in the error log:
2009-10-01 00:02:00.34 Logon Error: 18456, Severity: 14, State: 8.
2009-10-01 00:02:00.34 Logon Login failed for user '<user name>'. [CLIENT: <ip address>]
Suddenly the process fails today, which is OK; that's why we test, test and soak test.
It seems it is possible to generate an 18456 error that is not followed by a "Login failed for user" message.
Good coding practices would have avoided an error (by checking to ensure the next line did contain a login failed message). We were working on the assumption that the two entries always happen together. Not so. Kind of makes me wonder where it went!
This happened on a SQL Server 2005, EE, 64 Bit, SP3, CU 4.
The specific entry is below:
Error: 18456, Severity: 14, State: 16.
CHECKDB for database '<removed>' finished without errors on 2009-10-01 04:05:02.370 (local time). This is an informational message only; no user action is required.
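The check described above, as an added example (not the author's code): a Python parser that pairs each 18456 line with the "Login failed for user" line only when that line actually follows, and records the rest as orphans instead of failing. The function names and the sample log lines (user, client address, database name) are constructed for illustration.

```python
import re
from collections import Counter

# Optional "<timestamp> <source>" prefix; the orphan entry on the page is shown without one.
PREFIX = r"^(?:(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+\S+\s+)?"
ERR_RE = re.compile(PREFIX + r"Error: 18456, Severity: \d+, State: (?P<state>\d+)\.")
FAIL_RE = re.compile(PREFIX + r"Login failed for user '(?P<user>[^']*)'\..*?\[CLIENT: (?P<client>[^\]]*)\]")

# Constructed sample: two normal pairs and one 18456 followed by an unrelated message.
SAMPLE_LOG = """\
2009-10-01 00:02:00.34 Logon       Error: 18456, Severity: 14, State: 8.
2009-10-01 00:02:00.34 Logon       Login failed for user 'app_user'. [CLIENT: 192.0.2.10]
2009-10-01 04:05:02.36 Logon       Error: 18456, Severity: 14, State: 16.
2009-10-01 04:05:02.37 spid55      CHECKDB for database 'demo' finished without errors.
2009-10-01 04:07:10.11 Logon       Error: 18456, Severity: 14, State: 8.
2009-10-01 04:07:10.11 Logon       Login failed for user 'app_user'. [CLIENT: 192.0.2.10]
"""

def parse_failed_logins(lines):
    """Return (paired, orphans); an orphan is an 18456 line with no detail line after it."""
    paired, orphans, pending = [], [], None
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        err = ERR_RE.match(line)
        if err:
            if pending:                      # two 18456 lines in a row
                orphans.append(pending)
            pending = {"ts": err["ts"], "state": int(err["state"])}
            continue
        fail = FAIL_RE.match(line)
        if pending and fail:                 # the expected second line
            paired.append({**pending, "user": fail["user"], "client": fail["client"]})
        elif pending:                        # something else followed the 18456
            orphans.append(pending)
        pending = None
    if pending:                              # log ended right after an 18456
        orphans.append(pending)
    return paired, orphans

def failed_login_counts(paired):
    """Count failures per (user, client) for reporting."""
    return Counter((p["user"], p["client"]) for p in paired)

if __name__ == "__main__":
    paired, orphans = parse_failed_logins(SAMPLE_LOG.splitlines())
    print(failed_login_counts(paired))
    print("18456 entries without a login-failed line:", orphans)
```

Reporting the orphans separately keeps the failure totals complete even when the user and client cannot be attributed.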