Re: IP auditing for unsuccessful connections

From: Ivan Ricardo Schuster <ivanrs79_at_gmail.com>
Date: Thu, 28 Apr 2011 13:56:29 -0300
Message-ID: <BANLkTim-iaZxrQbxsd0zwa1VyoGkki5FjA_at_mail.gmail.com>



Dianna,

You can filter AUD$ table to show only "ORA-01017: invalid username/password; logon denied" errors:

select userid, userhost, terminal, returncode from sys.aud$ where returncode=1017;

regards

On 28 April 2011 13:27, Dianna Gibbs <DIANNA.GIBBS_at_childrens.com> wrote:
> We have a new application that is multi-tiered with connections coming from
> many different windows and websphere servers.
>
> Weve recently completed a new upgrade/install with several changes in
> servers. Each environment has four databases,
>
> so we have a total of 16 databases for this application (TST, DEV,STG,PRD).
>
>
>
> Oracle 11.1.0.7 on AIX.
>
>
>
> Something is constantly locking an oracle user account in two different
> databases (one prd, one tst).
>
>
>
> Im trying to troubleshoot which servers have the incorrect passwords.
> Weve looked at log files, etc. and vendor cannot determine.
>
>
>
> Im looking at AUDIT SESSION and understand it will show both successful and
> unsuccessful login attempts.
>
>
>
> I also saw the Login Trigger SYS_CONTEXT.
>
>
>
> I was wondering if someone had used either successful to catch unsuccessful
> logins or had another suggestion on best way to monitor and
>
> troubleshoot this issue? We dont need this turned on long-term, just until
> we can catch which server has incorrect password.
>
>
>
> Thanks in advance for any time and suggestions.
>
> Dianna G.
>
> Please consider the environment before printing this e-mail
>
> This e-mail, facsimile, or letter and any files or attachments transmitted
> with it contains
> information that is confidential and privileged. This information is
> intended only for the use of the
> individual(s) and entity(ies) to whom it is addressed. If you are the
> intended recipient, further
> disclosures are prohibited without proper authorization. If you are not the
> intended recipient, any
> disclosure, copying, printing, or use of this information is strictly
> prohibited and possibly a
> violation of federal or state law and regulations. If you have received this
> information in error,
> please notify Children's Medical Center Dallas immediately at 214-456-4444
> or via e-mail at
> privacy_at_childrens.com. Children's Medical Center Dallas and its affiliates
> hereby claim all
> applicable privileges related to this information.
>
>

-- 
Ivan Ricardo Schuster
OCP 10g/11g
OCE RAC 10g/Linux
--
http://www.freelists.org/webpage/oracle-l
Received on Thu Apr 28 2011 - 11:56:29 CDT

Original text of this message