Service Desk Practitioners Forum
cancel

Distinguishing failed logins from the Audit Log Table (SD.4.5)

Highlighted
Marco Antonio G
Super Contributor.

Distinguishing failed logins from the Audit Log Table (SD.4.5)

Greetings,

I was wondering if anyone knows if it is possible to distinguish the different entries in the SRVDSKREP.IFC_AUDITLOGS table to determine if a failed login is due to a wrong password, an app server problem or a concurrent user licence limit being reached?

I fiddled around a bit and noticed that the entries regarding failed logins all have SRVDSKREP.IFC_AUDITLOGS.AUL_RCD_OID = '633318752190548' and are seemingly set by SYSTEM.

Checking some old data from the server logs with lines about concurrent user limits, I ntoticed that the timestamps from that log match the failed login attemptes registered in SRVDSKREP.IFC_AUDITLOGS, but seeing as wrong password attempts are also logged in this table, I can't tell which is which from an Oracle Query.

Does anyone know of a way to do this? from some combinations of the columns on the aforementioned table?
2 REPLIES
Mike Bush
Acclaimed Contributor.

Re: Distinguishing failed logins from the Audit Log Table (SD.4.5)

Marco,

working from the client interface rather than the raw tables I can see that a failed attempt to login is recorded as :-

Login name = system
Log Entry = Failed login from user 'xxx', host 'yyyy'

If you can translate these fields into raw DB fields then this may be enough to go on

Mike
Marco Antonio G
Super Contributor.

Re: Distinguishing failed logins from the Audit Log Table (SD.4.5)

THanks Mike. There is a column called AUL_LOGENTRY which has a string value describing the log entry and they do in fact show the successful and failed logins.

However, this field doesn't seem to distinguish between failed logins due to incorrect passwords and the concurrent license limit being reached...which is exactly what I'm looking for...