on 07-21-2015 6:20 PM
Greetings all,
Yesterday, we saw the user count on our production ecc system jump from 500 to over 2,000 within three minutes.
As the logons were via "/sap/bc/gui/sap/its/webgui", and from a single workstation, we're assuming browser-based
malware. Until we perform some forensic studies on the box we will not know for sure.
I am looking for a way, in real time, to get alerted to a rapid increase in user logons.
Does anyone know if this can be done, through CCMS or other methods?
Something like "alert on user count if rate of user-logon > 10% / minute" would be a good starting point.
Any tips, tricks, advice, will be greatly appreciated. I have started looking at CCMS but...nothing obvious as yet.
Best Regards to all,
mike
Hi Mike,
Firstly you need to analyse why there was sudden increase in the number of users.You can check in transaction SM04. You can see under users>technical information.
You can increase the value of parameter 'rdisp/tm_max_no' in order to avoid any issues.
Please see http://wiki.scn.sap.com/wiki/display/NWTech/Maximum+number+of+connected+terminals+reached
Regards,
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Again, we're confident this was due to malware embedded in a user's browser. SM04 is not required. AL08 demonstrated, quite nicely, the number of users logged in to all ECC servers in the group.
Again, I need something to alert me when this uptick in user count occurs the next time. I don't want to rely on checking AL08 every 5 minutes; especially with 66 servers running 15 SIDs.
thanks for the reply though.
mike
User | Count |
---|---|
84 | |
10 | |
10 | |
10 | |
7 | |
6 | |
6 | |
5 | |
4 | |
4 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.