cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Alerting on a rapid user count increase

Former Member

on ‎07-21-2015 6:20 PM

0 Kudos

Greetings all,

Yesterday, we saw the user count on our production ecc system jump from 500 to over 2,000 within three minutes.

As the logons were via "/sap/bc/gui/sap/its/webgui", and from a single workstation, we're assuming browser-based

malware. Until we perform some forensic studies on the box we will not know for sure.

I am looking for a way, in real time, to get alerted to a rapid increase in user logons.

Does anyone know if this can be done, through CCMS or other methods?

Something like "alert on user count if rate of user-logon > 10% / minute" would be a good starting point.

Any tips, tricks, advice, will be greatly appreciated. I have started looking at CCMS but...nothing obvious as yet.

Best Regards to all,

mike

Show replies
Show replies
Answer

Accepted Solutions (0)

Answers (1)

Answers (1)

former_member230159
Contributor
‎07-21-2015 8:46 PM
0 Kudos

Hi Mike,

Firstly you need to analyse why there was sudden increase in the number of users.You can check in transaction SM04. You can see under users>technical information.

You can increase the value of parameter 'rdisp/tm_max_no' in order to avoid any issues.
Please see http://wiki.scn.sap.com/wiki/display/NWTech/Maximum+number+of+connected+terminals+reached

Regards,

Show replies
Show replies
Former Member
‎07-21-2015 9:19 PM
0 Kudos

Again, we're confident this was due to malware embedded in a user's browser. SM04 is not required. AL08 demonstrated, quite nicely, the number of users logged in to all ECC servers in the group.

Again, I need something to alert me when this uptick in user count occurs the next time. I don't want to rely on checking AL08 every 5 minutes; especially with 66 servers running 15 SIDs.

thanks for the reply though.

mike

Ask a Question