04-22-2008 8:32 AM
hi,
my system will lock ID after 3 failed login attempts. if there is one id always got locked up but the failed login attempts was not done by the owner itself, how do we check from which IP or terminal is trying to access to that id and make it locked ?
comment and advice will be appreciated.
thanks.
Regards,
kent
04-22-2008 10:07 AM
Hello Kent,
You can check this using the audit transaction SM21.
You should find a record telling the user was locked and will also show you the terminal where the logon was attempted.
Regards, Jose
04-22-2008 10:11 AM
hi jose,
i don't think i can find fail login record in SM21. i have tried to make a failed login attempt, but it is not captured.
SM21 is System Log not an Audit Transaction.
regards,
kent
04-22-2008 11:33 AM
Hi Jose,
You are right. Locked id will be captured in SM21.
Early on I was trying with wrong password only but the ID still not locked yet that's why not captured in SM21.
If on the third failed attempts only it locked the ID, that means the first and second failed attempts will not be captured in SM21.
Anyway, thanks.
regards,
kent
04-22-2008 12:23 PM
Hi Kent,
I'm pretty sure this info is recorded in the security audit log (SM20) if you have it activated.