Confession: I have not been using OEM for decades since there was never a real need for it and it’s starting to take its toll on me.
Throughout the day, I keep getting paged from OEM – Message=Number of failed login attempts exceeds threshold value.
The information provided is utterly useless, e.g. what is the threshold value and what’s the error code.
What would be useful is to provide the SQL used for the check for ease of troubleshooting.
Then I found Finding the source of failed login attempts. (Doc ID 352389.1)
SQL> @pr "select username,os_username,userhost,client_id,trunc(timestamp),count(*) failed_logins from dba_audit_trail where returncode=1017 and timestamp>trunc(sysdate) group by username,os_username,userhost, client_id,trunc(timestamp) order by 5";
USERNAME : JANE
OS_USERNAME : oracle
FAILED_LOGINS : 1
That wasn’t it.
SQL> @pr "select username,os_username,RETURNCODE,userhost,trunc(timestamp),count(*) failed_logins from dba_audit_trail where returncode<>0 and timestamp>trunc(sysdate) group by username,os_username,RETURNCODE,userhost,trunc(timestamp) order by 5"; USERNAME : OS_USERNAME : tomcat RETURNCODE : 28000 FAILED_LOGINS : 1065 ------------------------- USERNAME : JANE OS_USERNAME : oracle RETURNCODE : 1017 FAILED_LOGINS : 1 $ oerr ora 28000 28000, 00000, "the account is locked" // *Cause: The user has entered wrong password consequently for maximum // number of times specified by the user's profile parameter // FAILED_LOGIN_ATTEMPTS, or the DBA has locked the account // *Action: Wait for PASSWORD_LOCK_TIME or contact DBA $ oerr ora 1017 01017, 00000, "invalid username/password; logon denied" // *Cause: // *Action:
1065 failed logins and no one even knows about this?
Lesson learned, there are many types of failed logins.
