My Oracle Support Banner

Finding the source of failed login attempts. (Doc ID 352389.1)

Last updated on APRIL 23, 2020

Applies to:

Oracle Database - Enterprise Edition - Version 9.0.1.4 to 11.2.0.4 [Release 9.0.1 to 11.2]
Information in this document applies to any platform.
Oracle Server Enterprise Edition - Version: 9.0.1.4 to 11.2.0.4
Checked for relevance on 24-Mar-2014

Purpose

This troubleshooting guide is aimed at providing information on how to trace suspect logins that have failed with ora-1017, logon denied during database authentication. Note that a malicious origin is in most cases not the cause of an unsuccessful login. It can be simply a typo in the username or password, a cron job with an invalid password in it or even an Oracle client program that was badly configured (for example see referenced note 267401.1). Anyway these unsuccessful connect attempts can be a nuisance, especially when a password management policy is in place that has a limit on failed_login_attempts and cause the ora-28000 "the account is locked" error.

Troubleshooting Steps

To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!


In this Document
Purpose
Troubleshooting Steps
 Check DBA_USERS
 Audit unsuccessful logins
 Set an event in the "init.ora" parameter file
 Use a trigger to capture additional information
 Use SQLNET Tracing to gather detailed information
References

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.