Last active Apr 3, 2020
Show BADLOGON attempts
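-- category: bryan.dietz
-- description: Look for BADLOGONS
--
-- Lists failed sign-on / authentication attempts (audit journal entry type PW)
-- recorded on this system during the last day, one row per journal entry.
--
-- Notes for whoever runs this:
--   * The FROM clause was missing from the listing as captured. It is restored
--     here with the QSYS2.DISPLAY_JOURNAL table function reading the security
--     audit journal QSYS/QAUDJRN, which is what the named arguments
--     (Starting_Receiver_Name, Journal_Entry_Types, Starting_Timestamp) belong to.
--   * PW entries exist only if security auditing is active and authority
--     failures are being audited (presumably *AUTFAIL in QAUDLVL; confirm on
--     the target system). An empty result can mean "not audited", not "no failures".
--   * User_Id is whatever was typed in the user field. People sometimes type a
--     password there by mistake, so treat the output as sensitive and limit who
--     may read or export it.
--   * '*CURAVLCHN' limits the search to the receivers still available in the
--     current chain; attempts held in receivers that were already deleted or
--     saved off are not shown.
SELECT Entry_Timestamp
    ,CURRENT SERVER AS System_name
    ,Job_Number CONCAT '/' CONCAT RTRIM(Job_User) CONCAT '/' CONCAT RTRIM(Job_Name) AS Job_Name
    ,RTRIM(Program_Library) CONCAT '/' CONCAT RTRIM(Program_Name) AS Program_Name
    -- Bytes 2-11 of the entry-specific data hold the user name that was presented.
    ,RTRIM(CAST(SUBSTR(Entry_Data, 2, 10) AS VARCHAR(10))) AS User_Id
    -- Byte 1 of the entry-specific data is the one-letter violation type.
    ,CASE RTRIM(CAST(SUBSTR(Entry_Data, 1, 1) AS CHAR(1)))
        WHEN 'A' THEN 'APPC bind failure-(A)'
        WHEN 'C' THEN 'User authentication with CHKPWD failed-(C)'
        WHEN 'D' THEN 'Service tools user ID name not valid-(D)'
        WHEN 'E' THEN 'Service tools user ID password not valid-(E)'
        WHEN 'P' THEN 'Password not valid-(P)'
        WHEN 'Q' THEN 'User profile is disabled-(Q)'
        WHEN 'R' THEN 'User password was expired-(R)'
        WHEN 'S' THEN 'SQL Decryption password is not valid-(S)'
        WHEN 'U' THEN 'User name not valid-(U)'
        WHEN 'X' THEN 'Service tools user ID is disabled-(X)'
        WHEN 'Y' THEN 'Service tools user ID not valid-(Y)'
        WHEN 'Z' THEN 'Service tools user ID password not valid-(Z)'
        -- Keep codes this list does not know visible instead of returning NULL,
        -- so a violation type added by a later release is not silently blank.
        ELSE 'Unrecognized violation type-('
             CONCAT CAST(SUBSTR(Entry_Data, 1, 1) AS CHAR(1))
             CONCAT ')'
     END AS Violation_Type
FROM TABLE(
        QSYS2.DISPLAY_JOURNAL(
            'QSYS', 'QAUDJRN',                                 -- security audit journal
            Starting_Receiver_Name => '*CURAVLCHN',
            Journal_Entry_Types    => 'PW',
            Starting_Timestamp     => CURRENT TIMESTAMP - 1 DAYS -- Time period
        )
     ) AS I
-- Optional filter: uncomment and replace 'User_Name' with one profile name to
-- narrow the result to that user.
-- WHERE RTRIM(CAST(SUBSTR(Entry_Data, 2, 10) AS VARCHAR(10))) = 'User_Name'
;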