You could also change the password back to blank -- let it succeed for a while with the API logs on.

It might be very obvious what it is once you see what it is trying to access. Like -- possibly an integration to populate CMDB or something like that. (And then you go AHA -- now I know ….)

-John

On Wed, Dec 19, 2012 at 2:37 PM, Mueller, Doug <[email protected]> wrote:

> Claire,
>
> Turn on API logging for a few minutes and capture some cases where the user Demo shows up.
>
> The API log will give you the client type of the client. If it is one of the components of the system from BMC or from some partner or your own developers who have set the client type, that will tell you what type of thing the access is from. If it says client-type of 0, that means it is probably a custom written API program.
>
> The API log also will give you the IP address of where the call came from. Now, if you have a complex environment with firewalls that rewrite IP addresses, that may or may not help, but in many environments, it is the IP address of the source machine of the API call. That will tell you where to look for your caller. If the caller is a browser session, the IP address will be of the mid-tier rather than the actual browser, but if it is the mid-tier, it will tell you it is an interactive user logging in as Demo -- just not where from.
>
> This is at least a good starting point to work from.
>
> Good luck finding your rogue Demo users....
>
> Doug Mueller
>
> -----Original Message-----
> From: Action Request System discussion list(ARSList) [mailto:[email protected]] On Behalf Of Sanford, Claire
> Sent: Wednesday, December 19, 2012 11:26 AM
> To: [email protected]
> Subject: Remedy ITSM - Demo gone wild!
>
> When our system was installed, Demo had no password since that is the default.
>
> I reset the Demo password in the User form.
>
> Demo keeps trying to log into the system and of course the blank password fails. Is there anywhere I can look to see where "Demo" has been put as the admin user? Something is using Demo and failing. 12176 times in the last 20 days.
>
> ITSM 7.6.04 SP2
> ARS 7.6.04 SP3
> Oracle 11.2.0.3.0 - 64bit Production
> Win 2008 Server
>
> Claire Sanford
> Information Systems Division
> Memorial Hermann Healthcare System
> [email protected]

--
*John Sundberg*
Kinetic Data, Inc.
"Your Business. Your Process."

*Save The Date!* Second Annual KEG (Kinetic Enthusiasts Group) Feb. 25th - March 1st in Denver, CO. For more information click here - KEG <http://www.kineticdata.com/Events/KEG.html>

651-556-0930 I [email protected]
www.kineticdata.com I community.kineticdata.com

_______________________________________________________________________________
UNSUBSCRIBE or access ARSlist Archives at www.arslist.org
"Where the Answers Are, and have been for 20 years"
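The triage Doug describes (group the Demo calls by client type and source IP), as an added example that is not part of the original thread or BMC's own tooling. The line layout matched by `ENTRY` and the sample lines are assumptions modelled on AR System API log entries; adjust the pattern to what your server actually writes.

```python
import re
from collections import Counter

# Assumed entry layout: "<USER: name > ... from <client type> (protocol N) at IP address <ip>"
ENTRY = re.compile(
    r"<USER:\s*(?P<user>[^>]*?)\s*>.*?"
    r"\bfrom (?P<client>.+?) \(protocol \d+\) at IP address (?P<ip>\S+)"
)

# Constructed sample lines (not taken from a real server).
_LINE = ("<API > <TID: 0000004520> <RPC ID: 000000010{n}> <Queue: Fast      > "
         "<USER: {user:<20}> /* Wed Dec 19 2012 14:40:0{n}.1000 */ "
         "+VER ARVerifyUser -- user {user} from {client} (protocol 14) "
         "at IP address {ip} using RPC")
SAMPLE_LOG = "\n".join(
    _LINE.format(n=n, user=user, client=client, ip=ip)
    for n, (user, client, ip) in enumerate([
        ("Demo", "Unidentified Client", "192.0.2.15"),
        ("Demo", "Unidentified Client", "192.0.2.15"),
        ("appadmin", "Mid-tier", "192.0.2.20"),
        ("Demo", "Mid-tier", "192.0.2.20"),
        ("Demo", "Unidentified Client", "192.0.2.15"),
    ])
)

def callers(log_text, user="Demo"):
    """Count API calls per (client type, source IP) made as one user."""
    seen = Counter()
    for line in log_text.splitlines():
        m = ENTRY.search(line)
        if m and m.group("user") == user:
            seen[(m.group("client"), m.group("ip"))] += 1
    return seen

def report(log_text, user="Demo"):
    """Rows of (count, client type, ip, note), busiest caller first."""
    rows = []
    for (client, ip), count in callers(log_text, user).most_common():
        # Per the thread: through the mid-tier the IP is the mid-tier host,
        # so it shows an interactive login but not where the browser is.
        if "mid-tier" in client.lower():
            note = "interactive login via mid-tier"
        else:
            note = "check this host"
        rows.append((count, client, ip, note))
    return rows

if __name__ == "__main__":
    for row in report(SAMPLE_LOG):
        print("%6d  %-22s %-15s %s" % row)
```
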

