Claire, There are a couple of things you can do to isolate who is connecting.
1) API log includes the "client type". This will tell you (for well behaved clients) what type of client it is. if it is 0, you have a client that has chosen not to identify themselves (rude behavior). 2) API log includes the IP Address of where the communication comes from. So, you should be able to take that and tell where things are from. Note that the IP address for things like the mid-tier are the mid-tier machine, but the client type does tell that it is mid-tier and that is not the type of thing you are trying to track down here. But, hopefully between the client type and the IP address, you can tell where things come from. Now, the User log tells you user connect attempts and bad password. So, you may want User and API logging on and direct to the same file then you can find the failed password stuff and the API call that includes the user using the call is right next to it and then you can find out where it is from…. Good luck isolating your errant connections, Doug Mueller From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of Sanford, Claire Sent: Tuesday, November 04, 2014 10:36 AM To: arslist@ARSLIST.ORG Subject: Re: Demo Login Name has been Changed ** Sort of along the same lines… At some point one of the consultants that graced us with their presence used Demo to install something. At some point afterwards, we actually gave Demo a password. We see a lot of “Demo” failed logins now. How do I determine what used Demo without a password so that I can correct it… From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of Ken Pritchard Sent: Tuesday, November 04, 2014 10:53 AM To: arslist@ARSLIST.ORG<mailto:arslist@ARSLIST.ORG> Subject: Re: Demo Login Name has been Changed ** Didn’t sound like this was a person’s, well, person record – was just the login. I think the bigger issue you’ll encounter is if/when you switch the login ID anything that currently runs with this ID may break. If you have a handle on anything that is running under this ID and can change it to whatever login ID you use, then you can basically change it to whatever you want it to be. From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of Rick Westbrock Sent: Tuesday, November 4, 2014 10:41 AM To: arslist@ARSLIST.ORG<mailto:arslist@ARSLIST.ORG> Subject: Re: Demo Login Name has been Changed ** Two other reasons to not use an individual’s login: 1. When the person leaves the company or transfers to another department/division their account either be locked or permissions changes which would break your install. 2. Security audits. In many cases if someone has left the company leaving their accounts active is a violation (which leads back to #1 in a way). Service accounts are definitely the way to go as mentioned by others. They will usually have different security policies, not be subject the same periodic password change requirements as individual accounts etc. -Rick From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of Rick Cook Sent: Tuesday, November 04, 2014 6:20 AM To: arslist@ARSLIST.ORG<mailto:arslist@ARSLIST.ORG> Subject: Re: Demo Login Name has been Changed ** I'm with Ken. First thing I do is set up Service Accounts that aren't subject to people leaving, or passwords that expire, etc. Use them for system functions. I keep Demo (with a pw) as kind of a back door in for the Administrators. Rick Cook On Tue, Nov 4, 2014 at 6:17 AM, Ken Pritchard <pri...@ptd.net<mailto:pri...@ptd.net>> wrote: ** Not everyone gets overly concerned about ‘security’ when it comes to the Demo password in a Remedy environment. I personally don’t think it should be a personal login – so even if you don’t want it to be Demo (which I’ve always found a bit hokey anyway) I would make it a system acct / login. From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG<mailto:arslist@ARSLIST.ORG>] On Behalf Of LJ LongWing Sent: Tuesday, November 4, 2014 9:15 AM To: arslist@ARSLIST.ORG<mailto:arslist@ARSLIST.ORG> Subject: Re: Demo Login Name has been Changed ** Sandra, Personally, I think it's a security risk to leave a 'Demo' account in place, even if you set the password. So, no....I don't personally think you should put it back. On Tue, Nov 4, 2014 at 7:08 AM, Hennigan, Sandra, CTR, DSS <sandra.hennigan....@dss.mil<mailto:sandra.hennigan....@dss.mil>> wrote: ** All, I have inherited an 8.1.01 new install, just about ready for UAT. The previous administrator renamed the "Demo user for startup" with her personal login name. This was recently discovered during troubleshooting when some of the integrations stopped working. Specifically, “Demo” was the user entry in a couple of the Configuration files. To resolve the issues with integrations, a new user was created and the services pointed to the new user. I am concerned that there may still be configuration files identifying Demo as the qualified user. Question: Do we leave well enough alone and keep the "Demo user for startup" with her personal login name or use DMT and change the "Demo user for startup" name. Any other ideas? Any concerns or follow up steps? As always, assistance from the list is priceless! Thanks. Sandra _ARSlist: "Where the Answers Are" and have been for 20 years_ _ARSlist: "Where the Answers Are" and have been for 20 years_ _ARSlist: "Where the Answers Are" and have been for 20 years_ _ARSlist: "Where the Answers Are" and have been for 20 years_ _ARSlist: "Where the Answers Are" and have been for 20 years_ _ARSlist: "Where the Answers Are" and have been for 20 years_ _ARSlist: "Where the Answers Are" and have been for 20 years_ _______________________________________________________________________________ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org "Where the Answers Are, and have been for 20 years"