Skip to Content

Neat little process that I created for my company is knowing when accounts lock, end user or system accounts (lots of issues with system accounts locking and breaking processes).  This is also an early detection method to know if someone is brute forcing your SAP accounts and may be useful for security teams or your help desk.

Items that you need:

  • Syslog – Event log forwarder – I have a Windows environment so I leveraged Snare.  For anyone else using Snare, you have to change what it monitors in the Event logs and set it up to monitor (I believe I set the ID to 42207)
  • Linux – Dealer’s choice which Linux distribution you want to leverage – I used Ubuntu Server 11.04
  • Syslog – Dealer’s choice which syslog  application you want to leverage – I used the builtin rsyslog
  • Swatch – – Installed via the default repositories, newer version of Ubuntu or a different Linux distribution may require compiling
  • mailx
  • postfix

Now if you start the swatch service it won’t do much of anything due to the lack of a configuration file.  The configuration file in most cases only requires a ‘watchfor regex‘; I found that SAP issues the following ‘locked due to incorrect logon‘ so this is what you want to set swatch to watchfor.

So now if your regex is correct you will be obtaining the logs needed, so now its time to setup the notifications…its at this point things went south for me, I had issues with the outbound email and adding new email address requires swatch to be restarted.

Here is what I did to solve both issues:

:~$cat /etc/swatch.SAP.conf


watchfor=/locked due to incorrect logon/

exec /home/user/

Now my swatch configuration stays the same and I can simply change the script it calls.  Changing the email addresses are now easily done, and as a bonus I can manipulate the message that is being sent out vs an ugly log file.

To avoid having to start swatch manually all the time after a reboot or be concerned with the daemon process failing:

:~$ more /etc/rc.local


swatch –config-file /etc/swatch.SAP.conf -t /var/log/syslog –daemon

And now for the script:

:~$ more


tail -n 2 /var/log/syslog | grep “locked due to incorrect logon” | awk ‘{$5=””;$6=””;$8=””;$9=””;$10=””;$11=””;$12=””;$13=””;$16=””;$17=””;$19=””;$20=””;$29=””;print}’ | mailx -s “SAP account locked” email@address

Tail is used to grab the last two lines from the syslog, grep will find the correct line, awk will only print relevant information in the email, mailx is the component to create and send the notification.  However this will require a mailing program to be able to trigger the outbound email, and is outside the scope of this topic.


  • Client numbers are not reported to the syslog (Could be specific to Windows SAP systems)
To report this post you need to login first.

Be the first to leave a comment

You must be Logged on to comment or reply to a post.

Leave a Reply