It's all about the answers!

Ask a question

Identify IP of the client machine that sends invalid login request

Kot T. (1.5k11219) | asked Jun 21 '13, 5:38 p.m.
Looking for a mechanism to identify where the failing request is coming from. Specifically, the information that will help identify which machine is sending the request that results in the user ID to get locked out.

One answer

permanent link
Kot T. (1.5k11219) | answered Jun 21 '13, 5:42 p.m.
edited Jun 21 '13, 5:44 p.m.
To find out the IP address of the client that sends requests to WebSphere, you can enable the NCSA access log. This log provides IP address, request URL with status code:
http_access.log will be created in the same directory as systemOut.log.
If you have IHS/plugin infront of WebSphere, you can take a look at the access_log the IHS logs directory. It provides similar details as the http_access.log.

A sample output from a 401 environment. IHS on a different Linux box than WAS. The use case is trying to log in to jts/admin using web UI (Firefox). A failed login shows the following errors:

[6/21/13 12:06:45:195 EDT] 00000028 FormLoginExte E   SECJ0118E: Authentication error during authentication for user wasadmin

IHS access_log: - - [21/Jun/2013:12:06:42 -0400] "POST /jts/authenticated/j_security_check HTTP/1.1" 302 - - - [21/Jun/2013:12:06:43 -0400] "GET /jts/auth/authfailed HTTP/1.1" 200 1197 - - [21/Jun/2013:12:06:43 -0400] "GET /jts/_theming/resource/html/loginFooter.html HTTP/1.1" 200 -

A successful login shows up as the following in IHS access_log: - - [21/Jun/2013:11:58:44 -0400] "POST /jts/authenticated/j_security_check HTTP/1.1" 302 - - - [21/Jun/2013:11:58:45 -0400] "GET /jts/authenticated/identity HTTP/1.1" 200 112 - - [21/Jun/2013:11:58:45 -0400] "GET /jts/authenticated/identity HTTP/1.1" 200 112

"POST /jts/authenticated/j_security_check" is when the request for authentication is submitted.

Your answer

Register or to post your answer.