When a user is locked out of a ServiceNow instance, it's crucial to determine the cause—whether it's due to failed login attempts, a security issue, or a misconfiguration. Here's how you can investigate locked out users by examining relevant logs.
Steps to Investigate Locked Out Users
1. Identify Relevant Logs:
Navigate to the transaction log table, [syslog_transaction], to review activities related to the locked-out user.
Access this table by navigating to System Logs > Transactions at https://<instance_name>.service-now.com/syslog_transaction_list.do.
2. Filter Transaction Logs:
Created by: Set the filter to the username of the locked-out user to isolate their activities.
Message: Look for messages indicating failed login attempts, which can be filtered using "contains 'failed login'" or a similar keyword.
Briefly review the transaction log entries for any unusual patterns such as multiple failed login attempts in a short period. This could indicate either user error or an attempted security breach.
3. Examine Event Logs for Login Attempts:
Navigate to System Logs > Events and use the URL: https://<instance_name>.service-now.com/sysevent_list.do
Apply filters such as:
Name: Use "STARTSWITH SNC.Auth.DB" to specifically focus on authentication logs.
Created by: Filter by the username to see events related to the locked-out user.
4. Confirm the Cause of Lockout:
Determine if the lockout was due to failed logins or other reasons by examining both the transaction and event logs.
This process helps in pinpointing the reason behind user lockouts and assists in making informed decisions regarding user account management and security policies in ServiceNow.
By following these steps, you can effectively investigate the reasons behind a user’s lockout, providing clarity and direction for resolving potential security or operational issues related to user access.
For more detailed guidance on resolving this issue, please contact us at support@dt-advisory.ch.