select *

  from (select os_username, userhost, terminal, username, count(*) cnt

          from dba_audit_trail

         where returncode = 1017

           and timestamp >= date '2015-12-13'

         group by os_username, userhost, username, terminal

         order by 5 desc)

 where rownum < 10;

create table tmp_logon_denied

(

   id varchar2(36),

   ip varchar2(50),

   osuser varchar2(100),

   loginuser varchar2(100),

   machine varchar2(100),

   program varchar2(100),

   timestamp date,

   primary key (id)

);

/

CREATE OR REPLACE TRIGGER logon_denied_to_alert

  AFTER servererror ON DATABASE

DECLARE

  message   VARCHAR2(168);

  ip        VARCHAR2(15);

  v_os_user VARCHAR2(80);

  v_module  VARCHAR2(50);

  v_action  VARCHAR2(50);

  v_pid     VARCHAR2(10);

  v_sid     NUMBER;

  v_program VARCHAR2(48);

BEGIN

  IF (ora_is_servererror(1017)) THEN

    -- get ip FOR remote connections :

    IF upper(sys_context('userenv', 'network_protocol')) = 'TCP' THEN

      ip := sys_context('userenv', 'ip_address');

    END IF;

    SELECT sid INTO v_sid FROM sys.v_$mystat WHERE rownum < 2;

    SELECT p.spid, v.program

      INTO v_pid, v_program

      FROM v$process p, v$session v

     WHERE p.addr = v.paddr

       AND v.sid = v_sid;

    v_os_user := sys_context('userenv', 'os_user');

    dbms_application_info.read_module(v_module, v_action);

    message := to_char(SYSDATE, 'YYYYMMDD HH24MISS') ||

               ' logon denied from ' || nvl(ip, 'localhost') || ' ' ||

               v_pid || ' ' || v_os_user || ' with ' || v_program || ' – ' ||

               v_module || ' ' || v_action;

    --sys.dbms_system.ksdwrt(2, message);

    insert into tmp_logon_denied(id, ip, osuser, loginuser, machine, program, timestamp)

    select sys_guid(), ip, t.OSUSER, t.USERNAME, t.MACHINE, t.PROGRAM, sysdate

    from v$session t

    where t.SID = v_sid;

  END IF;

END;

/