Kisco Systems
iEventMonitor : Support : Frequently Asked Questions

The following is a list of frequently asked questions about iEventMonitor. If you have a question that is not covered here, ask us via E-mail and we'll answer your question.

Register your E-mail address to receive automatic notification when this product is updated.

iEventMonitor Frequently Asked Questions:

What system audit values control the functions available to the iEventMonitor Audit Monitor feature?

The system audit value QAUDLVL (or QAUDLVL2 depending on your system configuration) will be need to set for the various audit functions to work. Here is a list of the Audit Codes in iEventMonitor along with the system audit values that will cause them to be activated:

AD - Auditing changes - *SECURITY or *SECCFG
AF - Authority failures - *AUTFAIL
AX - Row and column access control - *SECURITY or *SECRUN
CD - Command line use for registered user profiles - Controlled by iEventMonitor, no system audit value needed.
CP - User profiles changed, created or restored - *SECURITY or *SECCFG
DO - Object Deletes - *SECURITY or *DELETE set for individual object auditing
DS - DST password reset - *SECURITY or *SECCFG
EV - System environment variables - *SECURITY or *SECCFG
OW - Object ownership changes - *SECURITY, *SECDIRSRV, *SECRUN or *CHANGE set for individual object auditing
PS - Profile swaps - *SECURITY or *SECVFY
PW - Invalid passwords - *AUTFAIL
SK - Secure socket connections - *NETCMN, *NETFAIL, *NETSCK, *NETSECURE, *NETTELSVR or *NETUDP
SO - Server security user information actions - *SECURITY or *SECCFG
ST - Use of service tools - *SERVICE
SV - System value changes - *SECURITY or *SECCFG

Why am I getting a "Cannot activate file monitor at this time" error when I try to activate a file monitor?

The message indicates that the file is not available to be activated. The file monitor feature uses IBM i OS trigger programs. In order to set a trigger in place for a file, that file must not be in use by any users on your system. This is a restriction in the IBM i OS and we cannot work around it. The file can only be activated for the file monitor feature when it is not in use.

You can check to see who is using it using the WRKOBJLCK command.

Can I generate the SIEM feed file to a different path using a different filename?


The path and filename are stored in a data area named IEMCONTROL in library IEMLIB. Use the 50 characters there starting in position 940. The default value shipped with the software is:


Using this default, the SIEM file will be generated as follows:


You can change the path (/tmp) or the file name (iem_siem_) or both. iEventMonitor will append a unique 5 digit number and the ".txt" file qualifier.

I have two systems and I want the watches and monitors used on both to be exactly the same. When I get it set up on one system, how can I easily duplicate that on the other system?

This answer assumes that you already have iEventMonitor installed on both systems and that they are at the same software level.

Check the software level by running option #5 on the INSTALL menu on each system to make sure that the release level for iEventMonitor is the same. Do not proceed if the release levels do not match.

The active monitors on a system are stored in a database file named TWCHLOGF in library IEMLIB. While iEventMonitor is inactive on both systems, you can save this file on your source system and then restore it on your target system. Once done, the monitors will all be available on the target system.

For the message queue monitor, you will also have to copy the following three additional control files:


If you are running other features in iEventMonitor, contact for possible additional details.

The global settings in iEventMonitor are all stored in a data area named IEMCONTROL in library IEMLIB. To copy the global settings, this data area (*DTAARA) object must also be saved on your source system and restored on your target system. After restoring on your target system, you should run option #9 on the INSTALL menu and check the "Default Alert Subject" setting and the "IEM Respond Page Heading". We recommend that this be unique for each system so that when an alert is issued, you can easily determine which system issued the alert.

How can I perform a full reset of all of the active monitors and watches in iEventMonitor?

Sometimes you may need to do a full reset of the monitors and watches running in iEventMonitor. The recommended way to do this is as follows:

  • Run the command: IEMLIB/ENDIEM
  • Run the IBM command WRKACTJOB and verify that the IEMONITOR subsystem has ended.
  • Run the command: IEMLIB/STRIEM

When the STRIEM command runs and the IEMONITOR subsystem is inactive, a complete reset of all internal settings is done.

When the message queue monitor starts, an existing message does not issue an alert. Is this normal?

Older versions of iEventMonitor would sometimes pickup an outstanding message, but as of release 5.12, iEventMonitor's message queue monitor will only issue alerts on messages that are posted to the monitored message queue after the time when the monitor is started.

I am seeing a signficant increase in system audit journal activity since installing iEventMonitor. Can we control this?

Starting with Release 5.12, iEventMonitor uses an internal IBM i OS exit point for message queue monitoring. This feature of the IBM i OS generates a lot of profile swap activity which can be captured by the system audit journal as Type T, Code JS journal entries. Please see the following link for more of an explanation and a way to configure your system to significantly reduce this extra logging.


How can I move iEventMonitor to another system or partition?

You can transfer iEventMonitor from one system to another by moving the application library named IEMLIB to the new system. Before you load the library on the new system, you will need to run the following series of commands:


CRTAUTL AUTL(IEMONITOR) TEXT('iEventMonitor Authorization List') AUT(*USE)






After you have loaded the IEMLIB library on the new system, run option #1 on the INSTALL menu. Then, run option #2 on the INSTALL menu to confirm that the software is now installed on trial. If so, you can now use the software in trial mode.

If you decide that you want to license the software on this alternate system, contact Kisco Information Systems for details.

Can we send email through SMTP using a port number other than 25?


As installed, iEventMonitor defaults to using the standard port number 25. You can change the port number to a different port number. Before making the change, make sure that all monitors and watches have been stopped (ENDIEM).

The port number being used for outbound SMTP is stored in hexadecimal in positions 796-800 of the data area named IEMCONTROL in library IEMLIB. As shipped from Kisco Information Systems, this is set to X'0000000019' which is the hex equivalent of 25. After all monitors and watches have been stopped, you can change this value.

For example, if you want to change iEventMonitor to use port 24, you would use the following instruction:


After the change has been posted, go to the INSTALL menu in library IEMLIB and use option #12 to send a test email using this new setting. Confirm that the test email is delivered successfully before you resume normal use of the monitors and watches. You can restart everything using the STRIEM command.

We are upgrading our IBM/i OS. Are there any special considerations for iEventMonitor?

If you have implemented the browser option for responding to error messages, IEM Respond, then the answer is yes.

After the upgrade to the new IBM/i OS level has been completed, please run the following two commands on your system:


This will reset the browser interface to use the current abilities in the new IBM/i OS levels.

Can we change the graphic at the top of the web page in IEM Respond to show our company logo and name?


The graphic file for this is named "header.gif" and it is located the the htdocs folder for the IEVENTMON server instance. You will find this in the www folder off the IFS root directory on your system.

The graphic file is 600 pixels by 60 pixels. We recommend that you keep these dimensions for your own graphic file.

Before you install your own file, make sure that you save the current one by renaming it. This is for your safety should a problem develop and you need to restore the Kisco version of the file. Also, make a note for yourself that any future install of a version upgrade for iEventMonitor will result in the graphic file being reset back to the Kisco version. Make sure that you keep a copy of your new graphic file separate from the server instance objects in the IFS.

IEM Respond uses port#8077. Can we change the port# for our system?


You will need to update the HTTP Server Instance on your system. To use a different port#, do the following:

  1. Make sure that the server instance named IEVENTMON is not running on your system.
  2. Start the HTTP Server Administration Tool on your system.
    This process can take up to several minutes on some systems.
  3. Log on to the HTTP Server Admin tool and select the IEVENTMON server instance.
  4. Select the "General Server Configuration" area in the panel on the left hand side of the page.
  5. From this detail, you can change the port number from 8077 to whatever port number that you may want to use.
  6. Note: Some customer may have upgraded the server instance to use HTTPS. If you have done this, you will also need to make a change in port number using the "Security" area in the panel on the left hand side of the page.
  7. Make sure that you apply all changes and then review the changes before you end the Admin session.
  8. Run option #9 on the INSTALL menu in library IEMLIB and update the "IEM Browser Respond IP" to change the port#.
  9. You can now restart the IEVENTMON server instance and start using the feature using the new port number.

We want to use iEventMonitor on our DR system. Are there any special considerations for DR testing?

When you transfer iEventMonitor to a DR site, the software will not work since it is only licensed to run on the system with your registered serial number and partition number. To conduct a DR test, contact Kisco Information Systems support and provide the serial number, partition number and date range for your testing. A temporary code will be provided to you in advance of your test.

If you use the iEventMonitor message queue reminder alerts feature, this will register an exit program on your DR system during your test. When you are done with your test, make sure that you run option #15 on the INSTALL menu in library IEMLIB to remove the exit point registration. Failure to do this may result in unpredictable processing on the DR system when the trial period for your DR test expires.

When we specify reminder alerts for the QSYSOPR message queue, the reminders get issued even after the message was answered. Why?

Some customers may choose to use multiple monitoring software products concurrently. The reminder alert process uses the QIBM_QMH_REPLY_INQ exit point. If another software product has a program already registered to this point, iEventMonitor will not register its own exit program and, as a result, the reminder logic will not work correctly.

You can verify this by running the following command:


Place an 8 next to the displayed exit point to view the program(s) currently registered. If you find a program there in a library other than IEMLIB, then this is why the iEventMonitor reminder is not working correctly.

To correct for this, shut down your message queue monitor in iEventMonitor for the message queue in question. Review the jobs running in the IEMONITOR subsystem and cancel any jobs shown with a job name that starts with REMxxxxxx. Then, run the following command from the command line:


This will change iEventMonitor to register its exit program in the second seat for the exit point. Once this change has been made, you can restart the message queue monitor with the reminder option active. If you view the exit point programs again, you will see two programs registered to the exit point.

Can I allow someone without *SECOFR authority use the features of iEventMonitor?

You can grant permission to non-*SEFCOFR users using option #8 on the INSTALL menu'

Can I use iEventMonitor to check for user profiles that become disabled?

Yes, you can.

When a user profile becomes disabled, the IBM i OS sends a status message to the special message queue named QSYSMSG in library QSYS. If your system does not have this message queue, you can create it as it is a user optional message queue. To create it, use the following command:

CRTMSGQ MSGQ(QSYS/QSYSMSG) TEXT('System Security Message Queue')

Once the message queue has been created, set up a monitor for it in iEventMonitor and check for all messages from severity level zero and higher. All important security events will be reported to this message queue including user profiles that become disabled due to using incorrect passwords too many times.

After an IPL, the Watch Tasks that I set are no longer active. How can I restart them automatically?

Watch tasks end when you do an IPL or when you bring your system into restricted state. Following either of these events, they need to be restarted. You can do this, for both situations, by updating your system startup up program (system value QSTRUPPGM). In your startup program, you will need to add the following command:


This will restart all monitors and watches that were running when the IPL was performed.

Can I send an alert as a text message to my smartphone?


Check with your cell phone provider to find out the email address format that you should use and then just configure iEventMonitor to use that email address. For example, we use Verizon Wireless here at Kisco Information Systems. Verizon supports sending an email to a Verizon Wireless smartphone by using the email address format of: [areacode+phonenumber] If your phone number is 518-555-1111, then the email address at Verizon Wireless would be "". Just use this email address in iEventMonitor and you will get a text message for the alert notification.

Here are the email to text formats currently available for the most common cell carriers available in the USA:


Can I code my own alerts?


iEventMonitor includes a built-in command that you can call from your own applications to issue alerts using the methods and delivery implemented by iEventMonitor.