Kisco Systems

Kisco U

Monitoring for IBM i security events


Depending on the size of your shop and the number of users, there could be hundreds or even thousands of security decisions being made by your security setup on a minute by minute, hour by hour, day by day basis. How do you know when a security violation has occurred?

As always, you can look to the audit journal (DSPAUDJRNE displays its entries). It contains more events, in more detail, than the message queue, but it will not give you real-time alerts.

The system operator message queue (QSYSOPR) is a better source of information. Error notices for critical violations are posted into that queue. However, there are so many messages in the queue that it's easy to miss the important ones.

To get around this issue, the IBM i OS has an alternate message queue capability. Check your system to see if the QSYSMSG message queue exists in library QSYS. If you don't see one, just create it:

CRTMSGQ MSGQ(QSYS/QSYSMSG) TEXT('IBM i OS Security Message Queue')

Or create it through IBM i Navigator.

Once the QSYSMSG message queue is on your system, all critical security related messages will also be posted to this message queue along with your system operator queue.


Run the following command to display QSYSMSG alerts as break messages:

CHGMSGQ MSGQ(QSYS/QSYSMSG) DLVRY(*BREAK)

To receive alerts when you're not logged in (and can't see break messages) you will need to write a CL program to forward critical alerts.
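One way to write that forwarding program, added here as an example (it is not code from this page or from Kisco's product): a break-handling CL program attached to QSYSMSG with CHGMSGQ DLVRY(*BREAK) PGM(...), kept alive by a submitted never-ending job. The library MYLIB, the program names and the mail address are assumptions, and SNDSMTPEMM assumes the system's SMTP client is configured.

```cl
/* Source member QSYSMSGBRK (assumed name) - break-handling program for QSYSMSG.   */
/* The OS calls it with three fixed parameters: queue name, queue library and the  */
/* 4-byte message reference key of the message that just arrived.                 */
PGM PARM(&MSGQ &MSGQLIB &MSGKEY)
  DCL VAR(&MSGQ)    TYPE(*CHAR) LEN(10)
  DCL VAR(&MSGQLIB) TYPE(*CHAR) LEN(10)
  DCL VAR(&MSGKEY)  TYPE(*CHAR) LEN(4)
  DCL VAR(&MSGID)   TYPE(*CHAR) LEN(7)
  DCL VAR(&MSGTXT)  TYPE(*CHAR) LEN(256)
  DCL VAR(&SENDER)  TYPE(*CHAR) LEN(80)     /* job name(1-10) user(11-20) number(21-26) */
  DCL VAR(&SEV)     TYPE(*DEC)  LEN(2 0)
  DCL VAR(&SEVC)    TYPE(*CHAR) LEN(2)
  DCL VAR(&NOTE)    TYPE(*CHAR) LEN(400)
  /* Assumed recipient - replace with the security administrator's mailbox */
  DCL VAR(&RCPT)    TYPE(*CHAR) LEN(50) VALUE('secadmin@example.com')

  /* Read exactly the message that triggered the break; leave it on the queue   */
  /* so it is still there for review with DSPMSG QSYSMSG.                       */
  RCVMSG MSGQ(&MSGQLIB/&MSGQ) MSGKEY(&MSGKEY) RMV(*NO) +
         MSG(&MSGTXT) MSGID(&MSGID) SEV(&SEV) SENDER(&SENDER)

  /* Build one alert line: message ID, severity, sending job, first 200 chars of text */
  CHGVAR VAR(&SEVC) VALUE(&SEV)
  CHGVAR VAR(&NOTE) VALUE(&MSGID *BCAT 'SEV' *BCAT &SEVC *BCAT 'FROM' *BCAT +
                          %SST(&SENDER 1 26) *BCAT %SST(&MSGTXT 1 200))

  /* Forward to the operator queue AND by mail, so it is seen when nobody is signed on */
  SNDMSG MSG(&NOTE) TOUSR(*SYSOPR)
  SNDSMTPEMM RCP((&RCPT *PRI)) SUBJECT('IBM i security alert from QSYSMSG') NOTE(&NOTE)
  MONMSG MSGID(CPF0000)   /* a mail failure must not take the break handler down */
ENDPGM

/* Source member MONQSYSMSG (assumed name) - the job that owns QSYSMSG in *BREAK mode. */
/* Submit it once, e.g. SBMJOB CMD(CALL MYLIB/MONQSYSMSG) JOB(MONQSYSMSG), and the OS  */
/* runs QSYSMSGBRK inside this job every time a message lands on QSYSMSG.             */
PGM
  CHGMSGQ MSGQ(QSYS/QSYSMSG) DLVRY(*BREAK) PGM(MYLIB/QSYSMSGBRK)
  LOOP: DLYJOB DLY(3600)    /* just stay alive; the break program does the work */
  GOTO CMDLBL(LOOP)
ENDPGM
```

Only one job at a time can hold a message queue in *BREAK delivery, so end any interactive session that has QSYSMSG in break mode before submitting MONQSYSMSG.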

iEventMonitor is a remote monitoring software solution that will handle all these message queues and alerts for you.