r_i_x

asked on

AS400 Security Log Searching

I need to get a report of when users have logged on and off our AS400. Any thoughts on how to filter the DSPLOG or is that even the correct approach?
Member_2_276102

r_i_x:

FIRST step is to define what's meant by "logged on and off". Via FTP? the Signon server? telnet? ODBC? remote command (maybe REXEC, maybe RmtCmd/Distributed Program Call, maybe 'other')? via any of the other possibilities? If via telnet, do you need to track group jobs separately?

Once "logged on and off" is clearly defined, it will be easier to give good answers. The history log that's behind DSPLOG might be more or less sufficient.

When all the various connection methods started to explode, the whole thing got (often) much more complicated.

Tom

ASKER

Signon server (if that's what you call it). I'm a Microsoft guy (not sure if I'm allowed to use that word in this Zone).

Users log on to a terminal connection using the iSeries Terminal Emulation. I guess the main question is how to filter the DSPLOG or is there a better method?
ASKER CERTIFIED SOLUTION
Member_2_276102

If you just need to log 'green-screen' access (TN5250).
1.  Create a log file <libl>/tblLog with three fields (usr varchar(10), ip varchar(15), dtstamp varchar(25)).
2.  Create the following CL program.  Save/compile in a library accessible to all users.
---------------------------  Start of source ------------------------------------------------------
PGM
/* Signon logger. Called as the user's initial program, so it runs once   */
/* per green-screen (TN5250) signon and records user, client IP and time   */
/* in the tblLog table from step 1. An initial program never sees the      */
/* signoff, so only signons are recorded.                                  */
dcl  &cmd        *char    256
dcl  &lib        *char     10
dcl  &user       *char     10
dcl  &jNbr       *char      6
dcl  &ipAddr     *char     15
dcl  &sysDate    *char      6
dcl  &sysTime    *char      9                       /* QTIME is hhmmssmmm       */
dcl  &fullDate   *char     25
dcl  &RcvVar     *char    892
dcl  &RcvVarLen  *char      4 X'0000037C'           /* 892 = length of &RcvVar  */
dcl  &format     *char      8 'DEVD0600'            /* display device format    */
dcl  &devD       *char     10
dcl  &APIError   *char      8 X'0000000000000000'   /* bytes provided = 0, so   */
                                                    /* the API signals errors   */
                                                    /* as escape messages       */

/* A logging failure must never block the signon: swallow every error. */
monmsg cpf0000

chgvar &lib value('DUGAN')                          /* library holding tblLog  */

/* For an interactive job the job name is the display device name, which */
/* is what QDCRDEVD needs below.                                          */
rtvjoba  job(&DevD) user(&User) nbr(&jNbr)
rtvsysval  sysval(QTIME) rtnvar(&sysTime)
rtvsysval  sysval(QDATE) rtnvar(&sysDate)
/* QDATE is in QDATFMT order; this builds mm/dd/yy hh:mm:ss and so      */
/* assumes QDATFMT is *MDY.                                              */
chgvar &fullDate  value(%SST(&sysDate 1 2) *cat '/' *cat +
                  %SST(&sysDate 3 2) *cat '/' *cat +
                  %SST(&sysDate 5 2) *bcat +
                  %SST(&sysTime 1 2) *cat ':' *cat +
                  %SST(&sysTime 3 2) *cat ':' *cat +
                  %SST(&sysTime 5 2))

/* get IP Address: the 15-byte dotted-decimal client address is read     */
/* from offset 878 of the DEVD0600 format returned by QDCRDEVD.          */
call pgm(QDCRDEVD) parm(&RcvVar &rcvVarLen &format &DevD &APIError)
chgvar &ipAddr value(%SST(&RcvVar 878 15))

/* Don't present a Qshell terminal session. */
addenvvar  envvar(QIBM_QSH_CMD_OUTPUT)     value('NONE')
monmsg CPFA980                                      /* already exists          */

/* *TCAT drops the trailing blanks of the fixed-length CL variables so   */
/* the VARCHAR columns are not padded with spaces (and WHERE usr = 'X'   */
/* matches). The table name matches step 1.                              */
chgvar &cmd ('INSERT INTO' *bcat &lib *tcat '.tblLog VALUES (' +
        *cat '''' *cat &user *tcat ''',' +
        *cat '''' *cat &ipAddr *tcat ''',' +
        *cat '''' *cat &fullDate *tcat ''')')

/* Run the INSERT through the Qshell db2 utility. */
chgvar  &cmd ('db2 "'  *cat  &cmd *tcat '"')
qsh cmd(&cmd)
return
endpgm
---------------------------  End of source ------------------------------------------------------

Add to the user's initial program to call:
chgusrprf usrprf(<username>) inlpgm(libr/pgm)

This way, you have a nice clean log file that you can query and generate reports.  Playing with QSH sucks and you're stuck with every message that gets logged.  

Hope this helps !

 - j
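The reporting side of the approach above, as an added example that is not part of j's post: SQL over the log table from step 1. It assumes the table is DUGAN.TBLLOG (the library the CL program names), that DTSTAMP holds the 'mm/dd/yy hh:mm:ss' text the program builds, DB2 for i 7.1 or later (for TIMESTAMP_FORMAT), and the sample rows inserted below are constructed for illustration.

```sql
-- Added example (not from j's post). Reporting over the signon log that
-- the CL initial program fills. Assumed: table DUGAN.TBLLOG as in step 1,
-- DTSTAMP in the 'mm/dd/yy hh:mm:ss' form the program builds, DB2 for i
-- 7.1 or later. The rows inserted below are constructed sample data.

CREATE TABLE DUGAN.TBLLOG (
  USR     VARCHAR(10) NOT NULL,
  IP      VARCHAR(15) NOT NULL,
  DTSTAMP VARCHAR(25) NOT NULL
);

-- Every user must be able to write the log but not read or change it:
-- insert-only for *PUBLIC, everything else revoked.
REVOKE ALL ON TABLE DUGAN.TBLLOG FROM PUBLIC;
GRANT INSERT ON TABLE DUGAN.TBLLOG TO PUBLIC;

INSERT INTO DUGAN.TBLLOG VALUES
  ('RIX',  '10.1.2.30',  '03/01/05 08:02:11'),
  ('RIX',  '10.1.2.30',  '03/01/05 13:40:52'),
  ('JDOE', '10.1.7.15',  '03/01/05 08:15:03'),
  ('JDOE', '10.1.7.15',  '03/02/05 08:09:30'),
  ('JDOE', '192.0.2.44', '03/02/05 02:13:48');

-- Convert the text stamp once to a real TIMESTAMP so ordering and date
-- arithmetic are chronological (as text, '12/31/04' sorts after
-- '03/01/05').
CREATE VIEW DUGAN.TBLLOG_TS AS
  SELECT USR, IP, TIMESTAMP_FORMAT(DTSTAMP, 'MM/DD/YY HH24:MI:SS') AS TS
    FROM DUGAN.TBLLOG;

-- 1. The "grep on the username" report.
SELECT USR, IP, TS
  FROM DUGAN.TBLLOG_TS
 WHERE USR = 'RIX'
 ORDER BY TS;

-- 2. Signons per user per day, with first and last time.
SELECT USR, DATE(TS) AS SIGNON_DATE, COUNT(*) AS SIGNONS,
       MIN(TIME(TS)) AS FIRST_SIGNON, MAX(TIME(TS)) AS LAST_SIGNON
  FROM DUGAN.TBLLOG_TS
 GROUP BY USR, DATE(TS)
 ORDER BY USR, SIGNON_DATE;

-- 3. Worth a second look: the first time a user appears from an address
--    (including their first signon ever), or a signon outside 07:00-19:00.
--    With the sample rows that is each user's first row plus JDOE's 02:13
--    signon from 192.0.2.44.
SELECT A.USR, A.IP, A.TS
  FROM DUGAN.TBLLOG_TS A
 WHERE HOUR(A.TS) NOT BETWEEN 7 AND 18
    OR NOT EXISTS (SELECT 1
                     FROM DUGAN.TBLLOG_TS B
                    WHERE B.USR = A.USR AND B.IP = A.IP AND B.TS < A.TS)
 ORDER BY A.TS;
```

Two caveats on relying on an initial program as the audit trail: it runs at signon only, so there is no signoff record, and it runs only if the user cannot replace it. A profile with LMTCPB(*NO) can type a different program into the Program/procedure field of the signon display, so pair this with LMTCPB(*YES) for the users you want logged.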

ASKER

I was hoping for something easy where I could CAT the file and GREP on the username or something like that. Any simple solutions available? I did output the DSPLOG for the SIGNON job but it only showed the past three days. I want to go back further.
SOLUTION
The CLEANUP mentioned by j is an example of how AS/400s aren't configured to provide log info until after someone needs it. There's an excellent chance that the option was set to auto-delete history after three days.

Tom
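Checking and changing that retention, and getting signon/signoff pairs out of QHST with a query instead of paging through DSPLOG, as an added example that is not part of Tom's post. It assumes IBM i 7.2 or later for the QSYS2 services used (QSYS2.HISTORY_LOG_INFO, QSYS2.OBJECT_STATISTICS with a generic name, and the QSYS2.QCMDEXC procedure; none of these exist on the AS/400 releases this thread dates from), that RIX is the user of interest, and that 90 days is the retention wanted.

```sql
-- Added example (not from Tom's post). The automatic cleanup option
-- "days to keep system journals and system logs" (SYSJRN) is what deletes
-- old QHST files. Assumed: IBM i 7.2 or later for the QSYS2 services,
-- user RIX, 90-day retention wanted.

-- How far back the history log really goes: the oldest QHST* file in
-- QSYS is the effective retention, whatever the cleanup setting says.
SELECT OBJNAME, OBJCREATED, OBJSIZE
  FROM TABLE(QSYS2.OBJECT_STATISTICS('QSYS', '*FILE', 'QHST*')) AS F
 ORDER BY OBJCREATED;

-- Raise the retention (from a CL command line: DSPCLNUP shows the
-- current values, CHGCLNUP changes them). 90 days of QHST, job logs 7.
CALL QSYS2.QCMDEXC('CHGCLNUP SYSJRN(90) JOBLOG(7)');

-- Signon and signoff, paired per job, for the last 30 days. CPF1124 is
-- "Job started" and CPF1164 "Job ended"; a job sends both to QHST itself,
-- so FROM_JOB is the user's own job (number/user/name) and the two
-- messages for one session join on it.
WITH H AS (
  SELECT MESSAGE_ID, MESSAGE_TIMESTAMP, FROM_JOB, MESSAGE_TEXT
    FROM TABLE(QSYS2.HISTORY_LOG_INFO(
                 START_TIME => CURRENT TIMESTAMP - 30 DAYS,
                 END_TIME   => CURRENT TIMESTAMP)) AS L
   WHERE MESSAGE_ID IN ('CPF1124', 'CPF1164')
     AND FROM_JOB LIKE '%/RIX/%'
)
SELECT S.FROM_JOB,
       S.MESSAGE_TIMESTAMP AS SIGNED_ON,
       E.MESSAGE_TIMESTAMP AS SIGNED_OFF,      -- NULL: still active, or
                                              -- ended outside the window
       TIMESTAMPDIFF(4, CHAR(E.MESSAGE_TIMESTAMP - S.MESSAGE_TIMESTAMP))
                           AS MINUTES_ON
  FROM H S
  LEFT JOIN H E
    ON E.FROM_JOB = S.FROM_JOB AND E.MESSAGE_ID = 'CPF1164'
 WHERE S.MESSAGE_ID = 'CPF1124'
   -- the start message names the subsystem; keep only green-screen jobs.
   -- Drop this line to see batch, FTP, ODBC and other jobs too.
   AND S.MESSAGE_TEXT LIKE '%subsystem QINTER%'
 ORDER BY S.MESSAGE_TIMESTAMP;
```

HISTORY_LOG_INFO reads whatever QHST files are still on the system, so raising SYSJRN (or saving the QHST files before cleanup deletes them) is what makes the 30-day window above actually return 30 days.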
SOLUTION
Shalom Carmel

Another option could be to activate auditing on the system, setting up a journal (QAUDJRN, if I'm not wrong), then running DSPJRN on the journal every night with the right values keyed in; if I'm not wrong again, it should be JS (for job start), then selecting the interactive job starts via a query.

This way you have far more information than by looking at the DSPLOG or QHST. The same journal can also give you a hint in finding the number of failed logons and the IP of the attempt.
It is a great tool; just take a look at the QAUD* values in the system values.

Just my 2 cents.
Bye
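Shalom's suggestion carried through to working queries, as an added example that is not part of his post: the one-time setup of QAUDJRN (in a comment, as CL), then SQL over the journal with QSYS2.DISPLAY_JOURNAL for interactive job starts/ends (JS) and failed signons (PW). It assumes IBM i 7.2 or later, that auditing is enabled as in the setup comment, that the entry-specific data follows the QASYJSJ5/QASYPWJ5 model outfile layouts (entry subtype in byte 1, and for JS the job type in byte 2) and is readable as CCSID 37 text; those last two are layout assumptions to verify against your release's Security Reference.

```sql
-- Added example (not from Shalom's post). Signon activity from QAUDJRN
-- with SQL on IBM i 7.2 or later. Assumed: auditing enabled as below;
-- QASYJSJ5/QASYPWJ5 layouts (entry subtype in byte 1, JS job type in
-- byte 2 of the entry-specific data) and CCSID 37 for that data, both to
-- be checked against your release.
--
-- One-time setup, from a CL command line with *AUDIT special authority.
-- *AUTFAIL produces the PW (password failure) entries, *JOBDTA the JS
-- (job start/end) entries. DLTRCV(*NO): the system detaches full
-- receivers but never deletes them, so the trail lasts until you save
-- and delete it yourself.
--   CRTJRNRCV JRNRCV(QGPL/AUDRCV0001) THRESHOLD(100000) AUT(*EXCLUDE)
--   CRTJRN    JRN(QSYS/QAUDJRN) JRNRCV(QGPL/AUDRCV0001) +
--             MNGRCV(*SYSTEM) DLTRCV(*NO) AUT(*EXCLUDE)
--   CHGSYSVAL SYSVAL(QAUDLVL) VALUE('*AUTFAIL *JOBDTA')
--   CHGSYSVAL SYSVAL(QAUDCTL) VALUE('*AUDLVL')
-- Before 7.2 the route Shalom describes is DSPJRN JRN(QSYS/QAUDJRN)
-- JRNCDE((T)) ENTTYP(JS) OUTPUT(*OUTFILE) OUTFILFMT(*TYPE5) into a copy
-- of the QSYS/QASYJSJ5 model file, then a query over that file.

-- Interactive job starts and ends for the last 30 days. JS subtypes:
-- S = start, E = end, N = ENDJOB, A = ENDJOBABN. Job type I = interactive.
WITH JS AS (
  SELECT ENTRY_TIMESTAMP, JOB_NUMBER, JOB_USER, JOB_NAME, REMOTE_ADDRESS,
         CAST(ENTRY_DATA AS VARCHAR(2000) CCSID 37) AS ED
    FROM TABLE(QSYS2.DISPLAY_JOURNAL(
                 'QSYS', 'QAUDJRN',
                 JOURNAL_CODES       => 'T',
                 JOURNAL_ENTRY_TYPES => 'JS',
                 STARTING_TIMESTAMP  => CURRENT TIMESTAMP - 30 DAYS)) AS J
)
SELECT ENTRY_TIMESTAMP, SUBSTR(ED, 1, 1) AS JS_SUBTYPE,
       JOB_NUMBER, JOB_USER, JOB_NAME, REMOTE_ADDRESS
  FROM JS
 WHERE SUBSTR(ED, 2, 1) = 'I'
   AND SUBSTR(ED, 1, 1) IN ('S', 'E', 'N', 'A')
 ORDER BY JOB_USER, ENTRY_TIMESTAMP;

-- Failed signons per user name tried and source address, the "number of
-- failed logons and the IP" Shalom mentions. PW subtypes: P = password
-- not valid, U = user name not valid, Q = profile disabled, R = password
-- expired. Five or more from one address in a week is worth a look.
WITH PW AS (
  SELECT ENTRY_TIMESTAMP, REMOTE_ADDRESS,
         CAST(ENTRY_DATA AS VARCHAR(2000) CCSID 37) AS ED
    FROM TABLE(QSYS2.DISPLAY_JOURNAL(
                 'QSYS', 'QAUDJRN',
                 JOURNAL_CODES       => 'T',
                 JOURNAL_ENTRY_TYPES => 'PW',
                 STARTING_TIMESTAMP  => CURRENT TIMESTAMP - 7 DAYS)) AS J
)
SELECT SUBSTR(ED, 1, 1)  AS PW_SUBTYPE,
       SUBSTR(ED, 2, 10) AS USER_TRIED,
       REMOTE_ADDRESS,
       COUNT(*)             AS FAILURES,
       MIN(ENTRY_TIMESTAMP) AS FIRST_SEEN,
       MAX(ENTRY_TIMESTAMP) AS LAST_SEEN
  FROM PW
 GROUP BY SUBSTR(ED, 1, 1), SUBSTR(ED, 2, 10), REMOTE_ADDRESS
HAVING COUNT(*) >= 5
 ORDER BY FAILURES DESC;
```

The journal receivers are the evidence, so keep them off the cleanup path: with DLTRCV(*NO) nothing is removed until you save and delete detached receivers yourself, which is also what makes a "go back further than three days" request answerable. On current releases IBM also ships SYSTOOLS table functions such as AUDIT_JOURNAL_PW that return the entry-specific fields already parsed, which removes the layout assumption made above.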