r_i_x asked:
AS400 Security Log Searching
I need to get a report of when users have logged on and off our AS400. Any thoughts on how to filter the DSPLOG or is that even the correct approach?
ASKER
Signon server (if that's what you call it). I'm a Microsoft guy (not sure if I'm allowed to use that word in this Zone).
Users log on to a terminal connection using the iSeries Terminal Emulation. I guess the main question is how to filter the DSPLOG or is there a better method?
ASKER CERTIFIED SOLUTION
If you just need to log 'green-screen' access (TN5250).
1. Create a log file <libl>/TestLog with three fields (usr varchar(10), ip varchar(15), dtstamp varchar(25)).
2. Create the following CL program. Save/compile in a library accessible to all users.
-------------------------- Start of source --------------------------
PGM
/* Writes user, client IP and a timestamp to TestLog at every green-screen signon */
dcl &cmd *char 256
dcl &lib *char 10
dcl &user *char 10
dcl &jNbr *char 6
dcl &ipAddr *char 15
dcl &sysDate *char 6
dcl &sysTime *char 10
dcl &fullDate *char 25
dcl &RcvVar *char 892                       /* receiver variable for QDCRDEVD */
dcl &RcvVarLen *char 4 X'0000037C'          /* 892 as a 4-byte binary length */
dcl &format *char 8 'DEVD0600'              /* display device description format */
dcl &devD *char 10
dcl &APIError *char 8 X'0000000000000000'   /* bytes provided = 0: API signals errors as messages */
dclf TestLog                                /* the log file; must exist at compile time */
monmsg cpf0000                              /* never block a signon because logging failed */
chgvar &lib value('DUGAN')                  /* library that holds TestLog */
/* for an interactive job the job name is the device name that QDCRDEVD needs */
rtvjoba job(&DevD) user(&User) nbr(&jNbr)
rtvsysval sysval(QTIME) rtnvar(&sysTime)
rtvsysval sysval(QDATE) rtnvar(&sysDate)
/* build 'date hh:mm:ss' (date digits in QDATFMT order) from QDATE and QTIME */
chgvar &fullDate value(%SST(&sysDate 1 2) *cat '/' *cat +
%SST(&sysDate 3 2) *cat '/' *cat +
%SST(&sysDate 5 2) *bcat +
%SST(&sysTime 1 2) *cat ':' *cat +
%SST(&sysTime 3 2) *cat ':' *cat +
%SST(&sysTime 5 2))
/* get the IP address of the remote client from the device description */
call pgm(QDCRDEVD) parm(&RcvVar &rcvVarLen &format &DevD &APIError)
chgvar &ipAddr value(%SST(&RcvVar 878 15))
/* Don't present a Qshell terminal session. */
addenvvar envvar(QIBM_QSH_CMD_OUTPUT) value('NONE')
monmsg CPFA980                              /* variable already exists: fine */
/* builds: INSERT INTO DUGAN.TestLog VALUES ('user','ip','date time') */
chgvar &cmd ('INSERT INTO' *bcat &lib *tcat '.TestLog VALUES (' +
*cat '''' *cat &user *cat ''',' +
*cat '''' *cat &ipAddr *cat ''',' +
*cat '''' *cat &fullDate *cat ''')')
chgvar &cmd ('db2 "' *cat &cmd *tcat '"')   /* run it through the db2 CLP in Qshell */
qsh cmd(&cmd)
return
endpgm
-------------------------- End of source --------------------------
Add to the user's initial program to call:
chgusrprf usrprf(<username>) inlpgm(libr/pgm)
This way, you have a nice clean log file that you can query and generate reports. Playing with QSH sucks and you're stuck with every message that gets logged.
Hope this helps!
- j
ASKER
I was hoping for something easy where I could CAT the file and GREP on the username or something like that. Any simple solutions available? I did output the DSPLOG for the SIGNON job but it only showed the past three days. I want to go back further.
SOLUTION
The CLEANUP mentioned by j is an example of how AS/400s aren't configured to provide log info until after someone needs it. There's an excellent chance that the option was set to auto-delete history after three days.
Tom
SOLUTION
Another chance could be to activate auditing on the system, setting up a journal (QAUDJRN, if I'm not wrong), then running every night the DSPJRN of the journal keying the right values; if I'm not wrong again, it should be JS (for job start), then selecting via a query the interactive job starts.
This way you have far more information than looking at the DSPLOG or QHST. The same journal can also give you a hint in finding the number of failed logons and the IP of the attempt.
It is a great tool, just take a look at the QAUD* values in the sysvalues.
Just my 2 cents.
Bye
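The audit-journal route described above, worked through as an added example that is not from the thread or from IBM: a CL program run nightly that pulls JS (job start/end) and PW (password/user-name failure) entries from QSYS/QAUDJRN into a *TYPE5 outfile and loads a queryable signon report from it. The library SECLOG, the file and table names, the one-time setup listed in the header, the byte positions read from the entry-specific data (JOESD) and the QPADEV* job-name filter for interactive sessions are all assumptions.

```cl
/* AUDSIGNON - added example (not from the thread): nightly extract of        */
/* signon, signoff and failed-logon activity from the security audit journal. */
/* One-time setup assumed done beforehand (library SECLOG is assumed too):    */
/*   CRTJRNRCV JRNRCV(SECLOG/AUDRCV0001) THRESHOLD(100000)                    */
/*   CRTJRN    JRN(QSYS/QAUDJRN) JRNRCV(SECLOG/AUDRCV0001) MNGRCV(*SYSTEM)    */
/*   CHGSYSVAL SYSVAL(QAUDCTL) VALUE('*AUDLVL')                               */
/*   CHGSYSVAL SYSVAL(QAUDLVL) VALUE('*JOBDTA *AUTFAIL')   (JS and PW entries)*/
/*   CREATE TABLE SECLOG.SIGNONS (EVT CHAR(8), EVTTS CHAR(26),               */
/*          USRPRF CHAR(10), JOBNAME CHAR(10), RMTADDR CHAR(46))              */
PGM
  /* JS and PW entries from the current receiver chain into a *TYPE5 outfile */
  /* (QJORDJE5 layout: JOENTT, JOTSTP, JOUSPF, JOJOB, JORADR, JOESD ...).    */
  DSPJRN JRN(QSYS/QAUDJRN) RCVRNG(*CURCHAIN) JRNCDE((T)) ENTTYP(JS PW) +
         OUTPUT(*OUTFILE) OUTFILFMT(*TYPE5) OUTFILE(SECLOG/AUDRAW) +
         ENTDTALEN(*CALC)
  MONMSG MSGID(CPF7062) EXEC(RETURN)     /* no entries selected: nothing to do */

  /* The report is rebuilt from the whole chain each night, so clear it first */
  RUNSQL SQL('DELETE FROM SECLOG.SIGNONS') COMMIT(*NONE)

  /* Interactive signon/signoff. Assumptions: the entry type is byte 1 of the */
  /* entry-specific data JOESD (S = start, E = end) and interactive sessions  */
  /* run under auto-configured QPADEV* virtual device job names.              */
  RUNSQL SQL('INSERT INTO SECLOG.SIGNONS +
              SELECT CASE SUBSTR(JOESD,1,1) WHEN ''S'' THEN ''SIGNON'' +
                                            ELSE ''SIGNOFF'' END, +
                     JOTSTP, JOUSPF, JOJOB, JORADR +
              FROM SECLOG.AUDRAW +
              WHERE JOENTT = ''JS'' AND SUBSTR(JOESD,1,1) IN (''S'',''E'') +
                AND JOJOB LIKE ''QPADEV%''') COMMIT(*NONE)

  /* Failed logons: PW entry type P (password not valid) or U (user name not  */
  /* valid); the attempted user name is bytes 2-11 of JOESD (assumption).     */
  RUNSQL SQL('INSERT INTO SECLOG.SIGNONS +
              SELECT ''PWFAIL'', JOTSTP, SUBSTR(JOESD,2,10), JOJOB, JORADR +
              FROM SECLOG.AUDRAW +
              WHERE JOENTT = ''PW'' AND SUBSTR(JOESD,1,1) IN (''P'',''U'')') +
         COMMIT(*NONE)
ENDPGM
```

Afterwards `SELECT * FROM SECLOG.SIGNONS WHERE USRPRF = 'SOMEUSER' ORDER BY EVTTS` gives the per-user on/off history, and `WHERE EVT = 'PWFAIL'` grouped by RMTADDR gives the failed-logon counts per source address that the post mentions.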
FIRST step is to define what's meant by "logged on and off". Via FTP? the Signon server? telnet? ODBC? remote command (maybe REXEC, maybe RmtCmd/Distributed Program Call, maybe 'other')? via any of the other possibilities? If via telnet, do you need to track group jobs separately?
Once "logged on and off" is clearly defined, it will be easier to give good answers. The history log that's behind DSPLOG might be more or less sufficient.
When all the various connection methods started to explode, the whole thing got (often) much more complicated.
Tom
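For the history-log route Tom leaves open, an added example (not from the thread): a CL program that filters QHST down to the job-started (CPF1124) and job-ended (CPF1164) messages over the whole retained period and copies the printout into a file that can be queried or grepped. The library SECLOG and the file name are assumptions.

```cl
/* HSTSIGNON - added example: signon/signoff report straight from QHST.      */
/* CPF1124 = 'Job ... started', CPF1164 = 'Job ... ended'; both messages     */
/* carry job name, user and job number. Library SECLOG is an assumption.     */
PGM
  /* Every retained QHST entry for the two message ids, as a printout        */
  /* (spooled file QPDSPLOG). How far back this reaches is bounded by the    */
  /* history-log retention set in the cleanup options (GO CLEANUP).          */
  DSPLOG LOG(QHST) PERIOD((*AVAIL *BEGIN) (*AVAIL *END)) +
         MSGID(CPF1124 CPF1164) OUTPUT(*PRINT)

  /* Turn the printout into a physical file so it can be queried.           */
  CRTPF FILE(SECLOG/HSTLOG) RCDLEN(132)
  MONMSG MSGID(CPF5813)                 /* file already exists: reuse it      */
  CPYSPLF FILE(QPDSPLOG) TOFILE(SECLOG/HSTLOG) SPLNBR(*LAST) MBROPT(*REPLACE)
ENDPGM
```

From there `SELECT * FROM SECLOG.HSTLOG WHERE HSTLOG LIKE '%SOMEUSER%'` (or a grep on the same file under Qshell) answers the original question, but only for the days QHST still holds.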