CA Unified Infrastructure Management


Probe Guide for iSeries Journal Message Monitoring

v1.0 series


Copyright Notice

This online help system (the "System") is for your informational purposes only and is subject to change or withdrawal by CA at any time.

This System may not be copied, transferred, reproduced, disclosed, modified or duplicated, in whole or in part, without the prior written consent of CA. This System is confidential and proprietary information of CA and protected by the copyright laws of the United States and international treaties. This System may not be disclosed by you or used for any purpose other than as may be permitted in a separate agreement between you and CA governing your use of the CA software to which the System relates (the “CA Software”). Such agreement is not modified in any way by the terms of this notice. Notwithstanding the foregoing, if you are a licensed user of the CA Software you may make one copy of the System for internal use by you and your employees, provided that all CA copyright notices and legends are affixed to the reproduced copy.

The right to make a copy of the System is limited to the period during which the license for the CA Software remains in full force and effect. Should the license terminate for any reason, it shall be your responsibility to certify in writing to CA that all copies and partial copies of the System have been destroyed.

TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS SYSTEM “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NONINFRINGEMENT. IN NO EVENT WILL CA BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY LOSS OR DAMAGE, DIRECT OR INDIRECT, FROM THE USE OF THIS SYSTEM, INCLUDING WITHOUT LIMITATION, LOST PROFITS, LOST INVESTMENT, BUSINESS INTERRUPTION, GOODWILL, OR LOST DATA, EVEN IF CA IS EXPRESSLY ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE.

The manufacturer of this System is CA.

Provided with “Restricted Rights.” Use, duplication or disclosure by the United States Government is subject to the restrictions set forth in FAR Sections 12.212, 52.227-14, and 52.227-19(c)(1) - (2) and DFARS Section 252.227-7014(b)(3), as applicable, or their successors.

Copyright © 2014 CA. All rights reserved. All trademarks, trade names, service marks, and logos referenced herein belong to their respective companies.

Legal information on third-party and public domain software used in this product is documented in the Third-Party Licenses and Terms of Use


Contact CA

Contact CA Support

For your convenience, CA Technologies provides one site where you can access the information that you need for your Home Office, Small Business, and Enterprise CA Technologies products. At http://ca.com/support, you can access the following resources:

■ Online and telephone contact information for technical assistance and customer services

■ Information about user communities and forums

■ Product and documentation downloads

■ CA Support policies and guidelines

■ Other helpful resources appropriate for your product

Providing Feedback about Product Documentation

Send comments or questions about CA Technologies product documentation to nimsoft.techpubs@ca.com.

To provide feedback about general CA Technologies product documentation, complete our short customer survey which is available on the support website at


Contents

Chapter 1: journal 1.0

journal Overview

Prerequisites and Supported Platforms

journal configuration

The Setup Tab

The Profiles Tab

Journal Messages Tab


Chapter 1: journal 1.0

This description applies to journal probe version 1.0

This section contains the following topics:

■ journal Overview

■ Documentation Changes

■ Prerequisites and Supported Platforms

■ journal configuration

■ How to enable auditing in iSeries

journal Overview

The journal probe monitors the journal messages on the iSeries (AS/400) computer hosting the probe.

The QAUDJRN journal is configured to be monitored, and additional journals may be specified for monitoring.

An example of a typical journal file to monitor is the Audit Journal (QAUDJRN in the QSYS library). A description of how to enable auditing is included in the ‘How to enable auditing in iSeries’ section below.


Documentation Changes

This table describes the version history for this document.

Version | Date | What's New?
1.0 | Sept 2014 | Updated the product name to CA UIM.
1.0 | March 2011 | Added support for raw_journal_code and raw_entry_type flags in the profile; added advanced option to allow the raw journal code and entry type field values.

Related Documentation

■ Documentation for other versions of the journal probe

■ The Release Notes for the journal probe

■ Monitor Metrics Reference Information for CA Unified Infrastructure Management Probes (http://docs.nimsoft.com/prodhelp/en_US/Probes/ProbeReference/index.htm)

Prerequisites and Supported Platforms

Platform: IBM iSeries (AS/400) 5.1 or above

journal configuration

The journal probe is configured by double-clicking the line representing the probe in the Infrastructure Manager. This brings up the configuration tool for the probe.

The configuration user-interface shows the following tabs:

■ Setup Tab

■ Profiles Tab


The Setup Tab

The Setup tab contains three subtabs:

■ General

■ Messages

■ Journals

General Tab

Field | Description
Check interval | The Perform check each field specifies the frequency (in seconds) at which the journals will be scanned for new entries.
Log level | Specifies the level of detail written to the probe log file.
Log size | Specifies the maximum size (in KB) to which the probe log file can grow before it is renamed and a new log is started.
Messages to Read | Optional setting to limit the number of messages to be read on each fetch. You might want to use this option if the journal entry size varies greatly between journals being monitored. In most cases you can leave this field empty.
Repeated calls from configuration tool | When listing journal entries from the configuration tool, you can specify a time interval, and in many cases the internal message buffer will not be able to hold all these entries. This setting allows the configuration tool to repeatedly call the probe so that you can list all the entries for the time interval. You can press Escape to abort listing.
Save window size and default journal messages setup | Pressing this button saves the current window size and the journal messages Journal, Restrict to and Immediate fetch settings to the registry for the current user. These settings are used as default settings each time the configuration tool is launched.

Messages Tab

This tab lists the alarm messages available for use in the monitoring profiles. On the initial configuration, there will be one default message. You can create your own messages with the message text and severity level as required. The following options are available in the right-click menu for the message list.

Field | Description
Edit | Modify the fields of the alarm message.
Delete | Remove the selected alarm message. You will be asked to confirm this operation.

Field | Description
Text | The message text. Variables available for the entry found situation are: profile, description, journal, commit_cycle_identifier, entry_count, entry_type, job_name, job_number, journal_identifier, program_name, sequence_number, system_name, time_stamp, user_name, journal_code, user_profile, object_name, object_library, object_member, data, JC, ET, and keys from the data field. Variables on journal read error situations are: error, journal_name, journal_lib.
Level | Severity level of the alarm.
Subsystem | Alarm subsystem.
Usage | Check one of Use as default or Use as error if you want this message to be the default message for this alarm situation.


Journals Tab

Lists the journals to be monitored. On the initial configuration, there will be an entry for the Audit journal, with journal name QAUDJRN and library QSYS. You can add entries for additional journals.

Field | Description
Configured journals | The list contains the journals which are currently being monitored. The following options are available in the right-click menu for the journal list. New: Create a new journal definition. You need to specify journal name and library. Edit: Modify fields of the journal definition. Delete: Remove the selected journal definition. You will be asked to confirm this operation.
Internal journal name | You can name the journal as you please. This name will be used to reference the journal from profiles and from the Journal messages list.
Journal file library | The library in which the journal resides.

The Profiles Tab

The Profiles tab lists all the currently configured monitoring profiles. Each profile is matched against journal messages fetched from the configured journals. The properties dialog of a profile defines the criteria for when a message matches and an alarm message is sent.

Active profiles are indicated by the selected check boxes. You can enable or disable monitoring of a specific profile by checking or unchecking the profile.

The following commands are available when you right-click in the profile list:

New

Create a new profile, presenting you with the profile properties dialog described below.

Edit

Edit the profile properties.

Delete

Delete the profile. You will be asked to confirm this operation.

Move up and Move down


Profile Properties

Double-clicking on a profile (or right-clicking and selecting Edit) brings up the profile properties dialog. Generic profile properties are:

Field | Description
Name | The name of the profile.
Active | Enables or disables the profile. Same as checking / unchecking the profile in the profiles list.
Description | An optional user defined profile description. The profile description may be used as a variable in messages sent for the profile.


Message selection criteria are configured on the Message properties tab and alarm properties on the Actions tab.

Message recognition

These values are checked against all journal messages fetched to determine if the profile matches the message. All checked fields must match for the profile to match and an alarm to be sent.

Regular expressions are supported in all the fields.

Field | Description
Journal code | The primary category of the journal entry. This field has a distinct set of possible values. You may either select one of these from the drop down list or specify a regular expression. In the Advanced tab you may select to change this field to Journal code (raw). The dropdown list will reflect the change and the current value is translated if possible. Note: When a value is selected from the dropdown list, the tooltip for the field is changed to show the code for the selected value. See also the ‘Journal code (code)’ field.
Entry type | Further identifies the type of user-created or system-created entry. This field has a distinct set of possible values. You may either select one of these from the drop down list or specify a regular expression. In the Advanced tab you may select to change this field to Entry type (raw). The dropdown list will reflect the change and the current value is translated if possible. Note: When a value is selected from the dropdown list, the tooltip for the field is changed to show the code for the selected value. See also the ‘Entry type (code)’ field.
Job name | The name of the job that added the entry.
Program name | The name of the program that added the entry. If an application or CL program did not add the entry, the field contains the name of a system-supplied program such as QCMD or QPGMMENU. If the program name is the special value *NONE, then one of the following is true: the program name does not apply to this journal entry, or the program name was not available when the journal entry was made. For example, the program name is not available if the program was destroyed.
System name | The name of the system on which the entry is being retrieved, if the journal receiver was attached prior to installing V4R2M0 on the system. If the journal receiver was attached while the system was running V4R2M0 or a later release, the system name refers to the system where the journal entry was actually deposited.
User name | The user profile name of the user that started the job.
User profile | The name of the effective user profile under which the job was running when the entry was created.
Object name | The name of the object for which the journal entry was added. If the entry is not associated with a journaled object, this field is blank. If the object associated with the journal entry is a file object, this field contains the file name.
Object library | If the object associated with the journal entry is a file object, this field contains the file library name.
Object member | If the object associated with the journal entry is a file object, this field contains the member name of the object.
Data | Exact match or regular expression to compare with journal entry field.
Only if not matched by other profile | Do not match this profile if the journal entry has already been matched by another profile. Note that you will need to observe the profile ordering.
Test | The test button allows you to run a test query against existing entries in the journal. The Journal Messages tab in the main dialog is replaced with a Test Result tab. The same time restriction is used as for Journal messages.

(19)

journal configuration Documentation Changes 19 Actions Field Description Use alarm message

Determine which alarm message should be used when the alarm condition arises. If nothing is selected, the default message will be used.

Suppression key The suppression key is used by the nas to determine which messages describe the same alarm situation.

Advanced

Field | Description
Journal code field type | Determine if the Journal code field in the message recognition tab should display interpreted (Text) or uninterpreted (Raw) information.
Entry type field type |


Journal Messages Tab

The Journal messages tab will display the messages from one of the configured journals.

Fields displayed are:

Journal code

The primary category of the journal entry.

Entry type

Further identifies the type of user-created or system-created entry.

Job name

The name of the job that added the entry.

Program name

The name of the program that added the entry. If an application or CL program did not add the entry, the field contains the name of a system-supplied program such as QCMD or QPGMMENU. If the program name is the special value *NONE, then one of the following is true:

■ The program name does not apply to this journal entry.

■ The program name was not available when the journal entry was made. For example, the program name is not available if the program was destroyed.

If the program that deposited the journal entry is an original program model program, this data will be complete. Otherwise, this data is unpredictable.

System name

The name of the system on which the entry is being retrieved, if the journal receiver was attached prior to installing V4R2M0 on the system. If the journal receiver was attached while the system was running V4R2M0 or a later release, the system name is the system where the journal entry was actually deposited.

Time stamp

The system date and time when the journal entry was added to the journal receiver.

User name

The user profile name of the user that started the job.

User profile

The name of the effective user profile under which the job was running when the entry was created.

Object name

The name of the object for which the journal entry was added. If the entry is not associated with a journal object, this field is blank.

If the object associated with the journal entry is a file object, the object name field contains the file name.

Object library

If the object associated with the journal entry is a file object, the object library field contains the file library name.

Object member

If the object associated with the journal entry is a file object the object member field contains the member name of the object.

Data

The data field will contain additional fields from the variable portion of the journal entry. Each field is represented as a <key>=<value> pair.

Journal code (raw)

This field contains the same information as the Journal code field above, but in the un-interpreted format.

Entry type (raw)

This field contains the same information as the Entry type field above, but in the un-interpreted format.

You may create profiles to match to the messages as they are fetched from the journals. All the above fields except Time stamp can be used for message recognition.

An alarm message is raised when a journal message is recognized. Note that the same journal message may be recognized by multiple profiles. Alarm message to use and suppression key may be configured for each profile.
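A minimal model of the matching rules described above, as an added example that is not the probe's own code: every checked field must match, one journal entry can be recognized by several profiles, and "Only if not matched by other profile" depends on profile order. It assumes Python `re.fullmatch` semantics for the patterns (the probe's regular expression syntax is not described here); the entries, data keys and profile names are constructed.

```python
import re
from dataclasses import dataclass


@dataclass
class Profile:
    name: str
    criteria: dict                   # only the "checked" fields: field -> pattern
    only_if_unmatched: bool = False  # "Only if not matched by other profile"
    active: bool = True

    def matches(self, entry: dict) -> bool:
        # Every checked field must match; a field the entry lacks is treated as blank.
        return all(
            re.fullmatch(pattern, entry.get(fld, "")) is not None
            for fld, pattern in self.criteria.items()
        )


def evaluate(profiles, entry):
    """Return the names of the profiles that would alarm on entry, in list order."""
    hits = []
    for profile in profiles:
        if not profile.active:
            continue
        if profile.only_if_unmatched and hits:
            continue  # an earlier profile already recognized this entry
        if profile.matches(entry):
            hits.append(profile.name)
    return hits


# Constructed audit-journal entries (values and data keys are made up).
SECOFR_PW = {"journal_code": "T", "entry_type": "PW", "job_name": "QPADEV0003",
             "user_name": "QSECOFR", "data": "violation=P device=QPADEV0003"}
USER_PW = {"journal_code": "T", "entry_type": "PW", "job_name": "QPADEV0007",
           "user_name": "ALICE", "data": "violation=P device=QPADEV0007"}
AUTH_FAIL = {"journal_code": "T", "entry_type": "AF", "job_name": "NIGHTLY",
             "user_name": "BATCH", "data": "violation=A object=PAYROLL"}

# Hypothetical profiles, in the order they appear in the profile list.
PROFILES = [
    Profile("secofr-password", {"journal_code": "T", "entry_type": "PW",
                                "user_name": "QSECOFR"}),
    Profile("other-password", {"journal_code": "T", "entry_type": "PW"},
            only_if_unmatched=True),
    Profile("payroll-access", {"journal_code": "T", "data": r".*object=PAYROLL.*"}),
    Profile("audit-overview", {"journal_code": "T", "entry_type": "PW|AF"}),
]

if __name__ == "__main__":
    for entry in (SECOFR_PW, USER_PW, AUTH_FAIL):
        print(entry["entry_type"], entry["user_name"], "->", evaluate(PROFILES, entry))
    # Moving the fallback profile to the top changes the outcome for the same entry.
    reordered = [PROFILES[1], PROFILES[0]] + PROFILES[2:]
    print("reordered ->", evaluate(reordered, SECOFR_PW))
```

With the fallback profile moved above the specific one, the same entry raises an extra alarm, which is why the guide tells you to observe the profile ordering.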


The Test Result tab lists a number of messages. The number of entries is limited by the message buffer size and messages to read parameters configured in the Setup tab. The oldest messages are read and displayed first.

Use the Journal field to specify from which journal messages are to be displayed and the Restrict to field to determine from what time messages are to be fetched. You can turn


How to enable auditing in iSeries

The following information is taken from the security auditing section of the iSeries Information Center (version 5, revision 4) on the ibm.com website:

Setting up auditing requires *AUDIT special authority. To set up security auditing, follow these steps:

1. Create a journal receiver in a library of your choice by using the Create Journal Receiver (CRTJRNRCV) command. This example uses a library called JRNLIB for journal receivers.

   CRTJRNRCV JRNRCV(JRNLIB/AUDRCV0001) +
             TEXT('Auditing Journal Receiver')

   ■ Place the journal receiver in a library that is saved regularly. Do not place the journal receiver in library QSYS, even though that is where the journal will be.

   ■ Choose a journal receiver name that can be used to create a naming convention for future journal receivers, such as AUDRCV0001. You can use the *GEN option when you change journal receivers to continue the naming convention. Using this type of naming convention is also useful if you choose to have the system manage changing your journal receivers.

   ■ Specify a receiver threshold appropriate to your system size and activity. The size you choose should be based on the number of transactions on your system and the number of actions you choose to audit. If you use system change-journal management support, the journal receiver threshold must be at least 100 000 KB.

   ■ Specify *EXCLUDE on the AUT parameter to limit access to the information stored in the journal.

2. Create the QSYS/QAUDJRN journal by using the Create Journal (CRTJRN) command:

   CRTJRN JRN(QSYS/QAUDJRN) +
          JRNRCV(JRNLIB/AUDRCV0001) +
          MNGRCV(*SYSTEM) DLTRCV(*NO) +
          AUT(*EXCLUDE) TEXT('Auditing Journal')

   ■ The name QSYS/QAUDJRN must be used.

   ■ Specify the name of the journal receiver you created in the previous step.

   ■ Use the Manage receiver (MNGRCV) parameter to have the system change the journal receiver and attach a new one when the attached receiver exceeds the threshold specified when the journal receiver was created. If you choose this option, you do not have to use the CHGJRN command to detach receivers and create and attach new receivers manually.

   ■ Do not have the system delete detached receivers. Specify DLTRCV(*NO), which is the default. The QAUDJRN receivers are your security audit trail. Ensure that they are adequately saved before deleting them from the system.

3. Set the audit level (QAUDLVL) system value or the audit level extension (QAUDLVL2) system value using the WRKSYSVAL command. The QAUDLVL and QAUDLVL2 system values determine which actions are logged to the audit journal for all users on the system.

4. Set action auditing for individual users if necessary using the CHGUSRAUD command.

5. Set object auditing for specific objects if necessary using the CHGOBJAUD and CHGDLOAUD commands.

6. Set object auditing for specific users if necessary using the CHGUSRAUD command.

7. Set the QAUDENDACN system value to control what happens if the system cannot access the audit journal.

8. Set the QAUDFRCLVL system value to control how often audit records are written to auxiliary storage.

9. Start auditing by setting the QAUDCTL system value to a value other than *NONE.

Note: The QSYS/QAUDJRN journal must exist before you can change the QAUDCTL
