Probe Guide for iSeries Journal
Message Monitoring
v1.0 series
Copyright Notice
This online help system (the "System") is for your informational purposes only and is subject to change or withdrawal by CA at any time.
This System may not be copied, transferred, reproduced, disclosed, modified or duplicated, in whole or in part, without the prior written consent of CA. This System is confidential and proprietary information of CA and protected by the copyright laws of the United States and international treaties. This System may not be disclosed by you or used for any purpose other than as may be permitted in a separate agreement between you and CA governing your use of the CA software to which the System relates (the “CA Software”). Such agreement is not modified in any way by the terms of this notice. Notwithstanding the foregoing, if you are a licensed user of the CA Software you may make one copy of the System for internal use by you and your employees, provided that all CA copyright notices and legends are affixed to the reproduced copy.
The right to make a copy of the System is limited to the period during which the license for the CA Software remains in full force and effect. Should the license terminate for any reason, it shall be your responsibility to certify in writing to CA that all copies and partial copies of the System have been destroyed.
TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS SYSTEM “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NONINFRINGEMENT. IN NO EVENT WILL CA BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY LOSS OR DAMAGE, DIRECT OR INDIRECT, FROM THE USE OF THIS SYSTEM, INCLUDING WITHOUT LIMITATION, LOST PROFITS, LOST INVESTMENT, BUSINESS INTERRUPTION, GOODWILL, OR LOST DATA, EVEN IF CA IS EXPRESSLY ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE.
The manufacturer of this System is CA.
Provided with “Restricted Rights.” Use, duplication or disclosure by the United States Government is subject to the restrictions set forth in FAR Sections 12.212, 52.227-14, and 52.227-19(c)(1) - (2) and DFARS Section 252.227-7014(b)(3), as applicable, or their successors.
Copyright © 2014 CA. All rights reserved. All trademarks, trade names, service marks, and logos referenced herein belong to their respective companies.
Legal information on third-party and public domain software used in this product is documented in the Third-Party Licenses and Terms of Use
Contact CA
Contact CA Support
For your convenience, CA Technologies provides one site where you can access the information that you need for your Home Office, Small Business, and Enterprise CA Technologies products. At http://ca.com/support, you can access the following resources:
■ Online and telephone contact information for technical assistance and customer services
■ Information about user communities and forums
■ Product and documentation downloads
■ CA Support policies and guidelines
■ Other helpful resources appropriate for your product
Providing Feedback about Product Documentation
Send comments or questions about CA Technologies product documentation to
nimsoft.techpubs@ca.com.
To provide feedback about general CA Technologies product documentation, complete our short customer survey which is available on the support website at
Contents
Chapter 1: journal 1.0  7
journal Overview  7
Prerequisites and Supported Platforms  8
journal configuration  8
The Setup Tab  9
The Profiles Tab  14
Journal Messages Tab  21
Chapter 1: journal 1.0
This description applies to journal probe version 1.0.
This section contains the following topics:
journal Overview (see page 7)
Documentation Changes (see page 8)
Prerequisites and Supported Platforms (see page 8)
journal configuration (see page 8)
How to enable auditing in iSeries (see page 24)
journal Overview
The journal probe monitors the journal messages on the iSeries (AS/400) computer hosting the probe.
The QAUDJRN journal is configured for monitoring by default, and additional journals may be specified for monitoring.
A typical journal to monitor is the Audit Journal (QAUDJRN in the QSYS library). How to enable auditing is described in the 'How to enable auditing in iSeries' section below.
Documentation Changes
This table describes the version history for this document.
Version  Date        What's New?
1.0      Sept 2014   Updated the product name to CA UIM.
1.0      March 2011  Added support for raw_journal_code and raw_entry_type flags in the profile; added an advanced option to allow the raw journal code and entry type field values.
Related Documentation
Documentation for other versions of the journal probe
The Release Notes for the journal probe
Monitor Metrics Reference Information for CA Unified Infrastructure Management Probes (http://docs.nimsoft.com/prodhelp/en_US/Probes/ProbeReference/index.htm)
Prerequisites and Supported Platforms
Platform: IBM iSeries (AS/400) 5.1 or above
journal configuration
The journal probe is configured by double-clicking the line representing the probe in the Infrastructure Manager. This brings up the configuration tool for the probe.
The configuration user interface shows the following tabs:
■ Setup Tab
■ Profiles Tab
The Setup Tab
The Setup tab contains three subtabs:
■ General
■ Messages
■ Journals
General Tab
Field Description
Check interval The Perform check each field specifies the frequency (in seconds) at which the journals will be scanned for new entries.
Log level Specifies the level of detail written to the probe log file.
Log size Specifies the maximum size (in KB) to which the probe log file can grow before it is renamed and a new log is started.
Messages to Read Optional setting to limit the number of messages to be read on each fetch. You might want to use this option if the journal entry size varies greatly between journals being monitored. In most cases you can leave this field empty.
Repeated calls from configuration tool
When listing journal entries from the configuration tool, you can specify a time interval, and in many cases the internal message buffer will not be able to hold all these entries. This setting allows the configuration tool to repeatedly call the probe so that you can list all the entries for the time interval.
You can press Escape to abort listing.
Save window size and default journal messages setup
Pressing this button saves the current window size and the journal messages Journal, Restrict to and Immediate fetch settings to the registry for the current user. These settings are used as default settings each time the configuration tool is launched.
Messages Tab
This tab lists the alarm messages available for use in the monitoring profiles. On the initial configuration, there will be one default message. You can create your own messages with the message text and severity level as required. The following options are available in the right-click menu for the message list.
Field Description
Edit Modify the fields of the alarm message.
Delete Remove the selected alarm message. You will be asked to confirm this operation.
Text The message text.
Variables available for the entry found situation are: profile, description, journal, commit_cycle_identifier, entry_count, entry_type, job_name, job_number, journal_identifier, program_name, sequence_number, system_name, time_stamp, user_name, journal_code, user_profile, object_name, object_library, object_member, data, JC, ET, and the keys from the data field.
Variables available on journal read error situations are: error, journal_name, journal_lib.
Level Severity level of the alarm.
Subsystem Alarm subsystem.
Usage Check one of Use as default or Use as error if you want this message to be the default message for that alarm situation.
Journals Tab
List the journals to be monitored. On the initial configuration, there will be an entry for the Audit journal, with journal name QAUDJRN and library QSYS. You can add entries for additional journals.
Field Description
Configured journals
The list contains the journals which are currently being monitored. The following options are available in the right-click menu for the journal list.
New Create a new journal definition. You need to specify journal name and library.
Edit Modify fields of the journal definition.
Delete Remove the selected journal definition. You will be asked to confirm this operation.
Internal journal name
You can name the journal as you please. This name will be used to reference the journal from profiles and from the Journal messages list.
Journal file library The library in which the journal resides.
The Profiles Tab
The Profiles tab lists all the currently configured monitoring profiles. Each profile is matched against the journal messages fetched from the configured journals. The properties dialog of a profile defines the criteria for when a message matches and an alarm message is sent.
Active profiles are indicated by selected check-boxes. You can enable or disable monitoring of a specific profile by checking or unchecking it.
The following commands are available when you right-click in the profile list:
■ New
Create a new profile, presenting you with the profile properties dialog described below.
■ Edit
Edit the profile properties.
■ Delete
Delete the profile. You will be asked to confirm this operation.
■ Move up and Move down
Profile Properties
Double-clicking on a profile (or right-clicking and selecting Edit) brings up the profile properties dialog. Generic profile properties are:
Field Description
Name The name of the profile.
Active Enables or disables the profile. Same as checking / unchecking the profile in the profiles list.
Description An optional user defined profile description. The profile description may be used as a variable in messages sent for the profile.
Message selection criteria are configured on the Message properties tab and alarm properties on the Actions tab.
Message recognition
These values are checked against all journal messages fetched to determine if the profile matches the message. All checked fields must match for the profile to match and an alarm to be sent.
Regular expressions are supported in all the fields.
Field Description
Journal code The primary category of the journal entry. This field has a distinct set of possible values. You may either select one of these from the drop-down list or specify a regular expression.
In the Advanced tab you may select to change this field to Journal code (raw). The drop-down list will reflect the change and the current value is translated if possible.
Note: When a value is selected from the drop-down list, the tooltip for the field is changed to show the code for the selected value. See also the 'Journal code (code)' field.
Entry type Further identifies the type of user-created or system-created entry. This field has a distinct set of possible values. You may either select one of these from the drop-down list or specify a regular expression.
In the Advanced tab you may select to change this field to Entry type (raw). The drop-down list will reflect the change and the current value is translated if possible.
Note: When a value is selected from the drop-down list, the tooltip for the field is changed to show the code for the selected value. See also the 'Entry type (code)' field.
Job name The name of the job that added the entry.
Program name The name of the program that added the entry. If an application or CL program did not add the entry, the field contains the name of a system-supplied program such as QCMD or QPGMMENU.
If the program name is the special value *NONE, then one of the following is true:
The program name does not apply to this journal entry.
The program name was not available when the journal entry was made. For example, the program name is not available if the program was destroyed.
System name The name of the system on which the entry is being retrieved, if the journal receiver was attached prior to installing V4R2M0 on the system.
If the journal receiver was attached while the system was running V4R2M0 or a later release, the system name refers to the system where the journal entry was actually deposited.
User name The user profile name of the user that started the job.
User profile The name of the effective user profile under which the job was running when the entry was created.
Object name The name of the object for which the journal entry was added. If the entry is not associated with a journaled object, this field is blank.
If the object associated with the journal entry is a file object, this field contains the file name.
Object library If the object associated with the journal entry is a file object, this field contains the file library name.
Object member If the object associated with the journal entry is a file object this field contains the member name of the object.
Data Exact match or regular expression to compare with journal entry field.
Only if not matched by other profile
Do not match this profile if the journal entry has already been matched by another profile. Note that you will need to observe the profile ordering.
Test The test button allows you to run a test query against existing entries in the journal. The Journal Messages tab in the main dialog is replaced with a Test Result tab. The same time restriction is used as for Journal messages.
Actions
Field Description
Use alarm message
Determine which alarm message should be used when the alarm condition arises. If nothing is selected, the default message will be used.
Suppression key The suppression key is used by the nas (alarm server) to determine which messages describe the same alarm situation.
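The recognition and action rules described above (every checked field must match, each field value is a regular expression, profile order matters for "Only if not matched by other profile", and the alarm text and suppression key are built from the message variables listed under the Messages tab) are modelled below in Python. This is an added example and not the journal probe's own code: the $variable expansion syntax, the Profile structure, the sample entries and the sample profiles are assumptions constructed for illustration. Entry types PW and AF are the QAUDJRN password-failure and authority-failure entry types; everything else in the sample data is made up.

```python
# Added example (not the journal probe's own code): a model of profile matching
# and alarm expansion as described in this guide. The $variable syntax, the
# Profile structure and all sample data below are assumptions/constructed.
import re
from dataclasses import dataclass
from string import Template


@dataclass
class Profile:
    name: str
    criteria: dict                   # message-recognition field -> regular expression
    message_text: str                # alarm text using $variables
    level: str = "major"             # severity of the alarm message
    description: str = ""            # optional profile description (also a variable)
    suppression_key: str = "$profile/$journal/$entry_type"
    only_if_unmatched: bool = False  # "Only if not matched by other profile"
    active: bool = True


def parse_data_field(data: str) -> dict:
    """Split the variable portion of an entry ('KEY=VALUE KEY=VALUE ...') into
    a dict, so the keys from the data field can be used as message variables."""
    fields = {}
    for token in data.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def profile_matches(profile: Profile, entry: dict) -> bool:
    """All configured (checked) fields must match; each value is a regex."""
    return all(re.search(pattern, str(entry.get(fld, ""))) is not None
               for fld, pattern in profile.criteria.items())


def evaluate(profiles: list, entries: list) -> list:
    """Run every fetched entry through the profiles in list order and return
    the alarms that would be raised (one entry may raise several alarms)."""
    alarms = []
    for entry in entries:
        already_matched = False  # set once an earlier profile recognised this entry
        for profile in profiles:
            if not profile.active:
                continue
            if profile.only_if_unmatched and already_matched:
                continue
            if not profile_matches(profile, entry):
                continue
            already_matched = True
            # Entry fields override keys parsed from the data field on a name clash.
            variables = {**parse_data_field(entry.get("data", "")), **entry,
                         "profile": profile.name, "description": profile.description,
                         "entry_count": 1}
            alarms.append({
                "profile": profile.name,
                "level": profile.level,
                "text": Template(profile.message_text).safe_substitute(variables),
                "suppression_key": Template(profile.suppression_key).safe_substitute(variables),
            })
    return alarms


def _entry(**overrides) -> dict:
    """Build a constructed QAUDJRN-style entry using the guide's field names."""
    base = {"journal": "QAUDJRN", "journal_code": "T", "entry_type": "", "job_name": "QINTER",
            "job_number": "123456", "program_name": "QSYS", "system_name": "ISERIES1",
            "time_stamp": "2014-09-01-10.15.00", "user_name": "", "user_profile": "",
            "object_name": "", "object_library": "", "object_member": "",
            "sequence_number": "1001", "data": ""}
    return {**base, **overrides}


# Constructed sample entries: PW = password failure, AF = authority failure, CA = authority change.
SAMPLE_ENTRIES = [
    _entry(entry_type="PW", user_name="QSYS", user_profile="QSYS",
           data="VIOLATION=P USER=JSMITH DEVICE=QPADEV0001"),
    _entry(entry_type="AF", user_name="JSMITH", user_profile="JSMITH",
           object_name="PAYROLL", object_library="HRLIB", data="VIOLATION=A"),
    _entry(entry_type="CA", user_name="ADMIN1", user_profile="ADMIN1",
           object_name="PAYROLL", object_library="HRLIB", data="CMD=GRTOBJAUT"),
]

# Constructed sample profiles; the catch-all must come last because of only_if_unmatched.
SAMPLE_PROFILES = [
    Profile("Password failures", {"journal_code": "^T$", "entry_type": "^PW$"},
            "Password failure for $USER on $DEVICE ($system_name)",
            suppression_key="$profile/$USER"),
    Profile("Authority failures", {"journal_code": "^T$", "entry_type": "^AF$"},
            "Authority failure: $user_name on $object_library/$object_name"),
    Profile("Any audit entry", {"journal_code": "^T$"},
            "Audit entry $entry_type from $user_name", level="information",
            only_if_unmatched=True),
]


def run_sample() -> list:
    return evaluate(SAMPLE_PROFILES, SAMPLE_ENTRIES)


if __name__ == "__main__":
    for alarm in run_sample():
        print(alarm["level"], alarm["suppression_key"], alarm["text"])
```

Running the sample raises three alarms: the PW entry is claimed by "Password failures" (with the attempted user taken from the USER key of the data field), the AF entry by "Authority failures", and only the CA entry reaches the low-severity catch-all, because "Only if not matched by other profile" suppresses it for entries an earlier profile already recognised. Moving the catch-all to the top of the list would make it fire for every entry, which is the ordering caveat the guide points out.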
Advanced
Field Description
Journal code field type Determine if the Journal code field in the message recognition tab should display interpreted (Text) or uninterpreted (Raw) information.
Entry type field type Determine if the Entry type field in the message recognition tab should display interpreted (Text) or uninterpreted (Raw) information.
Journal Messages Tab
The Journal messages tab will display the messages from one of the configured journals.
Fields displayed are:
■ Journal code
The primary category of the journal entry.
■ Entry type
Further identifies the type of user-created or system-created entry.
■ Job name
The name of the job that added the entry.
■ Program name
The name of the program that added the entry. If an application or CL program did not add the entry, the field contains the name of a system-supplied program such as QCMD or QPGMMENU. If the program name is the special value *NONE, then one of the following is true:
■ The program name does not apply to this journal entry.
■ The program name was not available when the journal entry was made. For example, the program name is not available if the program was destroyed. If the program that deposited the journal entry is an original program model program, this data will be complete. Otherwise, this data is unpredictable.
■ System name
The name of the system on which the entry is being retrieved, if the journal receiver was attached prior to installing V4R2M0 on the system. If the journal receiver was attached while the system was running V4R2M0 or a later release, the system name is the system where the journal entry was actually deposited.
■ Time stamp
The system date and time when the journal entry was added to the journal receiver.
■ User name
The user profile name of the user that started the job.
■ User profile
The name of the effective user profile under which the job was running when the entry was created.
■ Object name
The name of the object for which the journal entry was added. If the entry is not associated with a journaled object, this field is blank.
If the object associated with the journal entry is a file object, the object name field contains the file name.
■ Object library
If the object associated with the journal entry is a file object, the object library field contains the file library name.
■ Object member
If the object associated with the journal entry is a file object the object member field contains the member name of the object.
■ Data
The data field will contain additional fields from the variable portion of the journal entry. Each field is represented as a <key>=<value> pair.
■ Journal code (raw)
This field contains the same information as the Journal code field above, but in the un-interpreted format.
■ Entry type (raw)
This field contains the same information as the Entry type field above, but in the un-interpreted format.
You may create profiles to match to the messages as they are fetched from the journals. All the above fields except Time stamp can be used for message recognition.
An alarm message is raised when a journal message is recognized. Note that the same journal message may be recognized by multiple profiles. Alarm message to use and suppression key may be configured for each profile.
The Test Result tab lists a number of messages. The number of entries is limited by the message buffer size and messages to read parameters configured in the Setup tab. The oldest messages are read and displayed first.
Use the Journal field to specify from which journal messages are to be displayed and the Restrict to field to determine from what time messages are to be fetched. You can turn
How to enable auditing in iSeries
The following information is taken from the security auditing section of the iSeries Information Center (version 5, revision 4) on the ibm.com website:
Setting up auditing requires *AUDIT special authority. To set up security auditing, follow these steps:
1. Create a journal receiver in a library of your choice by using the Create Journal Receiver (CRTJRNRCV) command. This example uses a library called JRNLIB for journal receivers.
CRTJRNRCV JRNRCV(JRNLIB/AUDRCV0001) + TEXT('Auditing Journal Receiver')
■ Place the journal receiver in a library that is saved regularly. Do not place the journal receiver in library QSYS, even though that is where the journal will be.
■ Choose a journal receiver name that can be used to create a naming convention for future journal receivers, such as AUDRCV0001. You can use the *GEN option when you change journal receivers to continue the naming convention. Using this type of naming convention is also useful if you choose to have the system manage changing your journal receivers.
■ Specify a receiver threshold appropriate to your system size and activity. The size you choose should be based on the number of transactions on your system and the number of actions you choose to audit. If you use system change-journal management support, the journal receiver threshold must be at least 100 000 KB.
■ Specify *EXCLUDE on the AUT parameter to limit access to the information stored in the journal.
2. Create the QSYS/QAUDJRN journal by using the Create Journal (CRTJRN) command:
CRTJRN JRN(QSYS/QAUDJRN) +
  JRNRCV(JRNLIB/AUDRCV0001) +
  MNGRCV(*SYSTEM) DLTRCV(*NO) +
  AUT(*EXCLUDE) TEXT('Auditing Journal')
■ The name QSYS/QAUDJRN must be used.
■ Specify the name of the journal receiver you created in the previous step.
■ Use the Manage receiver (MNGRCV) parameter to have the system change the journal receiver and attach a new one when the attached receiver exceeds the threshold specified when the journal receiver was created. If you choose this option, you do not have to use the CHGJRN command to detach receivers and create and attach new receivers manually.
■ Do not have the system delete detached receivers. Specify DLTRCV(*NO), which is the default. The QAUDJRN receivers are your security audit trail. Ensure that they are adequately saved before deleting them from the system.
3. Set the audit level (QAUDLVL) system value or the audit level extension (QAUDLVL2) system value using the WRKSYSVAL command. The QAUDLVL and QAUDLVL2 system values determine which actions are logged to the audit journal for all users on the system.
4. Set action auditing for individual users if necessary using the CHGUSRAUD command.
5. Set object auditing for specific objects if necessary using the CHGOBJAUD and CHGDLOAUD commands.
6. Set object auditing for specific users if necessary using the CHGUSRAUD command.
7. Set the QAUDENDACN system value to control what happens if the system cannot access the audit journal.
8. Set the QAUDFRCLVL system value to control how often audit records are written to auxiliary storage.
9. Start auditing by setting the QAUDCTL system value to a value other than *NONE.
Note: The QSYS/QAUDJRN journal must exist before you can change the QAUDCTL