Q
Manage Learn to apply best practices and optimize your operations.

Check for invalid log-on attempts

Is there a command I could use to check for invalid log-on attempts. I know I could use DSPLOG for MSGID CPF1393, but is there a way of passing info such as user, device and subsystem to an outfile to query later on?

Is there a command I could use to check for invalid log-on attempts. I know I could use DSPLOG for MSGID CPF1393, but is there a way of passing info such as user, device and subsystem to an outfile to query later on?
The information you're looking for is in the security audit journal (assuming that you've turned on auditing and have at least *SECURITY specified in the QAUDLVL system value.) The type of entry you want to look at are the "PW" entries. To make it easier to "harvest" this information from the audit journal, IBM ships a model outfile for each audit entry type. The files are in QSYS and have a naming convention of:

QASYxxJn where xx is the entry type, in this case PW, and n is the journal type – the higher the number, the more information in the entry. If you're running V5R2, you can use type five otherwise I recommend type four. The iSeries Security Reference manual, Appendix F contains the layout of each of the auditing model outfiles. The manual is available in PDF form on the IBM Information Center.

In this case, you'll want to create a duplicate object of the QSYS/QASYAFJ5 entry and then specify this on the OUTFILE parameter on the DSPJRN command as follows:

  • CRTDUPOBJ OBJ(QASYPWJ5) FROMLIB(QSYS) OBJTYPE(*FILE) TOLIB(QTEMP) 
  • DSPJRN JRN(QAUDJRN) FROMTIME('09/13/05' '17:30:00') JRNCDE((T)) ENTTYP(PW) + OUTPUT(*OUTFILE) OUTFILFMT(*TYPE5) OUTFILE(QTEMP/QASYPWJ5)

    You can then look at the contents of the entire file or query to find the exact information you're looking for.

  • This was last published in October 2005

    Dig Deeper on iSeries system and application security

    Have a question for an expert?

    Please add a title for your question

    Get answers from a TechTarget expert on whatever's puzzling you.

    You will be able to add details on the next page.

    Start the conversation

    Send me notifications when other members comment.

    By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

    Please create a username to comment.

    -ADS BY GOOGLE

    SearchDataCenter

    Close