
Checking your history log for security events

Checking your history log routinely can help you identify possible security events before they become problems.

As I have explained in earlier tips, my wife and I live deep in the Adirondack Mountains of northern New York state.

We live six miles from the nearest town and are far away from anything resembling a streetlight. At night, when there is no moonlight and we turn out the lights, it is really dark in our house. So dark, in fact, that it takes some practice to navigate our familiar bedroom.

I was thinking about that when I realized that many of us in the iSeries-AS/400 world are navigating in the dark with security. A lot goes on in our systems that can easily be missed unless we keep some lights on. Today, I want to suggest that you periodically review your system history log for security events. This will shed a little more light on your security picture, hopefully keeping you from stumbling.

The history log is a file that contains information about the operation of the system and system status. This log tracks high-level activities such as the start and completion of jobs, device status changes, system operator messages, and attempted security violations. The information is recorded in the form of messages. Those messages are stored in files that are created by the system. The files are in the QSYS system library and are named with a QHST filename prefix.


You can examine information in the history log on your system using the Display Log (DSPLOG) command. If you just key in DSPLOG, it defaults to the most recent entries in your log, and you can scroll back in time to see what events have been recorded. Almost every time I do this (which is probably not often enough), I end up finding out about something that's going on that I was not aware of. Today, for example, I found an FTP batch activity log that kept filling up and extending. I found that there were more than 35,000 records in the log and building every day. This is all information that can be cleared on a regular basis.

For security objectives, you can apply filters to the DSPLOG to limit your inquiry. For starters, you should probably look at the log for "off hours" time periods and weekends. Scan the log entries for suspicious activity. Follow up on information and keep a log of what you find so that the next time you repeat this exercise you're not chasing the same events down. If you do see a suspicious entry, place the cursor on it and hit the HELP or F1 key. That will display the message information so you can note down the message ID. In my case, the file extension message was coming up as CPF4058. I was then able to enter this message ID in the MSGID parameter of the DSPLOG command and see all of the times that this message appears in the log.

Once you get a feel for this, you can develop a series of message IDs that you can then limit your review to. You can build these into a CL program to simplify your review task. When viewing using the MSGID filter, you can always return to a full display of the history log by simply pressing the F10 key. That action cancels the filter that you've specified.
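A minimal CL program along those lines, added here as an illustration and not the author's own code. The program name HSTSECRVW, the 18:00 to 06:00 window and the message IDs other than CPF4058 are assumptions; substitute the IDs you have collected from your own log.

```cl
/* HSTSECRVW: print QHST entries for a watch list of message IDs     */
/* logged during an off-hours window. Added example: the program     */
/* name, the window times and the IDs other than CPF4058 are         */
/* assumptions, not values taken from the article.                   */
/*                                                                   */
/* Pass both dates in the job's date format, quoted so they arrive   */
/* as character values, for example:                                 */
/*   CALL PGM(HSTSECRVW) PARM('110524' '110624')                     */
PGM        PARM(&STRDATE &ENDDATE)
  DCL        VAR(&STRDATE) TYPE(*CHAR) LEN(6)
  DCL        VAR(&ENDDATE) TYPE(*CHAR) LEN(6)

  /* 18:00 on the start date through 06:00 on the end date.          */
  /* CPF4058 is the ID noted in the article; CPF2234 and CPF1107     */
  /* are assumed examples of sign-on password failure messages.      */
  DSPLOG     LOG(QHST) +
             PERIOD((180000 &STRDATE) (060000 &ENDDATE)) +
             MSGID(CPF4058 CPF2234 CPF1107) +
             OUTPUT(*PRINT)

  /* Report a failed run (bad date, log unavailable) to the caller.  */
  MONMSG     MSGID(CPF0000) EXEC(DO)
    SNDPGMMSG  MSG('DSPLOG failed; check the job log and date format.')
  ENDDO
ENDPGM
```

OUTPUT(*PRINT) sends the filtered entries to a spooled file, which makes it easy to keep each run alongside your notes on what you have already followed up.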

The history log is typically kept for 30 days with the setup that comes from the factory. You can change the amount of information kept in the log, however, by updating the Cleanup Options on your system. To review how that is set on your system, go to the Cleanup Tasks menu (GO CLEANUP) and choose option #1. The last entry displayed shows how long the history logs will be kept on your system. Also, check the first entry to make sure automatic system cleanup is active on your system. If automatic cleanup is active on your system, you should see a job named QSYSSCD running in your controlling subsystem (normally QCTL).

If you have any questions about this topic, you can reach me at rich@kisco.com; I'll give it my best shot. All e-mail messages will be answered.

-----------------------------------
About the author: Rich Loeber is president of Kisco Information Systems Inc., in Saranac Lake, N.Y. The company is a provider of various security products for the iSeries market.

