You don't want unauthorized people accessing your iSeries, so it's a good idea to monitor invalid log-on attempts. By doing so you can see who simply mistyped and who had no business trying to log in.
If you have turned on auditing and have at least *SECURITY specified in the QAUDLVL system value, you can check the security audit journal for all log-in attempts.
The type of entry you want to look at are the "PW" entries. To make it easier to "harvest" this information from the audit journal, IBM ships a model outfile for each audit entry type. The files are in QSYS and have a naming convention of:
In that naming convention, xx is the entry type, in this case PW, and n is the journal type. (The higher the number, the more information in the entry.) If you're running V5R2, you can use type five, otherwise I recommend type four. The iSeries Security Reference manual, Appendix F contains the layout of each of the auditing model outfiles. The manual is available in PDF form on the IBM Information Center.
In this case, you'll want to create a duplicate object of the QSYS/QASYAFJ5 entry and then specify this on the OUTFILE parameter on the DSPJRN command as follows:
• CRTDUPOBJ OBJ(QASYPWJ5) FROMLIB(QSYS) OBJTYPE(*FILE) TOLIB(QTEMP)
• DSPJRN JRN(QAUDJRN) FROMTIME('09/13/05' '17:30:00') JRNCDE((T)) ENTTYP(PW) + OUTPUT(*OUTFILE) OUTFILFMT(*TYPE5) OUTFILE(QTEMP/QASYPWJ5)
You can then look at the contents of the entire file or query to find the exact information you're looking for.
About the author: Carol Woodbury is president and co-founder of SkyView Partners Inc., a firm specializing in security consulting, remediation services and assessment software.