Interrogating the Security Audit Journal
As of Argent XT Agent for iSeries8.0A-1011, Argent now supports retrieving information from the iSeries security audit journal QAUDJRN.
The iSeries security audit journal can now be interrogated by Argent Data Consolidator to retrieve information about security failures such as failed logon and object authorization failures.
Displaying iSeries Security Auditing Settings
To display the current iSeries security audit settings, use the iSeries DSPSECAUD command.
The output will appear similar to the following:
Configuring iSeries Security Auditing Settings
To configure iSeries security audit settings, use the iSeries CHGSECAUD command. A sample configuration display is shown below:
To enable Argent Data Consolidator to retrieve information about logon failures and object authorization failures, the *AUTFAIL audit value must be selected.
Important Notes:
- Implementing iSeries security auditing requires careful planning as it imposes an operational requirement on the customer to manage the security audit journal and journal receivers
-
Depending on the values selected for the CHGSECAUD command, implementing iSeries security auditing can result is enormous volumes of data
Example of Configuring iSeries XT Agent Security Audit Journal Support
The following display is an example of an Argent Data Consolidator iSeries Security Audit Journal rule:
In the example, the rule is configure to retrieve iSeries logon failures (Journal Entry Type “PW”).
The following display is an example of an Argent Data Consolidator Relator definition that contains the sample rule:
When the Argent Data Consolidator relator runs, the following can be seen in the XT Agent for iSeries log file:
Note that Argent Data Consolidator calculates the timeframe for which journal entries are selected from the iSeries security audit journal.
If there are no journal entries that match the rule configured in the relator, no records are returned.
If a logon failure occurs during timeframe calculated by Argent Data Consolidator, the Argent XT Agent for iSeries returns all of the journal entries that meet the selection criteria, as shown below in a log file configured for maximum debug tracing:
The returned journal entry data contains detailed information about the “PW” journal entry.