CA Unified Infrastructure Management Probe Guide for iSeries Journal Message Monitoring journal v1.0 series
Copyright 2014 CA. All rights reserved.
Contents

Chapter 1: Overview
- About This Guide
- Related Documentation
- Preconfiguration Requirements
- Software Requirements
- Supported Platforms

Chapter 2: Configuration Details
- journal Node
- <Host Name> Node
- Configure a Node
- Add Profile
- Delete Profile

Chapter 3: How to enable auditing in iSeries
Documentation Changes

This table describes the version history for this document.

Version | Date      | What's New?
1.0     | Sept 2014 | Documentation on the first web-based GUI version of the iSeries Journal Message Monitoring probe. (Previous versions of this probe are configured using Infrastructure Manager.)
Chapter 1: Overview

The iSeries Journal Message Monitoring probe monitors the journal messages and journal files on the iSeries (AS/400) computer hosting the probe. The journal probe enables you to configure specific journals for monitoring. Alarm messages can be generated when specific messages appear.

The Audit Journal (QAUDJRN in the QSYS library) is an example of a typical journal file which the probe monitors. The section How to enable auditing in iSeries includes a description of how to enable auditing.

This section contains the following topics:
- About This Guide
- Related Documentation

About This Guide

This guide is for the CA UIM Administrator to help understand the configuration of the iSeries Journal Message Monitoring probe and provides the following information:
- Overview of the iSeries Journal Message Monitoring probe and related documentation for previous probe versions.
- Configuration details of the probe.
- Field information and common procedures for configuring the probe.

Important! Description for the intuitive GUI fields is not included in the document.

Related Documentation

For related information, see the following material:
- Documentation for other versions of the journal probe
- The Release Notes for the journal probe
- User documentation for the Admin Console
- Monitor Metrics Reference Information for CA Unified Infrastructure Management Probes (http://docs.nimsoft.com/prodhelp/en_us/probes/probereference/index.htm)
Preconfiguration Requirements

This section contains the preconfiguration requirements for the CA UIM iSeries Journal Message Monitoring probe.
- NMS 7.6, or CA UIM version 8.0, or later.
- Probe Provisioning Manager (PPM) probe version 2.38, or later.

Software Requirements

IBM iSeries (AS/400) 5.1 or above.

Supported Platforms

Refer to the Compatibility Support Matrix for the latest information on supported platforms. See also the Support Matrix for Probes for additional specific information on the journal probe.
Chapter 2: Configuration Details

This section contains configuration details specific to the iSeries Journal Message Monitoring probe.

This section contains the following topics:
- journal Node
- Configure a Node
- Add Profile
- Delete Profile
journal Node

The journal node lets you view the probe details and the alarm message details, and configure the log properties.

Navigation: journal

Set or modify the following values as required:

journal > Probe Information

This section provides information about the probe name, probe version, start time of the probe, and the probe vendor.

journal > Setup Configuration

This section lets you configure the detail level of the log file.

- Check Interval (Perform Each Check): specifies the frequency (in seconds) after which the probe scans the journals for new entries.
  Default: 60
- Log Level: specifies the level of detail written to the probe log file.
  Default: 3 - Info
- Log Size: specifies the size of the file in which the internal log messages of the journal probe are saved.
  Default: 100 KB
- Message Buffer Size: specifies the internal buffer size in which the probe fetches the journal entries.
  Default: 102400
  Note: The buffer size should be large enough to hold the entries that are expected to be added to one of the monitored journals within one check interval.
- Messages to Read: specifies the number of messages to be read on each fetch operation.
  Note: You must select this option if the journal entry size varies greatly between journals being monitored.
- Repeated Calls from Configuration Tool: enables you to configure the configuration tool to list all the journal entries for the specified time interval.
  Default: Selected
  Note: When listing journal entries from the configuration tool for a specific time interval, the internal message buffer is not always able to hold all these entries. This setting allows the configuration tool to repeatedly call the probe so that you can list all the entries for the specified time interval.

journal > Alarm Messages
This section lets you view the alarm messages defined on the journal probe.

- Name: identifies the name of the alarm message.
- Text: identifies the content of the alarm message.
- Level: indicates the alarm which is raised.
- Subsystem: indicates the subsystem id.
- Default: indicates the default value of the alarm message.

journal > Configured Journals

This section displays a list of all the journals which are currently being monitored. The New and Delete options are also available to enable you to create a new journal or delete an existing journal.

- Journal: specifies the journal type.
- Name: specifies the journal name.
- Library: specifies the library to which this journal belongs.

<Host Name> Node

The host name node is used to identify the host of the system on which the journal probe is deployed. This node does not contain any field or section and is used for displaying the journal messages and classifying the monitoring profiles.
journal Messages Node

The journal Messages node displays the message details of the configured journals.

Navigation: journal > journal Messages

Note: This node is named as journal Messages node throughout this document.

journal Messages > Message Configuration

This section enables you to select the journal for fetching the journal messages. It also enables you to restrict the fetch operation.

- Journal: specifies the name of the journal for fetching the journal messages.
- Restrict To: enables you to select from what time the messages are to be fetched.
  Note: This option enables you to turn off the immediate fetch operation so that messages are fetched only on explicit fetch operations.

journal Messages > journal Messages

This section displays the journal messages available for the configured journal in a tabular form. You can select any one message from the table to configure its properties. The parameters that are used for recognizing a specific journal message are:

- Journal Code: specifies the primary category of the journal entry.
- Entry Type: specifies whether the entry is user-created or system-created.
- Job Name: specifies the name of the job that added the entry.
- Program Name: specifies the name of the program that added the entry.
- System Name: specifies the name of the system on which the entry is being retrieved, if the journal receiver was attached prior to installing V4R2M0 on the system. If the journal receiver was attached while the system was running V4R2M0 or a later release, the system name is the system where the journal entry was actually deposited.
- Time Stamp: specifies the system date and time when the journal entry was added to the journal receiver.
- User Name: specifies the user profile name that started the job.
- User Profile: specifies the name of the effective user profile under which the job was running when the entry was created.
- Object Name: specifies the name of the object for which the journal entry was added.
  If the entry is not associated with a journal object, this field is blank. If the object associated with the journal entry is a file object, this field contains the file name.
- Object Library: specifies the library file name, if the object associated with the journal entry is a file object.
- Object Member: specifies the member name of the object if the object associated with the journal entry is a file object.
- Data: specifies additional fields from the variable portion of the journal entry. Each field is represented as a <key>=<value> pair.
- Journal code (raw): specifies the same information as the Journal Code field above, but in un-interpreted format.
- Entry type (raw): specifies the same information as the Entry Type field above, but in un-interpreted format.

The Create Profile option under the Actions drop-down list enables you to create a monitoring profile. This section also displays a brief description of the profile.

Profiles Node

The Profiles node is used to create a monitoring profile. You can create multiple monitoring profiles with different criteria to monitor the journals. The journal probe matches each profile with the journal messages that are fetched from the configured journals.

Note: This node does not contain any sections or fields.
<profile name> Node

The profile name node represents a monitoring profile of the iSeries Journal Message Monitoring probe. This node lets you define the monitoring criteria of the journal messages which generate the alarms for this probe.

Note: The monitoring profile is added as a child node under the Profiles node. This node is referred to as the profile name node in the document and is user-configurable.

Navigation: journal > Profiles > profile name

profile name > Profile General Configuration

This section allows you to configure the properties of the monitoring profile.

- Active: enables you to activate the profile.
- Journal: enables you to select a journal. The monitoring profile uses messages from the specified journal.

profile name > Message Recognition

This section lets you monitor the journal messages by adding the message matching parameters such as Journal Code, Entry Type and Job Name. The probe evaluates the matching criteria and selects all journal messages matching the criteria specified in the message properties. Refer to the journal Messages section of the journal Node topic for field description.

Note: Regular expressions are supported in all the fields.

- Only if not Matched By Other Profile: enables you to select this profile only if its journal entry does not match any other profile.

profile name > Actions

This section lets you specify the threshold values and configure the alarm properties for the selected profile.

- Use Alarm Message: specifies the alarm message to be used when the alarm condition arises.
- Suppression Key: specifies the suppression key to be used by the Alarm Server to determine which messages describe the same alarm situation.

profile name > Advanced

This section lets you specify the advanced settings for displaying the type of information in the Journal Code and Entry Type fields in the journal Messages section under the journal Node.
- Journal Code Field Type: indicates whether the Journal Code field should display interpreted information (Text) or uninterpreted (Raw) information.
- Entry Type Field Type: indicates whether the Entry Type field should display interpreted information (Text) or uninterpreted (Raw) information.

Configure a Node

This procedure provides the information to configure a section within a node. Each section within a node lets you configure the properties of the probe to monitor the journal messages.

Follow these steps:
1. Navigate to the section within a node that you want to configure.
2. Update the field information and click Save.

The specified section of the iSeries Journal Message Monitoring probe is configured.

Add Profile

You can add a performance profile, which is displayed under the Profiles node. You can then configure the profile to monitor the journal messages.

Follow these steps:
1. Click the Options icon beside the Profiles node.
2. Click Add Profile.
3. Update the field information and click Submit.

The profile is saved.

Delete Profile

You can delete a monitoring profile when it no longer requires monitoring.

Follow these steps:
1. Click the Options icon beside the Profile Name node.
2. Click Delete.
3. Click Save.

The profile is deleted.
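How the Message Recognition criteria and the Only if not Matched By Other Profile option described in this chapter fit together, as an added illustration that is not the probe's own code. It assumes whole-value regular-expression matching, a fallback reading of that option, and a suppression key built from profile name and user; all entries, profile names and dictionary keys are constructed.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample entries. Keys mirror the journal Messages columns; codes
# are in raw form (journal code T marks audit entries written to QAUDJRN).
ENTRIES = [
    {"journal_code": "T", "entry_type": "PW", "job_name": "QPADEV0003", "user_name": "QSECOFR"},
    {"journal_code": "T", "entry_type": "PW", "job_name": "QPADEV0003", "user_name": "QSECOFR"},
    {"journal_code": "T", "entry_type": "AF", "job_name": "PAYROLL01", "user_name": "JSMITH"},
    {"journal_code": "T", "entry_type": "CP", "job_name": "QPADEV0001", "user_name": "ADMIN1"},
    {"journal_code": "T", "entry_type": "PW", "job_name": "QPADEV0007", "user_name": "JSMITH"},
    {"journal_code": "J", "entry_type": "PR", "job_name": "QDBSRV01", "user_name": "QSYS"},
]


@dataclass
class Profile:
    name: str
    criteria: dict                    # field name -> regular expression
    only_if_unmatched: bool = False   # "Only if not Matched By Other Profile"
    active: bool = True

    def matches(self, entry):
        # Assumption: each pattern must match the whole field value; a field
        # without a pattern is not checked.
        return all(re.fullmatch(rx, entry.get(name, ""))
                   for name, rx in self.criteria.items())


# Hypothetical profiles: password failures on Q* profiles, any authority
# failure, and a catch-all for audit entries nothing else claimed.
PROFILES = [
    Profile("pw_failure", {"journal_code": "T", "entry_type": "PW", "user_name": "Q.*"}),
    Profile("auth_failure", {"journal_code": "T", "entry_type": "AF"}),
    Profile("other_audit", {"journal_code": "T"}, only_if_unmatched=True),
]


def evaluate(entry, profiles):
    """Return the profiles that would raise an alarm for one journal entry."""
    active = [p for p in profiles if p.active]
    hits = [p for p in active if not p.only_if_unmatched and p.matches(entry)]
    if hits:
        return hits
    # Fallback profiles fire only when no ordinary profile matched the entry.
    return [p for p in active if p.only_if_unmatched and p.matches(entry)]


def summarize(entries, profiles):
    """Count alarms per suppression key (constructed here as profile/user)."""
    counts = Counter()
    for entry in entries:
        for profile in evaluate(entry, profiles):
            counts[f"{profile.name}/{entry['user_name']}"] += 1
    return dict(counts)


if __name__ == "__main__":
    for key, count in summarize(ENTRIES, PROFILES).items():
        print(f"{key}: {count}")
```

The JSMITH password failure falls through to the catch-all because the first profile restricts User Name to Q.*, which is the kind of gap a fallback profile makes visible.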
Chapter 3: How to enable auditing in iSeries
The following information is taken from the security auditing section of the iSeries Information Center (version 5, revision 4) on the ibm.com website:

Setting up auditing requires *AUDIT special authority. To set up security auditing, follow these steps:

1. Create a journal receiver in a library of your choice by using the Create Journal Receiver (CRTJRNRCV) command. This example uses a library called JRNLIB for journal receivers.

   CRTJRNRCV JRNRCV(JRNLIB/AUDRCV0001) +
             TEXT('Auditing Journal Receiver')

   - Place the journal receiver in a library that is saved regularly. Do not place the journal receiver in library QSYS, even though that is where the journal will be.
   - Choose a journal receiver name that can be used to create a naming convention for future journal receivers, such as AUDRCV0001. You can use the *GEN option when you change journal receivers to continue the naming convention. Using this type of naming convention is also useful if you choose to have the system manage changing your journal receivers.
   - Specify a receiver threshold appropriate to your system size and activity. The size you choose should be based on the number of transactions on your system and the number of actions you choose to audit. If you use system change-journal management support, the journal receiver threshold must be at least 100 000 KB.
   - Specify *EXCLUDE on the AUT parameter to limit access to the information stored in the journal.

2. Create the QSYS/QAUDJRN journal by using the Create Journal (CRTJRN) command:

   CRTJRN JRN(QSYS/QAUDJRN) +
          JRNRCV(JRNLIB/AUDRCV0001) +
          MNGRCV(*SYSTEM) DLTRCV(*NO) +
          AUT(*EXCLUDE) TEXT('Auditing Journal')

   - The name QSYS/QAUDJRN must be used.
   - Specify the name of the journal receiver you created in the previous step.
   - Specify *EXCLUDE on the AUT parameter to limit access to the information stored in the journal. You must have authority to add objects to QSYS to create the journal.
   - Use the Manage receiver (MNGRCV) parameter to have the system change the journal receiver and attach a new one when the attached receiver exceeds the threshold specified when the journal receiver was created. If you choose this option, you do not have to use the CHGJRN command to detach receivers and create and attach new receivers manually.
   - Do not have the system delete detached receivers. Specify DLTRCV(*NO), which is the default. The QAUDJRN receivers are your security audit trail. Ensure that they are adequately saved before deleting them from the system.

3. Set the audit level (QAUDLVL) system value or the audit level extension (QAUDLVL2) system value using the WRKSYSVAL command. The QAUDLVL and QAUDLVL2 system values determine which actions are logged to the audit journal for all users on the system.
4. Set action auditing for individual users if necessary using the CHGUSRAUD command.
5. Set object auditing for specific objects if necessary using the CHGOBJAUD and CHGDLOAUD commands.
6. Set object auditing for specific users if necessary using the CHGUSRAUD command.
7. Set the QAUDENDACN system value to control what happens if the system cannot access the audit journal.
8. Set the QAUDFRCLVL system value to control how often audit records are written to auxiliary storage.
9. Start auditing by setting the QAUDCTL system value to a value other than *NONE.

Note: The QSYS/QAUDJRN journal must exist before you can change the QAUDCTL system value to a value other than *NONE. When you start auditing, the system attempts to write a record to the audit journal. If the attempt is not successful, you receive a message and auditing does not start.