CA Unified Infrastructure Management Probe Guide for iseries Journal Message Monitoring v1.0 series
Copyright Notice

This online help system (the "System") is for your informational purposes only and is subject to change or withdrawal by CA at any time. This System may not be copied, transferred, reproduced, disclosed, modified or duplicated, in whole or in part, without the prior written consent of CA. This System is confidential and proprietary information of CA and protected by the copyright laws of the United States and international treaties. This System may not be disclosed by you or used for any purpose other than as may be permitted in a separate agreement between you and CA governing your use of the CA software to which the System relates (the "CA Software"). Such agreement is not modified in any way by the terms of this notice. Notwithstanding the foregoing, if you are a licensed user of the CA Software you may make one copy of the System for internal use by you and your employees, provided that all CA copyright notices and legends are affixed to the reproduced copy. The right to make a copy of the System is limited to the period during which the license for the CA Software remains in full force and effect. Should the license terminate for any reason, it shall be your responsibility to certify in writing to CA that all copies and partial copies of the System have been destroyed.

TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS SYSTEM AS IS WITHOUT WARRANTY OF ANY KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NONINFRINGEMENT. IN NO EVENT WILL CA BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY LOSS OR DAMAGE, DIRECT OR INDIRECT, FROM THE USE OF THIS SYSTEM, INCLUDING WITHOUT LIMITATION, LOST PROFITS, LOST INVESTMENT, BUSINESS INTERRUPTION, GOODWILL, OR LOST DATA, EVEN IF CA IS EXPRESSLY ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE.

The manufacturer of this System is CA. Provided with Restricted Rights. Use, duplication or disclosure by the United States Government is subject to the restrictions set forth in FAR Sections 12.212, 52.227-14, and 52.227-19(c)(1) - (2) and DFARS Section 252.227-7014(b)(3), as applicable, or their successors.

Copyright 2014 CA. All rights reserved. All trademarks, trade names, service marks, and logos referenced herein belong to their respective companies. Legal information on third-party and public domain software used in this product is documented in the Third-Party Licenses and Terms of Use (http://docs.nimsoft.com/prodhelp/en_us/library/legal.html).
Contact CA

Contact CA Support

For your convenience, CA Technologies provides one site where you can access the information that you need for your Home Office, Small Business, and Enterprise CA Technologies products. At http://ca.com/support, you can access the following resources:
- Online and telephone contact information for technical assistance and customer services
- Information about user communities and forums
- Product and documentation downloads
- CA Support policies and guidelines
- Other helpful resources appropriate for your product

Providing Feedback about Product Documentation

Send comments or questions about CA Technologies product documentation to nimsoft.techpubs@ca.com. To provide feedback about general CA Technologies product documentation, complete our short customer survey, which is available on the support website at http://ca.com/docs.
Contents

Chapter 1: journal 1.0 ............................ 7
    journal Overview .............................. 7
    Prerequisites and Supported Platforms ......... 8
    journal configuration ......................... 8
    The Setup Tab ................................. 9
    The Profiles Tab .............................. 14
    Journal Messages Tab .......................... 21
    How to enable auditing in iseries ............. 24
Chapter 1: journal 1.0

This description applies to journal probe version 1.0.

This section contains the following topics:
- journal Overview (see page 7)
- Documentation Changes (see page 8)
- Prerequisites and Supported Platforms (see page 8)
- journal configuration (see page 8)
- How to enable auditing in iseries (see page 24)

journal Overview

The journal probe monitors the journal messages on the iseries (AS/400) computer hosting the probe. The QAUDJRN journal is configured to be monitored, and additional journals may be specified for monitoring. An example of a typical journal file to monitor is the Audit Journal (QAUDJRN in the QSYS library). A description of how to enable auditing is included in the "How to enable auditing in iseries" section below.

The journal probe can monitor a set of journal files. By default only the Audit Journal is configured, but you can add other journals as required.
Documentation Changes

This table describes the version history for this document.

Version   Date         What's New?
1.0       Sept 2014    Updated the product name to CA UIM.
1.0       March 2011   Added support for the raw_journal_code and raw_entry_type flags in the profile; added an advanced option to allow the raw journal code and entry type field values.

Related Documentation
- Documentation for other versions of the journal probe
- The Release Notes for the journal probe
- Monitor Metrics Reference Information for CA Unified Infrastructure Management Probes (http://docs.nimsoft.com/prodhelp/en_us/probes/probereference/index.htm)

Prerequisites and Supported Platforms

Platform: IBM iseries (AS/400) 5.1 or above

journal configuration

The journal probe is configured by double-clicking the line representing the probe in the Infrastructure Manager. This brings up the configuration tool for the probe. The configuration user interface shows the following tabs:
- Setup Tab
- Profiles Tab
- Journal Messages Tab
The Setup Tab

The Setup tab contains three subtabs: General, Messages and Journals.

General Tab

Check interval
    The "Perform check each" field specifies the frequency (in seconds) at which the journals are scanned for new entries.

Log level
    Specifies the level of detail written to the probe log file.

Log size
    Specifies the maximum size (in KB) to which the probe log file can grow before it is renamed and a new log is started.

Message Buffer Size
    The internal buffer size used in the probe into which journal entries are fetched. The buffer size should be large enough to hold at least as many entries as you would expect to be added to one of the monitored journals within one check interval.
Messages to Read
    Optional setting to limit the number of messages to be read on each fetch. You might want to use this option if the journal entry size varies greatly between the journals being monitored. In most cases you can leave this field empty.

Repeated calls from configuration tool
    When listing journal entries from the configuration tool, you can specify a time interval, and in many cases the internal message buffer will not be able to hold all of these entries. This setting allows the configuration tool to call the probe repeatedly so that you can list all the entries for the time interval. Press Escape to abort the listing.

Save window size and default journal messages setup
    Pressing this button saves the current window size and the Journal, Restrict to and Immediate fetch settings of the Journal messages tab to the registry for the current user. These settings are used as the defaults each time the configuration tool is launched.

Messages Tab

This tab lists the alarm messages available for use in the monitoring profiles. On the initial configuration there is one default message. You can create your own messages with the message text and severity level as required. The following options are available in the right-click menu for the message list:

New
    Create a new alarm message. Default values are set in the fields and can be modified.
Edit
    Modify the fields of the alarm message.

Delete
    Remove the selected alarm message. You will be asked to confirm this operation.

The fields of an alarm message are:

Name
    Unique message name. This name is used from the profiles to reference the particular message.
Text
    The message text. Variables available for the "entry found" situation are: profile, description, journal, commit_cycle_identifier, entry_count, entry_type, job_name, job_number, journal_identifier, program_name, sequence_number, system_name, time_stamp, user_name, journal_code, user_profile, object_name, object_library, object_member, data, JC, ET, and the keys from the data field. Variables available on journal read error situations are: error, journal_name, journal_lib.

Level
    Severity level of the alarm.

Subsystem
    Alarm subsystem.

Usage
    Check one of Use as default or Use as error if you want this message to be the default message for that alarm situation. Only one message can be the default for each usage type.
Journals Tab

Lists the journals to be monitored. On the initial configuration there is an entry for the Audit journal, with journal name QAUDJRN and library QSYS. You can add entries for additional journals.

Configured journals
    The list contains the journals which are currently being monitored. The following options are available in the right-click menu for the journal list:

New
    Create a new journal definition. You need to specify the journal name and library.

Edit
    Modify the fields of the journal definition.

Delete
    Remove the selected journal definition. You will be asked to confirm this operation.

Internal journal name
    You can name the journal as you please. This name is used to reference the journal from profiles and from the Journal messages list.

Journal file name
    The file name of the journal.
Journal file library
    The library in which the journal resides.

The Profiles Tab
The Profiles tab lists all the currently configured monitoring profiles. Each profile is matched against journal messages fetched from the configured journals. The properties dialog of a profile defines the criteria for when a message matches and an alarm message is sent. Active profiles are indicated by selected check-boxes; you can enable or disable monitoring of a specific profile by checking or unchecking it.

The following commands are available when you right-click in the profile list:

New
    Create a new profile, presenting you with the profile properties dialog described below.

Edit
    Edit the profile properties.

Delete
    Delete the profile. You will be asked to confirm this operation.

Move up and Move down
    These options allow you to change the profile ordering. The ordering you see is also the ordering used when processing new journal entries.
Profile Properties

Double-clicking on a profile (or right-clicking and selecting Edit) brings up the profile properties dialog. Generic profile properties are:

Name
    The name of the profile.

Active
    Enables or disables the profile. Same as checking / unchecking the profile in the profiles list.

Description
    An optional user-defined profile description. The profile description may be used as a variable in messages sent for the profile.

Journal
    Specifies the journal from which messages are used to match the message criteria. You may leave this field empty to match against messages from all defined journals.
Message selection criteria are configured on the Message properties tab and alarm properties on the Actions tab.

Message recognition

These values are checked against all journal messages fetched to determine whether the profile matches the message. All checked fields must match for the profile to match and an alarm to be sent. Regular expressions are supported in all the fields.

Journal code
    The primary category of the journal entry. This field has a distinct set of possible values. You may either select one of these from the drop-down list or specify a regular expression. In the Advanced tab you may choose to change this field to Journal code (raw). The drop-down list will reflect the change and the current value is translated if possible. Note: When a value is selected from the drop-down list, the tooltip for the field changes to show the code for the selected value. See also the Journal code (code) field.

Entry type
    Further identifies the type of user-created or system-created entry. This field has a distinct set of possible values. You may either select one of these from the drop-down list or specify a regular expression. In the Advanced tab you may choose to change this field to Entry type (raw). The drop-down list will reflect the change and the current value is translated if possible. Note: When a value is selected from the drop-down list, the tooltip for the field changes to show the code for the selected value. See also the Entry type (code) field.

Job name
    The name of the job that added the entry.

Program name
    The name of the program that added the entry. If an application or CL program did not add the entry, the field contains the name of a system-supplied program such as QCMD or QPGMMENU. If the program name is the special value *NONE, then one of the following is true:
    - The program name does not apply to this journal entry.
    - The program name was not available when the journal entry was made. For example, the program name is not available if the program was destroyed.
    If the program that deposited the journal entry is an original program model program, this data will be complete. Otherwise, this data is unpredictable.
System name
    The name of the system on which the entry is being retrieved, if the journal receiver was attached prior to installing V4R2M0 on the system. If the journal receiver was attached while the system was running V4R2M0 or a later release, the system name refers to the system where the journal entry was actually deposited.

User name
    The user profile name of the user that started the job.

User profile
    The name of the effective user profile under which the job was running when the entry was created.

Object name
    The name of the object for which the journal entry was added. If the entry is not associated with a journaled object, this field is blank. If the object associated with the journal entry is a file object, this field contains the file name.

Object library
    If the object associated with the journal entry is a file object, this field contains the file library name.

Object member
    If the object associated with the journal entry is a file object, this field contains the member name of the object.

Data
    Exact match or regular expression to compare with the data field of the journal entry.

Only if not matched by other profile
    Do not match this profile if the journal entry has already been matched by another profile. Note that you will need to observe the profile ordering.

Test
    The Test button allows you to run a test query against existing entries in the journal. The Journal Messages tab in the main dialog is replaced with a Test Result tab. The same time restriction is used as for Journal messages. Press F5 in the result list to revert to Journal messages.
Actions

Use alarm message
    Determines which alarm message is used when the alarm condition arises. If nothing is selected, the default message is used.

Suppression key
    The suppression key is used by the nas to determine which messages describe the same alarm situation. Leave this field empty if you want the nas to just use the alarm message text.
Advanced

Journal code field type
    Determines whether the Journal code field in the message recognition tab displays interpreted (Text) or uninterpreted (Raw) information.

Entry type field type
    Determines whether the Entry type field in the message recognition tab displays interpreted (Text) or uninterpreted (Raw) information.
Journal Messages Tab

The Journal messages tab displays the messages from one of the configured journals. Fields displayed are:

Journal code
    The primary category of the journal entry.

Entry type
    Further identifies the type of user-created or system-created entry.

Job name
    The name of the job that added the entry.

Program name
    The name of the program that added the entry. If an application or CL program did not add the entry, the field contains the name of a system-supplied program such as QCMD or QPGMMENU. If the program name is the special value *NONE, then one of the following is true:
    - The program name does not apply to this journal entry.
    - The program name was not available when the journal entry was made. For example, the program name is not available if the program was destroyed.
    If the program that deposited the journal entry is an original program model program, this data will be complete. Otherwise, this data is unpredictable.

System name
    The name of the system on which the entry is being retrieved, if the journal receiver was attached prior to installing V4R2M0 on the system. If the journal receiver was attached while the system was running V4R2M0 or a later release, the system name is the system where the journal entry was actually deposited.

Time stamp
    The system date and time when the journal entry was added to the journal receiver.

User name
    The user profile name of the user that started the job.

User profile
    The name of the effective user profile under which the job was running when the entry was created.

Object Name
    The name of the object for which the journal entry was added. If the entry is not associated with a journaled object, this field is blank. If the object associated with the journal entry is a file object, the object name field contains the file name.

Object library
    If the object associated with the journal entry is a file object, the object library field contains the file library name.

Object member
    If the object associated with the journal entry is a file object, the object member field contains the member name of the object.

Data
    The data field contains additional fields from the variable portion of the journal entry. Each field is represented as a <key>=<value> pair.

Journal code (raw)
    This field contains the same information as the Journal code field above, but in the un-interpreted format.

Entry type (raw)
    This field contains the same information as the Entry type field above, but in the un-interpreted format.

You may create profiles to match the messages as they are fetched from the journals. All of the above fields except Time stamp can be used for message recognition. An alarm message is raised when a journal message is recognized. Note that the same journal message may be recognized by multiple profiles. The alarm message to use and the suppression key may be configured for each profile.

The Journal Messages/Test Result tab
The Test Result tab lists a number of messages. The number of entries is limited by the Message Buffer Size and Messages to Read parameters configured in the Setup tab. The oldest messages are read and displayed first. Use the Journal field to specify the journal from which messages are displayed and the Restrict to field to determine from what time messages are fetched. You can turn off the Immediate fetch option so that messages are only fetched on explicit fetch operations (pressing the Fetch button, pressing F5, or pressing the Test button in the profile dialog).
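The following Python script is an added example that simulates the profile-matching rules described under Profile Properties (Message recognition, Actions) and the Journal Messages tab above; it is not code from the journal probe or from CA. It assumes that a criterion matches on exact equality or, failing that, as a re.search regular expression, that message variables are written as $name placeholders, and that the <key>=<value> pairs in the data field are space-separated. The journal entries, profiles, codes and data keys are constructed samples.

```python
import re
from dataclasses import dataclass
from string import Template

# Constructed sample entries in the field layout the probe exposes (see the
# Journal Messages tab). Codes, names and data keys are illustrative only.
SAMPLE_ENTRIES = [
    {"journal": "AUDIT", "journal_code": "T", "entry_type": "PW",
     "job_name": "QPADEV0001", "program_name": "QSYS", "user_name": "JDOE",
     "user_profile": "JDOE", "object_name": "", "object_library": "",
     "object_member": "", "sequence_number": "101",
     "data": "type=P device=QPADEV0001"},
    {"journal": "AUDIT", "journal_code": "T", "entry_type": "CP",
     "job_name": "QPADEV0002", "program_name": "QSYS", "user_name": "ADMIN",
     "user_profile": "QSECOFR", "object_name": "JDOE", "object_library": "QSYS",
     "object_member": "", "sequence_number": "102", "data": "type=A"},
    {"journal": "AUDIT", "journal_code": "T", "entry_type": "CP",
     "job_name": "BATCH01", "program_name": "MYPGM", "user_name": "OPER",
     "user_profile": "OPER", "object_name": "TEMPUSR", "object_library": "QSYS",
     "object_member": "", "sequence_number": "103", "data": "type=C"},
]


@dataclass
class Profile:
    """One monitoring profile: recognition criteria plus the alarm to raise."""
    name: str
    criteria: dict              # field name -> exact value or regular expression
    text: str                   # alarm text with $variable placeholders (assumed syntax)
    level: str = "major"
    description: str = ""
    journal: str = ""           # empty matches entries from every configured journal
    only_if_unmatched: bool = False
    suppression_key: str = ""   # empty: nas falls back to the alarm text
    active: bool = True


def field_matches(pattern, value):
    """Exact string match first; otherwise treat the criterion as a regular expression (assumption)."""
    return value == pattern or re.search(pattern, value) is not None


def parse_data(data):
    """Split the variable portion of the entry into a dict of key=value pairs (space-separated, assumed)."""
    pairs = {}
    for token in data.split():
        key, sep, val = token.partition("=")
        if sep:
            pairs[key] = val
    return pairs


def profile_matches(profile, entry, already_matched):
    """All checked fields must match; honour the Journal filter and
    the 'Only if not matched by other profile' option."""
    if not profile.active:
        return False
    if profile.journal and profile.journal != entry["journal"]:
        return False
    if profile.only_if_unmatched and already_matched:
        return False
    return all(field_matches(pat, entry.get(fld, ""))
               for fld, pat in profile.criteria.items())


def variables(profile, entry):
    """Substitution variables: profile data, the entry fields, the raw JC/ET
    codes and the keys from the data field, as listed under the Messages tab."""
    subst = {"profile": profile.name, "description": profile.description,
             "JC": entry["journal_code"], "ET": entry["entry_type"]}
    subst.update(entry)
    subst.update(parse_data(entry["data"]))
    return subst


def evaluate(profiles, entries):
    """Run each entry through the profiles in configured order and collect alarms."""
    alarms = []
    for entry in entries:
        matched = False
        for profile in profiles:
            if not profile_matches(profile, entry, matched):
                continue
            matched = True
            subst = variables(profile, entry)
            text = Template(profile.text).safe_substitute(subst)
            key = Template(profile.suppression_key).safe_substitute(subst) or text
            alarms.append({"profile": profile.name, "level": profile.level,
                           "text": text, "suppression_key": key})
    return alarms


# Constructed profiles, listed in the order the probe would process them.
PROFILES = [
    Profile("password-failures", {"journal_code": "T", "entry_type": "PW"},
            "Invalid password for $user_name on $device (seq $sequence_number)",
            level="minor", suppression_key="pw/$user_name"),
    Profile("qsecofr-profile-changes", {"entry_type": "CP", "user_profile": "QSECOFR"},
            "QSECOFR changed user profile $object_name (type $type)"),
    Profile("other-profile-changes", {"entry_type": "CP"},
            "User profile $object_name changed by $user_profile",
            level="minor", only_if_unmatched=True),
]

if __name__ == "__main__":
    for alarm in evaluate(PROFILES, SAMPLE_ENTRIES):
        print(f"[{alarm['level']}] {alarm['profile']}: {alarm['text']}")
```

Run as a script, it raises one alarm per sample entry: the second CP entry is caught only by the general "other-profile-changes" profile because the QSECOFR-specific profile sits earlier in the order, while the first CP entry is not reported twice since the general profile has "Only if not matched by other profile" set. Swapping the two CP profiles would silently lose the QSECOFR-specific alarm, which is why the text warns that the profile ordering must be observed.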
How to enable auditing in iseries

The following information is taken from the security auditing section of the iseries Information Center (version 5, revision 4) on the ibm.com website.

Setting up auditing requires *AUDIT special authority. To set up security auditing, follow these steps:

1. Create a journal receiver in a library of your choice by using the Create Journal Receiver (CRTJRNRCV) command. This example uses a library called JRNLIB for journal receivers.

       CRTJRNRCV JRNRCV(JRNLIB/AUDRCV0001) +
                 TEXT('Auditing Journal Receiver')

   - Place the journal receiver in a library that is saved regularly. Do not place the journal receiver in library QSYS, even though that is where the journal will be.
   - Choose a journal receiver name that can be used to create a naming convention for future journal receivers, such as AUDRCV0001. You can use the *GEN option when you change journal receivers to continue the naming convention. Using this type of naming convention is also useful if you choose to have the system manage changing your journal receivers.
   - Specify a receiver threshold appropriate to your system size and activity. The size you choose should be based on the number of transactions on your system and the number of actions you choose to audit. If you use system change-journal management support, the journal receiver threshold must be at least 100 000 KB.
   - Specify *EXCLUDE on the AUT parameter to limit access to the information stored in the journal.

2. Create the QSYS/QAUDJRN journal by using the Create Journal (CRTJRN) command:

       CRTJRN JRN(QSYS/QAUDJRN) +
              JRNRCV(JRNLIB/AUDRCV0001) +
              MNGRCV(*SYSTEM) DLTRCV(*NO) +
              AUT(*EXCLUDE) TEXT('Auditing Journal')

   - The name QSYS/QAUDJRN must be used.
   - Specify the name of the journal receiver you created in the previous step.
   - Specify *EXCLUDE on the AUT parameter to limit access to the information stored in the journal. You must have authority to add objects to QSYS to create the journal.
   - Use the Manage receiver (MNGRCV) parameter to have the system change the journal receiver and attach a new one when the attached receiver exceeds the threshold specified when the journal receiver was created. If you choose this option, you do not have to use the CHGJRN command to detach receivers and create and attach new receivers manually.
   - Do not have the system delete detached receivers. Specify DLTRCV(*NO), which is the default. The QAUDJRN receivers are your security audit trail; ensure that they are adequately saved before deleting them from the system.

3. Set the audit level (QAUDLVL) system value or the audit level extension (QAUDLVL2) system value using the WRKSYSVAL command. The QAUDLVL and QAUDLVL2 system values determine which actions are logged to the audit journal for all users on the system.

4. Set action auditing for individual users if necessary using the CHGUSRAUD command.

5. Set object auditing for specific objects if necessary using the CHGOBJAUD and CHGDLOAUD commands.

6. Set object auditing for specific users if necessary using the CHGUSRAUD command.

7. Set the QAUDENDACN system value to control what happens if the system cannot access the audit journal.

8. Set the QAUDFRCLVL system value to control how often audit records are written to auxiliary storage.

9. Start auditing by setting the QAUDCTL system value to a value other than *NONE.

Note: The QSYS/QAUDJRN journal must exist before you can change the QAUDCTL system value to a value other than *NONE. When you start auditing, the system attempts to write a record to the audit journal. If the attempt is not successful, you receive a message and auditing does not start.