Many clients are required to document or report to auditors when specific commands or user actions occur. On the IBM i (i5/OS) running on IBM Power Systems (System i, iSeries), this includes what commands were issued, who issued the command, and what was changed. The ability to monitor, alert and report on user activities exists today.
Even if you're not required to report to internal or external auditors, you may find monitoring what users are doing on your system both worthwhile and informative. This document provides an introduction to setting up this feature, where to go to generate reports, and how to automate the same.
User Auditing Setup
If you're looking for action monitoring, that is, if you plan to track what commands and parameters your users have run over a certain time period, typically daily, then this is the document for you.
Initially, ensure that you have User Auditing enabled for the users that you need to monitor.
Using profile WILKIND as an example, we would run the following:
This will monitor any kind of event related to this user profile for which tracking is supported by the operating system. Using the value *ALL for the “User action auditing” setting will create the maximum amount of information. You can configure the values in correspondence with the auditing requirements.
Note: For command monitoring to be active, ensure that the “User action auditing” values contain the value *CMD.
When user auditing is configured in this manner, any command run by the user profile will create “CD” (Command) entries in the security audit journal. The security audit journal monitoring facility in QMessage Monitor converts these entries into UCD0002 messages.
Customize QMessage Monitor Alerts Generated by AUDJRN
With QMessage Monitor you can customize the messages that are generated from the security audit journal entries.
Use the following option from within the Auto-Reply maintenance function (QMM menu, option 05, select the F6 Other option from the Auto Reply Specification screen):
This provides two features:
-
Real-time Command Monitoring. As soon as the command is executed it becomes visible as a message in the QMessage Monitor console. You can perform escalation to sensitive commands, so that you get immediate notification that somebody is doing something that they shouldn’t.
-
Audit Reporting. You can now use the QMessage Monitor Message Log Inquiry to generate displays and reports of the activity.
Generating Reports – IBM i Command Monitoring
Using QMessage Monitor’s Message Log Inquiry, you can now generate reports on the specific activities which have been logged. From the QMessage Monitor menu, select the Activity Log option.
Below is an example of a report that shows all the command activity for user WILKIND on production system USCCS003 for today.
This inquiry now generates the following:
From there, selecting F21 Print will generate a hard-copy report:
You can also use filter rules in QMessage Monitor to reduce the number of commands being monitored if required; for example, you may not be interested in a user just running the GO command to launch a menu.
Setting up this kind of filtering in QMessage Monitor is pretty straightforward. There are some handy Self-Service Resources on our website to assist with this, as well as extensive product help text and the product manuals.
Automate Report Creation
The final requirement would be to be able to automate the creation of this kind of report.
If the date is always going to be *CURRENT, then we can save the selection as shown:
After pressing F6 Save the following screen opens. Create a relevant description and then press Enter.
Now in order to automate the creation of the report, schedule the following command to be run by the job scheduler you use (for example, the built-in job scheduler, the Advanced Job Scheduler, or a third-party product):
This particular command creates a report for commands run on the current day (*CURRENT). For further customization, you can obtain the SQL query behind the above command. This is done by selecting F24 from the Message Log Inquiry definition screen:
This now shows the full SQL statement that we are running:
