Audit Journal Events
Understanding the MSG ID
For Audit Journal events, message IDs are numbered according to the following scheme:
The first letter in the message ID:
T = Audit trail journal entries from QAUDJRN.
The second and third letters in the message ID:
The two-letter audit journal code of the entry (e.g., AF = Authority Failure).
The four-digit number at the end of the message ID:
For type T entries, the four digits give the subcode (the journal entry type) of the journal entry, expressed as the alphabetical position of the entry type letter (A = 0001, B = 0002, and so on). For example, entry type P is the 16th letter of the alphabet, so the PW entry for a password that is not valid is reported as TPW0016.
The following illustrates the message numbering of common Audit Journal event messages:
| Message ID | MSG |
|---|---|
| TPW0016 | Password not valid. |
| TCO0014 | Create of new object |
| TCP0001 | Change to a user profile |
| TSV0001 | Change to system values |
IP address of the originating client for audit journal entries
SIEM Agent events that begin with the letter T are entries that have been written to the security audit journal by the operating system.
In version 3.0, the originating client IP address is presented for all audit journal events where the journal entry provides it:
- Src = Always shows the IP address of the IBM i on which the event was generated and written to the journal.
- Dst = Where applicable, shows the IP address of the associated client.
This is most useful in password failure entries. Knowing the originating IP address can help you track down where attempts to hack the system or crack passwords are coming from.
Let's look at an example:
May 8 13:27:58 MYAS400 CEF:0|PowerTech|SIEM Agent|3.0|TPW0016|An invalid password was entered for user profile JERRYB.|2|src=10.0.1.185 dst=10.0.1.38 msg=TYPE:JRN CLS:IDS JJOB:QBASE JUSER:QSYS JNBR:003752 PGM:QWTMCMNL OBJECT: LIBRARY: MEMBER: DETAIL:P JERRYB QPADEV000B
- Src= 10.0.1.85 shows the IP address of the IBM i where this event was written to the journal.
- Dst= 10.0.1.38 shows the IP address of the personal computer that was connected to the IBM i.
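The message ID scheme and the src/dst convention above are easy to get backwards in a SIEM (dst, not src, is the originating client). The following added example, which is not part of the SIEM Agent product or this page's original material, decodes a message ID such as TPW0016 into its journal code and entry type letter, parses the CEF header and extension of the example line quoted above, and counts password-not-valid events per originating client. The sample event is embedded as a constructed string copied from the example; the names `decode_msg_id`, `split_cef`, `summarize` and `failed_logons_by_client` are this example's own. The cross-check that the DETAIL text begins with the same entry type letter as the message ID is an assumption about the entry layout taken from the one example line.

```python
"""Decode PowerTech SIEM Agent audit journal events (added example)."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: the event line quoted in the text, embedded here so the
# example runs offline instead of reading a live syslog feed.
SAMPLE_EVENT = (
    "May 8 13:27:58 MYAS400 CEF:0|PowerTech|SIEM Agent|3.0|TPW0016|"
    "An invalid password was entered for user profile JERRYB.|2|"
    "src=10.0.1.185 dst=10.0.1.38 msg=TYPE:JRN CLS:IDS JJOB:QBASE JUSER:QSYS "
    "JNBR:003752 PGM:QWTMCMNL OBJECT: LIBRARY: MEMBER: DETAIL:P JERRYB QPADEV000B"
)

CEF_HEADER_FIELDS = ("cef_version", "vendor", "product", "version",
                     "signature_id", "name", "severity")


@dataclass(frozen=True)
class AuditMsgId:
    source: str        # 'T' = audit trail entry from QAUDJRN
    journal_code: str  # two-letter audit journal code, e.g. 'PW'
    entry_type: str    # journal entry type letter, e.g. 'P'


def decode_msg_id(msg_id: str) -> AuditMsgId:
    """Split a message ID such as TPW0016 into its parts.

    The four-digit suffix is the alphabetical position of the journal entry
    type letter (0001 = 'A', ..., 0016 = 'P'), as the scheme above describes.
    """
    m = re.fullmatch(r"([A-Z])([A-Z]{2})(\d{4})", msg_id)
    if not m:
        raise ValueError(f"not a SIEM Agent message ID: {msg_id!r}")
    number = int(m.group(3))
    if not 1 <= number <= 26:
        raise ValueError(f"subcode {number} in {msg_id!r} is not a letter A-Z")
    return AuditMsgId(m.group(1), m.group(2), chr(ord("A") + number - 1))


def _split_labeled(text: str, label_re: str) -> dict:
    """Cut text into {label: value} at each label match; values keep spaces."""
    hits = list(re.finditer(label_re, text))
    out = {}
    for i, hit in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(text)
        out[hit.group(1)] = text[hit.end():end].strip()
    return out


def split_cef(line: str) -> tuple:
    """Return (header fields, extension key/values) for one CEF syslog line.

    Header fields are '|'-separated (a literal pipe is escaped as '\\|'); the
    extension holds key=value pairs whose values may contain spaces (msg=...).
    """
    start = line.index("CEF:")
    parts = re.split(r"(?<!\\)\|", line[start:], maxsplit=len(CEF_HEADER_FIELDS))
    if len(parts) != len(CEF_HEADER_FIELDS) + 1:
        raise ValueError("malformed CEF header")
    header = dict(zip(CEF_HEADER_FIELDS, parts))
    header["cef_version"] = header["cef_version"][len("CEF:"):]
    return header, _split_labeled(parts[-1], r"(?<!\S)([A-Za-z][\w.]*)=")


def parse_msg(msg: str) -> dict:
    """Parse the msg= extension into its LABEL:value fields (DETAIL keeps spaces)."""
    return _split_labeled(msg, r"(?<!\S)([A-Z]+):")


def summarize(line: str) -> dict:
    """Normalize one event: which system wrote it, which client it came from, what type."""
    header, ext = split_cef(line)
    mid = decode_msg_id(header["signature_id"])
    fields = parse_msg(ext.get("msg", ""))
    detail = fields.get("DETAIL", "")
    return {
        "journal_code": mid.journal_code,
        "entry_type": mid.entry_type,
        "name": header["name"],
        "severity": int(header["severity"]),
        # Direction matters here: src is the IBM i that wrote the entry,
        # dst is the originating client (the reverse of most CEF sources).
        "system_ip": ext.get("src"),
        "client_ip": ext.get("dst"),
        "job": f"{fields.get('JNBR')}/{fields.get('JUSER')}/{fields.get('JJOB')}",
        "detail": detail,
        # Assumption (from the one example line): the entry-specific DETAIL
        # text starts with the same entry type letter the message ID encodes.
        "detail_matches_type": detail.startswith(mid.entry_type + " "),
    }


def failed_logons_by_client(lines) -> Counter:
    """Count TPW0016 (PW type P, password not valid) events per originating client."""
    counts = Counter()
    for line in lines:
        s = summarize(line)
        if s["journal_code"] == "PW" and s["entry_type"] == "P":
            counts[s["client_ip"] or "unknown"] += 1
    return counts


if __name__ == "__main__":
    # Constructed second event: the same line with a different client address.
    events = [SAMPLE_EVENT, SAMPLE_EVENT.replace("dst=10.0.1.38", "dst=10.0.1.77")]
    print(summarize(SAMPLE_EVENT))
    print(failed_logons_by_client(events))
```

Feeding real syslog output into `failed_logons_by_client` gives a per-client count of password-not-valid entries keyed on dst, which is the field this page identifies as the client address; grouping on src instead would only ever report the IBM i itself.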