iSeries Security AgentUser Guide
6.0VMC-SEC
VISUAL Message Center iSeries Security Agent User Guide
The software described in this book is furnished under a license agreement and may be used only in
accordance with the terms of the agreement.
Copyright Notice
Copyright © 2013 Tango/04 All rights reserved.
Document date: June 2012
Document version: 2.31
Product version: 6.0
No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language or computer language, in any form or by any means, electronic mechani-cal, magnetic, optical, chemical, manual, or otherwise, without the prior written permission of Tango/04.
Trademarks
Any references to trademarked product names are owned by their respective companies.
Technical Support
For technical support visit our web site at www.tango04.com.
Tango/04 Computing Group S.L.
Avda. Meridiana 358, 5 A-B
Barcelona, 08027
Spain
Tel: +34 93 274 0051
Table of Contents
Table of Contents
Table of Contents .............................................................................. iii
How to Use this Guide........................................................................vi
Chapter 1
Introduction ..................................................................................... 11.1. Protecting Your Systems with iSeries Security Agent.....................................1
1.2. System Security Objectives ............................................................................2
1.3. Project Examples ............................................................................................2
1.4. The Importance of a Security Policy ...............................................................3
1.5. Deploying Security Policies using OS/400 tools .............................................4
1.6. Real-Time and Historical Security Auditing.....................................................4
1.7. Unique Features of the iSeries Security Agent ...............................................6
Chapter 2
OS/400 Auditing Mechanism.............................................................. 82.1. OS/400 Security Auditing ...............................................................................8
2.2. OS/400 Auditing Issues ..................................................................................8
2.3. Action Auditing ................................................................................................9
2.4. Object Auditing................................................................................................9
2.5. OS/400 References ........................................................................................9
© 2013 Tango/04 Computing Group Page iii
Table of Contents
Chapter 3
Working with the iSeries Security Agent ............................................. 103.1. Installing the iSeries Security Agent .............................................................10
3.2. Configuring Security Auditing: Main Menu....................................................10
3.3. Starting the Security Monitor.........................................................................11
3.3.1. Checking Security Monitor Jobs..............................................................11
Chapter 4
Configuring Action Auditing .............................................................. 124.1. Main Menu ....................................................................................................12
4.2. Entry Types...................................................................................................13
4.3. Send to Journal, System-Wide .....................................................................14
4.4. Send to Journal, per-User.............................................................................14
4.5. Send to VISUAL Message Center SmartConsole.........................................14
4.6. Select Users to Audit ....................................................................................15
4.7. Working with Action Auditing Filtering ..........................................................15
4.8. General Considerations ................................................................................15
Chapter 5
Configuring Object Auditing .............................................................. 165.1. Main Menu ....................................................................................................16
5.2. Object Actions to be Audited.........................................................................17
5.2.1. Object Auditing State in System .............................................................17
5.2.2. Option......................................................................................................17
5.2.3. Entry Type...............................................................................................18
5.2.4. Text .........................................................................................................18
5.2.5. Send to VMC Console.............................................................................18
5.2.6. Filtered ....................................................................................................18
5.3. Work with Libraries .......................................................................................19
5.4. Work with Objects .........................................................................................20
5.5. Work with Users............................................................................................21
5.6. Work with Object Auditing Filters ..................................................................22
Chapter 6
Working with Audit Filters................................................................. 246.1. Defining Filter Conditions..............................................................................25
6.2. Filter Conditions ............................................................................................25
© 2013 Tango/04 Computing Group Page iv
Table of Contents
6.3. Logical Expressions ......................................................................................25
6.4. Examples ......................................................................................................27
6.4.1. Example 1 ...............................................................................................27
6.4.2. Example 2 ...............................................................................................28
6.4.3. Example 3 ...............................................................................................28
6.4.4. Example 4 ..............................................................................................28
Chapter 7
Monitoring Your System Security with VISUAL Message Center SmartConsole ......................................................... 29
7.1. Example - Monitoring Changes to System Values........................................30
7.2. Example - Checking Spool File Access ........................................................33
7.3. Example – Creating New User Profiles.........................................................38
Chapter 8
Security Agent Express...................................................................... 42Appendices
Appendix A: OS/400 Auditing Categories ........................................... 44
Appendix B: OS/400 Entry Types....................................................... 54
Appendix C: Complete List of Messages for V7R1................................. 58
Appendix D: Notes Regarding Audit Journal Management.................... 83D.1. Disk Space Management .............................................................................83
D.2. Locks ............................................................................................................83
D.3. Damaged Journals .......................................................................................83
D.4. More Information ..........................................................................................83
Appendix E: Working with SmartConsole Messages ............................. 84
Appendix F: Contacting Tango/04...................................................... 85
About Tango/04 Computing Group .................................................... 87
Legal Notice .................................................................................... 88
© 2013 Tango/04 Computing Group Page v
How to Use this Guide
© 2013 Tango/04 Computing Group Page vi
How to Use this Guide
This chapter explains how to use Tango/04 User Guides and understand the typographical conventions
used in all Tango/04 documentation.
Typographical Conventions
The following conventional terms, text formats, and symbols are used throughout Tango/04 printed
documentation:
Convention Description
Boldface Commands, on-screen buttons and menu options.
Blue Italic References and links to other sections in the manual or further documentation containing relevant information.
Italic Text displayed on screen, or variables where the user must substitute their own details.
Monospace Input commands such as System i commands or code, or text that users must type in.
UPPERCASEKeyboard keys, such as CTRL for the Control key and F5 for the function key that is labeled F5.
Notes and useful additional information.
Tips and hints that will improve the users experience of working with this product.
Important additional information that the user is strongly advised to note.
Warning information. Failure to take note of this information could potentially lead to serious problems.
Introduction
Chapter 11 Introduction
In this document, you will learn how to work with the VISUAL Message Center iSeries Security Agent.
First, we will define the scope of the product and its uses; then, you will learn how to configure and work
with the product.
In this manual, any changes from the last version of the manual are indicated with a bar in the left
margin, as shown here.
1.1 Protecting Your Systems with iSeries Security AgentSecurity is a very wide topic in IT. Threats to system security can come from internal and external
sources, they can be physical or virtual, and they can use any form of network protocol. Many products
on the market claim to be security products, so it is important to define what each product will do to
protect the security of your systems and data.
You should consider the iSeries Security Agent as one of the most comprehensive and powerful
security auditing and alerting products for the IBM eServer iSeries. A large part of its value and
functionality comes from its integration as part of the VISUAL Message Center product suite. The iSeries
Security Agent can also be integrated with many other types of software security products.
Figure 1 – iSeries Security Agent gives a comprehensive protection to your data and applications, effectively enhancing the external defences provided by external or internal firewalls.
Now we will consider security in general terms, and then see how the iSeries Security Agent can help
you to achieve your security objectives.
© 2013 Tango/04 Computing Group Page 1
Introduction
1.2 System Security ObjectivesSystem security has three important objectives:
Confidentiality:
• Protecting against disclosing information to unauthorized people.
• Restricting access to confidential information.
• Protecting against curious system users and outsiders.
Integrity:
• Protecting against unauthorized changes to data.
• Restricting manipulation of data to authorized programs.
• Providing assurance that data is trustworthy.
Availability:
• Preventing accidental changes or destruction of data.
• Protecting against attempts by outsiders to abuse or destroy system resources.
These objectives are extremely critical, as failure to keep sensitive data confidential may result in loss of
business, government fines, or other problems. Disruptions caused by a security failure have also a high
price tag, as the cost of downtime is increasing.
1.3 Project ExamplesSeveral projects can benefit from the deployment of iSeries Security Agent, including:
• Protecting data to ensure its confidentiality, integrity, and availability
• Compliance with FDA 21 CFR – Part 11 regarding resource access auditing
• Compliance with European Privacy Laws (such as the Spanish LOPD)
• Compliance with HIPAA Security Standards regarding information systems activity reviews,
security incident procedures, etc.
• Compliance with ISO/IEC 17799:2000 regarding operations management, resource access
auditing and confidentiality
• Compliance with British Standard 7999 regarding information systems management, resource
access auditing and confidentiality
• Compliance with internal and external auditing standards and other existing and future
regulations
iSeries Security Agent helps you to achieve these goals in different ways. Basically, it can monitor the
behaviour of all the users in the system at any time, including normal and suspicious activity, data
access, etc., and it provides different mechanisms to act upon and review the collected data, including
real-time alerts, automated actions, incident recording, and graphical business impact analysis.
If you need specific assistance in your security project, please contact an authorized Tango/04
Computing Group Business Partner.
© 2013 Tango/04 Computing Group Page 2
Introduction
Figure 2 – iSeries Security Agent is a “Big Brother” that monitors all system activity and rapidly alerts the appropriate parties of suspicious behavior and deviations.
1.4 The Importance of a Security PolicyThe basis of all security projects is a security policy. The following is a definition of a security policy from
Whatis.com:
“In business, a security policy is a document that states in writing how a company plans to protect the
company's physical and information technology assets. A security policy is often considered to be a
"living document", meaning that the document is never finished, but is continuously updated as
technology and employee requirements change. A company's security policy may include an acceptable
security policy, a description of how the company plans to educate its employees about protecting the
company's assets, an explanation of how security measurements will be carried out and enforced, and a
procedure for evaluating the effectiveness of the security policy to ensure that necessary corrections will
be made.”
Note that the security policy is a living document; and that in order to successfully develop a security
policy, measurement of success or auditing is vital. The iSeries Security Agent will help you here.
In this sense, security can be considered as an ongoing project, involving three complementary phases:
planning; configuration and setting; and auditing.
Figure 3 – The three phases of Security Policies deployment
© 2013 Tango/04 Computing Group Page 3
Introduction
1.5 Deploying Security Policies using OS/400 toolsUsually, you will implement your security policies with OS/400-provided tools. The most important tool
the Operating System provides is an embedded, object-based authorization system. Granting or
revoking object access to certain users can secure the system. Nevertheless, there are different ways in
which a user can try to defeat the authorization system. First, the application can have undetected holes
in its security authorization scheme (which is common with certain third-party applications). Programs
may inherit access privileges that are higher than the individual user. A user can get access to an
unsecured command that can grant him / her more privileges. A password for a powerful user profile can
be obtained using different methods. A programmer may use an unauthorized interface (such as DFU,
Data File Utility) to modify a sensitive file.
No matter how well designed and deployed your security schema is, you must verify that
nothing compromises it. For example, a user profile created late at night or a system value change
could render your security schema useless. Modern hackers use “Social Engineering” to get their foot in
the door: they pose as employees, system administrators, or Help Desk personnel to get user names
and passwords or other relevant data from innocent workers. Or a dissatisfied employee, who plans to
leave soon, may be tempted to delete application objects, copy confidential data, or publish salary
information on a Web site. Any suspicious action must be immediately detected.
iSeries Security Agent excels in the way you can detect all the actions that can be considered
suspicious. You can set customized policies at a very detailed level, receive real time alerts, and
automatically execute actions when a problem arises (such as disabling access for a particular user),
effectively shielding your system against common security threats.
1.6 Real-Time and Historical Security AuditingThe basic goal of Security Auditing is to continuously evaluate your security planning and policies,
identify weaknesses, and cover limitations, specifically:
• Ensure that your security policy protects your company’s resources adequately.
• Detect unauthorized attempts to access your system and your company's information.
• Detect attempted security violations and application problems related to authorizations.
• Reduce average time for problem resolution.
• Detect system vulnerabilities.
• Plan migration to a higher security level.
• Monitor the use of sensitive objects, such as confidential files.
© 2013 Tango/04 Computing Group Page 4
Introduction
Figure 4 – iSeries Security Agent can show you customized dashboards or “command centers” where the status of a security threat can be easily spotted using color-coded icons.
Examples of possible violations that you can detect with iSeries Security Agent include:
• Failed attempts to access sensitive information or objects
• Suspicious accesses to sensitive files (for example, after normal working hours, or by using an
unsupported interface like DFU)
• Alterations to system objects and commands
• Alterations to application programs
• Problems with applications related to security
• Unauthorized creation and alteration of user profiles
• Unauthorized alteration of access privileges
• Programs that are granted higher access privileges or system status
• Suspicious access to sensitive objects or spool files
• User profile switches
• Suspicious saves or restores
• Unauthorized usage of powerful system tools (like DST)
In the past, lack of adequate technology forced security auditing to be performed in a historical fashion.
Today, technology provides for instantaneous detection and immediate reaction to security threats.
iSeries Security Agent, in combination with the SmartConsole, allows you to do both: get detailed
historical information from the console (for example, of user authorization failures) or by using a
powerful Reporting System and Event Navigation system, and to get alerted to any suspicious action in
real-time.
Even if you are not a security expert, iSeries Security Agent will help you set the desired auditing level
for your iSeries systems by navigating intuitive and easy to use PDM-like panels. Powerful filters let you
collect and see only relevant events. To work and review security events, you can use the advanced
© 2013 Tango/04 Computing Group Page 5
Introduction
Event Lists from the SmartConsole. You can create your own views for logical, geographical, or physical
groups, if desired, in different dashboards or “command centers”.
You can create a hierarchy of these groups to easily detect the business impact of security events. You
can set comprehensive escalation lists and receive alerts through various notification methods, including
e-mail and GSM-based SMS (Short Messaging System). You will also be able to automatically set
almost any action to protect your systems from malicious use, using familiar OS/400 commands.
Figure 5 – iSeries Security Agent can show hierarchical views of your systems. Security events can be shown alone, or can be mixed, if desired, with Service Levels, Business Continuity, or other
information.
At the SmartConsole, you will be able to correlate and group events from several systems together. You
can even receive security alerts and logs from different platforms, such as Windows or Unix/Linux. You
can also categorize and prioritize events and actions based on a wide number of variables, including
event repetitions and pattern matching. iSeries Security Agent gives you unparalleled power with a short
learning curve.
1.7 Unique Features of the iSeries Security AgentThe iSeries Security Agent performs all of the above tasks, with significant added value. Unique features
of the iSeries Security Agent include:
• Full OS/400 Auditable Action Coverage: More than 70 different actions are covered, with
more than 500 different messages produced, including traditional and IFS object and
configuration auditing, as well as full SNA and TCP/IP network activity, clustering and Java
object actions. iSeries Security Agent covers all OS/400 auditable events up to V7R1.
• Configuration Wizard: All the complexity of setting up OS/400 security is masked. No
expertise needed, meaning fewer configuration mistakes, faster deployment, and less costly
maintenance.
• Custom Filters on the iSeries Side: Because the iSeries Security Agent uses ALEV
(Arithmetic-Logic Expression eValuator), you can efficiently customize the product to your
security needs, no matter how unique – thereby discarding unwanted data. More granularity on
policy definitions means saved disk space, reduced network traffic, and fewer messages to be
reviewed, increasing operator productivity.
© 2013 Tango/04 Computing Group Page 6
Introduction
• Plain English Messages: iSeries Security Agent shows plain English explanatory text instead
of complex technical jargon, making it easy for you to assess the real impact of each event.
Each event text can be further customized at the iSeries or Console side at your convenience.
• Enriched Messages: More information in every message, including original journal entry type
code and description, severity, user, accounting code, user group, user class, real user (for
ODBC / JDBC jobs), remote IP address, and more. Through powerful pre-processing filters,
further enrichment is possible.
• Flexible Reporting System: Create your own schedulable, customized reports – including
outputs to Web-based format (HTML), PDF, RTF, etc.
• Advanced Real Time Alerts: Through SmartConsole, you can be alerted of iSeries security
events in real-time with clear diagnostic information. From the SmartConsole, you can then
program automatic replies, send the message to staff via SMS and e-mail escalation lists (or
use multimedia files to show how to solve a problem), and even intelligently detect suspicious
or repetitive events using the SmartConsole’s advanced pattern matching and duplicate event
suppression.
In summary, the iSeries Security Agent can:
• Alert you in real time to any weakness or system intrusion
• Take automated actions to auto-protect your system from damage
• Integrate with other critical system management functionality
© 2013 Tango/04 Computing Group Page 7
OS/400 Auditing Mechanism
Chapter 2 2 OS/400 Auditing Mechanism
The iSeries Security Agent uses OS/400’s auditing mechanisms to provide you with real-time and
historical system auditing.
In this chapter we will summarize the nature of OS/400’s auditing. In the following chapter, we will
describe how iSeries Security Agent works with the OS/400 auditing.
2.1 OS/400 Security Auditing OS/400 can log security events that occur on your system; they are recorded in special objects called
journal receivers.
The security auditing function is optional, and you must take specific steps to set it up. System values
and specific commands control which events are logged.
2.2 OS/400 Auditing IssuesOS/400 auditing configuration is not easy. There are many commands, system values, and interrelations
among them. Additionally, due to lack of filter support, you must deal with large amounts of raw data.
Another issue is the lack of real-time monitoring. There are few native tools, and reporting is the only
thing you can do. These reports can be done daily, but often they are produced only monthly, and in
some cases they are never inspected.
Due to the fact that auditing is not linked to actions, when trouble occurs it is often too late by the time
you find out.
Configuring auditing in OS/400 is very complex and involves working with many commands and system
values. The iSeries Security Agent takes all that complexity out of the process, insulating you from the
technical details and providing an easy to use interface for working with OS/400 auditing. This includes:
• Filter options to reduce the amount of data collected
• Enrichment of auditing messages to provide more information for operators
• Integration with messaging console
The iSeries Security Agent does not offer any raw functionality that is not already offered by OS/400.
However, it does add substantial additional value to OS/400’s auditing functionality.
Auditing should be divided into two sections: action auditing and object auditing.
© 2013 Tango/04 Computing Group Page 8
OS/400 Auditing Mechanism
2.3 Action AuditingAction Auditing is the action to log system-wide security-relevant events, and is available at system-level
and/or at user-level. Examples include:
• User profile changed
• User profile created
• Object restore
• Actions to spooled files
2.4 Object AuditingObject Auditing is the action to log specific object-related security-relevant events, and is available at
system-level and/or user-level. Available actions are:
• Only for Object Changes
• All Accesses to Object
2.5 OS/400 References• iSeries Security Reference Manual SC41-5302
• Tips and Tools for Securing your AS/400 SC41-5300
© 2013 Tango/04 Computing Group Page 9
Working with the iSeries Security Agent
Chapter 3 3 Working with the iSeries Security Agent
3.1 Installing the iSeries Security AgentYou install the iSeries Security Agent as part of the VISUAL Message Center product suite. For
information on installation and activation, see the installation instructions for the product.
Remember to install VISUAL Message Center SmartConsole. The SmartConsole displays, filters, and
correlates iSeries Security Agent events and includes a full-featured Reporting System.
3.2 Configuring Security Auditing: Main MenuAfter you have installed the product in the B_DETECTOR library, you can access the main menu using the
following command:
GO MENU(B_DETECTOR/SECMAIN)
Figure 6 – Main iSeries Security Agent product menu
This screen gives you the main options for working with the product. We will look at the main product
options, that is, Actions to be audited and Objects to be audited.
Note
Tango/04 or our partners can provide professional installation assistance and provide you
with expert advice. We can also demonstrate the most important concepts in operating the
product so you don’t even need to read this manual at all!
© 2013 Tango/04 Computing Group Page 10
Working with the iSeries Security Agent
3.3 Starting the Security MonitorIn order to receive security events from the iSeries Security Agent in the VISUAL Message Center
SmartConsole, you must start the security monitor job. Enter the command:
B_DETECTOR/STRSECMON
You can also enter option 12 to start the job SECMONITOR running in the T4NICELINK subsystem.
CHGSECMON allows you to change the Security Agent’s configuration values. You can specify whether you
want Security Agent to start up automatically in the specified subsystem with AUTOSTART and specify the
starting point for retrieving security auditing events. You can specify *TODAY (retrieve events from today
or from the last event retrieved in a previous execution of Security Agent) or *NOW (only retrieve events
generated from the last time Security Agent was started).
3.3.1 Checking Security Monitor JobsYou can check the security monitor job at any time by entering option 15: ”Check Monitor Activity” in the
iSeries Security Agent menu.
Tip
Another way to start the job SECMONITOR is to enter the command GO T4NICELINK/
T4NICELINK and then select the corresponding option. From there, you can access all of
our product menus.
© 2013 Tango/04 Computing Group Page 11
Configuring Action Auditing
Chapter 4 4 Configuring Action Auditing
Action Auditing is the action to log system-wide security-relevant events, and is available at system-level
and/or user-level. Examples of security-relevant events are the changing or creation of user profiles,
object restore, and actions to spooled files.
VISUAL Message Center iSeries Security Agent can be used to audit all actions in real time with alerts
and reporting.
For a complete list of types of events available, see Appendix B: OS/400 Entry Types on page 54.
For more information on OS/400’s auditing capabilities, see the following IBM manuals:
• iSeries Security Reference Manual SC41-5302
• Tips and Tools for Securing your AS/400 SC41-5300
4.1 Main MenuFrom the main menu, enter option 1 to view the “Work with actions to be audited” screen, giving you a
list of all the audit entry types available, and their current status:
Figure 7 – Configuring Action Auditing: Main Screen
© 2013 Tango/04 Computing Group Page 12
Configuring Action Auditing
This highly user-friendly interface lets you configure OS/400 auditing and provides the added benefit of
allowing messages to be redirected to the VISUAL Message Center SmartConsole for alerts and
automated actions.
Furthermore, messages received by the VISUAL Message Center SmartConsole are enriched,
providing additional information not provided by normal OS/400 auditing.
4.2 Entry TypesOS/400 classifies Action security events by Entry Type, such as AD (Auditing Changes) and AF
(Authority Failure). Entries are well defined by OS/400 and are unchangeable.
For example, AD (Auditing Changes) is grouped into the *SECURITY category. If you enable or disable
the AD Entry Type, all of the *SECURITY entries will be included (CA, CP, DS…). Strictly speaking, you
cannot enable or disable an Entry Type: the option will be applied to the whole category. A list of
supported Entry Types is shown in Appendix B: OS/400 Entry Types on page 54.
When you change any Entry Type configuration, you will be advised of other Entry Types that will be
changed:
Figure 8 – Change Status of Entry Type
For each Entry Type, you can take the following actions:
10 / 11 - Enable / disable send to journal
20 - Auditing by user
Tip
If a text description is cut off at the end of a line, enter option 8 on that line to view the entire
description.
Important
OS/400 classifies entry types in categories called “Action Auditing Values.” Each category
represents an auditing option for the QAUDLVL system value, which controls the level of
auditing on the system. Because of this, you cannot enable or disable the auditing status for
a single entry type. Therefore, the option will be applied on the whole entry type’s category.
OS/400’s auditing categories are described in Appendix A: OS/400 Auditing Categories on
page 44.
© 2013 Tango/04 Computing Group Page 13
Configuring Action Auditing
30 / 31 - Enable / disable send to console
40 - Work with filters
4.3 Send to Journal, System-WideThis defines, for specific entry type related events, the auditing status at a system-wide level. This
means that journaling has been activated by OS/400, but does not necessarily mean that events will be
received at the SmartConsole (see below).
System-wide level means the action will be audited for any user generating the event. Use options 10 or
11 to toggle the value (remember the Action Auditing Categories).
Possible values are:
• *YES: the Entry Type is being logged system-wide
• *NO: the Entry Type is not being logged system-wide
• N/A: the auditing is not available at a system-wide level; it is available only at a per-user level.
4.4 Send to Journal, per-UserThis defines, for specific entry type related events, the auditing status at a user level. Per-user level
means that the action will be audited only for a specific set of users generating the event. Note that this
setting only makes sense if the value for “Send to Journal, System-Wide” is set to *No or N/A.
Options:
• Use option 20 to define for which users the security events will be logged
• Refresh the field value using F4 (optimized to avoid long waits)
Possible values are:
• *ALL: the Entry Type is being logged for every system user (same as system-wide)
• *SOME: the Entry Type is being logged only for some specific user(s)
• *NONE: the Entry Type is not being logged at per-user level.
• N/A: the auditing is not available at a per-user level, only at a system-wide level.
For more details see section 4.6 – Select Users to Audit.
4.5 Send to VISUAL Message Center SmartConsoleYou can enable system auditing, but not have all messages forward to the SmartConsole. Use this
option to specify which events you want to forward to the SmartConsole database to be monitored.
More specifically, this option defines if an Entry Type will be sent to the A first level of filtering to define if
you want an Entry Type to be retrieved or not.
Use options 30 or 31 to toggle the value.
Possible values are:
• *YES: the Entry Type events will be sent to the SmartConsole, if being logged by OS/400
• *NO: The Entry Type events will not be sent to the SmartConsole, despite whether they are
being logged or not.
© 2013 Tango/04 Computing Group Page 14
Configuring Action Auditing
An Entry Type can be monitored by SmartConsole if:
• Send to VISUAL Message Center SmartConsole = *YES (required) AND
• Send to Journal System-Wide = *YES (optional) OR
• Send to Journal per-User = *ALL (optional) OR
• Send to Journal per-User = *SOME (optional)
4.6 Select Users to AuditThe iSeries Security Agent allows you to perform user-specific auditing. Note that this setting only
makes sense if the value for “Send to Journal, System-Wide” is set to *No or N/A.
Figure 9 – A list of all user profiles existing in the system is shown.
Use Option 10 and 11 to enable or disable the logging for a specific user.
4.7 Working with Action Auditing Filtering Filters are used by Action Auditing and Object Auditing. See Chapter 6 - Working with Audit Filters on
page 24.
4.8 General Considerations• Use Action Auditing when you want to log system-wide events
• Easy configuration: no need to know system commands or values
• Filter support: flexible and powerful to give you only the information you need
User filters
Global filters
Entry Type filters
Important
Remember the Action Auditing Categories - the same applies here - if you enable a user for
a specific Entry Type, you are enabling it for all the events belonging to a specific Action
Auditing Category.
© 2013 Tango/04 Computing Group Page 15
Configuring Object Auditing
Chapter 5 5 Configuring Object Auditing
Object auditing is the action of logging specific object-related security-relevant events, and is available
at a system-level and/or at user-level. You can create or access a database file, although auditing can
be applied to any object type.
Filters offer you a high level of granularity because you can customize them to your specific needs. For
example, you can filter by date, time, or user to ensure that unauthorized users do not access a specific
object after business hours or during the weekend. You can also ensure that specific objects are not
used from a specified peak time, such as 2 to 3 p.m. for example.
Available actions:
• Only for Object Changes
• All Accesses to Object
5.1 Main Menu
Figure 10 – Main Window of iSeries Security Agent
Object auditing is very powerful, but it must be focused. Plan your target well (for example, an entire
library, a specific set of objects, or specific users, or a specific entry types to be audited). If you do not
use auditing carefully, you can generate a very large amount of data, therefore, it is important to be
© 2013 Tango/04 Computing Group Page 16
Configuring Object Auditing
conscious of resource issues such as disk space and CPU usage. Do not cut corners by deciding to
audit everything.
Although object auditing offers great granularity, it is a challenge to configure and maintain it, because
the audit status has to be defined at object level.
To address this issue, the Object actions to be audited, the Work with Libraries and the Work with
Objects screens allows you to easily identify and configure the auditing status of your objects with an
intuitive interface.
5.2 Object Actions to be AuditedSelect option 1 to work with Entry types to be audited, and then, you will see this screen below, which
displays the available entry types to work with them:
Figure 11 – The Object actions to be audited screen, enables you to access and configure the auditing of system security-relevant objects.
5.2.1 Object Auditing State in System This information shows the object auditing state currently defined for your system. You can use
F11=Toggle Object Auditing State to change this value.
Possible values are:
• *OFF: the object auditing is not enabled and no object auditing events will be logged in your
system.
• *ON: the object auditing is enabled and object auditing events will be logged for those objects
having an active object auditing status.
To select an option, type the option number in the list area Option and press Enter.
5.2.2 OptionUse this column to perform different operations in individual entry types. Type a valid option number next
to an entry type and press Enter.
You can type the same option next to more than one entry type simultaneously, and you can also type
different option values next to different elements at the same time. Select one of the following options:
© 2013 Tango/04 Computing Group Page 17
Configuring Object Auditing
8=Display text
Use this option to display the detailed text description provided for each entry type.
30=Enable Send to Console
Use this option to enable the sending of entry type events audited to the SmartConsole database.
Object auditing must also be enabled at system wide (Use F11 to toggle this value *ON/*OFF). You can
use this option for those entry types having a value of *NO for the column Send to VMC Console.
Entering this option for an entry type already having a value of *YES for the column Send to VMC
Console will produce no effect.
31=Disable Send to Console
Use this option to disable the sending of entry type events to the SmartConsole database. You can use
this option for those entry types having a value of *YES for the column Send to VMC Console. Entering
this option for an entry type already having a value of *NO for the column Send to VMC Console will
produce no effect.
40=Work with Filters
Use this option to access the Work with Filter by Entry Type screen: the screen allows you to configure
filter conditions for a specific entry type. Once the configuration is done and you return to this screen,
press F5 (Refresh) to have your changes reflected in the 'Filtered' column.
5.2.3 Entry TypeThis column contains the available entry types that can be audited. You cannot add or delete entry
types, because they are defined by OS/400.
5.2.4 TextA text description is provided for each entry type.
5.2.5 Send to VMC ConsoleIndicates if the entry type related events would be sent to the VISUAL Message Centre database in
order to be monitored from the SmartConsole. Only those entry types having this value at *YES could be
monitored by the SmartConsole.
Possible values are:
• *YES: the entry type events will be sent to the SmartConsole, if they are being logged at
system-wide.
• *NO: the entry type events will not be sent to the SmartConsole, despite whether they are being
logged or not at the OS/400 level.
5.2.6 FilteredDefines if a filter condition has been configured for this entry type.
Possible values are:
• *YES: one or more set of filter conditions has been configured for this entry type.
• *NO: no filter condition exists for this entry type.
© 2013 Tango/04 Computing Group Page 18
Configuring Object Auditing
5.3 Work with LibrariesSelect option 5 to work with auditing by library, and then select the libraries to work with, as in a PDM
interface. You will see this screen below, which displays the status of the selected libraries:
Figure 12 – Working with Libraries
Note the SYSVAL QCRTOBJAUD. This is the current value of the system value QCRTOBJAUD: it defines the
auditing status of new objects created in a library having its Create Object Auditing value (CRTOBJAUD)
set to *SYSVAL. You can change this value using the OS/400’s CHGSYSVAL or WRKSYSVAL commands.
The following options are available:
2=Change to *NONE
Use this option to change to *NONE the Create Object Auditing value for the specified libraries: this value
will determine the object auditing status for the new objects created in the library.
A value of *NONE means that no auditing events will be logged for the objects that will be created in the
library.
3=Change to *CHANGE
Use this option to change to *CHANGE the Create Object Auditing value for the specified libraries: this
value will determine the object auditing status for the new objects created in the library.
A value of *CHANGE means that all changes accessed by all users will be logged for the objects that will
be created in the library.
4=Change to *ALL
Use this option to change to *ALL the Create Object Auditing value for the specified libraries: this value
will determine the object auditing status for the new objects created in the library.
A value of *ALL means that all changes or read accesses by all users will be logged for the objects that
will be created in the library.
5=Change to *USRPRF
Use this option to change the Create Object Auditing value for the specified libraries to *USRPRF: this
value will determine the object auditing status for the new objects created in the library.
© 2013 Tango/04 Computing Group Page 19
Configuring Object Auditing
A value of *USRPRF means that the auditing for the objects that will be created in the library will be
determined by the OBJAUD value of the user profile that is performing the action on the object.
6=Change to *SYSVAL
Use this option to change the Create Object Auditing value for the specified libraries to *SYSVAL: this
value will determine the object auditing status for the new objects created in the library.
A value of *SYSVAL means that the auditing for the objects that will be created in the library will be
determined by the QCRTOBJAUD system value.
F11=Toggle
The Object auditing state in system option must be toggled ON for any object auditing to take place.
Press F11 to toggle between ON and OFF.
12=Work with Objects
Use this option to access the Work with Objects screen; in this screen you can define the object auditing
status for the objects located in a specific library.
22=Work with Users
Use this option to access the Work with Users screen; in this screen you can define the object auditing
status at user level that will be used for objects with the auditing status of *USRPRF.
5.4 Work with ObjectsThe Work with Objects screen also has a PDM look and feel, allowing you to view object audit status at
a glance. You can make changes with a direct option. Possible values are:
• *ALL: Every access to an object will be logged
• *CHANGE: Changes to an object will be logged
• *USRPRF: User profile will determine if actions on object will be logged or not
• *NONE: No action on object will be logged
Note
This new value only applies to new objects that you create. To change the value of pre-
existing objects, please see section 5.4 - Work with Objects on page 20.
© 2013 Tango/04 Computing Group Page 20
Configuring Object Auditing
Figure 13 – Working with Objects
2=Change to *NONE
Use this option to change to *NONE the auditing status for the specified objects. A value of *NONE means
that no auditing events will be logged for these objects.
3=Change to *CHANGE
Use this option to change to *CHANGE the auditing status for the specified objects. A value of *CHANGE
means that all changes accesses by all users will be logged for these objects.
4=Change to *ALL
Use this option to change to *ALL the auditing status for the specified objects. A value of *ALL means
that all changes or read accesses by all users will be logged for these objects.
5=Change to *USRPRF
Use this option to change to *USRPRF the auditing status for the specified objects. A value of *USRPRF
means that the auditing for these objects will be determined by the OBJAUD value of the user profile that
is performing the action on the objects.
F11=Toggle
The Object auditing state in system option must be toggled ON for any object auditing to take place.
Press F11 to toggle between ON and OFF.
12=Work with Users
Use this option to go directly to the Work with Users screen.
5.5 Work with UsersThe Work with Users screen defines auditing actions to take place for objects with *USRPRF status.
Possible values are:
• *ALL: Every access to *USRPRF objects will be logged for the specified user
• *CHANGE: Changes to *USRPRF objects will be logged for the specified user
• *NONE: No action on *USRPRF objects will be logged for the specified user
© 2013 Tango/04 Computing Group Page 21
Configuring Object Auditing
Figure 14 – Working with Users
2=Change to *NONE
Use this option to change to *NONE the auditing status for the specified user profiles. A value of *NONE
means that no auditing events will be logged for those objects having the auditing status value *USRPRF.
3=Change to *CHANGE
Use this option to change to *CHANGE the auditing status for the specified user profiles. A value of
*CHANGE means that all changes accesses will be logged for those objects having the auditing status
value *USRPRF.
4=Change to *ALL
Use this option to change to *ALL the auditing status for the specified user profiles. A value of *ALL
means that all changes or read accesses will be logged for those objects having the auditing status
value *USRPRF.
5.6 Work with Object Auditing FiltersObject Auditing uses the same filter interface and behaves in the same way as Action Auditing filters.
You can create and manage the filter conditions to control specifically what information and which
events are sent to the VISUAL Message Center SmartConsole. Each time an auditing action is
retrieved, the application checks to see if global filter conditions exist and parses them. If the action
passes this first level of filtering, then filter conditions for that specific entry type are applied (if they
exist). If no conditions are defined at a global or entry type level, all the events retrieved by the
application are sent to the VISUAL Message Center console.
To work with the object auditing filters at a global level go to the main menu of Object Auditing and
choose Option 2 “Work with filters for object auditing”. To work with the filter conditions at entry-type
level choose option 1 “Object actions to be audited”. Next select option 40 for each entry type.
Note
Any change in the auditing value of objects by user will only take effect in new jobs for that
user that start or connect the user from that moment onwards. For example, if an interactive
session is already started before you make a change, the change will not be taken into
account.
© 2013 Tango/04 Computing Group Page 22
Configuring Object Auditing
For more information about working with filters see the following chapter, Working with Audit Filters.
Note
Currently, global filters are available for Action and Object auditing-related security events.
Entry type filters are only available for Action auditing.
© 2013 Tango/04 Computing Group Page 23
Working with Audit Filters
Chapter 6 6 Working with Audit Filters
Filters help you clean up the tons of raw data that can be generated by the auditing functionality. The
iSeries Security Agent features powerful filtering rules that allow you to pinpoint auditing, capturing only
truly relevant auditing events.
Filters are processed with minimal resource use. Thousands of events can be efficiently handled per
second.
The two levels of filtering are:
Global filters
• Applied to every action-auditing and object-auditing event
• Use F6 to define them
Entry Type specific filters
• Applied to a specific entry type action-auditing events
• Use option 40 to define them
Action auditing is a particularly useful feature. For example, you can ensure that you are notified if
security values are changed. This is a potentially dangerous situation and it is important for you to be
notified if this happens at once.
Each time an auditing event is logged and retrieved, the application first checks if global filter conditions
exist and then parses them. If the event passes this first level of filtering, then filter conditions for that
specific entry type are applied (if they exist). Any event that matches the specific entry type filter is sent
to the SmartConsole. Also, if no conditions are defined at global and entry-type level, all the events
logged and retrieved by the application will be sent to the SmartConsole. For more detail see the
document VISUAL Message Center SmartConsole Architecture included in the installation.
You can define exclusion and/or inclusion filters. Exclusion conditions are checked first - an event will
pass an exclusive filter condition if the expression contained in it is false; otherwise, the event is
discarded.
When all the exclusive filter conditions have been checked, inclusion conditions are parsed. An event
passes an inclusive filter condition if the expression contained in it is true; otherwise, the event is
discarded.
You can enter a brief description that allows you to easily understand the purpose of a specific filter
condition.
© 2013 Tango/04 Computing Group Page 24
Working with Audit Filters
A filter condition can be deactivated and then reactivated again without deleting and losing it.
Press F6 to create a new condition.
6.1 Defining Filter Conditions
Figure 15 – Define a filter condition
Enter a filter description to easily identify its purpose.
Press F4 at any time to get a list of available variables.
Create simple or complex condition using standard expressions.
Use F22 to set the filter as include or exclude.
6.2 Filter ConditionsThe Filter Condition screen allows you to create, display or change a specific filter condition for an entry
type or at a global level.
Global filters are available for Action and Object auditing related events, while entry type filters are
available for action auditing only.
A filter condition consists of:
• A condition type attribute, which defines if it is an exclusive or inclusive condition
• A filter description that allows you to easily understand which is the purpose of this condition
• A valid logical expression
6.3 Logical ExpressionsBasically, an expression consists of a set of variables, constant values and logical operators; it’s called
logical because its result is always true or false.
You can use a set of variables defined by the application; press F4=Select Variable to get a list of the
available variables. A variable name must begin with the symbol &.
© 2013 Tango/04 Computing Group Page 25
Working with Audit Filters
Below is a brief explanation of the variables you can use:
Variable Description
&JOBNAME The name of the job that caused the audit entry
&JOBNBR The job number
&JOBUSER The user profile name associated with the job
&JRNSTRING
Security events audited by the system are categorized in entry types and logged in a special object called “journal receiver”. Each entry type consists of a header containing common fields for all the entry types, followed by “entry-specific data” with a different layout for each entry type.
There are different versions of this header for different Operating Systems. iSeries Security Agent selects the appropriate header based on the version of iSeries Security Agent and the version of the Operating System. If iSeries Security agent is version 5.70 or higher and the Operating System version is V5R2M0 or greater the agent uses the header TYPE5. In all other cases the Security Agent uses header TYPE4.
Both headers consist of a number of fixed-length characters. Type5 contains 609 characters, whereas TYPE4 contains 233 characters.
The variable &JRNSTRING represents the “entry-specific data” which follows these headers, for each event audited by the system. For detailed descriptions of each entry type layout see the manual “OS/400 Security Reference – SC41-5302”. To find the position in a &JRNSTRING of some of the fields in the “entry-specific data” of an entry type simply subtract the header length (223 for TYPE4 and 609 for TYPE5) from the offset documented in the manual “OS/400 Security Reference – SC41-5302”.
Example: you want to retrieve authority failure (Entry Type=AF) security events only for those objects contained in library ‘ABC’ in an iSeries with OS version V5R3 and iSeries Security Agent ver-sion 5.73. In this case header TYPE5 applies.
Referring to the manual “OS/400 Security Reference – SC41-5302”, you can see that the offset for the “Library Name” field is 621; subtracting 609 (header length) from the library offset, we get a value of 12.
So, the regular expression would look like this:
(SUBSTR(&JRNSTRING,12,10) = 'ABC') AND / OR…
Note: There is no need to change your expressions that use &JRN‐STRING when you change Operating System version or upgrade iSeries Security Agent, as the position of the fields after subtracting the header length remains the same, regardless of what header type applies.
&STRINGLEN Length of the entry specific data (length of JRNSTRING)
&SYSNAME The name of the system
© 2013 Tango/04 Computing Group Page 26
Working with Audit Filters
The following variables are available for object auditing only:
6.4 ExamplesHere are some examples of logical expressions using additional functions:
6.4.1 Example 1Events generated in jobs with user profile starting with the letter D and during the fifth week of the
month:
(&USRPRF LIKE('D*')) AND (WEEKOFMONTH(&TIMESTAMP) = 5)
&TIMESTAMP
Date and time that the entry was made. You can use a rich set of functions to retrieve specific values:
DAY - Returns the day number, an integer from 1 to 31.
(DAY(&TIMESTAMP) = 3) AND / OR …
DAYNAME - Returns the name of the day.
(DAYNAME(&TIMESTAMP) = ‘Monday’) AND / OR …
DAYOFWEEK - Returns the day of the week, an integer from 1 (Sun-day) to 7 (Saturday).
(DAYOFWEEK(&TIMESTAMP) <> 1) AND / OR …
HOUR - Returns the hour, an integer from 0 to 23.
(HOUR(&TIMESTAMP) >= 8) AND / OR …
MINUTE - Returns the minute, an integer from 0 to 59.
MONTH - Returns the month, an integer from 1 to 12.
(MONTH(&TIMESTAMP) = 1) AND / OR …
MONTHNAME - Returns the name of the month.
(MONTHNAME(&TIMESTAMP) = ‘July’) AND / OR …
SECOND - Returns the seconds, an integer from 0 to 59.
WEEKOFMONTH - Return the week of the month, an integer from 0 to 5.
(WEEKOFMONTH(&TIMESTAMP) = 1) AND / OR …
WEEKOFYEAR - Return the week of the year, an integer from 1 to 53.
(WEEKOFYEAR(&TIMESTAMP) <> 27) AND / OR …
YEAR - Returns the year.
&USRPRF
The name of the “execution user profile”. Often this value will be the same as the &JOBUSER variable. The execution user profile is used under some special circumstances, for example in ODBC jobs: ODBC are pre-started jobs initially “owned” by a generic IBM’s user profile (QUSER, QSYS…). When a user connects, entering his user and password for authority checking, the system swaps the job cre-ation profile to the new execution profile: this new user profile will be used to determine the privileges and the authorizations for this ODBC connection.
Variable Description
Variable Description
&LIBNAMEThe name of the library that contains the object that is being audited.
&OBJNAME The name of the object that is being audited.
&OBJTYPE The type of the object that is being audited.
© 2013 Tango/04 Computing Group Page 27
Working with Audit Filters
6.4.2 Example 2Events generated by user profile CHARLES after 10:00 p.m.:
(&JOBUSER = 'CHARLES') AND (TIME(&TIMESTAMP) > #22:00:00#)
6.4.3 Example 3Events generated in jobs having the name PAYROLL after the 20th of March 2002:
(&JOBNAME = 'PAYROLL') AND ((DATE(&TIMESTAMP) >= #02/03/20#))
6.4.4 Example 4 Object auditing events only for the object called “EMPLOYEES” in library “PAYROLL” type “*FILE”:
(&LIBNAME = 'PAYROLL') AND (&OBJNAME = 'EMPLOYEES') AND (&OBJTYPE = '*FILE')
There are many more functions. For more information, see the ALEV (Arithmetic-Logic Expression
eValuator) Reference Manual.
© 2013 Tango/04 Computing Group Page 28
Monitoring Your System Security with VISUAL Message Center SmartConsole
Chapter 7 7 Monitoring Your System Security with VISUAL
Message Center SmartConsole
Once you have defined the events that you would like to audit on the iSeries, and started the security
monitor, you can start to receive those events at the SmartConsole.
The SmartConsole is shown below:
Figure 16 – VISUAL Message Center SmartConsole
The new Business Views allow us to group messages and events for specific “business” or technological
areas. The icons in the left pane of the main SmartConsole window are Business Shortcuts; these help
you instantly check for important events, as the color will change from green to blue, yellow or red
according to the criticalness of messages received. The second pane contains your Business Network,
effectively a business impact analyzer where you can create and organize your Business Views into
folders that reflect the structure of your enterprise. The third pane is dedicated to the Message Grid,
where you can see the messages of the currently selected Business View.
© 2013 Tango/04 Computing Group Page 29
Monitoring Your System Security with VISUAL Message Center SmartConsole
In this case, it is great for grouping security messages – regardless of which user, subsystem, job etc.
they come from.
Now we can look at some examples of working with alarms and automated actions with the
SmartConsole and the iSeries Security Agent.
7.1 Example - Monitoring Changes to System ValuesIn this example, we want to monitor for a possible unauthorized change to the QSECURITY system value
(now set to 50). If it happens, you will automatically restore QSECURITY to its original value; additionally,
you will expel the user from the system, ending the job that issued the action and disabling the user
profile.
Figure 17 – Work with Actions to be Audited
Note that the SV Entry Type has been enabled at a system-wide level and Send to VISUAL Message
Center Console has been enabled as well.
To investigate the alarm definition, we reproduced the message to see its structure; in order to do it, we
changed the system value and then restored it to its original value. You may not be able to do this on
your production system: possibly you could do so on a non-production partition.
Note
All events received from the iSeries Security Agent have the agent code “AUD”.
© 2013 Tango/04 Computing Group Page 30
Monitoring Your System Security with VISUAL Message Center SmartConsole
Figure 18 – Message Received by the SmartConsole
The screenshot above shows us the message as received by the SmartConsole.
Figure 19 – Variables in the Message Variables Tab
The Variables tab shows us the message variables. Now we can create the filter formula to use in the
SmartConsole. We will trigger an action if:
© 2013 Tango/04 Computing Group Page 31
Monitoring Your System Security with VISUAL Message Center SmartConsole
Figure 20 – Advanced ALEV Filter Editor
We can go even further: you can consider some additional filters. For example, if you know that QSECOFR
is the only user that should be authorized to perform this task:
Figure 21 – Adding Additional Filters with ALEV
Figure 22 – QSECURITY Alarm
Now we can set the action for this alarm:
© 2013 Tango/04 Computing Group Page 32
Monitoring Your System Security with VISUAL Message Center SmartConsole
Figure 23 – Setting Actions for the Alarm
This will change the QSECURITY system value back to its original value (&VAR04), end the job that
changed the system value, and disable that user profile.
The security breach has been protected against automatically and the suspect user profile has been
disabled.
Of course, you can also configure an alarm for the security officer to alter him / her to the danger.
7.2 Example - Checking Spool File AccessIn this example, we have a spool file called SALARY that should only be read by the User Group
PAYROLL. We may want to ensure that users with *ALLOBJ but who are not part of PAYROLL group are
not accessing this file.
We want an alarm that sends an SMS or e-mail to the security officer. He or she can then use VISUAL
Support to watch that user.
© 2013 Tango/04 Computing Group Page 33
Monitoring Your System Security with VISUAL Message Center SmartConsole
Figure 24 – Checking Spool File Access
Note the SF Entry Type. This controls access to spool files. This auditing entry type has been enabled
system wide with no user filter. It is also being sent to the SmartConsole.
To reproduce the auditing event now, we will first create a dummy spool file called SALARY. Run the
following commands to create the file:
OVRPRTF FILE(QSYSPRT) SPLFNAME(SALARY)
CPYF FROMFILE(MYLIB/EXAMPLE) TOFILE(*PRINT)
DLTOVR FILE(QSYSPRT)
The FROMFILE parameter should refer to a physical file (you can create a temporary one in QTEMP). In
our example we have used MYLIB/EXAMPLE.
Note that if you read the spool file with a user profile that is different from the user profile that created the
spool file, the Operating System only generates an event for the SF entry type. Therefore we will enter in
an interactive session with a new user and we will read the recently create Salary spool file.
Figure 25 – Work with All Spooled Files
The following figure shows an example of the message you should receive at the SmartConsole:
© 2013 Tango/04 Computing Group Page 34
Monitoring Your System Security with VISUAL Message Center SmartConsole
Figure 26 – Example of the Message You Should Receive at the VISUAL Message Center SmartConsole
And below you can see the messages variables received at the SmartConsole:
Figure 27 – Messages Variables Received at the SmartConsole
Now we can create the filter to trigger the alarm:
© 2013 Tango/04 Computing Group Page 35
Monitoring Your System Security with VISUAL Message Center SmartConsole
Figure 28 – Create a Filter to Trigger the Alarm
Also you may consider, for example, adding the output queue to the filter formula:
Figure 29 – Adding the Output Queue to the Filter Formula
Figure 30 – Salary Spool File Alarm
Now let’s configure the action for this alarm: send a mail to the security officer.
© 2013 Tango/04 Computing Group Page 36
Monitoring Your System Security with VISUAL Message Center SmartConsole
Figure 31 – Configuring the Action for an Alarm
Figure 32 – Configuration to Send the Security Officer an E-Mail
Now the Security Officer will receive an e-mail alert every time that spool file is accessed by anyone who
is not part of the PAYROLL user group. As the alert will be in real-time, the Security Officer can
immediately take action to prevent that user from abusing the information in the file.
© 2013 Tango/04 Computing Group Page 37
Monitoring Your System Security with VISUAL Message Center SmartConsole
7.3 Example – Creating New User ProfilesA user other than the security officer creates a new user profile. The security officer wants to receive an
e-mail with a spool file output of the new user profile created. That way he/she can see the authorization
granted, and also knows which user created the new profile.
If that user is suspicious then they can take action – that could be an IT action e.g. delete user
profile…or it could be physical action, e.g. go to the user’s office and ask some questions!
To receive an event about an object creation, you have to enable the CO Entry Type:
Figure 33 – Creating New User Profiles
Next, you will see an example of the message you receive when a user profile has been created:
Figure 34 – Message Received when a User Profile is Created
And following are the message variables:
© 2013 Tango/04 Computing Group Page 38
Monitoring Your System Security with VISUAL Message Center SmartConsole
Figure 35 – Message Variables
Now, create the filter to trigger the alarm only if a user not belonging to the SECOFFICER user group has
created the profile:
Figure 36 – Creating the Filter to Trigger an Alarm
© 2013 Tango/04 Computing Group Page 39
Monitoring Your System Security with VISUAL Message Center SmartConsole
Figure 37 – E-Mail Sent to the Security Officer about the Created User
We want the action to send an e-mail to the security officer: the e-mail will contain information about the
created user (&VAR02):
Figure 38 – Information about User Profile Creation
Select the Retrieve spool files option to retrieve the spool file output, and that will be sent by e-mail.
© 2013 Tango/04 Computing Group Page 40
Monitoring Your System Security with VISUAL Message Center SmartConsole
Figure 39 – Information the Security Officer Receives
Now, the Security Officer can detect the creation of any user profile, receive information required to
diagnose whether that is a valid user profile or whether it could represent a security breach.
© 2013 Tango/04 Computing Group Page 41
Security Agent Express
Chapter 88 Security Agent Express
Security Agent Express users to process auditing entries stored in specific journal receivers. It is
common for journal receivers containing old entries to not be kept in your system, but backed up and
stored elsewhere. Due to a number of reasons, for example external audits to fulfill regulations, users
might need to restore those receivers and use VISUAL Message Center Security Agent to process their
entries, which is made possible by using Security Agent Express.
The default execution mode of Security Agent is *MONITOR. B_DETECTOR/STRSECMON MODE(*MONITOR)
or just B_DETECTOR/STRSECMON can also be used.
Figure 40 – Default Execution Mode of Security Agent
Users can also set the Execution Mode parameter to *EXPRESS.
To set the Execution Mode parameter to *EXPRESS:
Step 1. Specify the initial and ending journal receivers of the chain you want to process
Step 2. Once Security Monitor Express has processed all specified receivers, the job monitor
SECMONITOR ends
© 2013 Tango/04 Computing Group Page 42
Security Agent Express
Figure 41 – Setting Execution Mode to *EXPRESS
To process just one receiver, use the same process for From Receiver as To Receiver, or just leave To
Receiver blank.
Note
The chain of receivers between the initial and ending receivers must not be broken. In this
case, the monitor will end without processing any entry, and, as with other possible errors,
you should display the joblog of job SECMONITOR to check what happened.
Note
Security Monitor Express is not a separate monitor apart from Security Monitor, but a new
execution mode of the same job SECMONITOR, that runs in the T4NICELINK subsystem. This
means that both of them are not able to run at the same time.
© 2013 Tango/04 Computing Group Page 43
Appendix A : OS/400 Auditing Categories
Appendix A Appendix A: OS/400 Auditing Categories
*NONE
No auditing occurs on the system.
*ATNEVT
The following attention events are logged:
Potential intrusions being detected
Affected actions:
*AUTFAIL
The following authorization failures are audited:
All access failures (sign-on, authorization, job submission)
Incorrect password or user ID entered from a device
Affected actions:
Entry Type Tango/04 Queue Name
IM *INTRUSMON
Entry Type Tango/04 Queue Name
AF *AUTFAIL
X1 * IDTOKEN
CV *CNCTVRIFY
DI *DIRSRV
GR *GENREC
IP *INTPRCCMN
KF *KEYRINGF
PW *INVPWD
© 2013 Tango/04 Computing Group Page 44
Appendix A : OS/400 Auditing Categories
*CMD
The system logs commands strings run by a user
Affected actions:
*CREATE
Objects created into library QTEMP are not audited. The following object creates are audited:
Newly-created objects
Objects created to replace an existing object
Affected actions:
*DELETE
All deletions of external objects on the system are audited.
Objects deleted from library QTEMP are not audited.
Affected actions:
*JOBDTA
The following actions that affect a job are audited:
VC *CNTSTREND
VN *LOGNTWRK
VO *VALISTACT
VP *NETPWDERR
XD *XDIRSRV
Entry Type Tango/04 Queue Name
Entry Type Tango/04 Queue Name
CD *COMMAND
Entry Type Tango/04 Queue Name
CO *CREATEOBJ
DI *DIRSRV
XD *XDIRSRV
Entry Type Tango/04 Queue Name
DO *DELETEOBJ
DI *DIRSRV
XD *XDIRSRV
© 2013 Tango/04 Computing Group Page 45
Appendix A : OS/400 Auditing Categories
Job start and stop data
Hold, release, stop, continue, change, disconnect, end, end abnormal, PSR-attached to
prestart job entries
Affected actions:
*NETCMN
All violations detected by the APPN firewall function are audited. The two journal entry types are:
NE - Auditing of End point filter violations
ND - Auditing of Directory search filter violations
When using V5R3M0 the *NETCMN auditing category is subdivided into four subcategories:
*NETBAS: Network base functions.
*NETCLU: Cluster and cluster resource group operations.
*NETFAIL: Network failures.
*NETSCK: Socket tasks.
Affected entry types and corresponding subcategory:
• CU *NETCLU
• CV *NETBAS
• IR *NETBAS
• IS *NETBAS
• ND *NETBAS
• NE *NETBAS
• SK *NETFAIL, *NETSCK
Affected actions:
Entry Type Tango/04 Queue Name
JS *JOBACTION
SG *ASYNCSGN
VC *CNTSTRENT
VN *LOGNTWRK
VS *SRVSES
Entry Type Tango/04 Queue Name
CU *CLSTEROPS
CV *CNCTVRIFY
IR *IPACTIONS
IS *INTSECMNG
© 2013 Tango/04 Computing Group Page 46
Appendix A : OS/400 Auditing Categories
*OBJMGT
The following generic object tasks are audited:
Moves of objects
Renames of objects
Affected actions:
*OFCSRV
The following OfficeVision/400 tasks are audited:
Changes to the system distribution directory
Tasks involving electronic mail
Affected actions:
*OPTICAL
The following optical functions are audited:
Add or remove optical cartridge
Change the authorization list used to secure an optical volume
Open optical file or directory
Create or delete optical directory
Change or retrieve optical directory attributes
Copy, move, or rename optical file
Copy optical directory
Back up optical volume
Initialize or rename optical volume
Convert backup optical volume to a primary volume
Save or release held optical file
Absolute read of an optical volume
ND *APPCDPFV
NE *APPCEPFV
SK *SECSOCKCN
Entry Type Tango/04 Queue Name
Entry Type Tango/04 Queue Name
DI *DIRSRV
OM *OBJMOVE
Entry Type Tango/04 Queue Name
ML *OFMAILACT
SD *SYSDTRCHG
© 2013 Tango/04 Computing Group Page 47
Appendix A : OS/400 Auditing Categories
Affected actions:
*PGMADP
Adopting authority from a program owner is audited.
Affected actions:
*PGMFAIL
The following program failures are audited:
Blocked instruction
Validation value failure
Domain violation
Affected actions:
*PRTDTA
The following printing functions are audited:
Printing a spooled file
Printing with parameter SPOOL(*NO)
Affected actions:
*SAVRST
The following save and restore information is audited:
When programs that adopt their owner's user profile are restored
When job descriptions that contain user names are restored
When ownership and authority information changes for objects that are restored
When the authority for user profiles is restored
When a system state program is restored
Entry Type Tango/04 Queue Name
O1 *OPACSNGL
O2 *OPACDUAL
O3 *OPACVOLUM
Entry Type Tango/04 Queue Name
AP *ADOPTING
Entry Type Tango/04 Queue Name
AF *AUTFAIL
Entry Type Tango/04 Queue Name
PO *PRINTOUT
© 2013 Tango/04 Computing Group Page 48
Appendix A : OS/400 Auditing Categories
When a system command is restored
When an object is restored
Affected actions:
*SECURITY
All security-related functions are audited, including:
Changes to object authority
Create, change, delete, and restore operations of user profiles
Changes to object ownership
Changes to programs (CHGPGM) that will now adopt the owner’s profile
Changes to system values and network attributes
Changes to subsystem routing
When the QSECOFR password is reset to the shipped value by DST
When the DST security officer password is requested to be defaulted
Changes to the auditing attribute of an object
When using V5R3M0 you will find the *SECURITY auditing category is subdivided into eight
subcategories:
*SECCFG: Security configuration.
*SECRUN: Security run time functions.
*SECSCKD: Socket descriptors.
*SECIPC: Changes to inter-process communications.
*SECVFY: Use of verification functions.
*SECLVLD: Changes to validations list objects.
*SECNAS: Network authentication services actions.
*SECDIRSRV: Changes or updates when doing directory service functions.
The affected entry types and their corresponding subcategories are:
• AD*SECCFG
• AU*SECCFG
Entry Type Tango/04 Queue Name
OR *OBJRST
RA *AUTCHANGE
RJ *RSTUSRJBD
RO *OBJOWNCHG
RP *RSTPGMADP
RQ *RSTCRQDOB
RU *RSTUSPAUT
RZ *RSTPGPCHG
© 2013 Tango/04 Computing Group Page 49
Appendix A : OS/400 Auditing Categories
• CA*SECRUN
• CP*SECCFG
• CQ*SECCFG
• CV*SECCFG, *SECRUN, *SECSCKD, *SECIPC, *SECVFY, *SECVLDL, *SECNAS,
• *SECDIRSRV
• CY*SECCFG
• DI*SECDIRSRV
• DO*SECCFG
• DS*SECCFG
• EV*SECCFG
• GR*SECCFG
• GS*SECSCKD
• IP*SECIPC
• JD*SECCFG
• KF*SECCFG
• NA*SECCFG
• OW*SECRUN
• PA*SECCFG
• PG*SECRUN
• PS*SECVFY
• SE*SECCFG
• SO*SECCFG
• SV*SECCFG
• VA*SECCFG
• VO*SECVLDL
• VU*SECCFG
• X0*SECNAS
• X1*SECVFY
Affected actions:
Entry Type Tango/04 Queue Name
AD *AUDCHANGE
AU *ATRCHANGE
CA *AUTCHANGE
© 2013 Tango/04 Computing Group Page 50
Appendix A : OS/400 Auditing Categories
*SERVICE
The following commands and API calls are audited:
Dump Document Library Object (DMPDLO)
Dump Object (DMPOBJ) and Dump System Object (DMPSYSOBJ)
Print Error Log (PRTERRLOG)
CP *USRPRFCHG
CQ *CRQDCHG
CV *CNCTVRIFY
CY *CRYPTCFG
DI *DIRSR
DO *DELETEOBJ
DS *DSTPWD
EV *ENVVAR
GR *GENREC
GS *SOCKETS
IP *INTPRCCMN
JD *JOBDCHG
KF *KEYRINGF
NA *NETATRCHG
OW *OBJOWNCHG
PA *PGMADP
PG *OBJPGPCHG
PS *PRFSWAP
SE *SBSRTECHG
SO *SRVSECUIA
SV *SYSVALCHG
VA *ACTLLCHG
VO *VALISTACT
VU *NETPRFCHG
X0 *NETAUTENT
X1 *IDTOKEN
Entry Type Tango/04 Queue Name
© 2013 Tango/04 Computing Group Page 51
Appendix A : OS/400 Auditing Categories
Print Internal Data (PRTINTDTA)
Start Copy Screen (STRCPYSCN)
Start, End, Print, and Delete Communications Trace
Start Service Job (STRSRVJOB): the commands that act on the serviced job do not produce
an audit record.
Start System Service Tools (STRSST): one entry is sent when the STRSST is used to enter
the service tools.
Start Trace (STRTRC) and End Trace (ENDTRC)
Trace Connection (TRCCNN)
Trace Internal (TRCINT)
Trace TCP Application (TRCTCPAPP)
Control Device (QTACTLDV) API
Control Trace (QWTCTLTR) API
Set Trace (QWTSETTR) API
Affected actions:
*SPLFDTA
The following spooled file functions are audited:
Create a spooled file
Delete a spooled file
Display a spooled file
Copy a spooled file
Get data from a spooled file (QSPGETSP)
Hold a spooled file
Release a spooled file
Change spooled file attributes (CHGSPLFA command)
Affected actions:
*SYSMGT
The following system management tasks by an audited user are audited:
Hierarchical file system registration
Changes for Operational Assistant functions
Changes to the system reply list
Changes to the DRDA relational database directory
Entry Type Tango/04 Queue Name
ST *SERVTOOLS
VV *SRVSTSCHG
Entry Type Tango/04 Queue Name
SF *SPOOLFILE
© 2013 Tango/04 Computing Group Page 52
Appendix A : OS/400 Auditing Categories
Network file operations
Affected actions:
Entry Type Tango/04 Queue Name
DI *DIRSRV
SM *SYSMGTCHG
VL *ACCLMTEXC
© 2013 Tango/04 Computing Group Page 53
Appendix B : OS/400 Entry Types
Appendix B Appendix B: OS/400 Entry Types
Entry Type
Tango/04 Queue Name
Description Auditing Category
AD *AUDCHANGE Auditing changes *SECCFG
AF *AUTFAIL Authority failure *AUTFAIL, *PGMFAIL
AP *ADOPTINGObtaining adopted authority
*PGMADP
AU *ATRCHANGE Attribute changes *SECCFG
CA *AUTCHANGE Authority changes *SECRUN
CD *COMMAND Command string audit *CMD
CO *CREATEOBJ Create object *CREATE
CP *USRPRFCHGUser profile changed, created, or restored
*SECCFG
CQ *CRQDCHG Change of *CRQD object *SECCFG
CU *CLSTEROPS Cluster Operations *NETCLU
CV *CNCTVRIFY Connection verification
*AUTFAIL, *NET‐BAS, *SECCFG, *SECRUN, *SECSCKD, *SECIPC, *SECVFY, *SECLVLD, *SECNAS, *SECDIRSRV
CY *CRYPTCFGCryptographic configura-tion
*SECCFG
DI *DIRSRV Directory Services
*AUTFAIL, *CREATE, *DELETE, *OBJMGT, *SECDIRSRV, *SYS‐MGT
DO *DELETEOBJ Delete object *DELETE, *SECCFG
DS *DSTPWDDST security password reset
*SECCFG
© 2013 Tango/04 Computing Group Page 54
Appendix B : OS/400 Entry Types
EV *ENVVARSystem environment variables
*SECCFG
GR *GENREC Generic Record *AUTFAIL, *SECCFG
GS *SOCKETSSocket description was given to another job
*SECSCKD
IM *INTRUSMON Intrusion Monitor *ATNEVT
IP *INTPRCCMNInter Process Communi-cation
*AUTFAIL, *SECIPC
IR *IPACTIONS IP Rules Actions *NETBAS
IS *INTSECMNGInternet Security Man-agement
*NETBAS
JD *JOBDCHGChange to user parame-ter of a job description
*SECCFG
JS *JOBACTION Actions that affect jobs *JOBDTA
KF *KEYRINGF Key Ring File *AUTFAIL, *SECCFG
LD *LNKDIRELink, unlink, or look up directory entry
*CHANGE
ML *OFMAILACTOffice services mail actions
*OFCSRV
NA *NETATRCHGNetwork attribute changed
*SECCFG
ND *APPCDPFVAPPN directory search filter violation
*NETBAS
NE *APPCEPFVAPPN end point filter violation
*NETBAS
OM *OBJMOVE Object move or rename *OBJMGT
OR *OBJRST Object restore *SAVRST
OW *OBJOWNCHGObject ownership changed
*SECRUN
O1 *OPACSNGL(Optical Access) Single File or Directory
*OPTICAL
O2 *OPACDUAL(Optical Access) Dual File or Directory
*OPTICAL
O3 *OPACVOLUM (Optical Access) Volume *OPTICAL
PA *PGMADPProgram changed to adopt authority
*SECCFG
PG *OBJPGPCHGChange of an object's primary group
*SECRUN
PO *PRINTOUT Printed output *PRTDTA
PS *PRFSWAP Profile swap *SECVFY
Entry Type
Tango/04 Queue Name
Description Auditing Category
© 2013 Tango/04 Computing Group Page 55
Appendix B : OS/400 Entry Types
PW *INVPWD Invalid password *AUTFAIL
RA *AUTCHANGEAuthority change during restore
*SAVRST
RJ *RSTUSRJBDRestoring job description with user profile speci-fied
* SAVRST
RO *OBJOWNCHG Change of object owner during restore
* SAVRST
RP *RSTPGMADPRestoring adopted authority program
* SAVRST
RQ *RSTCRQDOB Restoring a *CRQD object * SAVRST
RU *RSTUSPAUTRestoring user profile authority
* SAVRST
RZ *RSTPGPCHGChanging a primary group during restore
* SAVRST
SD *SYSDTRCHGChanges to system dis-tribution directory
*OFCSRV
SE *SBSRTECHGSubsystem routing entry changed
*SECCFG
SF *SPOOLFILE` Actions to spooled files *SPLFDTA
SG *ASYNCSGN Asynchronous signals *JOBDTA
SK *SECSOCKCNSecure Sockets connec-tions
*NETFAIL
SM *SYSMGTCHGSystem management changes
*SYSMGT
SO *SRVSECUIAServer security user information actions
*SECCFG
ST *SERVTOOLS Use of service tools *SERVICE
SV *SYSVALCHG System Values Changes *SECCFG
VA *ACTLLCHGChanging an access control list
*SECCFG
VC *CNTSTRENDStarting or ending a con-nection
*AUTFAIL, *JOBDTA
VF *CLSSRVFIL Closing server files *CHANGE
VL *ACCLMTEXC Account limit exceeded *SYSMGT
VN *LOGNTWRKLogging on and off the network
*AUTFAIL, *JOBDTA
VO *VALISTACT Validation list actions *AUTFAIL, *SECVLDL
VP *NETPWDERR Network password error *AUTFAIL
Entry Type
Tango/04 Queue Name
Description Auditing Category
© 2013 Tango/04 Computing Group Page 56
Appendix B : OS/400 Entry Types
VR *NETRSCACSNetwork resource access
*CHANGE
VS *SRVSESStarting or ending a server session
*JOBDTA
VU *NETPRFCHGChanging a network pro-file
*SECCFG
VV *SRVSTSCHG Changing service status *SERVICE
X0 *NETAUTENT Network Authentication *SECNAS
X1 *IDENTOKEN Identity Token *AUTFAIL, *SECVFY
XD *XDIRSRVDirectory Server Exten-sion
*AUTFAIL, *CREATE, *DELETE
YC *DLOOBJCHGDLO Object accessed (change)
*CHANGE
YR *DLOOBJRDDLO Object accessed (read)
*ALL
ZC *OBJCHANGE Change to Object *CHANGE
ZR *OBJREAD Read of Object *ALL
Entry Type
Tango/04 Queue Name
Description Auditing Category
© 2013 Tango/04 Computing Group Page 57
Appendix C : Complete List of Messages for V7R1
Appendix C Appendix C: Complete List of Messages for V7R1
The following is a list of the messages supplied by the product to help you in your planning. Additional
information for each message, such as second level help text and replacement variables formats (such
as Object Name and Object Library for audited objects) can be obtained from the AUDMSG00S
message file in the B_DETECTOR library, or by reviewing message details at the SmartConsole.
Additionally, extended information about the event is stored in the operational data warehouse, like the
real user who produced the event.
Each entry type generates a message with a Message ID (such as AAD0004). This Message ID starts
with an A, followed by the entry type (such as AD), and a 4-digit number (such as 0004).
Message ID
Severity Message Text
AAD0004 30Auditing of &20 DLO in folder path &22 was changed with CHGDLOAUD command.
AAD0015 30Auditing of &2 object in library &3, type: &4 was changed with CHGOBJAUD command.
AAD0019 30The scan attribute of the &2 object was changed using CHG-ATR command or the Qp0lSetAttr API, or when the object was created.
AAD0021 30Auditing for &2 user was changed with CHGUSRAUD com-mand.
AAF0001 30Attempt made to access object &2 in library &3, type:&4 or perform an operation to which the user &11 was not autho-rized.
AAF0002 30Program &2 in library &3 ran a restricted machine interface instruction with current user profile &11.
AAF0003 30Program &2 in library &3,which failed the restore-time valida-tion was restored with current user profile &11.
AAF0004 30Program &9 in library &10 accessed object &2 in library &3, type:&4 through an unsupported interface...
AAF0005 30Hardware storage protection violation with current user pro-file &11.
AAF0006 30 ICAPI authorization error with current user profile &11.
© 2013 Tango/04 Computing Group Page 58
Appendix C : Complete List of Messages for V7R1
AAF0007 30 ICAPI authentication error with current user profile &11.
AAF0008 30Authority failure in scan exit program action for the program &9.
AAF0009 30 System Java inheritance not allowed.
AAF0010 30Attempt made to submit or schedule a job under job descrip-tion &2 in library &3, which has &11 user profile specified.
AAF0014 30Profile token not a regenerable profile token. User profile causing the authority failure &11.
AAF0015 30 Optical object Authority Failure.
AAF0016 30Attempt made to use a profile handle that is not valid on the QWTSETP API. User profile causing the authority failure is &11.
AAF0018 30Attempt made to update object &2 in library &3, which is defined as read only, with user profile &11.
AAF0019 30Attempt made to sign on without entering an user ID or a password.
AAF0020 30 Not authorized to TCP/IP port &2.
AAF0021 30User &11 permission request for object &2 library &3, type: &4 was not valid.
AAF0022 30Profile token not valid for generating new profile token. User profile causing the authority failure &11.
AAF0023 30Profile token not valid for swap. User profile causing the authority failure &11.
AAF0024 30Operation violation. User profile causing the authority failure &11.
AAF0025 30Not authorized to the current JUID field during a clear JUID operation. User profile causing the authority failure &11.
AAF0026 30Not authorized to the current JUID field during a set JUID operation. User profile causing the authority failure &11.
AAP0001 30Adopted authority of user &5 used during activation of object &3/&2, type &4.
AAP0005 30Started adopted authority of user &5 during activation of object &3/&2, type &4.
AAP0019 30Ended adopted authority of user &5 during activation of object &3/&2, type &4.
AAU0001 30 System value or service attribute changed.
AAU0002 30 Network attribute changed.
AAU0005 30 EIM configuration attributes changed.
ACA0001 30 Authority change in object &2 in library &3 of type &4.
ACD0003 0 Command &6 run.
Message ID
Severity Message Text
© 2013 Tango/04 Computing Group Page 59
Appendix C : Complete List of Messages for V7R1
ACD0012 0 An OCL statement: &6 was run.
ACD0015 0 Operator control command: &6 was run.
ACD0016 0 S/36 procedure: &6 was run.
ACD0019 0 Command: &6 was run after command substitution.
ACD0021 0 Utility control statement: &6 was run.
ACD0024 0 Proxy command &6 run
ACO0014 30 Object &2 of type &4 was created in library &3.
ACO0018 30 Object &2 of type &4 was replaced in library &3.
ACP0001 30User Profile &2 in library &3 was changed using &5 com-mand...
ACQ0001 30Object &3/&2 type &4 changed to run under owning user profile.
ACU0001 30 Cluster &6 created.
ACU0002 30 Cluster &6 deleted from node &8.
ACU0003 30 Cluster node &7 added to cluster &6.
ACU0004 30 Cluster node &7 removed from cluster &6.
ACU0005 30 Cluster node &7 started in cluster &6.
ACU0006 30 Cluster node &7 ended in cluster &6.
ACU0007 30 Cleanup of cluster &6 resources failed.
ACU0008 30Cluster resource group exit program on cluster node &8 called.
ACU0009 30 Cluster resource group exit program on node &7 failed.
ACU0010 30 Automatic recovery of cluster &6 object attempted.
ACU0013 30 Cluster control operation has been done.
ACU0018 30Cluster Resource Group (*GRP) Management operation has been done.
ACV0003 30Connection verification has been established. Value of entry type:(&1). &N (C=established; E=ended; R=rejected)
ACV0005 30Connection verification has been ended. Value of entry type:(&1). &N (C=established; E=ended; R=rejected)
ACV0018 30Connection verification has been rejected. Value of entry type:(&1). &N (C=established; E=ended; R=rejected)
ACY0001 30Cryptographic configuration modified or accessed: Access Control Function.
ACY0006 30Cryptographic configuration modified or accessed: Facility Control Function.
Message ID
Severity Message Text
© 2013 Tango/04 Computing Group Page 60
Appendix C : Complete List of Messages for V7R1
ACY0011 30Cryptographic configuration modified or accessed: Master Key Function.
ACY0013 30Cryptographic configuration modified or accessed: Master Key Function.
ADI0012 30 An LDAP Directory Services event type &2 has occurred.
ADO0001 30Object &2 of type &4 was deleted from library &3 not under commitment control.
ADO0003 30Pending delete of object &2 of type &4 in library &3 was committed.
ADO0004 30Pending create of object &2 of type &4 in library &3 was rolled back.
ADO0009 30 Environment variable space initialize
ADO0016 30The delete of object &2 of type &4 in library &3 is pending (the delete was performed under commitment control.)
ADO0018 30A pending delete for object &2 of type &4 in library &3 was rolled back.
ADS0001 30 Reset of DST password.
ADS0003 30 Change to DST profile.
ADS0016 30 Service tools user ID password was changed.
AEV0001 30 An environment variable has been added.
AEV0003 30 An environment variable has been changed.
AEV0004 30 An environment variable has been deleted.
AEV0009 30 An environment variable has been initialized
AGR0001 30 Generic Record of user &3. Exit program added.
AGR0004 30 Generic Record of user &3 Exit program removed.
AGR0006 30 Generic Record of user &3. Function registration operations.
AGR0018 30 Generic Record of user &3. Exit program replaced.
AGS0007 30 Give socket descriptor.
AGS0018 30 Receive socket descriptor.
AGS0021 30 Unable to use socket descriptor.
AIM0016 30 A potential intrusion event with type &12 has been detected.
AIP0001 30An Interprocess communications event type &2 has occurred. Ownership and/or authority changes.
AIP0003 30An Interprocess communications event type &2 has been created.
Message ID
Severity Message Text
© 2013 Tango/04 Computing Group Page 61
Appendix C : Complete List of Messages for V7R1
AIP0004 30An Interprocess communications event type &2 has been deleted.
AIP0006 30An Interprocess communications event type &2 has occurred. IPC: Authority Failure.
AIP0007 30An Interprocess communications event type &2 has been occurred: GET.
AIP0013 30An Interprocess communications event type &2 has occurred. IPC: Shared memory attach.
AIP0026 30An Interprocess communications event type &2 has occurred. IPC: Normal semaphore close or shared memory detach.
AIR0012 30An IP rules event type &1 has occurred. IP Rules have been loaded from a file.
AIR0014 30An IP rules event type &1 has occurred. IP Rules unloaded for an IP security connection.
AIR0016 30An IP rules event type &1 has occurred. IP Rules loaded for an IP security connection.
AIR0018 30An IP rules event type &1 has occurred. IP Rules have been read and copied to a file.
AIR0021 30An IP rules event type &1 has occurred. IP Rules have been unloaded (removed).
AIS0001 30Internet security management event type &1 has failed. (A=Fail)
AIS0003 30Internet security management event type &1 has been done normally. (C=Normal).
AIS0021 30Internet security management event type &1 has occurred. (U=Mobile user).
AIS0031 30Internet security management event type &1 has occurred. (1=IKE Phase 1 SA Negotiation).
AIS0032 30Internet security management event type &1 has occurred. (2=IKE Phase 2 SA Negotiation).
AJD0001 30Job description &3/&2 changed USER parameter from &6 to &7 using &5 command.
AJS0001 30 Job &6/&5/&4 change by ENDJOBABN command.
AJS0002 30 Job &6/&5/&4 was submitted.
AJS0003 30 Job &6/&5/&4 was changed.
AJS0005 30 Job &6/&5/&4 was ended.
AJS0008 30 Job &6/&5/&4 was held.
AJS0009 30 Job &6/&5/&4 was disconnected.
AJS0010 30The current job &6/&5/&4 is attempting to interrupt another job.
AJS0011 30 The current job &6/&5/&4 is about to be interrupted.
Message ID
Severity Message Text
© 2013 Tango/04 Computing Group Page 62
Appendix C : Complete List of Messages for V7R1
AJS0012 30 The interruption of job &6/&5/&4 has completed.
AJS0013 30 Job &6/&5/&4 change: modify profile or group profile.
AJS0014 30 Job &6/&5/&4 change by ENDJOB command.
AJS0016 30 Attach prestart or batchimmediate job &6/&5/&4.
AJS0017 30 Job &6/&5/&4: change query attributes.
AJS0018 30 Job &6/&5/&4 released.
AJS0019 30 Job &6/&5/&4 started.
AJS0020 30Job &6/&5/&4 change: Modify profile or group profile using a profile token.
AJS0021 30 Job &6/&5/&4 change by CHGUSRTRC.
AJS0022 30 Job &6/&5/&4: Virtual device changed by QWSACCDS API.
AKF0003 30A Key Ring File event type &1 has occurred: Certificate oper-ation.
AKF0011 30A Key Ring File event type &1 has occurred: Key ring file operation.
AKF0016 30A Key Ring File event type &1 has occurred: Incorrect pass-word.
AKF0020 30A Key Ring File event type &1 has occurred: Trusted root operation.
ALD0011 30 Search directory.
ALD0012 30 Link directory.
ALD0021 30 Unlink directory.
AML0015 30 Mail log opened for user &2.
ANA0001 30Network attribute &2 has changed its value. &N The old value was &4. &N The new value was &3. &N
AND0001 30 APPN Directory search filter.
ANE0001 30 APPN End point filter.
AOM0013
30 Object &2 of type &4 in library &3 was moved to library &6.
AOM0018
30 Object &2 of type &4 in library &3 was renamed to &5.
AOR0005 30The existing object &2 of type &4 was restored to library &3. The object was saved from library &6 with name &5.
AOR0014 30The new object &2 of type &4 was restored to library &3. The object was saved from library &6 with name &5.
AOW0001
30Change in ownership of object &3/&2 of type &4. The old owner was &5. The new owner is &6.
Message ID
Severity Message Text
© 2013 Tango/04 Computing Group Page 63
Appendix C : Complete List of Messages for V7R1
AO10003 30Optical Access type &1 to device &4. Single File or Directory. (C=Create Dir).
AO10004 30Optical Access type &1 to device &4. Single File or Directory. (D=Delete).
AO10018 30Optical Access type &1 to device &4. Single File or Directory. (R=Read).
AO10021 30Optical Access type &1 to device &4. Single File or Directory. (U=Update).
AO10024 30Optical Access type &1 to device &4. Single File or Directory. (X=Release Held File).
AO20002 30Optical Access type &1. Dual File or Directory. (B=Backup Dir or File).
AO20003 30 Optical Access type &1. Dual File or Directory. (C=Copy).
AO20013 30Optical Access type &1. Dual File or Directory. (M=Move File).
AO20018 30 Optical Access type &1. Dual File or Directory. (R=Rename).
AO20019 30Optical Access type &1. Dual File or Directory. (S=Save Held File).
AO30001 30Optical Access type &1. Volume. (A=Change Volume Attri-butes).
AO30002 30 Optical Access type &1. Volume. (B=Backup Volume).
AO30003 30Optical Access type &1. Volume. (C=Convert Backup Vol-ume to Primary).
AO30005 30 Optical Access type &1. Volume. (E=Export).
AO30009 30 Optical Access type &1. Volume. (I=Initialize).
AO30011 30 Optical Access type &1. Volume. (K=Check Volume).
AO30012 30 Optical Access type &1. Volume. (L=Change Auth. List).
AO30013 30 Optical Access type &1. Volume. (M=Import).
AO30014 30 Optical Access type &1. Volume. (N=Rename).
AO30018 30 Optical Access type &1. Volume. (R=Absolute Read).
APA0001 30Program &2 in library &3 was changed to adopt &5, the owner of the program, authority.
APA0010 30A Java program based in file with object name &14 was changed or created to adopt the authority of user &5.
APA0013 30An object of type &4 adopts the authority of user &5, the owner of this object.
APG0001 30Primary group for object &2 in library &3 of type &4 has changed. The previous primary group was &5 and the new primary group is &6.
Message ID
Severity Message Text
© 2013 Tango/04 Computing Group Page 64
Appendix C : Complete List of Messages for V7R1
APO0004 30Direct print of spooled file &14 &15 &18 in device &9. The output was created by user &6 .
APO0018 30Printer output &14 &15 &18 sent to remote queue &21 in remote system &20. The output was created by user &6 .
APO0019 30Spooled file &14 &15 &18 printed in device &9. The output was created by user &6.
APS0001 30Profile swap during pass-through. The target user profile has changed from &4 to &5.
APS0005 30 End work on behalf of relationship by office user &6.
APS0008 30Profile handler generated by API QSYGETPH. The User Profile is &2.
APS0009 30 All profile tokens were invalidated.
APS0013 30 The maximum number of profile token has been reached.
APS0016 30 Profile token generated for user &2.
APS0018 30 All profile tokens for user &2 were removed.
APS0019 30 Start work on behalf of relationship by office user &6.
APS0022 30 User profile &2 has been authenticated.
APW0001
30APPC bind failure. Local location name is &5 and remote location name is &4 for the APPC bind in network &6.
APW0003
30 User authentication with the CHKPWD command failed.
APW0004
30 DST user name &2 not valid.
APW0005
30 DST password for user name &2 not valid.
APW0016
30 Password not valid for user name &2 in device &3.
APW0017
30Attempted sign on (user &2 authentication) failed because user profile is disabled
APW0018
30Attempted sign on (user &2 authentication) failed because password was expired.
APW0019
30 The SQL decryption password is not valid.
APW0021
30 User name &2 not valid in device &3.
APW0024
30Service tools user &2 is disable. The name of service tool being accessed is &3.
APW0025
30Service tools user &2 is not valid. The name of service tool being accessed is &3.
Message ID
Severity Message Text
© 2013 Tango/04 Computing Group Page 65
Appendix C : Complete List of Messages for V7R1
APW0026
30Service tools password for user &2 is not valid. The name of service tool being accessed is &3.
ARA0001 30Changes in authority for restored object &2 of type &4 in library &3.
ARJ0001 30Restoring job description &2 that had user profile &5 speci-fied in the USER parameter. The object was restored to library &3.
ARO0001 30Restoring object &2 in library &3 of type &4 ownership was changed. The old owner was &5 and the new owner is &6.
ARP0001 30Program &2 has been restored in library &3 adopting the authority of the owner, user &5.
ARQ0001 30 Object &3/&2 type &4 with the *OWNER attribute restored.
ARU0001 30 Restore Authority for user profile.
ARZ0001 30Primary Group for restored object &3/&2 type &4 changed from &5 to &6.
ASD0019 30 System distribution directory updated by user &5.
ASE0001 30Routing entry changed for &3/&2 type &4 sequence number &7.
ASF0001 30Spooled file &7 &8 of job &27/&28/&29 in output queue &10/&9 was read.
ASF0003 30Spooled file &7 &8 of job &27/&28/&29 created in output queue &10/&9.
ASF0004 30Spooled file &7 &8 of job &27/&28/&29 deleted in output queue &10/&9.
ASF0008 30Spooled file &7 &8 of job &27/&28/&29 held in output queue &10/&9.
ASF0009 30 Create of inline file.
ASF0018 30Spooled file &7 &8 of job &27/&28/&29 released in output queue &10/&9.
ASF0019 30Spooled file &7 &8 of job &27/&28/&29 in output queue &10/&9 was saved.
ASF0020 30Spooled file &7 &8 of job &27/&28/&29 in output queue &10/&9 was restored.
ASF0021 30Security-relevant attributes of spooled file &7 &8 of job &27/&28/&29 changed in output queue &10/&9.
ASF0022 30Nonsecurity-relevant attributes of spooled file &7 &8 of job &27/&28/&29 changed in output queue &10/&9.
ASG0001 30 Asynchronous iSeries signal processed.
ASG0016 30Asynchronous Private Address Space Environment (PASE) signal processed.
ASK0001 30Secure socket connections between&2 local IP address and &4 remote IP address. Secure Socket Connections: Accept.
Message ID
Severity Message Text
© 2013 Tango/04 Computing Group Page 66
Appendix C : Complete List of Messages for V7R1
ASK0003 30Secure socket connections between&2 local IP address and &4 remote IP address. Secure Socket Connections: Con-nect.
ASK0004 30Secure socket connections between&2 local IP address and &4 remote IP address. DHCP address assigned.
ASK0006 30Secure socket connections between&2 local IP address and &4 remote IP address. Secure Socket Connections: Filtered mail.
ASK0016 30Secure socket connections between&2 local IP address and &4 remote IP address. Secure Socket Connections: Port unavailable.
ASK0018 30Secure socket connections between&2 local IP address and &4 remote IP address. Secure Socket Connections: Reject-mail.
ASK0021 30Secure socket connections between&2 local IP address and &4 remote IP address. DHCP address denied.
ASM0002 30 The backup list &8 was changed.
ASM0003 30 Automatic cleanup options were accessed.
ASM0004 30A DRDA action was made in relational database &5. The access type is &2...
ASM0006 30 HFS file system &6 was accessed. The access type is &2...
ASM0014 30A network file operation was performed in member &10 with number &11 of network file &9.
ASM0015 30 The &7 backup option was changed.
ASM0016 30 The power on/off schedule was accessed.
ASM0019 30 The system reply list was accessed.
ASM0020 30The access path recovery times were changed. &N See menu CMDAP for related information.
ASO0001 30Server security user information actions of user &2 for server &5. Server Security User Action: Add entry.
ASO0003 30Server security user information actions of user &2 for server &5. Server Security User Action: Change entry.
ASO0018 30Server security user information actions of user &2 for server &5. Server Security User Action: Remove entry.
ASO0020 30Server security user information actions of user &2 for server &5. Server Security User Action: Retrieve entry.
AST0001 30 Service Tool &2 used.
ASV0001 30Change to system value &2. The previous value was &4&6 and the new value is &3&5. See CMDSYSVAL for related information.
ASV0002 30Change to system attribute &2. The previous value was &4&6 and the new value is &3&5.
Message ID
Severity Message Text
© 2013 Tango/04 Computing Group Page 67
Appendix C : Complete List of Messages for V7R1
ASV0003 30Change to system clock. The previous value was &4&6 and the new value is &3&5.
ASV0004 30Change in Universal Coordinated Time (UTC) adjustment. The previous value was &4&6 and the new value is &3&5
ASV0005 30Change to option. The previous value was &4&6&8 and the new value is &3&5&7
ASV0006 30Change to system-wide journal attribute. The previous value was &4&6&8 and the new value is &3&5&7
AVA0006 30Access control list changed on server &2. Change of Access Control List: Failed.
AVA0019 30Access control list changed on server &2. Change of Access Control List: Successful.
AVC0005 30 Stop of connection on server &2.
AVC0018 30 Reject of connection on server &2.
AVC0019 30 Start of connection on server &2.
AVF0001 30 File closed on server &2. Administrative disconnection.
AVF0014 30 File closed on server &2. Normal client disconnection.
AVF0019 30 File closed on server &2. Session disconnected.
AVL0001 30 Account limit exceeded on server &2. Account expired.
AVL0004 30 Account limit exceeded on server &2. Account disabled.
AVL0012 30Account limit exceeded on server &2. Logon hours exceeded.
AVL0021 30Account limit exceeded on server &2. Unknown or unavail-able.
AVL0023 30 Account limit exceeded on server &2. Workstation not valid.
AVN0006 30Network logon or logoff event type &1 has occurred in server &2. Logoff request has been done.
AVN0015 30Network logon or logoff event type &1 has occurred in server &2. Logon request has been done.
AVN0018 30Network logon or logoff event type &1 has occurred in server &2. Logon reject has been done.
AVO0001 30 Validation list actions for the list &3. Add validation list entry.
AVO0003 30Validation list actions for the list &3. Change validation list entry.
AVO0006 30 Validation list actions for the list &3. Find validation list entry.
AVO0018 30Validation list actions for the list &3. Remove validation list entry.
AVO0021 30Validation list actions for the list &3. Unsuccessful verify of a validation list entry.
Message ID
Severity Message Text
© 2013 Tango/04 Computing Group Page 68
Appendix C : Complete List of Messages for V7R1
AVO0022 30Validation list actions for the list &3. Successful verify of a validation list entry.
AVP0016 30 Password failure on server &2.
AVR0006 30 Network resource access failed on server &2.
AVR0019 30 Network resource access succeeded on server &2.
AVS0005 30 Stop of session on server &2.
AVS0019 30 Start of session on server &2.
AVU0007 30Network profile changed on server &2. Network profile change: Group record.
AVU0013 30Network profile changed on server &2. Network user profile global information.
AVU0021 30Network profile changed on server &2. Network profile change: User record.
AVV0003 30 Status change of server &2. Service status changed.
AVV0005 30 Status change of server &2. Server stopped.
AVV0016 30 Status change of server &2. Server paused.
AVV0018 30 Status change of server &2. Server restarted.
AVV0019 30 Status change of server &2. Server started.
AX00001 30A Network authentication event type &1 has occurred. Decrypt of KRB_AP_PRIV or KRB_AP_SAFE error.
AX00002 30A Network authentication event type &1 has occurred. Remote IP address mismatch.
AX00003 30A Network authentication event type &1 has occurred. Local IP address mismatch.
AX00004 30A Network authentication event type &1 has occurred. KRB_AP_PRIV or KRB_AP_SAFE timestamp error.
AX00005 30A Network authentication event type &1 has occurred. KRB_AP_PRIV or KRB_AP_SAFE replay error.
AX00006 30A Network authentication event type &1 has occurred. KRB_AP_PRIV or KRB_AP_SAFE seq. order error.
AX00011 30A Network authentication event type &1 has occurred. GSS accept - expired credential.
AX00012 30A Network authentication event type &1 has occurred. GSS accept - checksum error.
AX00013 30A Network authentication event type &1 has occurred. GSS accept - channel bindingst.
AX00014 30A Network authentication event type &1 has occurred. GSS unwrap or GSS verify expired context.
AX00015 30A Network authentication event type &1 has occurred. GSS unwrap or GSS verify decrypt/decode.
Message ID
Severity Message Text
© 2013 Tango/04 Computing Group Page 69
Appendix C : Complete List of Messages for V7R1
AX00016 30A Network authentication event type &1 has occurred. GSS unwrap or GSS verify checksum error.
AX00017 30A Network authentication event type &1 has occurred. GSS unwrap or GSS verify sequence error.
AX00031 30A Network authentication event type &1 has occurred. Ser-vice ticket valid in Network.
AX00032 30A Network authentication event type &1 has occurred. Ser-vice principals do not match.
AX00033 30A Network authentication event type &1 has occurred. Client principals do not match.
AX00034 30A Network authentication event type &1 has occurred. Ticket IP address mismatch.
AX00035 30A Network authentication event type &1 has occurred. Decryption of the ticket failed.
AX00036 30A Network authentication event type &1 has occurred. Decryption of authenticator failed.
AX00037 30A Network authentication event type &1 has occurred. Realm is not within client local realms.
AX00038 30A Network authentication event type &1 has occurred. Ticket is a replay attempt.
AX00039 30A Network authentication event type &1 has occurred. Ticket not yet valid.
AX10004 30An Identity Token event type &1 has occurred: delegate of identify token was successful.
AX10006 30An Identity Token event type &1 has occurred: delegate of identify token failed.
AX10007 30An Identity Token event type &1 has occurred: get user from identity token was successful.
AX10021 30An Identity Token event type &1 has occurred: get user from identity token failed.
AXD0007 30Directory server extension for a DI entry (or event ADI*) con-taining group names information
AYC0001 30Object &2 in library &3 ,type: &4 changed. Access Type: Add.
AYC0002 30Object &2 in library &3 ,type: &4 changed. Access Type: Activate Program.
AYC0003 30Object &2 in library &3 ,type: &4 changed. Access Type: Analyze.
AYC0004 30Object &2 in library &3 ,type: &4 changed. Access Type: Apply.
AYC0005 30Object &2 in library &3 ,type: &4 changed. Access Type: Call or TFRCTL.
AYC0006 30Object &2 in library &3 ,type: &4 changed. Access Type: Configure.
Message ID
Severity Message Text
© 2013 Tango/04 Computing Group Page 70
Appendix C : Complete List of Messages for V7R1
AYC0007 30Object &2 in library &3 ,type: &4 changed. Access Type: Change.
AYC0008 30Object &2 in library &3 ,type: &4 changed. Access Type: Check.
AYC0009 30Object &2 in library &3 ,type: &4 changed. Access Type: Close.
AYC0010 30Object &2 in library &3 ,type: &4 changed. Access Type: Clear.
AYC0011 30Object &2 in library &3 ,type: &4 changed. Access Type: Compare.
AYC0012 30Object &2 in library &3 ,type: &4 changed. Access Type: Cancel.
AYC0013 30Object &2 in library &3 ,type: &4 changed. Access Type: Copy.
AYC0014 30Object &2 in library &3 ,type: &4 changed. Access Type: Cre-ate.
AYC0015 30Object &2 in library &3 ,type: &4 changed. Access Type: Convert.
AYC0016 30Object &2 in library &3 ,type: &4 changed. Access Type: Debug.
AYC0017 30Object &2 in library &3 ,type: &4 changed. Access Type: Delete.
AYC0018 30Object &2 in library &3 ,type: &4 changed. Access Type: Dump.
AYC0019 30Object &2 in library &3 ,type: &4 changed. Access Type: Dis-play.
AYC0020 30Object &2 in library &3 ,type: &4 changed. Access Type: Edit.
AYC0021 30Object &2 in library &3 ,type: &4 changed. Access Type: End.
AYC0022 30 Object &2 in library &3 ,type: &4 changed. Access Type: File.
AYC0023 30Object &2 in library &3 ,type: &4 changed. Access Type: Grant.
AYC0024 30Object &2 in library &3 ,type: &4 changed. Access Type: Hold.
AYC0025 30Object &2 in library &3 ,type: &4 changed. Access Type: Ini-tialize.
AYC0026 30Object &2 in library &3 ,type: &4 changed. Access Type: Load.
AYC0027 30 Object &2 in library &3 ,type: &4 changed. Access Type: List.
AYC0028 30Object &2 in library &3 ,type: &4 changed. Access Type: Move.
AYC0029 30Object &2 in library &3 ,type: &4 changed. Access Type: Merge.
Message ID
Severity Message Text
© 2013 Tango/04 Computing Group Page 71
Appendix C : Complete List of Messages for V7R1
AYC0030 30Object &2 in library &3 ,type: &4 changed. Access Type: Open.
AYC0031 30Object &2 in library &3 ,type: &4 changed. Access Type: Print.
AYC0032 30Object &2 in library &3 ,type: &4 changed. Access Type: Query.
AYC0033 30Object &2 in library &3 ,type: &4 changed. Access Type: Reclaim.
AYC0034 30Object &2 in library &3 ,type: &4 changed. Access Type: Receive.
AYC0035 30Object &2 in library &3 ,type: &4 changed. Access Type: Read.
AYC0036 30Object &2 in library &3 ,type: &4 changed. Access Type: Reorganize.
AYC0037 30Object &2 in library &3 ,type: &4 changed. Access Type: Release.
AYC0038 30Object &2 in library &3 ,type: &4 changed. Access Type: Remove.
AYC0039 30Object &2 in library &3 ,type: &4 changed. Access Type: Rename.
AYC0040 30Object &2 in library &3 ,type: &4 changed. Access Type: Replace.
AYC0041 30Object &2 in library &3 ,type: &4 changed. Access Type: Resume.
AYC0042 30Object &2 in library &3 ,type: &4 changed. Access Type: Restore.
AYC0043 30Object &2 in library &3 ,type: &4 changed. Access Type: Retrieve.
AYC0044 30Object &2 in library &3 ,type: &4 changed. Access Type: Run.
AYC0045 30Object &2 in library &3 ,type: &4 changed. Access Type: Revoke.
AYC0046 30Object &2 in library &3 ,type: &4 changed. Access Type: Save.
AYC0047 30Object &2 in library &3 ,type: &4 changed. Access Type: Save with Storage Free.
AYC0048 30Object &2 in library &3 ,type: &4 changed. Access Type: Save and Delete.
AYC0049 30Object &2 in library &3 ,type: &4 changed. Access Type: Submit.
AYC0050 30 Object &2 in library &3 ,type: &4 changed. Access Type: Set.
AYC0051 30Object &2 in library &3 ,type: &4 changed. Access Type: Send.
AYC0052 30Object &2 in library &3 ,type: &4 changed. Access Type: Start.
Message ID
Severity Message Text
© 2013 Tango/04 Computing Group Page 72
Appendix C : Complete List of Messages for V7R1
AYC0053 30Object &2 in library &3 ,type: &4 changed. Access Type: Transfer.
AYC0054 30Object &2 in library &3 ,type: &4 changed. Access Type: Trace.
AYC0055 30Object &2 in library &3 ,type: &4 changed. Access Type: Ver-ify.
AYC0056 30Object &2 in library &3 ,type: &4 changed. Access Type: Vary.
AYC0057 30Object &2 in library &3 ,type: &4 changed. Access Type: Work.
AYC0058 30Object &2 in library &3 ,type: &4 changed. Access Type: Read/Change DLO Attribute.
AYC0059 30Object &2 in library &3 ,type: &4 changed. Access Type: Read/Change DLO Security.
AYC0060 30Object &2 in library &3 ,type: &4 changed. Access Type: Read/Change DLO Content.
AYC0061 30Object &2 in library &3 ,type: &4 changed. Access Type: Read/Change DLO all parts.
AYC0062 30Object &2 in library &3 ,type: &4 changed. Access Type: Add Constraint.
AYC0063 30Object &2 in library &3 ,type: &4 changed. Access Type: Change Constraint.
AYC0064 30Object &2 in library &3 ,type: &4 changed. Access Type: Remove Constraint.
AYC0065 30Object &2 in library &3 ,type: &4 changed. Access Type: Start Procedure.
AYC0066 30Object &2 in library &3 ,type: &4 changed. Access Type: Get Access on **OOPOOL.
AYC0067 30Object &2 in library &3 ,type: &4 changed. Access Type: Sign object.
AYC0068 30Object &2 in library &3 ,type: &4 changed. Access Type: Remove all signatures.
AYC0069 30Object &2 in library &3 ,type: &4 changed. Access Type: Clear a signed object.
AYC0070 30Object &2 in library &3 ,type: &4 changed. Access Type: MOUNT.
AYC0071 30Object &2 in library &3 ,type: &4 changed. Access Type: Unload.
AYC0072 30Object &2 in library &3 ,type: &4 changed. Access Type: End Rollback.
AYR0001 30 Object &2 in library &3 ,type: &4 read. Access Type: Add.
AYR0002 30Object &2 in library &3 ,type: &4 read. Access Type: Activate Program.
AYR0003 30Object &2 in library &3 ,type: &4 read. Access Type: Ana-lyze.
Message ID
Severity Message Text
© 2013 Tango/04 Computing Group Page 73
Appendix C : Complete List of Messages for V7R1
AYR0004 30 Object &2 in library &3 ,type: &4 read. Access Type: Apply.
AYR0005 30Object &2 in library &3 ,type: &4 read. Access Type: Call or TFRCTL.
AYR0006 30Object &2 in library &3 ,type: &4 read. Access Type: Config-ure.
AYR0007 30 Object &2 in library &3 ,type: &4 read. Access Type: Change.
AYR0008 30 Object &2 in library &3 ,type: &4 read. Access Type: Check.
AYR0009 30 Object &2 in library &3 ,type: &4 read. Access Type: Close.
AYR0010 30 Object &2 in library &3 ,type: &4 read. Access Type: Clear.
AYR0011 30Object &2 in library &3 ,type: &4 read. Access Type: Com-pare.
AYR0012 30 Object &2 in library &3 ,type: &4 read. Access Type: Cancel.
AYR0013 30 Object &2 in library &3 ,type: &4 read. Access Type: Copy.
AYR0014 30 Object &2 in library &3 ,type: &4 read. Access Type: Create.
AYR0015 30 Object &2 in library &3 ,type: &4 read. Access Type: Convert.
AYR0016 30 Object &2 in library &3 ,type: &4 read. Access Type: Debug.
AYR0017 30 Object &2 in library &3 ,type: &4 read. Access Type: Delete.
AYR0018 30 Object &2 in library &3 ,type: &4 read. Access Type: Dump.
AYR0019 30 Object &2 in library &3 ,type: &4 read. Access Type: Display.
AYR0020 30 Object &2 in library &3 ,type: &4 read. Access Type: Edit.
AYR0021 30 Object &2 in library &3 ,type: &4 read. Access Type: End.
AYR0022 30 Object &2 in library &3 ,type: &4 read. Access Type: File.
AYR0023 30 Object &2 in library &3 ,type: &4 read. Access Type: Grant.
AYR0024 30 Object &2 in library &3 ,type: &4 read. Access Type: Hold.
AYR0025 30Object &2 in library &3 ,type: &4 read. Access Type: Initial-ize.
AYR0026 30 Object &2 in library &3 ,type: &4 read. Access Type: Load.
AYR0027 30 Object &2 in library &3 ,type: &4 read. Access Type: List.
AYR0028 30 Object &2 in library &3 ,type: &4 read. Access Type: Move.
AYR0029 30 Object &2 in library &3 ,type: &4 read. Access Type: Merge.
AYR0030 30 Object &2 in library &3 ,type: &4 read. Access Type: Open.
AYR0031 30 Object &2 in library &3 ,type: &4 read. Access Type: Print.
Message ID
Severity Message Text
© 2013 Tango/04 Computing Group Page 74
Appendix C : Complete List of Messages for V7R1
AYR0032 30 Object &2 in library &3 ,type: &4 read. Access Type: Query.
AYR0033 30Object &2 in library &3 ,type: &4 read. Access Type: Reclaim.
AYR0034 30Object &2 in library &3 ,type: &4 read. Access Type: Receive.
AYR0035 30 Object &2 in library &3 ,type: &4 read. Access Type: Read.
AYR0036 30Object &2 in library &3 ,type: &4 read. Access Type: Reorga-nize.
AYR0037 30Object &2 in library &3 ,type: &4 read. Access Type: Release.
AYR0038 30Object &2 in library &3 ,type: &4 read. Access Type: Remove.
AYR0039 30Object &2 in library &3 ,type: &4 read. Access Type: Rename.
AYR0040 30Object &2 in library &3 ,type: &4 read. Access Type: Replace.
AYR0041 30Object &2 in library &3 ,type: &4 read. Access Type: Resume.
AYR0042 30 Object &2 in library &3 ,type: &4 read. Access Type: Restore.
AYR0043 30Object &2 in library &3 ,type: &4 read. Access Type: Retrieve.
AYR0044 30 Object &2 in library &3 ,type: &4 read. Access Type: Run.
AYR0045 30 Object &2 in library &3 ,type: &4 read. Access Type: Revoke.
AYR0046 30 Object &2 in library &3 ,type: &4 read. Access Type: Save.
AYR0047 30Object &2 in library &3 ,type: &4 read. Access Type: Save with Storage Free.
AYR0048 30Object &2 in library &3 ,type: &4 read. Access Type: Save and Delete.
AYR0049 30 Object &2 in library &3 ,type: &4 read. Access Type: Submit.
AYR0050 30 Object &2 in library &3 ,type: &4 read. Access Type: Set.
AYR0051 30 Object &2 in library &3 ,type: &4 read. Access Type: Send.
AYR0052 30 Object &2 in library &3 ,type: &4 read. Access Type: Start.
AYR0053 30Object &2 in library &3 ,type: &4 read. Access Type: Trans-fer.
AYR0054 30 Object &2 in library &3 ,type: &4 read. Access Type: Trace.
AYR0055 30 Object &2 in library &3 ,type: &4 read. Access Type: Verify.
AYR0056 30 Object &2 in library &3 ,type: &4 read. Access Type: Vary.
AYR0057 30 Object &2 in library &3 ,type: &4 read. Access Type: Work.
Message ID
Severity Message Text
© 2013 Tango/04 Computing Group Page 75
Appendix C : Complete List of Messages for V7R1
AYR0058 30Object &2 in library &3 ,type: &4 read. Access Type: Read/Change DLO Attribute.
AYR0059 30Object &2 in library &3 ,type: &4 read. Access Type: Read/Change DLO Security.
AYR0060 30Object &2 in library &3 ,type: &4 read. Access Type: Read/Change DLO Content.
AYR0061 30Object &2 in library &3 ,type: &4 read. Access Type: Read/Change DLO all parts.
AYR0062 30Object &2 in library &3 ,type: &4 read. Access Type: Add Constraint.
AYR0063 30Object &2 in library &3 ,type: &4 read. Access Type: Change Constraint.
AYR0064 30Object &2 in library &3 ,type: &4 read. Access Type: Remove Constraint.
AYR0065 30Object &2 in library &3 ,type: &4 read. Access Type: Start Procedure.
AYR0066 30Object &2 in library &3 ,type: &4 read. Access Type: Get Access on **OOPOOL.
AYR0067 30Object &2 in library &3 ,type: &4 read. Access Type: Sign object.
AYR0068 30Object &2 in library &3 ,type: &4 read. Access Type: Remove all signatures.
AYR0069 30Object &2 in library &3 ,type: &4 read. Access Type: Clear a signed object.
AYR0070 30Object &2 in library &3 ,type: &4 read. Access Type: MOUNT.
AYR0071 30 Object &2 in library &3 ,type: &4 read. Access Type: Unload.
AYR0072 30Object &2 in library &3 ,type: &4 read. Access Type: End Rollback.
AZC0001 30Object &2 in library &3 ,type: &4 changed. Access Type: Add.
AZC0002 30Object &2 in library &3 ,type: &4 changed. Access Type: Activate Program
AZC0003 30Object &2 in library &3 ,type: &4 changed. Access Type: Analyze
AZC0004 30Object &2 in library &3 ,type: &4 changed. Access Type: Apply.
AZC0005 30Object &2 in library &3 ,type: &4 changed. Access Type: Call or TFRCTL
AZC0006 30Object &2 in library &3 ,type: &4 changed. Access Type: Configure.
AZC0007 30Object &2 in library &3 ,type: &4 changed. Access Type: Change.
AZC0008 30Object &2 in library &3 ,type: &4 changed. Access Type: Check.
Message ID
Severity Message Text
© 2013 Tango/04 Computing Group Page 76
Appendix C : Complete List of Messages for V7R1
AZC0009 30Object &2 in library &3 ,type: &4 changed. Access Type: Close.
AZC0010 30Object &2 in library &3 ,type: &4 changed. Access Type: Clear
AZC0011 30Object &2 in library &3 ,type: &4 changed. Access Type: Compare.
AZC0012 30Object &2 in library &3 ,type: &4 changed. Access Type: Cancel.
AZC0013 30Object &2 in library &3 ,type: &4 changed. Access Type: Copy.
AZC0014 30Object &2 in library &3 ,type: &4 changed. Access Type: Cre-ate.
AZC0015 30Object &2 in library &3 ,type: &4 changed. Access Type: Convert.
AZC0016 30Object &2 in library &3 ,type: &4 changed. Access Type: Debug
AZC0017 30Object &2 in library &3 ,type: &4 changed. Access Type: Delete.
AZC0018 30Object &2 in library &3 ,type: &4 changed. Access Type: Dump.
AZC0019 30Object &2 in library &3 ,type: &4 changed. Access Type: Dis-play.
AZC0020 30Object &2 in library &3 ,type: &4 changed. Access Type: Edit.
AZC0021 30Object &2 in library &3 ,type: &4 changed. Access Type: End.
AZC0022 30 Object &2 in library &3 ,type: &4 changed. Access Type: File.
AZC0023 30Object &2 in library &3 ,type: &4 changed. Access Type: Grant.
AZC0024 30Object &2 in library &3 ,type: &4 changed. Access Type: Hold.
AZC0025 30Object &2 in library &3 ,type: &4 changed. Access Type: Ini-tialize
AZC0026 30Object &2 in library &3 ,type: &4 changed. Access Type: Load.
AZC0027 30 Object &2 in library &3 ,type: &4 changed. Access Type: List.
AZC0028 30Object &2 in library &3 ,type: &4 changed. Access Type: Move.
AZC0029 30Object &2 in library &3 ,type: &4 changed. Access Type: Merge.
AZC0030 30Object &2 in library &3 ,type: &4 changed. Access Type: Open.
AZC0031 30Object &2 in library &3 ,type: &4 changed. Access Type: Print.
Message ID
Severity Message Text
© 2013 Tango/04 Computing Group Page 77
Appendix C : Complete List of Messages for V7R1
AZC0032 30Object &2 in library &3 ,type: &4 changed. Access Type: Query.
AZC0033 30Object &2 in library &3 ,type: &4 changed. Access Type: Reclaim
AZC0034 30Object &2 in library &3 ,type: &4 changed. Access Type: Receive.
AZC0035 30Object &2 in library &3 ,type: &4 changed. Access Type: Read.
AZC0036 30Object &2 in library &3 ,type: &4 changed. Access Type: Reorganize.
AZC0037 30Object &2 in library &3 ,type: &4 changed. Access Type: Release.
AZC0038 30Object &2 in library &3 ,type: &4 changed. Access Type: Remove.
AZC0039 30Object &2 in library &3 ,type: &4 changed. Access Type: Rename
AZC0040 30Object &2 in library &3 ,type: &4 changed. Access Type: Replace.
AZC0041 30Object &2 in library &3 ,type: &4 changed. Access Type: Resume.
AZC0042 30Object &2 in library &3 ,type: &4 changed. Access Type: Restore.
AZC0043 30Object &2 in library &3 ,type: &4 changed. Access Type: Retrieve.
AZC0044 30Object &2 in library &3 ,type: &4 changed. Access Type: Run.
AZC0045 30Object &2 in library &3 ,type: &4 changed. Access Type: Revoke.
AZC0046 30Object &2 in library &3 ,type: &4 changed. Access Type: Save.
AZC0047 30Object &2 in library &3 ,type: &4 changed. Access Type: Save with Storage Free.
AZC0048 30Object &2 in library &3 ,type: &4 changed. Access Type: Save and Delete.
AZC0049 30Object &2 in library &3 ,type: &4 changed. Access Type: Submit.
AZC0050 30 Object &2 in library &3 ,type: &4 changed. Access Type: Set.
AZC0051 30Object &2 in library &3 ,type: &4 changed. Access Type: Send.
AZC0052 30Object &2 in library &3 ,type: &4 changed. Access Type: Start.
AZC0053 30Object &2 in library &3 ,type: &4 changed. Access Type: Transfer.
AZC0054 30Object &2 in library &3 ,type: &4 changed. Access Type: Trace.
Message ID
Severity Message Text
© 2013 Tango/04 Computing Group Page 78
Appendix C : Complete List of Messages for V7R1
AZC0055 30Object &2 in library &3 ,type: &4 changed. Access Type: Ver-ify.
AZC0056 30Object &2 in library &3 ,type: &4 changed. Access Type: Vary.
AZC0057 30Object &2 in library &3 ,type: &4 changed. Access Type: Work.
AZC0058 30Object &2 in library &3 ,type: &4 changed. Access Type: Read/Change DLO Attribute.
AZC0059 30Object &2 in library &3 ,type: &4 changed. Access Type: Read/Change DLO Security.
AZC0060 30Object &2 in library &3 ,type: &4 changed. Access Type: Read/Change DLO Content.
AZC0061 30Object &2 in library &3 ,type: &4 changed. Access Type: Read/Change DLO all parts.
AZC0062 30Object &2 in library &3 ,type: &4 changed. Access Type: Add Constraint.
AZC0063 30Object &2 in library &3 ,type: &4 changed. Access Type: Change Constraint.
AZC0064 30Object &2 in library &3 ,type: &4 changed. Access Type: Remove Constraint.
AZC0065 30Object &2 in library &3 ,type: &4 changed. Access Type: Start Procedure.
AZC0066 30Object &2 in library &3 ,type: &4 changed. Access Type: Get Access on *OOPOOL.
AZC0067 30Object &2 in library &3 ,type: &4 changed. Access Type: Sign object.
AZC0068 30Object &2 in library &3 ,type: &4 changed. Access Type: Remove all signatures.
AZC0069 30Object &2 in library &3 ,type: &4 changed. Access Type: Clear a signed object.
AZC0070 30Object &2 in library &3 ,type: &4 changed. Access Type: MOUNT.
AZC0071 30Object &2 in library &3 ,type: &4 changed. Access Type: Unload.
AZC0072 30Object &2 in library &3 ,type: &4 changed. Access Type: End Rollback.
AZR0001 30 Object &2 in library &3 ,type: &4 read. Access Type: Add.
AZR0002 30Object &2 in library &3 ,type: &4 read. Access Type: Activate Program.
AZR0003 30Object &2 in library &3 ,type: &4 read. Access Type: Ana-lyze.
AZR0004 30 Object &2 in library &3 ,type: &4 read. Access Type: Apply.
AZR0005 30Object &2 in library &3 ,type: &4 read. Access Type: Call or TFRCTL.
Message ID
Severity Message Text
© 2013 Tango/04 Computing Group Page 79
Appendix C : Complete List of Messages for V7R1
AZR0006 30Object &2 in library &3 ,type: &4 read. Access Type: Config-ure.
AZR0007 30 Object &2 in library &3 ,type: &4 read. Access Type: Change.
AZR0008 30 Object &2 in library &3 ,type: &4 read. Access Type: Check.
AZR0009 30 Object &2 in library &3 ,type: &4 read. Access Type: Close.
AZR0010 30 Object &2 in library &3 ,type: &4 read. Access Type: Clear.
AZR0011 30Object &2 in library &3 ,type: &4 read. Access Type: Com-pare.
AZR0012 30 Object &2 in library &3 ,type: &4 read. Access Type: Cancel.
AZR0013 30 Object &2 in library &3 ,type: &4 read. Access Type: Copy.
AZR0014 30 Object &2 in library &3 ,type: &4 read. Access Type: Create.
AZR0015 30 Object &2 in library &3 ,type: &4 read. Access Type: Convert.
AZR0016 30 Object &2 in library &3 ,type: &4 read. Access Type: Debug.
AZR0017 30 Object &2 in library &3 ,type: &4 read. Access Type: Delete.
AZR0018 30 Object &2 in library &3 ,type: &4 read. Access Type: Dump.
AZR0019 30 Object &2 in library &3 ,type: &4 read. Access Type: Display.
AZR0020 30 Object &2 in library &3 ,type: &4 read. Access Type: Edit.
AZR0021 30 Object &2 in library &3 ,type: &4 read. Access Type: End.
AZR0022 30 Object &2 in library &3 ,type: &4 read. Access Type: File.
AZR0023 30 Object &2 in library &3 ,type: &4 read. Access Type: Grant.
AZR0024 30 Object &2 in library &3 ,type: &4 read. Access Type: Hold.
AZR0025 30Object &2 in library &3 ,type: &4 read. Access Type: Initial-ize.
AZR0026 30 Object &2 in library &3 ,type: &4 read. Access Type: Load.
AZR0027 30 Object &2 in library &3 ,type: &4 read. Access Type: List.
AZR0028 30 Object &2 in library &3 ,type: &4 read. Access Type: Move.
AZR0029 30 Object &2 in library &3 ,type: &4 read. Access Type: Merge.
AZR0030 30 Object &2 in library &3 ,type: &4 read. Access Type: Open.
AZR0031 30 Object &2 in library &3 ,type: &4 read. Access Type: Print.
AZR0032 30 Object &2 in library &3 ,type: &4 read. Access Type: Query.
AZR0033 30Object &2 in library &3 ,type: &4 read. Access Type: Reclaim.
Message ID
Severity Message Text
© 2013 Tango/04 Computing Group Page 80
Appendix C : Complete List of Messages for V7R1
AZR0034 30Object &2 in library &3 ,type: &4 read. Access Type: Receive.
AZR0035 30 Object &2 in library &3 ,type: &4 read. Access Type: Read.
AZR0036 30Object &2 in library &3 ,type: &4 read. Access Type: Reorga-nize.
AZR0037 30Object &2 in library &3 ,type: &4 read. Access Type: Release.
AZR0038 30Object &2 in library &3 ,type: &4 read. Access Type: Remove.
AZR0039 30Object &2 in library &3 ,type: &4 read. Access Type: Rename.
AZR0040 30Object &2 in library &3 ,type: &4 read. Access Type: Replace.
AZR0041 30Object &2 in library &3 ,type: &4 read. Access Type: Resume.
AZR0042 30 Object &2 in library &3 ,type: &4 read. Access Type: Restore.
AZR0043 30Object &2 in library &3 ,type: &4 read. Access Type: Retrieve.
AZR0044 30 Object &2 in library &3 ,type: &4 read. Access Type: Run.
AZR0045 30 Object &2 in library &3 ,type: &4 read. Access Type: Revoke.
AZR0046 30 Object &2 in library &3 ,type: &4 read. Access Type: Save.
AZR0047 30Object &2 in library &3 ,type: &4 read. Access Type: Save with Storage Free
AZR0048 30Object &2 in library &3 ,type: &4 read. Access Type: Save and Delete
AZR0049 30 Object &2 in library &3 ,type: &4 read. Access Type: Submit.
AZR0050 30 Object &2 in library &3 ,type: &4 read. Access Type: Set.
AZR0051 30 Object &2 in library &3 ,type: &4 read. Access Type: Send.
AZR0052 30 Object &2 in library &3 ,type: &4 read. Access Type: Start.
AZR0053 30Object &2 in library &3 ,type: &4 read. Access Type: Trans-fer.
AZR0054 30 Object &2 in library &3 ,type: &4 read. Access Type: Trace.
AZR0055 30 Object &2 in library &3 ,type: &4 read. Access Type: Verify.
AZR0056 30 Object &2 in library &3 ,type: &4 read. Access Type: Vary.
AZR0057 30 Object &2 in library &3 ,type: &4 read. Access Type: Work.
AZR0058 30Object &2 in library &3 ,type: &4 read. Access Type: Read/Change DLO Attribute
Message ID
Severity Message Text
© 2013 Tango/04 Computing Group Page 81
Appendix C : Complete List of Messages for V7R1
AZR0059 30Object &2 in library &3 ,type: &4 read. Access Type: Read/Change DLO Security.
AZR0060 30Object &2 in library &3 ,type: &4 read. Access Type: Read/Change DLO Content.
AZR0061 30Object &2 in library &3 ,type: &4 read. Access Type: Read/Change DLO all parts.
AZR0062 30Object &2 in library &3 ,type: &4 read. Access Type: Add Constraint
AZR0063 30Object &2 in library &3 ,type: &4 read. Access Type: Change Constraint.
AZR0064 30Object &2 in library &3 ,type: &4 read. Access Type: Remove Constraint.
AZR0065 30Object &2 in library &3 ,type: &4 read. Access Type: Start Procedure.
AZR0066 30Object &2 in library &3 ,type: &4 read. Access Type: Get Access on *OOPOOL.
AZR0067 30Object &2 in library &3 ,type: &4 read. Access Type: Sign object.
AZR0068 30Object &2 in library &3 ,type: &4 read. Access Type: Remove all signatures.
AZR0069 30Object &2 in library &3 ,type: &4 read. Access Type: Clear a signed object.
AZR0070 30 Object &2 in library &3 ,type: &4 read. Access Type: MOUNT.
AZR0071 30 Object &2 in library &3 ,type: &4 read. Access Type: Unload.
AZR0072 30Object &2 in library &3 ,type: &4 read. Access Type: End Rollback.
Message ID
Severity Message Text
© 2013 Tango/04 Computing Group Page 82
Appendix D : Notes Regarding Audit Journal Management
© 2013 Tango/04 Computing Group Page 83
Appendix D Appendix D: Notes Regarding Audit Journal Management
The OS/400 auditing journal, QSYS/QAUDJRN, which is the basis of this product, is intended solely for
security auditing.
According to IBM (see the Security Reference Manual), objects should not be journaled to the audit
journal. Commitment control should not use the audit journal. User entries should not be sent to this
journal using the Send Journal Entry (SNDJRNE) command or the Send Journal Entry (QJOSJRNE)API.
D.1 Disk Space Management
The VISUAL Message Center historical database may need regular cleaning too. For more information
see the VISUAL Message Center (iSeries Modules) User Guide.
D.2 LocksSpecial locking protection is used to ensure that the system can write audit entries to the audit journal.
When auditing is active (the QAUDCTL system value is not *NONE), the system arbitrator job (QSYSARB)
holds a lock on the QSYS/QAUDJRN journal. Certain operations, like moving or restoring the journal,
cannot be performed while locked. See the IBM Security Reference for more details.
D.3 Damaged JournalsIf damage occurs to the journal or to its current receiver so that the auditing entries cannot be journaled,
the QAUDENDACN system value determines what action the system takes. Recovery from a damaged
journal or journal receiver is the same as for other journals.
D.4 More InformationYou may want to have the system manage the changing of journal receivers. See the IBM Security
Reference for more details. See the IBM Backup and Recovery book for complete information about
managing journals and journal receivers.
Important
The automatic cleanup function provided using Operational Assistant menus does not clean
up the QAUDJRN receivers. You should regularly detach, save, and delete QAUDJRN receivers
to avoid problems with disk space.
Appendix E : Working with SmartConsole Messages
© 2013 Tango/04 Computing Group Page 84
Appendix E Appendix E: Working with SmartConsole Messages
All of the messages that are sent to the VISUAL Message Center SmartConsole are based on
messages defined on the iSeries.
You can edit the content and format of these messages if you wish – they are accessible within the
B_DETECTOR library in the message file AUDMSG00S:
Figure 42 – Display Message Descriptions
By changing the message description (CHGMSGD) you can adapt it to your needs, change the severity of
each message, etc. This will change the format of the message that your receive at the SmartConsole.
Note that some filters and alarms that you configure may be affected by changes to the messages
variables (such as &VAR01 etc.).
Tip
You can also change the message and its severity at the SmartConsole.
Important
Any changes you make will be overwritten when you install a new version.
Appendix F : Contacting Tango/04
Appendix FAppendix F: Contacting Tango/04
North America
Tango/04 North America
PO BOX 3301
NH 03458 Peterborough USA
Phone: 1-800-304-6872 / 603-924-7391
Fax: 858-428-2864
www.tango04.com
EMEA
Tango/04 Computing Group S.L.
Avda. Meridiana 358, 5 A-B
08027 Barcelona Spain
Phone: +34 93 274 0051
Fax: +34 93 345 1329
www.tango04.com
Italy
Tango/04 Italy
Viale Garibaldi 51/53
13100 Vercelli Italy
Phone: +39 0161 56922
Fax: +39 0161 259277
www.tango04.it
Sales Office in France
Tango/04 France
La Grande Arche
Paroi Nord 15ème étage
92044 Paris La Défense France
Phone: +33 01 40 90 34 49
Fax: +33 01 40 90 31 01
www.tango04.fr
Sales Office in Switzerland
Tango/04 Switzerland
18, Avenue Louis Casaï
CH-1209 Genève
Switzerland
Phone: +41 (0)22 747 7866
Fax: +41 (0)22 747 7999
www.tango04.fr
Latin American Headquarters
Barcelona/04 Computing Group SRL (Argentina)
Avda. Federico Lacroze 2252, Piso 6
1426 Buenos Aires Capital Federal
Argentina
Phone: +54 11 4774-0112
Fax: +54 11 4773-9163
www.barcelona04.com
© 2013 Tango/04 Computing Group Page 85
Sales Office in Peru
Barcelona/04 PERÚ
Centro Empresarial Real
Av. Víctor A. Belaúnde 147, Vía Principal 140 Edificio Real Seis, Piso 6
L 27 Lima
Perú
Phone: +51 1 211-2690
Fax: +51 1 211-2526
www.barcelona04.com
Sales Office in Chile
Barcelona/04 Chile
Nueva de Lyon 096 Oficina 702,
Providencia
Santiago
Chile
Phone: +56 2 234-0898
Fax: +56 2 2340865
www.barcelona04.com
© 2013 Tango/04 Computing Group Page 86
About Tango/04 Computing Group
Tango/04 Computing Group is one of the leading developers of systems management and automation
software. Tango/04 software helps companies maintain the operating health of all their business
processes, improve service levels, increase productivity, and reduce costs through intelligent
management of their IT infrastructure.
Founded in 1991 in Barcelona, Spain, Tango/04 is an IBM Business Partner and a key member of IBM's
Autonomic Computing initiative. Tango/04 has more than a thousand customers who are served by over
35 authorized Business Partners around the world.
Alliances
Awards
Partnerships IBM Business Partner
IBM Autonomic Computing Business Partner
IBM PartnerWorld for Developers Advanced Membership
IBM ISV Advantage Agreement
IBM Early code release
IBM Direct Technical Liaison
Microsoft Developer Network
Microsoft Early Code Release
© 2013 Tango/04 Computing Group Page 87
Legal Notice
The information in this document was created using certain specific equipment and environments, and it is limited in
application to those specific hardware and software products and version and releases levels.
Any references in this document regarding Tango/04 Computing Group products, software or services do not mean
that Tango/04 Computing Group intends to make these available in all countries in which Tango/04 Computing Group
operates. Any reference to a Tango/04 Computing Group product, software, or service may be used. Any functionally
equivalent product that does not infringe any of Tango/04 Computing Group's intellectual property rights may be used
instead of the Tango/04 Computing Group product, software or service
Tango/04 Computing Group may have patents or pending patent applications covering subject matter in this
document. The furnishing of this document does not give you any license to these patents.
The information contained in this document has not been submitted to any formal Tango/04 Computing Group test
and is distributed AS IS. The use of this information or the implementation of any of these techniques is a customer
responsibility, and depends on the customer's ability to evaluate and integrate them into the customer's operational
environment. Despite the fact that Tango/04 Computing Group could have reviewed each item for accurateness in a
specific situation, there is no guarantee that the same or similar results will be obtained somewhere else. Customers
attempting to adapt these techniques to their own environments do so at their own risk. Tango/04 Computing Group
shall not be liable for any damages arising out of your use of the techniques depicted on this document, even if they
have been advised of the possibility of such damages. This document could contain technical inaccuracies or
typographical errors.
Any pointers in this publication to external web sites are provided for your convenience only and do not, in any
manner, serve as an endorsement of these web sites.
The following terms are trademarks of the International Business Machines Corporation in the United States and/or
other countries: iSeries, iSeriese, iSeries, i5, DB2, e (logo)®Server IBM ®, Operating System/400, OS/400, i5/OS.
Microsoft, SQL Server, Windows, Windows NT, Windows XP and the Windows logo are trademarks of Microsoft
Corporation in the United States and/or other countries. Java and all Java-based trademarks and logos are
trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and/or other countries. UNIX is a
registered trademark in the United States and other countries licensed exclusively through The Open Group. Oracle
is a registered trade mark of Oracle Corporation.
Other company, product, and service names may be trademarks or service marks of other companies.
© 2013 Tango/04 Computing Group Page 88