How do I set up additional alert views for iSeries using Intrusion Manager for iSeries? (NETIQKB52363)

  • 7752363
  • 02-Feb-2007
  • 08-Oct-2007


How do I set up additional alert views for iSeries using Intrusion Manager for iSeries?

How do I define views in Security Manager Intrusion Manager for CPF messages sent by PSDetect?

NetIQ Security Solutions for iSeries 8.0

Security Manager 5.1

Security Manager 5.5

PSDetect 8.0


Alerts sent from PSDETECT to Security Manager Intrusion Manager are based upon the message ID. Intrusion Manager for iSeries has pre-defined views, such as:

  • Invalid Signon Attempts
  • QAUDCTL System Values Changed
  • QSECOFR Signon Successes
  • Rejected Remote Requests
  • Serious Storage Condition Detected
  • All other iSeries Alerts

You can add additional iSeries views to Intrusion Manager by adding a record to the PSECLASS file on the iSeries, an iSeries event processing rule in Security Manager, and a corresponding alert view in Security Manager.

To add a record to the PSECLASS file:

  1. On the iSeries system where PSDetect is installed, add a record to the PSECLASS file in library PSCOMMON with a unique classification ID. iSeries classifications are in the D.P.C.E format, where D is the domain (1 = Audit, 2 = Secure, and 3 = Detect), P is the platform (4 = AS/400), C is the category of the event, and E is the event identifier. Event Identifiers lower than 9000 are reserved for future use by NetIQ.

    For example, a classification in the PSECLASS file would read on the iSeries and 304019000 on Security Manager.

  2. Type ADDLIBLE PSCOMMON and press Enter.
  3. Type the following command and press Enter:


    where CPFXXXX is the message ID for which you are monitoring, D.P.C.E is the classification, and PSEUSRDTA is specific text in the message. This value can be left blank.

  4. Type RMVLIBLE PSCOMMON and press Enter.

To add an iSeries event processing rule:

  1. Open the Security Manager Development console.
  2. Expand the Processing rules groups on the left-hand side of the screen and then expand Intrusion Manager for iSeries.
  3. Select Event processing rules.
  4. Copy and paste an existing rule.
  5. Double-click the pasted rule.
  6. Change the name in the General tab to reflect the message ID added for PSEWORK.
  7. Select the Alert tab and click Custom fields.
  8. Change the value in the CustomField1: field to the classification value used in the PSECLASS file on the iSeries. Enter this number without periods. For example, the classification in the PSECLASS file is 304019000 in Security Manager.
  9. Click OK.
  10. Click Apply.
  11. Click OK.
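
The D.P.C.E classification and the period-free CustomField1 value must match exactly, or the alert falls through to the "All other iSeries Alerts" view instead of the new one. The following Python sketch is an added example, not NetIQ code; it converts between the two forms and flags event identifiers in the reserved range. The field widths (1, 2, 2 and 4 digits) are an assumption inferred from the sample values in this article, and the function names are hypothetical.

```python
import re

# Assumption: widths inferred from this article's sample values
# (304019000, 304010015): D = 1 digit, P = 2, C = 2, E = 4.
WIDTHS = (1, 2, 2, 4)
DOMAINS = {1: "Audit", 2: "Secure", 3: "Detect"}
PLATFORMS = {4: "AS/400"}
FIRST_CUSTOM_EVENT = 9000  # identifiers below this are reserved by NetIQ


def parse_dotted(classification):
    """Split a D.P.C.E string into four validated integers."""
    text = classification.strip()
    if not re.fullmatch(r"[0-9]+(\.[0-9]+){3}", text):
        raise ValueError(f"not in D.P.C.E form: {classification!r}")
    fields = tuple(int(p) for p in text.split("."))
    for value, width in zip(fields, WIDTHS):
        if value >= 10 ** width:
            raise ValueError(f"field value {value} exceeds {width} digits")
    if fields[0] not in DOMAINS:
        raise ValueError(f"unknown domain {fields[0]}")
    if fields[1] not in PLATFORMS:
        raise ValueError(f"unknown platform {fields[1]}")
    return fields


def to_custom_field(classification):
    """Return the period-free value to enter in CustomField1."""
    fields = parse_dotted(classification)
    return "".join(f"{v:0{w}d}" for v, w in zip(fields, WIDTHS))


def from_custom_field(value):
    """Decode a 9-digit CustomField1 value into labelled fields."""
    if not re.fullmatch(r"[0-9]{9}", value):
        raise ValueError(f"expected 9 digits: {value!r}")
    d, p, c, e = int(value[0]), int(value[1:3]), int(value[3:5]), int(value[5:])
    parse_dotted(f"{d}.{p}.{c}.{e}")  # reuse domain/platform validation
    return {
        "domain": DOMAINS[d],
        "platform": PLATFORMS[p],
        "category": c,
        "event": e,
        # False means the identifier is in the range reserved by NetIQ
        "user_defined": e >= FIRST_CUSTOM_EVENT,
    }
```

Run `from_custom_field` on the value typed into the rule and the view before saving; a `user_defined` result of False means the event identifier is below 9000 and should not be used for a new PSECLASS record.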

To add a new alert view:

  1. Open the Security Manager Monitor console.
  2. Expand Security Manager root console > Monitor > Security Views > Intrusion manager for iSeries.
  3. Right-click on the Intrusion manager for iSeries item and select New Alert View.
  4. On the Alert view properties window, specify Alerts that satisfy specified criteria and click Next.
  5. Select from specified source and click on the highlighted "specified" word in the View description window.
  6. In the Alert Source window, type VigilEntAgent.
  7. Click OK to close the Alert Source window.
  8. Select with specified string in CustomField 1.
  9. Click on the highlighted "specified string" word in the View Description window.
  10. Specify the classification value. For this example, the classification value is 304010015.
  11. Click OK to close the Custom Field window.
  12. Click Next.
  13. Specify an appropriate view name and description.
  14. Click Finish.

Now that both the processing rule and the alert view have been set up, you should be able to receive events from PSDETECT, using the MSGID specified in the PSECLASS file, on the Security Manager Incident console.


For more information on using the PSESNDALR command in PSDETECT, see NetIQ Knowledge Base article NETIQKB53988: How do I configure PSDetect to send alerts to Security Manager?

Additional Information

Formerly known as NETIQKB52363