How do I configure the joblog capturing tool? (NETIQKB70322)

  • 7770322
  • 21-May-2007
  • 22-May-2007

Resolution

Goal: How do I configure the joblog capturing tool?

Goal: Is there a comprehensive write-up on System Access Analysis?

Goal: How do I capture joblogs for powerful user profiles?

Goal: How can I get a report of user's login and logout times?

Fact: NetIQ Security Solutions for iSeries 8.0

Fact: PSAudit

Fact: System Access Analysis

Fix: System Access Analysis (SAA) is a component of PSAudit that captures basic job information (such as start and end date and time, and duration) together with the actual joblogs into a database file, so that you can list basic access information or query the joblog database for particular character strings or conditions, such as Escape messages or Program Calls.

Since many jobs by default run with job attributes that cause no joblog to be produced or produce a joblog with insufficient information for auditing or problem determination purposes, SAA can be used to easily manage the logging levels of batch and interactive jobs.

Any reference below to SAA menu implies the following path: PSMENU, options 1 and 2 (System Access Analysis).

System Access Analysis allows you to do the following:

  1. Specify logging exceptions for specific or generic jobs, workstations, or user names.
  2. Exclude specific or generic jobs, workstations, or user names.
  3. Specify time periods, either globally or by user, job, or workstation, during which SAA should not monitor jobs.
  4. Specify a Group Profile name and extend its SAA defaults to its members.

Getting Started With SAA

1. Use SAA menu option 3 (Users/Workstations To Be Logged) and review/specify the global defaults, particularly for "Delete Joblogs". This asks whether to delete a joblog spooled file after it is captured in the SAA database.

2. Use SAA menu option 11 (Configure SAA for Interactive Jobs) and use option 6 (Apply SAA Capture(VCP)) on the SIGNOFF and ENDPASTHR commands. This action will change those two commands to use our programs to capture the joblog when the SIGNOFF and ENDPASTHR commands are used. This will add two programs to library QSYS: ALCL12 and ALCL11V23.

The ENDJOB command can also be configured to capture the joblog by running the following commands:

GRTOBJAUT OBJ(PSAUDIT/ALCL20) OBJTYPE(*PGM) USER(*PUBLIC) AUT(*USE)

CRTDUPOBJ OBJ(ALCL20) FROMLIB(PSAUDIT) OBJTYPE(*PGM) TOLIB(QSYS)

CHGOBJOWN OBJ(QSYS/ALCL20) OBJTYPE(*PGM) NEWOWN(PSOBJOWNS) CUROWNAUT(*REVOKE)

CHGCMD CMD(QSYS/ENDJOB) VLDCKR(QSYS/ALCL20)

To uninstall the ENDJOB validity checking program, run the following commands:

CHGCMD CMD(QSYS/ENDJOB) VLDCKR(*NONE)

DLTPGM PGM(QSYS/ALCL20)

The ENDGRPJOB command can also be configured to capture the joblog by running the following commands. If program ALCL21 is not in library PSCOMMON, it can be requested from Technical Support:

GRTOBJAUT OBJ(PSAUDIT/ALCL21) OBJTYPE(*PGM) USER(*PUBLIC) AUT(*USE)

CRTDUPOBJ OBJ(ALCL21) FROMLIB(PSAUDIT) OBJTYPE(*PGM) TOLIB(QSYS)

CHGOBJOWN OBJ(QSYS/ALCL21) OBJTYPE(*PGM) NEWOWN(PSOBJOWNS) CUROWNAUT(*REVOKE)

CHGCMD CMD(QSYS/ENDGRPJOB) VLDCKR(QSYS/ALCL21)

To uninstall the ENDGRPJOB validity checking program, run the following commands:

CHGCMD CMD(QSYS/ENDGRPJOB) VLDCKR(*NONE)

DLTPGM PGM(QSYS/ALCL21)

3. Add routing entries to your batch and interactive subsystems.

When a batch or interactive job enters a subsystem, the routing data derived from its job description matches the Compare Value (CMPVAL) on a routing entry, indicating which program should run the request. That program is normally QSYS/QCMD.

By adding the following routing entries to your batch and interactive subsystems, our program (ALCL83) will be called and it will change the logging levels of batch or interactive jobs to the values specified in the SAA defaults. Once that is done, program ALCL83 will re-route the interactive or batch job using routing data 'ALOG' so that program QSYS/QCMD can run the original request.

You can copy and paste the commands shown below into an iSeries command entry line. You may see message "Compare value conflicts with routing entry xx". That is OK; it means you already have a routing entry for the same compare value (CMPVAL). If you see message "Pool identifier 2 not defined in subsystem description", change the value for POOLID to '1'.

ADDRTGE SBSD(QSYS/QINTER) SEQNBR(5) CMPVAL(QCMDB) PGM(PSAUDIT/ALCL83) CLS(QGPL/QINTER) POOLID(2)

ADDRTGE SBSD(QSYS/QINTER) SEQNBR(6) CMPVAL(QCMDI) PGM(PSAUDIT/ALCL83) CLS(QGPL/QINTER) POOLID(2)

ADDRTGE SBSD(QSYS/QINTER) SEQNBR(7) CMPVAL(ALOG) PGM(QSYS/QCMD) CLS(QGPL/QINTER) POOLID(2)


ADDRTGE SBSD(QSYS/QBATCH) SEQNBR(5) CMPVAL(QCMDB) PGM(PSAUDIT/ALCL83) CLS(QSYS/QBATCH) POOLID(1)

ADDRTGE SBSD(QSYS/QBATCH) SEQNBR(6) CMPVAL(QCMDI) PGM(PSAUDIT/ALCL83) CLS(QSYS/QBATCH) POOLID(1)

ADDRTGE SBSD(QSYS/QBATCH) SEQNBR(7) CMPVAL(ALOG) PGM(QSYS/QCMD) CLS(QSYS/QBATCH) POOLID(1)


ADDRTGE SBSD(QSYS/QPGMR) SEQNBR(5) CMPVAL(QCMDB) PGM(PSAUDIT/ALCL83) CLS(QGPL/QPGMR) POOLID(2)

ADDRTGE SBSD(QSYS/QPGMR) SEQNBR(6) CMPVAL(QCMDI) PGM(PSAUDIT/ALCL83) CLS(QGPL/QPGMR) POOLID(2)

ADDRTGE SBSD(QSYS/QPGMR) SEQNBR(7) CMPVAL(ALOG) PGM(QSYS/QCMD) CLS(QGPL/QPGMR) POOLID(2)


ADDRTGE SBSD(QSYS/QCTL) SEQNBR(5) CMPVAL(QCMDB) PGM(PSAUDIT/ALCL83) CLS(QSYS/QCTL) POOLID(1)

ADDRTGE SBSD(QSYS/QCTL) SEQNBR(6) CMPVAL(QCMDI) PGM(PSAUDIT/ALCL83) CLS(QSYS/QCTL) POOLID(1)

ADDRTGE SBSD(QSYS/QCTL) SEQNBR(7) CMPVAL(ALOG) PGM(QSYS/QCMD) CLS(QSYS/QCTL) POOLID(1)

SAA routing entries can be removed using command PSAUDIT/RMVRTG, as in the following example:

PSAUDIT/RMVRTG SBSD(QINTER) LIB(QSYS)

An alternative to using subsystem routing entries is to call program PSAUDIT/ALCL84 in the user profile initial programs and when starting group jobs. To use this program, add the following code to your user profile initial program(s):

CALL PSAUDIT/ALCL84

MONMSG CPF0000
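The routing-entry mechanism described in step 3 can be illustrated with a small CL routing program of the same shape as the one the QCMDB/QCMDI entries call: it raises the job's logging level and then re-routes the job with routing data ALOG so that the ALOG entry runs QSYS/QCMD for the original request. This is an added example, not NetIQ's ALCL83; the program name SAALOGRTG, the variable names and the fixed logging values are assumptions, and it assumes the three routing entries above (including the ALOG entry pointing at QSYS/QCMD) are already in the subsystem.

```cl
/* SAALOGRTG: illustrative routing program (added example, not NetIQ's   */
/* ALCL83).  Called from the QCMDB/QCMDI routing entries, it raises the  */
/* job's logging level and then reroutes the job with routing data ALOG  */
/* so that the ALOG routing entry runs QSYS/QCMD for the original        */
/* request.  Program and variable names are assumptions.                 */
             PGM
             DCL        VAR(&RTGDTA) TYPE(*CHAR) LEN(80)

             /* Routing data the job entered the subsystem with.          */
             RTVJOBA    RTGDTA(&RTGDTA)

             /* Safety check: if this program is ever reached with ALOG   */
             /* routing data (for example a mis-pointed routing entry),   */
             /* do not reroute again, or the job would loop.  Run the     */
             /* request through QCMD directly instead.                    */
             IF         COND(&RTGDTA *EQ 'ALOG') THEN(DO)
                CALL       PGM(QSYS/QCMD)
                RETURN
             ENDDO

             /* Capture a complete joblog: message level 4, severity 0,   */
             /* second-level message text, plus logging of CL commands,   */
             /* so that Escape messages and program calls are recorded.   */
             CHGJOB     LOG(4 00 *SECLVL) LOGCLPGM(*YES)
             MONMSG     MSGID(CPF0000)

             /* Reroute to the ALOG entry so QSYS/QCMD runs the request.  */
             /* If the reroute itself fails, still run the request.       */
             RRTJOB     RTGDTA(ALOG)
             MONMSG     MSGID(CPF0000) EXEC(CALL PGM(QSYS/QCMD))
             ENDPGM
```

Compile it with CRTCLPGM into a library of your choice and point the SEQNBR(5) and SEQNBR(6) entries of a test subsystem at it in place of PSAUDIT/ALCL83. The guard at the top is the part worth keeping in any such program: a routing program that re-routes unconditionally will loop if its own compare value is ever matched again.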

4. Start the job monitor.

You must have subsystem ZALOG running in order to monitor batch jobs. You should consider changing your system startup program (specified in system value QSTRUPPGM) to start the SAA subsystem after each IPL using the following commands:

STRSBS PSAUDIT/ZALOG

MONMSG CPF0000

5. Regular Cleanup.

Be sure to regularly save and purge the joblog database, which can grow large quickly. You can purge joblog data using the following options: PSMENU, options 1, 2, and 2 (Purge Logged Data). On this screen you can purge by date (in the top third of the screen) or all detail and/or access data (in the lower third of the screen). The files purged are ALPF01 and ALPF03.

To quickly clear ALL joblog data without going through the SAA menu, run the following commands:

ENDSBS ZALOG *IMMED

CLRPFM PSAUDIT/ALPF01

CLRPFM PSAUDIT/ALPF03

STRSBS PSAUDIT/ZALOG

Or you can schedule or submit a batch job to save and purge the SAA database:

CALL ALCL30 ('QTAP01' 'MMDDYY')

If a tape device is specified, subsystem ZALOG is ended, the volume ID is not checked, files ALPF01 and ALPF03 in PSAUDIT are saved to whatever tape is loaded, and then the subsystem is restarted. If the tape device is blank, the files are purged by date, subsystem ZALOG is ended, the files are reorganized, and then the subsystem is restarted.

See the sample source code for your own SAA purge program in FILE(PSAUDIT/SOURCEAL) MBR(PURGE). You can modify this source and create a program to delete records older than x days.
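The save-and-clear sequence in step 5 (end ZALOG, save ALPF01 and ALPF03, clear them, restart ZALOG) can be wrapped in a CL program that refuses to clear the files unless the save succeeded. This is an added example, not the PURGE member shipped in PSAUDIT/SOURCEAL and not NetIQ's ALCL30; it saves to a save file rather than tape, and the program name SAASAVPRG, the save-file name SAASAV and its library QGPL are assumptions.

```cl
/* SAASAVPRG: illustrative save-and-clear program for the SAA joblog     */
/* database (added example, not the PURGE member in PSAUDIT/SOURCEAL).   */
/* Saves ALPF01 and ALPF03 to a save file instead of tape and only       */
/* clears the files if the save succeeded.  Program, save-file name and  */
/* library are assumptions.                                              */
             PGM
             DCL        VAR(&SAVF)    TYPE(*CHAR) LEN(10) VALUE('SAASAV')
             DCL        VAR(&SAVFLIB) TYPE(*CHAR) LEN(10) VALUE('QGPL')
             DCL        VAR(&MSGID)   TYPE(*CHAR) LEN(7)

             /* Stop the job monitor so the files are not in use.         */
             ENDSBS     SBS(ZALOG) OPTION(*IMMED)
             MONMSG     MSGID(CPF1054)   /* subsystem already inactive  */
             DLYJOB     DLY(30)          /* ENDSBS is asynchronous       */

             /* Create the save file once; ignore "already exists".       */
             CRTSAVF    FILE(&SAVFLIB/&SAVF)
             MONMSG     MSGID(CPF5813)
             CLRSAVF    FILE(&SAVFLIB/&SAVF)

             /* Save both SAA database files.  If the save fails, do NOT  */
             /* clear anything: restart the monitor and raise the error. */
             SAVOBJ     OBJ(ALPF01 ALPF03) LIB(PSAUDIT) DEV(*SAVF) +
                          SAVF(&SAVFLIB/&SAVF) OBJTYPE(*FILE)
             MONMSG     MSGID(CPF0000) EXEC(DO)
                RCVMSG     MSGTYPE(*EXCP) MSGID(&MSGID)
                STRSBS     SBSD(PSAUDIT/ZALOG)
                MONMSG     MSGID(CPF0000)
                SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) MSGTYPE(*ESCAPE) +
                             MSGDTA('SAA save failed with ' *CAT &MSGID +
                             *CAT ', joblog data NOT cleared')
             ENDDO

             /* Save verified: clear the files and restart the monitor.  */
             CLRPFM     FILE(PSAUDIT/ALPF01)
             CLRPFM     FILE(PSAUDIT/ALPF03)
             STRSBS     SBSD(PSAUDIT/ZALOG)
             MONMSG     MSGID(CPF1010)   /* subsystem already active    */
             ENDPGM
```

Submit it with SBMJOB from the job scheduler, and copy or save the save file off the system before the next run, since CLRSAVF empties it. The ordering is the point: the audit data is the evidence, so the destructive CLRPFM only runs after the SAVOBJ completed without an exception.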

For further and more complete information, particularly regarding reporting using Select/Omit criteria, refer to Chapter 3 of the VigilEnt Security Agent for iSeries PSAudit User Guide.

Testing SAA

1. Use SAA menu option 3 (Users/Workstations To Be Logged) and add users to be logged and review/specify the global defaults, particularly for "Delete Joblogs". This asks whether to delete a joblog spooled file after it is captured in the SAA database.

2. Use SAA menu option 11 (Configure SAA for Interactive Jobs) and use option 6 (Apply SAA Capture(VCP)) on the SIGNOFF and ENDPASTHR commands. This action will change those two commands to use our programs to capture the joblog when the SIGNOFF and ENDPASTHR commands are used. This will add two programs to library QSYS: ALCL12 and ALCL11V23.

3. Add routing entries to the subsystem you want to test with. For example, to test using subsystem QPGMR, run the following commands:

ADDRTGE SBSD(QSYS/QPGMR) SEQNBR(5) CMPVAL(QCMDB) PGM(PSAUDIT/ALCL83) CLS(QGPL/QPGMR) POOLID(2)

ADDRTGE SBSD(QSYS/QPGMR) SEQNBR(6) CMPVAL(QCMDI) PGM(PSAUDIT/ALCL83) CLS(QGPL/QPGMR) POOLID(2)

ADDRTGE SBSD(QSYS/QPGMR) SEQNBR(7) CMPVAL(ALOG) PGM(QSYS/QCMD) CLS(QGPL/QPGMR) POOLID(2)

4. Start the SAA subsystem with the following command:

STRSBS PSAUDIT/ZALOG

5. Start a new telnet session and login. After login, run the following command:

TFRJOB JOBQ(QPGMR)

6. End the telnet session by closing the window without logging out (x'ing out).

7. View the joblog in the SAA database for the job ended in the previous step.

Uninstalling SAA

To stop capturing joblogs, end subsystem ZALOG and run option 12 (Uninstall System Access Analysis) from the System Access Analysis menu. Alternatively, you can name specific users whose joblogs you want to capture by using option 3 (Users/Workstations To Be Logged) from the System Access Analysis menu.

To uninstall System Access Analysis:

  1. Remove subsystem routing entries, if any, using command PSAUDIT/RMVRTG, or manually using command QSYS/RMVRTGE.
  2. Access a command entry screen.
  3. Type ADDLIBLE PSAUDIT, press Enter.
  4. Type ADDLIBLE PSCOMMON, press Enter.
  5. Type CALL AL2001R, press Enter. This will uninstall SAA.
  6. Type CALL ALCL30 (' ' '999999'), press Enter. This will purge joblog information from the SAA database for jobs older than the specified 6-digit date, which must be specified in the system date format. To purge all joblog information, use commands CLRPFM PSAUDIT/ALPF01 and CLRPFM PSAUDIT/ALPF03.
  7. Type RMVLIBLE PSAUDIT, press Enter.
  8. Type RMVLIBLE PSCOMMON, press Enter.

KNOWN ISSUES

  1. In version 8.0 and lower, if data area QLMTUSRLIB exists in the user's library list during signon and the data area value is '1', the O/S will write message ID CPI1129 (User library list limited to 25 libraries.) to the joblog BEFORE writing message ID CPF1124 (Job started). Consequently, the SAA validity checking programs don't find the start of the job information. A temporary solution is available from Technical Support. A permanent solution will be supplied in v8.1.
  2. If job attribute DEVRCYACN is *ENDJOBNOLIST, the joblog is not produced.
  3. ALCL02 called by ALCL20 changes the job logging level in the job in which the ENDJOB is issued.
  4. If a batch job name matches a device description, job type is assumed to be 'I' (Interactive).
  5. When command PSSETAUT is used interactively, file ALPF08 remains allocated to job.
  6. Interactive jobs ended by job ENDACTJOB from PSSecure/ISM (Inactive Session Monitor) with ISM option E (EndJob) will not have their joblog captured by SAA unless the ENDJOB command uses SAA Validity Checking Program ALCL20.
  7. If the SIGNOFF command default for parameter LOG is *LIST, two joblogs are produced.
  8. Using command ENDJOB LOGLMT(0) will not produce a joblog for job being ended.

Additional Information

Formerly known as NETIQKB70322