To analyze journal logs of IBM AS400/iSeries devices, you need to enable auditing on those systems.
Enabling auditing for AS400/iSeries journal logs involves creating a journal receiver, creating the audit journal that uses it, and setting the security auditing system values.
Once the journal receiver is created and the specified logs are collected in it, EventLog Analyzer fetches those logs for monitoring, report generation and alert notification.
You can create a journal receiver in a library of your choice by using the following command:
CRTJRNRCV JRNRCV(JRNLIB/AUDRCV0001) + THRESHOLD(100000) AUT(*EXCLUDE) + TEXT('Auditing Journal Receiver')
Create the journal that uses this receiver with the following parameters in addition to those described below:
AUT(*EXCLUDE) TEXT('Auditing Journal')
Specify the name of the journal receiver you created in the JRNRCV parameter.
Specify *EXCLUDE on the AUT parameter to limit access to the information stored in the journal.
Specify *SYSTEM for the Manage Receiver (MNGRCV) parameter. When the attached journal receiver reaches its threshold size, the system itself detaches this receiver and creates and attaches a new journal receiver.
This avoids having to detach receivers and create and attach new ones manually with the CHGJRN command.
To retain the detached journal receivers, specify *NO as the value for DLTRCV. This prevents the system from automatically deleting detached receivers.
Turn on security auditing with the CHGSECAUD command, which sets the QAUDCTL and QAUDLVL system values:
CHGSECAUD QAUDCTL(*ALL) QAUDLVL(*ALL)
To specify which actions are logged in the audit journal for all users on the system, set the audit level in the QAUDLVL system value using the WRKSYSVAL command.
If you want to set action and object auditing for specific users, use the CHGUSRAUD command.
You can also set object auditing for specific objects as per your requirement, using the CHGOBJAUD and CHGDLOAUD commands.
The QAUDENDACN system value determines the system's action when it is unable to write an entry to the audit journal.
The QAUDFRCLVL system value controls the transfer of audit records from memory to auxiliary storage.
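The complete sequence described above, as an added CL example that is not from this page or from EventLog Analyzer's own documentation. It assumes the library JRNLIB already exists, uses the CRTJRN command and the IBM i system audit journal name QSYS/QAUDJRN (neither appears on the page), and picks *NOTIFY for QAUDENDACN and a force level of 1 for QAUDFRCLVL as illustrative choices.

```cl
/* Constructed example: create the receiver and the audit journal, set  */
/* the auditing system values, then display them for verification.      */
PGM

/* 1. Journal receiver in JRNLIB (library assumed to exist). The system */
/*    switches to a new receiver when the 100,000 KB threshold is hit.  */
CRTJRNRCV JRNRCV(JRNLIB/AUDRCV0001) THRESHOLD(100000) +
          AUT(*EXCLUDE) TEXT('Auditing Journal Receiver')

/* 2. Audit journal QSYS/QAUDJRN attached to that receiver.             */
/*    MNGRCV(*SYSTEM): the system detaches/attaches receivers itself.    */
/*    DLTRCV(*NO): detached receivers stay on disk for log collection.   */
CRTJRN JRN(QSYS/QAUDJRN) JRNRCV(JRNLIB/AUDRCV0001) +
       MNGRCV(*SYSTEM) DLTRCV(*NO) +
       AUT(*EXCLUDE) TEXT('Auditing Journal')

/* 3. Turn auditing on for all users and all action categories.         */
CHGSECAUD QAUDCTL(*ALL) QAUDLVL(*ALL)

/* 4. Action when an audit entry cannot be written: *NOTIFY sends a    */
/*    message to the operator instead of powering the system down       */
/*    (assumed choice for this example).                                */
CHGSYSVAL SYSVAL(QAUDENDACN) VALUE('*NOTIFY')

/* 5. Force each audit record from memory to auxiliary storage as soon */
/*    as it is written, so an abnormal end loses as little as possible  */
/*    (assumed choice; the default *SYS lets the system decide).        */
CHGSYSVAL SYSVAL(QAUDFRCLVL) VALUE('1')

/* 6. Verify: current security auditing values and the receiver chain.  */
DSPSECAUD
WRKJRNA JRN(QSYS/QAUDJRN)

ENDPGM
```

Run the program from an interactive job with *AUDIT and *ALLOBJ special authority so the two display commands at the end can show the resulting configuration.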
Once this security auditing setup is complete, EventLog Analyzer automatically fetches the logs collected in the journal receiver of the AS400/iSeries device that is added for monitoring. If the AS400/iSeries machine has not yet been added to the EventLog Analyzer server, add the device to begin collecting its logs.