Today’s world of complex regulatory requirements and evolving security threats requires you to find simple ways to monitor all IBM i system and database activity, identify security threats and compliance issues in real time, produce clear and concise reports, and maintain an audit trail to satisfy security officers and auditors. IBM i log files and journals are rich sources of system and database activity. However, they are in their own proprietary format, and they are not easy to manually analyze for security events. Join this webinar to learn more about: - Key IBM i log files and static data sources that must be monitored - Automating real-time analysis of log files to identify threats to system and data security - Integrating IBM i security data into SIEM solutions for a clear view of security across multiple platforms

1. Monitoring and
Reporting for IBM i
Compliance and
Security
Bill Hammond | Senior Product Marketing Manager
Dawn Winston | Product Management Director

2. Housekeeping
Webinar Audio
• Today’s webinar audio is streamed through your computer
speakers
• If you need technical assistance with the web interface or audio,
please reach out to us using the Q&A box
Questions Welcome
• Submit your questions at any time during the presentation using
the Q&A box
Recording and slides
• This webinar is being recorded. You will receive an email following
the webinar with a link to the recording and slides

3. Today’s Agenda
• Basics of Security Monitoring
• Key IBM i Logs
• SIEM Integration
• Assure Monitoring & Reporting
• Q & A
3

4. Basics of
Security Monitoring

5. Basics of Security Monitoring
You can’t monitor what you aren’t watching!
5
A strong IBM i security foundation requires solutions that draw a
perimeter around your system and its data – capturing security
data that you can monitor in log files
IBM i has powerful audit logs
• System Journal – QAUDJRN
• Database (Application) Journals – for Before and After
Images
• Other IBM Journals are available
• QHST Log Files – DSPLOG Command
• System Message Queues – QSYSOPR, QSYSMSG
Turn on auditing, save journal receivers, and take advantage of
everything the operating system can log for you

6. Alerts and Reporting
Full visibility into security issues!
Security tools generate the log entries required to create a
complete audit trail of events on your system. By leveraging that
information to generate alerts and reports, those tools will also:
• Simplify the process of analyzing complex IBM i journals
• Detect security incidents when they occur
• Quickly highlight compliance deviations
• Raise alerts and deliver reports in multiple formats
• Distribute reports via SMTP, FTP, IFS, SIEM
6

7. Enterprise-Level Visibility
Monitor IBM i security all the other platforms in your enterprise
7
Monitoring and reporting tools can forward IBM i security data to
a Security Information and Event Management (SIEM) solution to:
• Integrate IBM i security data with data from other IT platforms
• Enable advanced analysis of security data using advanced SIEM
technology for correlation, pattern matching, and threat detection
• Support information sharing and collaboration across teams
• Facilitate integration with case management and ticketing systems

8. Analyze IBM i Audit Logs
Tools help you extract insight from your logs
8
IBM i log files are comprehensive, unalterable, and
trusted by auditors BUT they are not easy to analyze.
Monitoring and reporting tools are needed to:
• Simplify the process of analyzing complex IBM i journals
• Filter through the massive amount of information in your logs
• Detect security incidents and raise alerts
• Quickly highlight compliance deviations
• Deliver reports in multiple formats to compliance and security
auditors, partners, customers and your management team
• Relieve your team of the burden of manual analysis

9. Key IBM i Logs

10. IBM i Audit Logs
10
• IBM i has GREAT audit logs
• System Journal – QAUDJRN
• Other IBM Journals are available
• Database (Application) Journals – for Before and After
Images
• QHST Log Files – DSPLOG Command
• System Message Queues – QSYSOPR, QSYSMSG
• But, they are not easy to use for inquiry, reporting, and
alerting.

11. IBM i System Journal (QAUDJRN) is your Friend
• Make sure QAUDJRN is active on your system - DSPSECAUD
• If not, turn it on manually or CHGSECAUD
• What settings should you have?
• QAUDCTL – *AUDLVL, *OBJAUD, *NOQTEMP
• QAUDLVL – Depends how far you want to go
• QAUDLVL2 – Use if you have more than 15, must specify *AUDLVL2 in QAUDLVL
• QAUDENDACN - *NOTIFY (Default)
• QAUDFRCLVL - *SYS (Default)
• IBM has subsetted the Audit Levels so they are more granular and specific
• There are over 35 settings in OS 7.3
• For *ATNEVT – Attention Events, there is more setup (Intrusion Detection System)
in the IBM Navigator for i
11

12. Other Levels of Auditing in QAUDJRN
• The System Journal is made up of three levels of auditing:
• System
• User
• Object
• They work together (inclusive)
• Use the commands CHGUSRAUD and CHGOBJAUD to specify additional more
specific auditing
• *CMD can only be included in the User Auditing (CHGUSRAUD) – good for
Privileged Users
• Object Auditing (CHGOBJAUD) is good for Critical or Private/Confidential files
12

13. Change User Auditing - CHGUSRAUD
• For Object Auditing Value and User Action
Auditing
• Object Auditing will log change accesses
(*CHANGE) or change and read accesses
(*ALL) this user does to objects.
• User Action Auditing specifies the level of
activity audit for this user profile.
• The full list of QAUDLVL codes are available
PLUS *CMD to log every command this user
executes on the system.
• Using *CMD for privileged users is
recommended.
13

14. Change Object Auditing - CHGOBJAUD
• For Object Auditing Value
• Object Auditing will log change
accesses (*CHANGE) or change and
read accesses (*ALL) to this object.
• If *USRPRF specified it then looks at
the User for Object Auditing Value
setting (DSPUSRPRF) to determine if
object is audited and how.
14

15. Object Auditing
15
• Where does it come from:
• System Value – QCRTOBJAUD
• Default auditing value when objects are created into a library or
directory
• The options are *NONE, *USRPRF, *CHANGE, and *ALL
• Library Description – CRTOBJAUD parameter
• Specifies the auditing value for objected created in this library
• *SYSVAL is the default value
• The other options are *NONE, *USRPRF, *CHANGE, and *ALL
• User Profile
• Auditing parameters not available on the CRTUSRPRF or
CHGUSRPRF commands
• Must use CHGUSRAUD command to set
• The options for Object Auditing are *NONE, *CHANGE, and *ALL

16. Other IBM i Journals
Working with IBM-supplied journals – v7.3
QACGJRN QSYS - Keeps job accounting information. Job Accounting in the Work
Management topic describes the use of this optional journal.
QPFRADJ QSYS - Keeps a log of dynamic performance tuning information. Job Accounting in
the Work Management topic describes using this optional journal.
QAOSDIAJRN QUSRSYS - Provides recovery for the document library files and the
distribution files. Used by Integrated xSeries Server.
QPMCCCAJRN QUSRSYS - A system managed journal used internally by performance data
collectors to insure the integrity of their database transactions.
QASOSCFG QUSRSYS - The journal for the QASOSCFG physical file. The QASOSCFG
file stores secure client SOCKets Secure (SOCKS) configuration data. The Client SOCKS
support topic provides more information about SOCKS.
QSNADS QUSRSYS - Provides an audit trail for SNADS activity.
QAUDJRN QSYS - Keeps an audit record of security-relevant activity on the system.
The Security Reference describes this optional journal.
QSZAIR QUSRSYS - A journal for Storage Management Services (SMS)
QCQJMJRN QUSRSYS - Provides an audit trail for Managed System Services. QSNMP QUSRSYS - Provides an audit trail for network management information. Simple
Network Management Protocol (SNMP) describes using this journal.
QDSNX QUSRSYS - Provides an audit trail for DSNX activity. QSXJRN QUSRSYS - Provides a log of the activity that occurs in the database files for
service-related activity. Keep the information in this journal for 30 days.
QIPFILTER QUSRSYS - Provides information for troubleshooting and auditing IP filter
rules. See the IP filtering and network address translation topic for more information
about IP filtering rules.
QTOVDBJRN QUSRSYS - A journal for virtual private networking (VPN).
QIPNAT QUSRSYS - Provides information for troubleshooting and auditing network
address translation (NAT). See the IP filtering and network address translation topic for
more information about NAT.
QVPN0001 QUSRSYS - Provides an audit trail for Virtual Private Networking (VPN)
connections. TCP/IP Configuration and Reference describes this journal.
QLYJRN QUSRSYS - Keeps a log of transactions made to the Application Development
Manager datastore files.
QYPSDBJRN QUSRSYS - A journal for the systems management platform
QLYPRJLOG QUSRSYS - Keeps the project logs for the Application Development
Manager licensed program. Used by the system if recovery is necessary.
QZCAJRN QUSRSYS - Contains a record for each SNMP PDU in and out of the SNMP
agent, by PDU type (SNMP GET, SNMP GETNEXT, SNMP SET, SNMP TRAP).
QLZALOG QUSRSYS - Used by the licensed management program to log requests
that exceed the usage limit of a license.
QZMF QUSRSYS - Provides an audit trail for the mail server framework. AnyMail/400 Mail
Server Framework Support provides more information about this journal.

17. File Journaling
• Setup journaling for Database files (*FILE)
and IFS Stream files (*STMF) for sensitive
objects to get a complete audit of
changes, including adds, changes, and
deletes to data/file.
• Also used by:
• HA/DR Software packages like MIMIX and Quick-
EDD/HA
• Application Development teams for Commitment
Control
Commands:
• CRTJRNRCV JRNRCV(MYLIB/MYRCV0001)
• CRTJRN JRN(MYLIB/MYJRN) JRNRCV(MYLIB/MYRCV0001)
• STRJRNPF FILE(MYLIB/MYFILE) JRN(MYLIB/MYJRN) IMAGES(*BOTH)
• STRJRN OBJ(('/mydir/dir1/stmf1' *INCLUDE)) JRN('/qsys.lib/mylib.lib/myjrn.jrn')
17

18. SIEM Integration

19. What is SIEM?
Security Information and Event
Management
• Real-time analysis of security alerts
generated by applications and network
hardware
• Holistic, unified view into infrastructure,
workflow, policy compliance and log
management
• Monitor and manage user and service
privileges as well as external threat data
Log Collection
Log Analysis
Event Correlation
Log Forensics
IT Compliance
Application Log Monitoring
Object Access Auditing
Real-Time Alerting
User Activity Monitoring
Dashboards
Reporting
File Integrity Monitoring
System/Device Log Monitoring
Log Retention
SIEM
19

20. Enterprise Security Monitoring
• Monitoring and reporting tools can forward IBM i security
data to a Security Information and Event Management (SIEM)
solution to:
• Integrate IBM i security data with data from other IT
platforms
• Enable advanced analysis of security data using correlation,
pattern matching, and threat detection
• Sharing information across teams
• Integrate with case management and ticketing systems
Monitor IBM i security along with your other enterprise platforms
20

21. What Can You Detect
with a SIEM?
• Data movement – inbound/outbound FTP
• Dataset access operations
• Determine potential security threats based on unauthorized access
attempts
• Ensure only authorized users are accessing critical datasets
• Privileged/non-privileged user activity monitoring
• Unusual behavior pattern – off hours connections
• High number of invalid logon attempts
• Attack detection – intrusion, scans, floods
• Authentication anomalies – e.g. entered the building at 08:30 but
logged on from another country at 09:00
• Network Traffic Analysis – high data volumes from a device/server
• And much more
21

22. ............SOURCES...............
Assure System Access
Manager
Exit Point Control
Assure Monitoring
and Reporting
System and Database
Activity
and Static Data Sources
Assure Elevated Authority
Manager
Privileged Access
Management
Assure Multi-Factor
Authentication
Reinforced Login
Management
Filters the
events
Selects the
message format:
*LEEF, *CEF,
*RFC3164, *RFC5424,
user-defined
Builds the
message
Categorizes
the message
Sends Syslog, Db2
file, stream file
Secures & encrypts
SSL/TLS
Enriches the
message
Optimizes
Connects to the
different sources
HPE ArcSight
Splunk
LogRhythm
MacAfee
AlienVault
SolarWinds
Etc…
SIEM
DSM
Event
Properties
Heartbeat
Assure
Security
Gateway
Assure Security and SIEM Integration
22

23. Assure Monitoring
and Reporting
23

24. 24
Assure Security
Assure
Data Privacy
Assure Encryption
Assure Secure File
Transfer
Assure Monitoring
and Reporting
Assure Db2 Data
Monitor
Assure
Access Control
Assure System Access
Manager
Assure Elevated
Authority Manager
Assure Multi-Factor
Authentication
Security Risk
Assessment
Assure Compliance
Monitoring
Assure Monitoring and
Reporting monitors IBM i
system and database activity
and produces clear, concise
alerts and reports that
identify compliance
deviations and security
incidents

25. Assure Monitoring & Reporting
Comprehensive monitoring of system and database activity
25
• Serves as a powerful query engine with extensive filtering
• Includes out-of-the-box, customizable models for ERP applications or GDPR compliance
• Provides security and compliance event alerts via e-mail popup or syslog
• Produces clear, easy-to-read reports continuously, on a schedule or on-demand
• Supports multiple report formats including PDF, XLS, CSV and PF formats
• Distributes reports via SMTP, FTP or the IFS
• Forwards security data to Security Information and Event Management (SIEM) consoles such as IBM
QRadar, ArcSight, LogRhythm, LogPoint, and Netwrix
• No application modifications required

26. Sample Reports
These are just a handful of the reports you could create with
Assure Monitoring and Reporting
26
• File accesses outside business hours
• Accesses to sensitive database fields
• Changes of more than 10% to a credit limit field
• All accesses from a specific IP address
• Command line activity for powerful users (*ALLOBJ, *SECADM)
• Changes to system values, user profiles, and authorization lists
• Attempts to sign into a specific account
• Actions on a sensitive spool file, such as display or deletion of the
payroll spool file

27. Benefits of
Assure Monitoring and Reporting
27
• Simplifies the process of analyzing complex journals
• Comprehensively monitors system and database activity
• Enables quick identification of security incidents and compliance
deviations when they occur
• Monitors the security best practices you have implemented
• Enables you to meet regulatory requirements for GDPR, SOX, PCI
DSS, HIPAA and others
• Satisfies requirements for a journal-based audit trail
• Provides real segregation of duties and enforces the independence of
auditors

28. Q & A