I have a user (lets call her XXXXX) who has the following logged into the QHST log:
Additional Message Information
Message ID . . . . . . : CPIAD0B Severity . . . . . . . : 00
Message type . . . . . : Information
Date sent . . . . . . : 01/13/01 Time sent . . . . . . : 19:02:54
Message . . . . : *SIGNON server job 243473/QUSER/QZSOSIGN processing
request for user XXXXX on 01/13/01 19:02:54 in subsystem QUSRWRK in QSYS.
Cause . . . . . : The *SIGNON server is processing request 1 for user
XXXXX. The types of requests supported are as follows:
1 -- Retrieve Signon Information
2 -- Change Password
3 -- Generate Authentication Token
Now, it happens I was speaking with user XXXXX at a party at just the time this message occurred. I have been trying to find out where this request came from. I cannot find an IP address from this message, nor can I located anything else in the log that would indicate the origin of the request.
The next day (yesterday), the same message occurred, followed by an automatic disabling of the user's profile. I do not care, of course, that the profile was disabled, (I know why it was disabled, too many incorrect signon attempts-because of my system value settings). What is WANT TO KNOW IS, WHERE THE HECK IS THE IP ADDRESS!!!
Because without that, I cannot track down the perpetrator that may be attempting to break into the system with XXXXX's authority. (which is quite significant).
I am even running the system auditing journal. When I look at password failures, the device name associated with the device for the journal entry is "COMMUNICATIONS DEVICE". Uh, yeah!
Anybody's help would be GREATLY appreciated...