Sean,

I have reviewed all of the QZSCSRVS that I have. I have not found anything, possibly because there are no job logs left for jobs not active now, and in the existing jobs, I see IP connections. But not for the time periods in question. I am wondering if I would not have that anyway, as each of these connection attempts has apparently been unsuccessful. It appears that the successful attempts log the user id and the IP address...

> You might try WRKJOB QZSCSRVS
>
> Although you may have to look in a bunch to find the right one. On our
> system, the job log shows user and IP address.

I have not found ANY CPIAD12 messages logged. I see from the message text that this would appear to be a message that occurs when an IP connection is made, thus I should see some of those, but I do not. Note, I just went up on V4R5 4 weeks ago.

>
> Or DSPLOG MSGID(CPIAD12) for the time period in question.
>
> HTH
>
>
> Chuck Bower wrote:
> >
> > Help!
> >
> > I have a user (let's call her XXXXX) who has the following logged into
> > the QHST log:
> >
> >                  Additional Message Information
> >
> > Message ID . . . . . . :   CPIAD0B       Severity . . . . . . . :   00
> > Message type . . . . . :   Information
> > Date sent  . . . . . . :   01/13/01      Time sent  . . . . . . :   19:02:54
> >
> > Message . . . . :   *SIGNON server job 243473/QUSER/QZSOSIGN processing
> >   request for user XXXXX on 01/13/01 19:02:54 in subsystem QUSRWRK in
> >   QSYS.
> > Cause . . . . . :   The *SIGNON server is processing request 1 for user
> >   XXXXX. The types of requests supported are as follows:
> >     1 -- Retrieve Signon Information
> >     2 -- Change Password
> >     3 -- Generate Authentication Token
> >
> > Now, it happens I was speaking with user XXXXX at a party at just the
> > time this message occurred. I have been trying to find out where this
> > request came from. I cannot find an IP address from this message, nor
> > can I locate anything else in the log that would indicate the origin
> > of the request.
> >
> > The next day (yesterday), the same message occurred, followed by an
> > automatic disabling of the user's profile. I do not care, of course,
> > that the profile was disabled, (I know why it was disabled, too many
> > incorrect signon attempts, because of my system value settings). What
> > I WANT TO KNOW IS, WHERE THE HECK IS THE IP ADDRESS!!!
> >
> > Because without that, I cannot track down the perpetrator that may be
> > attempting to break into the system with XXXXX's authority. (which is
> > quite significant).
> >
> > I am even running the system auditing journal. When I look at
> > password failures, the device name associated with the device for the
> > journal entry is "COMMUNICATIONS DEVICE". Uh, yeah!
> >
> > Anybody's help would be GREATLY appreciated...
> >
> > Chuck

+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: firstname.lastname@example.org
+---