Sean By the way, when I do get a successful connection, my QHST log shows an additional message: Message ID . . . . . . : CPIAD09 Severity . . . . . . . : 00 Message type . . . . . : Information Date sent . . . . . . : 01/15/01 Time sent . . . . . . : 16:10:49 Message . . . . : User XXXXX from client XXX.XXX.XXX.XXX connected to job 250934/QUSER/QZSCSRVS in subsystem QUSRWRK in QSYS on 01/15/01 16:10:49. But when the authentication fails, the above message is NOT logged into QHST. You would think that authentications could be tracked back to an IP address on TCPIP connection attempts. I wonder if the software just doesn't grab enough info when the request is made. > You might try WRKJOB QZSCSRVS > > Although you may have to look in a bunch to find the right one. On our > system, the job log shows user and IP address. > > Or DSPLOG MSGID(CPIAD12) for the time period in question. > > HTH > > > Chuck Bower wrote: > > > > Help! > > > > I have a user (lets call her XXXXX) who has the following logged into > > the QHST log: > > > > Additional Message > > Information > > > > > > Message ID . . . . . . : CPIAD0B Severity . . . . . . . : > > 00 > > Message type . . . . . : > > Information > > Date sent . . . . . . : 01/13/01 Time sent . . . . . . : > > 19:02:54 > > > > > > Message . . . . : *SIGNON server job 243473/QUSER/QZSOSIGN > > processing > > request for user XXXXX on 01/13/01 19:02:54 in subsystem QUSRWRK in > > QSYS. > > Cause . . . . . : The *SIGNON server is processing request 1 for > > user > > XXXXX. The types of requests supported are as > > follows: > > 1 -- Retrieve Signon > > Information > > 2 -- Change > > Password > > 3 -- Generate Authentication > > Token > > > > Now, it happens I was speaking with user XXXXX at a party at just the > > time this message occurred. I have been trying to find out where this > > request came from. I cannot find an IP address from this message, nor > > can I located anything else in the log that would indicate the origin > > of the request. > > > > The next day (yesterday), the same message occurred, followed by an > > automatic disabling of the user's profile. I do not care, of course, > > that the profile was disabled, (I know why it was disabled, too many > > incorrect signon attempts-because of my system value settings). What > > is WANT TO KNOW IS, WHERE THE HECK IS THE IP ADDRESS!!! > > > > Because without that, I cannot track down the perpetrator that may be > > attempting to break into the system with XXXXX's authority. (which is > > quite significant). > > > > I am even running the system auditing journal. When I look at > > password failures, the device name associated with the device for the > > journal entry is "COMMUNICATIONS DEVICE". Uh, yeah! > > > > Anybody's help would be GREATLY appreciated... > > > > Chuck > +--- > | This is the Midrange System Mailing List! > | To submit a new message, send your mail to MIDRANGE-L@midrange.com. > | To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com. > | To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com. > | Questions should be directed to the list owner/operator: email@example.com > +--- > +--- | This is the Midrange System Mailing List! | To submit a new message, send your mail to MIDRANGE-L@midrange.com. | To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com. | To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com. | Questions should be directed to the list owner/operator: firstname.lastname@example.org +---
As an Amazon Associate we earn from qualifying purchases.
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.