6.10. Troubleshooting the syslog-ng Agent for IBM System i

In the event you have difficulties with an Alliance Syslog application, the following procedures may be helpful.

6.10.1. System operator messages

When Alliance encounters a problem processing a Syslog transaction, it may send a message to the system operator message queue. Use the DSPMSG command to view these messages. Many of the messages have second-level text. You can use F1 or the HELP key to view this text.

6.10.2. Application logging

The Alliance TCP client applications will create extra diagnostic information when the option for application logging is enabled. You should restart the subsystem when changing the logging option. When application logging is enabled, additional information is written to the job log and to output spooled files in the job.

6.10.3. Cannot install the product from CD

If you have a product CD with the LogAgent product, use the Load and Run (LODRUN) command to install the product:

LODRUN DEV(OPT01) DIR('/')

Be sure that you are signed on as QSECOFR or a similar profile that has authority to restore objects from the optical CD. You can also install the product from an Internet download. Contact your software provider for information on downloading the product.

6.10.4. Logs are not being transferred to my log server

The subsystem ALLSYL100 must be started before logs will transfer. If the subsystem is not started, display the main menu SYMAIN and use option 2 (Configuration), then option 10 (Start the subsystem) to start the subsystem. Use option 12 on this menu to view the active jobs in the subsystem.

You must configure at least one communications client in order to send logs to your log server. Use the Configuration menu option to configure TCP clients. Configure one TCP client (syslog, syslog-ng, or syslog-ng with SSL/TLS) and restart the subsystem ALLSYL100 to activate the client. From the Configuration menu select the option to Configure LogAgent. Be sure that you have enabled the option to send security audit journal QAUDJRN messages. After enabling the option to send the security journal messages, restart the ALLSYL100 subsystem.

6.10.5. I get a license error when trying to use configuration options

If error messages about a license failure appear on your display or in the system operator message queue, contact your software provider for a temporary or permanent license key. These keys are entered on the Installation menu. If you upgrade your System i operating system or hardware, you may need to contact your software supplier for a new license key.

6.10.6. The product no longer works after a system upgrade

The LogAgent license key is tied to the system serial number, model number, processor group, and logical partition number. If you upgrade your System i software or hardware, you may need to obtain a new license key from your software provider.

6.10.7. Security events are not being captured

The IBM security audit journal (QAUDJRN) is not automatically created by the operating system. You must create the journal receivers and journal manually. For information on creating the QAUDJRN journal please see the IBM iSeries Security Reference manual. This IBM manual provides practical suggestions on creating and managing the journal.

Security events will not be captured even after creating the QAUDJRN journal until you change the security audit system values. There are multiple system values that must be enabled before journal entries are captured. See the LogAgent Reference manual and IBM iSeries Security Reference manual for information on changing the system values for audit collection.

6.10.8. I am not capturing information about our security administrators

You must enable user security journal collection using the Change User Audit (CHGUSRAUD) command in order to capture detailed information about security administrators, or other users. See the IBM iSeries Security Reference manual for information about capturing user information.

6.10.9. I am not capturing information about programs and files

If you have data in sensitive files and you want to capture information about the use of the file, use the Change Object Audit (CHGOBJAUD) command to enable information collection on a file or program. See the IBM iSeries Security Reference manual for more information about this command.
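
The audit setup described in sections 6.10.7 through 6.10.9, shown as one CL command sequence. This is an added example, not code from the LogAgent or IBM manuals. The library AUDLIB, receiver AUDRCV0001, user profile SECADMIN1 and file PAYLIB/PAYROLL are placeholder names, and the QAUDLVL values are a sample selection, not a recommendation from this guide.

```cl
/* Added example. AUDLIB, AUDRCV0001, SECADMIN1 and PAYLIB/PAYROLL   */
/* are hypothetical names. Run under a profile that has *AUDIT       */
/* special authority. AUDLIB is assumed to exist already.            */

/* 6.10.7: create the journal receiver first, then QAUDJRN in QSYS.  */
CRTJRNRCV JRNRCV(AUDLIB/AUDRCV0001) THRESHOLD(100000) +
          AUT(*EXCLUDE) TEXT('Audit journal receiver')
CRTJRN    JRN(QSYS/QAUDJRN) JRNRCV(AUDLIB/AUDRCV0001) +
          MNGRCV(*SYSTEM) DLTRCV(*NO) AUT(*EXCLUDE) +
          TEXT('Security audit journal')

/* 6.10.7: no entries are written until the system values are set.   */
/* QAUDLVL selects the event classes to record (sample selection).   */
CHGSYSVAL SYSVAL(QAUDLVL) +
          VALUE('*AUTFAIL *SECURITY *CREATE *DELETE *SAVRST')

/* QAUDCTL switches auditing on. *AUDLVL activates QAUDLVL and the   */
/* per-user AUDLVL values; *OBJAUD activates object auditing, which  */
/* the CHGUSRAUD OBJAUD and CHGOBJAUD settings below depend on.      */
CHGSYSVAL SYSVAL(QAUDCTL) VALUE('*AUDLVL *OBJAUD *NOQTEMP')

/* 6.10.8: record commands and security actions of an administrator. */
/* The profile's OBJAUD value only applies to objects whose own      */
/* OBJAUD value is *USRPRF.                                          */
CHGUSRAUD USRPRF(SECADMIN1) OBJAUD(*CHANGE) AUDLVL(*CMD *SECURITY)

/* 6.10.9: record every read and change of a sensitive file.         */
CHGOBJAUD OBJ(PAYLIB/PAYROLL) OBJTYPE(*FILE) OBJAUD(*ALL)

/* Check the result: show the audit settings, then confirm that      */
/* entries are arriving in the journal LogAgent reads from.          */
DSPSECAUD
DSPJRN    JRN(QSYS/QAUDJRN)
```

If DSPJRN shows no new entries after these changes, LogAgent has nothing to forward, and the problem is in the audit configuration rather than in the TCP client.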

6.10.10. I am not capturing QSYSOPR messages

From the Configuration menu select the option to Configure LogAgent. Be sure that you have enabled the option to send system operator messages (QSYSOPR message queue). After enabling the option to send the operator messages, restart the ALLSYL100 subsystem.

6.10.11. I would like to turn off some audit journal events

You can filter the security audit journal events by changing the LogAgent configuration settings using the Work With Security Types option on the configuration menu. Change the option for Send To Log Server to 2 for No.

6.10.12. Where do I find error messages?

Alliance will write error messages to the system operator message queue QSYSOPR. Use the Display Message (DSPMSG) command to view these messages. For more detailed information about a communications error, you can enable application logging on the TCP client definition. When you restart the TCP client it will write verbose information to the log file ALLOGA. You can use the Inquiry menu to view and print these logs.


© 2007-2008 BalaBit IT Security