IBM i users who need to meet compliance regulations for actively monitoring their systems are faced with the challenge of collecting system and security event information from a variety of log sources. We know we have to collect information from the IBM security audit journal QAUDJRN, but there are often additional security events in the system operator’s message queue QSYSOPR. The system operator message queue receives messages from the IBM i operating system as well as from user applications.
Alliance LogAgent meets all of these challenges. QSYSOPR messages are automatically processed in near real time. To avoid potential access conflicts, Alliance LogAgent can collect messages from the QSYSMSG message queue. Messages are converted from the proprietary IBM format to the industry standard syslog format (RFC 3164) and converted from EBCDIC to ASCII. Messages are then transmitted to the log collection server or SIEM solution securely and in real time.
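The conversion described above (EBCDIC text to ASCII, wrapped in an RFC 3164 syslog line), as an added Python sketch that is not Alliance LogAgent code. The code page (cp037), host name, tag, facility, severity and the message ID `TST0001` are assumptions chosen for illustration.

```python
from datetime import datetime

MONTHS = ("Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")
MAX_PACKET = 1024  # RFC 3164: total packet length must not exceed 1024 bytes


def to_rfc3164(ebcdic_msg: bytes, msg_id: str, when: datetime, host: str,
               facility: int = 13, severity: int = 5,
               tag: str = "QSYSOPR", codepage: str = "cp037") -> bytes:
    """Build one RFC 3164 line from EBCDIC message text.

    facility 13 (log audit) and severity 5 (notice) are assumed defaults;
    cp037 is an assumed code page, real systems may use another CCSID.
    """
    text = ebcdic_msg.decode(codepage, errors="replace")
    # Keep printable ASCII only: control characters could forge extra
    # records or break parsers on the collector, so map them to '?'.
    text = "".join(c if 32 <= ord(c) < 127 else "?" for c in text).rstrip()
    pri = facility * 8 + severity  # PRI = facility * 8 + severity
    # RFC 3164 timestamp: "Mmm dd hh:mm:ss", day padded with a space.
    ts = f"{MONTHS[when.month - 1]} {when.day:2d} {when:%H:%M:%S}"
    line = f"<{pri}>{ts} {host} {tag}: {msg_id} {text}"
    return line.encode("ascii")[:MAX_PACKET]


# Constructed sample: message text as it would sit in EBCDIC on the host.
SAMPLE = "Sign-on attempts exceeded for profile TESTUSER".encode("cp037")

if __name__ == "__main__":
    stamp = datetime(2024, 3, 5, 14, 7, 9)  # constructed timestamp
    print(to_rfc3164(SAMPLE, "TST0001", stamp, "ibmi01").decode("ascii"))
```

RFC 3164 carries no year or time zone in the timestamp, so the collector has to supply both when it correlates these events with other sources.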
The Alliance LogAgent QSYSOPR message collector is a part of the base product. If you are currently using LogAgent to process QAUDJRN events, you can just enable the QSYSOPR message file option and you will start processing messages the next time the Alliance LogAgent subsystem starts. If you are implementing Alliance LogAgent for the first time, just enable the LogAgent QSYSOPR collector before you start the subsystem.
View our webinar "IBM i Logging for Compliance and SIEM Integration" to learn more about meeting compliance regulations and sending logs to any SIEM.