IBM i Machine Data 101: A Quick Guide
The IBM i series continues to be an indispensable data processing workhorse for businesses around the world. Because these machines often handle the most sensitive and mission-critical information an organization has, keeping them operating securely, reliably and efficiently is crucial.
Ensuring the security and operational health of your IBM i system requires collection and analysis of two types of information. IT Operational Analytics (ITOA) data provides critical information regarding system health and efficiency, while Security and Information Event Management (SIEM) data enables real-time analysis of security event information and quick detection of potential threats. Regulatory regimes such as HIPAA and GDPR may require that both types of data be actively monitored.
Fortunately, the IBM i provides a wealth of internal system information. By monitoring and analyzing this data, you can gain a comprehensive view of the operational and security status of your system.
One difficulty, however, is that IBM i data is collected in several different places within the system. Here’s a brief look at where the most important information sources are located.
IBM i Data Sources
IBM i information is available in several message queues and journals. IBM describes a message queue as being like a mailbox in which incoming messages are stored until they can be handled. Journals are system objects in which the activities of other specified objects can be recorded.
- System Audit Journal (QAUDJRN): QAUDJRN is the system’s primary security auditing resource. All user activity is logged there, and it serves as a central repository for a wide range of security-related events such as login attempts, user profile changes, and the creation, modification, or deletion of objects. A key feature is that once an event is logged into QAUDJRN, that entry cannot be changed, providing a tamper-proof audit trail.
- System Operator Message Queue (QSYSOPR): The QSYSOPR message queue receives operator notifications from users, applications, and the system. These messages, which sometimes include important security information, may require operator action.
- System and Application Message Queue (QSYSMSG): Although the use of QSYSMSG is optional, it can play a vital role in the proper handling of both ITOA and SIEM information. Because the QSYSOPR queue receives many messages of varying degrees of importance, messages requiring immediate attention can be overlooked in the QSYSOPR queue. But when QSYSMSG is enabled, the system can be configured so that critical messages are sent to both QSYSOPR and QSYSMSG, or to QSYSMSG alone, to ensure that they won’t be missed.
- History Log (QHST): QHST keeps a history of system activity, including items such as a high-level trace of system, subsystem and job information, user login and logoff events, and more. It consists of both a message queue and a physical file called a log version. Messages sent to the QHST queue are also written to the current log version file.
- Accounting Journal: This journal tracks the use of system resources during job execution, including details such as CPU usage and printer activity.
- Collection Services and Logs for Performance Data: The IBM i system can be configured to log comprehensive performance metrics to a Management Collection object. Then, either in real time or some time later, the information can be extracted from the object and stored in an optionally journaled Db2 table. Vital performance data can then be extracted as needed from the Db2 tables or the journals for analysis.
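As an added example that is not part of the original article or of Syncsort's tools, the Python below shows what a SIEM-side consumer of QAUDJRN entries typically does with the data sources listed above: flatten each audit entry into one event record and run a simple detection (repeated sign-on failures) over it. The record layout and sample values are constructed for illustration; the PW (password failure) and CP (user profile change) entry types are QAUDJRN's own.

```python
"""Constructed example: normalise IBM i audit-journal (QAUDJRN) entries into a
flat SIEM-style event and flag bursts of failed sign-ons (entry type PW)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample QAUDJRN entries. Journal code T marks security audit entries;
# PW = password/sign-on failure, CP = user profile change (real QAUDJRN types).
QAUDJRN_SAMPLE = [
    {"ts": "2024-03-01T08:00:01", "code": "T", "type": "PW", "user": "JSMITH", "job": "QPADEV0001"},
    {"ts": "2024-03-01T08:00:09", "code": "T", "type": "PW", "user": "JSMITH", "job": "QPADEV0001"},
    {"ts": "2024-03-01T08:00:15", "code": "T", "type": "PW", "user": "JSMITH", "job": "QPADEV0001"},
    {"ts": "2024-03-01T08:00:20", "code": "T", "type": "CP", "user": "SECOFR1", "job": "QPADEV0002"},
    {"ts": "2024-03-01T09:30:00", "code": "T", "type": "PW", "user": "AWONG", "job": "QPADEV0003"},
]


def normalise(entry, source="QAUDJRN"):
    """Flatten one journal entry into the key/value shape a forwarder would ship."""
    return {
        "source": source,
        "timestamp": entry["ts"],
        "journal_code": entry["code"],
        "entry_type": entry["type"],
        "user": entry["user"],
        "job": entry["job"],
        # Sign-on failures are the entries an authentication rule keys on.
        "category": "auth_failure" if entry["type"] == "PW" else "audit",
    }


def failed_signon_bursts(events, threshold=3, window_seconds=60):
    """Return users with at least `threshold` PW entries inside any window_seconds span."""
    per_user = defaultdict(list)
    for ev in events:
        if ev["entry_type"] == "PW":
            per_user[ev["user"]].append(datetime.fromisoformat(ev["timestamp"]))
    flagged = []
    for user, stamps in per_user.items():
        stamps.sort()
        # Sliding window: compare each timestamp with the one `threshold - 1` later.
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= timedelta(seconds=window_seconds):
                flagged.append(user)
                break
    return sorted(flagged)


if __name__ == "__main__":
    events = [normalise(e) for e in QAUDJRN_SAMPLE]
    print(events[0])
    print(failed_signon_bursts(events))  # ['JSMITH']
```

On a real system the entries would be read from QAUDJRN (for instance with IBM's QSYS2.DISPLAY_JOURNAL SQL service) rather than from the constructed list.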
Syncsort Can Help You Access Your IBM i Data
Syncsort offers the industry’s most comprehensive solutions for accessing IBM i data. These tools continuously monitor various internal data sources. They automatically extract required information, seamlessly converting it to industry standard formats. It is then forwarded in near real time to external analytics platforms such as Splunk.
If you’d like to learn how you can maximize your access to internal IBM i data, please download our ebook, The Ultimate Guide to IBM i Machine Data.