iEventMonitor : Support : Frequently Asked Questions

The following is a list of frequently asked questions about iEventMonitor. If you have a question that is not covered here, ask us via E-mail and we'll answer your question.




iEventMonitor Frequently Asked Questions:


What system audit values control the functions available to the iEventMonitor Audit Monitor feature?

The system audit value QAUDLVL (or QAUDLVL2, depending on your system configuration) will need to be set for the various audit functions to work. Here is a list of the Audit Codes in iEventMonitor along with the system audit values that will cause them to be activated:

AD - Auditing changes - *SECURITY or *SECCFG
AF - Authority failures - *AUTFAIL
AX - Row and column access control - *SECURITY or *SECRUN
CD - Command line use for registered user profiles - Controlled by iEventMonitor, no system audit value needed.
CP - User profiles changed, created or restored - *SECURITY or *SECCFG
DO - Object Deletes - *SECURITY or *DELETE set for individual object auditing
DS - DST password reset - *SECURITY or *SECCFG
EV - System environment variables - *SECURITY or *SECCFG
OW - Object ownership changes - *SECURITY, *SECDIRSRV, *SECRUN or *CHANGE set for individual object auditing
PS - Profile swaps - *SECURITY or *SECVFY
PW - Invalid passwords - *AUTFAIL
SK - Secure socket connections - *NETCMN, *NETFAIL, *NETSCK, *NETSECURE, *NETTELSVR or *NETUDP
SO - Server security user information actions - *SECURITY or *SECCFG
ST - Use of service tools - *SERVICE
SV - System value changes - *SECURITY or *SECCFG
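Added example (not Kisco code): a small Python check that takes the QAUDLVL and QAUDLVL2 value lists as DSPSYSVAL shows them and reports which of the audit codes above will not be active. It goes slightly beyond the table by honouring *AUDLVL2, which tells IBM i to also apply the values in QAUDLVL2. The sample value lists are constructed.

```python
# Added example, not part of iEventMonitor. Maps each audit code from the FAQ
# table to the QAUDLVL/QAUDLVL2 values that activate it, then reports which
# codes a given audit configuration leaves inactive.

# Any one of the listed values activates the code. Object-level auditing
# alternatives (*DELETE / *CHANGE set per object with CHGOBJAUD) are not
# system values and are deliberately left out of this check.
REQUIRED = {
    "AD": {"*SECURITY", "*SECCFG"},
    "AF": {"*AUTFAIL"},
    "AX": {"*SECURITY", "*SECRUN"},
    "CD": set(),  # controlled by iEventMonitor itself; no audit value needed
    "CP": {"*SECURITY", "*SECCFG"},
    "DO": {"*SECURITY"},
    "DS": {"*SECURITY", "*SECCFG"},
    "EV": {"*SECURITY", "*SECCFG"},
    "OW": {"*SECURITY", "*SECDIRSRV", "*SECRUN"},
    "PS": {"*SECURITY", "*SECVFY"},
    "PW": {"*AUTFAIL"},
    "SK": {"*NETCMN", "*NETFAIL", "*NETSCK", "*NETSECURE", "*NETTELSVR", "*NETUDP"},
    "SO": {"*SECURITY", "*SECCFG"},
    "ST": {"*SERVICE"},
    "SV": {"*SECURITY", "*SECCFG"},
}


def parse_audit_values(text):
    """Turn a DSPSYSVAL-style value list such as '*AUTFAIL *SERVICE' into a set."""
    return {v.upper() for v in text.split() if v.startswith("*")}


def audit_code_status(qaudlvl, qaudlvl2=""):
    """Return {code: True/False} for every iEventMonitor audit code.

    If QAUDLVL contains *AUDLVL2, IBM i also applies the values in QAUDLVL2,
    so both lists are merged before checking."""
    active = parse_audit_values(qaudlvl)
    if "*AUDLVL2" in active:
        active |= parse_audit_values(qaudlvl2)
    return {code: (not needed or bool(needed & active))
            for code, needed in REQUIRED.items()}


def inactive_codes(qaudlvl, qaudlvl2=""):
    """Codes that will NOT be activated with the given audit values (sorted)."""
    return sorted(c for c, ok in audit_code_status(qaudlvl, qaudlvl2).items() if not ok)


if __name__ == "__main__":
    # Constructed sample: a system auditing only authority failures and service tools.
    print(inactive_codes("*AUTFAIL *SERVICE"))
```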


Why am I getting a "Cannot activate file monitor at this time" error when I try to activate a file monitor?

The message indicates that the file is not available to be activated. The file monitor feature uses IBM i OS trigger programs. In order to set a trigger in place for a file, that file must not be in use by any users on your system. This is a restriction in the IBM i OS and we cannot work around it. The file can only be activated for the file monitor feature when it is not in use.

You can check who is using the file with the WRKOBJLCK command.


Can I generate the SIEM feed file to a different path using a different filename?

Yes.

The path and filename are stored in a data area named IEMCONTROL in library IEMLIB. Use the 50 characters there starting in position 940. The default value shipped with the software is:

/tmp/iem_siem_

Using this default, the SIEM file will be generated as follows:

/tmp/iem_siem_00010.txt

You can change the path (/tmp) or the file name (iem_siem_) or both. iEventMonitor will append a unique 5 digit number and the ".txt" file qualifier.


I have two systems and I want the watches and monitors used on both to be exactly the same. When I get it set up on one system, how can I easily duplicate that on the other system?

This answer assumes that you already have iEventMonitor installed on both systems and that they are at the same software level.

Check the software level by running option #5 on the INSTALL menu on each system to make sure that the release level for iEventMonitor is the same. Do not proceed if the release levels do not match.

The active monitors on a system are stored in a database file named TWCHLOGF in library IEMLIB. While iEventMonitor is inactive on both systems, you can save this file on your source system and then restore it on your target system. Once done, the monitors will all be available on the target system.

For the message queue monitor, you will also have to copy the following three additional control files:

TWMONEXMSG
TWMONOR
TWMONRTG

If you are running other features in iEventMonitor, contact support@kisco.com for possible additional details.

The global settings in iEventMonitor are all stored in a data area named IEMCONTROL in library IEMLIB. To copy the global settings, this data area (*DTAARA) object must also be saved on your source system and restored on your target system. After restoring on your target system, you should run option #9 on the INSTALL menu and check the "Default Alert Subject" setting and the "IEM Respond Page Heading". We recommend that this be unique for each system so that when an alert is issued, you can easily determine which system issued the alert.


How can I perform a full reset of all of the active monitors and watches in iEventMonitor?

Sometimes you may need to do a full reset of the monitors and watches running in iEventMonitor. The recommended way to do this is as follows:

  • Run the command: IEMLIB/ENDIEM
  • Run the IBM command WRKACTJOB and verify that the IEMONITOR subsystem has ended.
  • Run the command: IEMLIB/STRIEM

When the STRIEM command runs and the IEMONITOR subsystem is inactive, a complete reset of all internal settings is done.


When the message queue monitor starts, an existing message does not issue an alert. Is this normal?

Older versions of iEventMonitor would sometimes pick up an outstanding message, but as of release 5.12, iEventMonitor's message queue monitor will only issue alerts on messages that are posted to the monitored message queue after the time when the monitor is started.


I am seeing a significant increase in system audit journal activity since installing iEventMonitor. Can we control this?

Starting with Release 5.12, iEventMonitor uses an internal IBM i OS exit point for message queue monitoring. This feature of the IBM i OS generates a lot of profile swap activity, which can be captured by the system audit journal as Type T, Code JS journal entries. A separate support article explains this in more detail and describes a way to configure your system to significantly reduce this extra logging.


How can I move iEventMonitor to another system or partition?

You can transfer iEventMonitor from one system to another by moving the application library named IEMLIB to the new system. Before you load the library on the new system, you will need to run the following series of commands:

CRTUSRPRF USRPRF(IEMONITOR) PASSWORD(*NONE) PWDEXP(*NO) STATUS(*DISABLED) USRCLS(*SECOFR) TEXT('Required user profile for IEM software')

CRTAUTL AUTL(IEMONITOR) TEXT('iEventMonitor Authorization List') AUT(*USE)

CHGAUTLE AUTL(IEMONITOR) USER(*PUBLIC) AUT(*USE)

ADDAUTLE AUTL(IEMONITOR) USER(QSECOFR) AUT(*ALL)

ADDAUTLE AUTL(IEMONITOR) USER(IEMONITOR) AUT(*ALL)

ADDAUTLE AUTL(IEMONITOR) USER(QTMHHTP1) AUT(*ALL)

ADDAUTLE AUTL(IEMONITOR) USER(QTMHHTTP) AUT(*ALL)

After you have loaded the IEMLIB library on the new system, run option #1 on the INSTALL menu. Then, run option #2 on the INSTALL menu to confirm that the software is now installed on trial. If so, you can now use the software in trial mode.

If you decide that you want to license the software on this alternate system, contact Kisco Information Systems for details.


Can we send email through SMTP using a port number other than 25?

Yes!

As installed, iEventMonitor defaults to using the standard port number 25. You can change this to a different port number. Before making the change, make sure that all monitors and watches have been stopped (ENDIEM).

The port number being used for outbound SMTP is stored in hexadecimal in positions 796-800 of the data area named IEMCONTROL in library IEMLIB. As shipped from Kisco Information Systems, this is set to X'0000000019' which is the hex equivalent of 25. After all monitors and watches have been stopped, you can change this value.

For example, if you want to change iEventMonitor to use port 24, you would use the following instruction:

CHGDTAARA DTAARA(IEMLIB/IEMCONTROL (796 5)) VALUE(X'0000000018')

After the change has been posted, go to the INSTALL menu in library IEMLIB and use option #12 to send a test email using this new setting. Confirm that the test email is delivered successfully before you resume normal use of the monitors and watches. You can restart everything using the STRIEM command.
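Added example (not Kisco code) that generalizes the port 24 command above to any port. It assumes positions 796-800 hold the port as a 5-byte big-endian binary value, which is what the two values on this page (25 = X'0000000019', 24 = X'0000000018') imply; it also decodes a hex dump of the field back to a port so you can confirm the current setting.

```python
# Added example, not Kisco code. Builds (and decodes) the CHGDTAARA value for
# the outbound SMTP port in IEMLIB/IEMCONTROL. Assumption: positions 796-800
# hold the port as a 5-byte big-endian binary number, which is what the two
# values on this page imply (25 -> X'0000000019', 24 -> X'0000000018').

FIELD_START = 796  # first position of the SMTP port field in IEMCONTROL
FIELD_LEN = 5      # the FAQ changes 5 positions, so the field is 5 bytes


def port_to_hex(port):
    """Encode a TCP port as the 10-digit hex literal CHGDTAARA expects."""
    if not isinstance(port, int) or isinstance(port, bool) or not 1 <= port <= 65535:
        raise ValueError("port must be an integer from 1 to 65535")
    return port.to_bytes(FIELD_LEN, "big").hex().upper()


def hex_to_port(hex_literal):
    """Decode a hex dump of positions 796-800 back to a port number.

    Accepts either the bare digits or the X'...' form shown in the FAQ."""
    digits = hex_literal.strip().upper()
    if digits.startswith("X'") and digits.endswith("'"):
        digits = digits[2:-1]
    raw = bytes.fromhex(digits)
    if len(raw) != FIELD_LEN:
        raise ValueError(f"expected {FIELD_LEN} bytes, got {len(raw)}")
    return int.from_bytes(raw, "big")


def chgdtaara_command(port):
    """Return the exact command to run after ENDIEM to switch the SMTP port."""
    return (f"CHGDTAARA DTAARA(IEMLIB/IEMCONTROL ({FIELD_START} {FIELD_LEN})) "
            f"VALUE(X'{port_to_hex(port)}')")


if __name__ == "__main__":
    # Submission port 587 is a common alternative to 25; shown as an example.
    print(chgdtaara_command(587))
```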


We are upgrading our IBM i OS. Are there any special considerations for iEventMonitor?

If you have implemented the browser option for responding to error messages, IEM Respond, then the answer is yes.

After the upgrade to the new IBM i OS level has been completed, please run the following two commands on your system:

DLTSRVPGM SRVPGM(IEMLIB/QZHBCGI)
CRTDUPOBJ OBJ(QZHBCGI) FROMLIB(QHTTPSVR) OBJTYPE(*SRVPGM) TOLIB(IEMLIB)

This will reset the browser interface to use the current abilities in the new IBM i OS level.


Can we change the graphic at the top of the web page in IEM Respond to show our company logo and name?

Yes!

The graphic file for this is named "header.gif" and it is located in the htdocs folder for the IEVENTMON server instance. You will find this in the www folder off the IFS root directory on your system.

The graphic file is 600 pixels by 60 pixels. We recommend that you keep these dimensions for your own graphic file.

Before you install your own file, make sure that you save the current one by renaming it. This is for your safety should a problem develop and you need to restore the Kisco version of the file. Also, make a note for yourself that any future install of a version upgrade for iEventMonitor will result in the graphic file being reset back to the Kisco version. Make sure that you keep a copy of your new graphic file separate from the server instance objects in the IFS.


IEM Respond uses port#8077. Can we change the port# for our system?

Yes!

You will need to update the HTTP Server Instance on your system. To use a different port#, do the following:

  1. Make sure that the server instance named IEVENTMON is not running on your system.
    ENDTCPSVR SERVER(*HTTP) HTTPSVR(IEVENTMON)
  2. Start the HTTP Server Administration Tool on your system.
    STRTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN)
    This process can take up to several minutes on some systems.
  3. Log on to the HTTP Server Admin tool and select the IEVENTMON server instance.
  4. Select the "General Server Configuration" area in the panel on the left hand side of the page.
  5. From this detail, you can change the port number from 8077 to whatever port number that you may want to use.
  6. Note: Some customers may have upgraded the server instance to use HTTPS. If you have done this, you will also need to change the port number using the "Security" area in the panel on the left hand side of the page.
  7. Make sure that you apply all changes and then review the changes before you end the Admin session.
  8. Run option #9 on the INSTALL menu in library IEMLIB and update the "IEM Browser Respond IP" to change the port#.
  9. You can now restart the IEVENTMON server instance and start using the feature using the new port number.

We want to use iEventMonitor on our DR system. Are there any special considerations for DR testing?

When you transfer iEventMonitor to a DR site, the software will not work since it is only licensed to run on the system with your registered serial number and partition number. To conduct a DR test, contact Kisco Information Systems support and provide the serial number, partition number and date range for your testing. A temporary code will be provided to you in advance of your test.

If you use the iEventMonitor message queue reminder alerts feature, this will register an exit program on your DR system during your test. When you are done with your test, make sure that you run option #15 on the INSTALL menu in library IEMLIB to remove the exit point registration. Failure to do this may result in unpredictable processing on the DR system when the trial period for your DR test expires.


When we specify reminder alerts for the QSYSOPR message queue, the reminders get issued even after the message was answered. Why?

Some customers may choose to use multiple monitoring software products concurrently. The reminder alert process uses the QIBM_QMH_REPLY_INQ exit point. If another software product has a program already registered to this point, iEventMonitor will not register its own exit program and, as a result, the reminder logic will not work correctly.

You can verify this by running the following command:

WRKREGINF EXITPNT(QIBM_QMH_REPLY_INQ)

Place an 8 next to the displayed exit point to view the program(s) currently registered. If you find a program there in a library other than IEMLIB, then this is why the iEventMonitor reminder is not working correctly.

To correct for this, shut down your message queue monitor in iEventMonitor for the message queue in question. Review the jobs running in the IEMONITOR subsystem and cancel any jobs shown with a job name that starts with REMxxxxxx. Then, run the following command from the command line:

CHGDTAARA DTAARA(IEMLIB/IEMCONTROL (628 4)) VALUE(X'00000002')

This will change iEventMonitor to register its exit program in the second seat for the exit point. Once this change has been made, you can restart the message queue monitor with the reminder option active. If you view the exit point programs again, you will see two programs registered to the exit point.


Can I allow someone without *SECOFR authority to use the features of iEventMonitor?

You can grant permission to non-*SECOFR users using option #8 on the INSTALL menu.


Can I use iEventMonitor to check for user profiles that become disabled?

Yes, you can.

When a user profile becomes disabled, the IBM i OS sends a status message to the special message queue named QSYSMSG in library QSYS. This message queue is optional and user-created, so if your system does not have it, you can create it with the following command:

CRTMSGQ MSGQ(QSYS/QSYSMSG) TEXT('System Security Message Queue')

Once the message queue has been created, set up a monitor for it in iEventMonitor and check for all messages from severity level zero and higher. All important security events will be reported to this message queue including user profiles that become disabled due to using incorrect passwords too many times.


After an IPL, the Watch Tasks that I set are no longer active. How can I restart them automatically?

Watch tasks end when you do an IPL or when you bring your system into restricted state. Following either of these events, they need to be restarted. You can do this, for both situations, by updating your system startup program (system value QSTRUPPGM). In your startup program, you will need to add the following command:

IEMLIB/STRIEM

This will restart all monitors and watches that were running when the IPL was performed.


Can I send an alert as a text message to my smartphone?

Yes!

Check with your cell phone provider to find out the email address format that you should use and then just configure iEventMonitor to use that email address. For example, we use Verizon Wireless here at Kisco Information Systems. Verizon supports sending an email to a Verizon Wireless smartphone by using the email address format of: [areacode+phonenumber]@vtext.com. If your phone number is 518-555-1111, then the email address at Verizon Wireless would be "5185551111@vtext.com". Just use this email address in iEventMonitor and you will get a text message for the alert notification.

Here are the email to text formats currently available for the most common cell carriers available in the USA:

VERIZON: phonenumber@vtext.com
AT&T: phonenumber@txt.att.net
SPRINT: phonenumber@messaging.sprintpcs.com
SPRINT-NEXTEL: phonenumber@messaging.nextel.com
T-MOBILE: phonenumber@tmomail.net
CELLULAR ONE: phonenumbermobile@celloneusa.com
BOOST MOBILE: phonenumber@myboostmobile.com
CRICKET: phonenumber@sms.mycricket.com
US CELLULAR: phonenumber@email.uscc.net
VIRGIN MOBILE: phonenumber@vmobl.com
METROPCS: phonenumber@mymetropcs.com
REPUBLIC WIRELESS: phonenumber@text.republicwireless.com
TING: phonenumber@message.ting.com

Can I code my own alerts?

Absolutely!

iEventMonitor includes a built-in command that you can call from your own applications to issue alerts using the methods and delivery implemented by iEventMonitor.