Learn how to audit intrusion detection activities. If the intrusion detection system (IDS) flags a suspicious event, it writes an IM audit record.

The audit record is written to the security audit journal whenever the QAUDCTL system value contains *AUDLVL and either the QAUDLVL or QAUDLVL2 system value contains *ATNEVT.

Note: To set *ATNEVT in QAUDLVL2, you must first set *AUDLVL2 in QAUDLVL.
To view the IM audit records, follow these steps:

- Issue the following command from the command line to display all of the entries in the audit journal: DSPJRN QAUDJRN
  If you find an audit record of type IM, IDS has flagged a suspicious event. If no IM audit records display, IDS has not detected any suspicious events. (To display only the IM audit records, issue the DSPJRN QAUDJRN ENTTYP(IM) command.)
- Type 5 to view the contents of the IM audit record.
- Report suspicious events to your systems administrator to take appropriate action, such as closing down the port or tracking down the spoofed IP address.
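The following CL program, added here as an example rather than taken from the IBM documentation, checks the three prerequisites stated above before running the DSPJRN command, so that an empty IM listing is not mistaken for a quiet network when auditing was simply never switched on. The program and variable names are hypothetical; it assumes the documented system-value lengths (QAUDCTL 50, QAUDLVL 160, QAUDLVL2 1000 characters), that the CL %SCAN built-in is available (IBM i 7.3 or later), and that CPF7062 is the "no entries" message DSPJRN sends.

```cl
/* IMAUDCHK (hypothetical name): verify IDS auditing prerequisites,  */
/* then list the IM (intrusion monitor) entries in the audit journal. */
             PGM
             DCL        VAR(&AUDCTL)  TYPE(*CHAR) LEN(50)
             DCL        VAR(&AUDLVL)  TYPE(*CHAR) LEN(160)
             DCL        VAR(&AUDLVL2) TYPE(*CHAR) LEN(1000)

             /* Read the three auditing system values named in the text */
             RTVSYSVAL  SYSVAL(QAUDCTL)  RTNVAR(&AUDCTL)
             RTVSYSVAL  SYSVAL(QAUDLVL)  RTNVAR(&AUDLVL)
             RTVSYSVAL  SYSVAL(QAUDLVL2) RTNVAR(&AUDLVL2)

             /* 1. Action auditing must be switched on: QAUDCTL has *AUDLVL */
             IF         COND(%SCAN('*AUDLVL' &AUDCTL) *EQ 0) THEN(DO)
                SNDPGMMSG  MSG('QAUDCTL lacks *AUDLVL: IM records are never written')
                RETURN
             ENDDO

             /* 2. *ATNEVT must be in QAUDLVL, or in QAUDLVL2 while QAUDLVL   */
             /*    also contains *AUDLVL2 (without it, QAUDLVL2 is ignored). */
             IF         COND(%SCAN('*ATNEVT' &AUDLVL) *EQ 0) THEN(DO)
                IF         COND(%SCAN('*AUDLVL2' &AUDLVL) *EQ 0 *OR +
                                %SCAN('*ATNEVT' &AUDLVL2) *EQ 0) THEN(DO)
                   SNDPGMMSG  MSG('*ATNEVT is not active: IM records are never written')
                   RETURN
                ENDDO
             ENDDO

             /* 3. Prerequisites hold: show only the IM entries, as in the text */
             DSPJRN     JRN(QSYS/QAUDJRN) ENTTYP(IM)
             MONMSG     MSGID(CPF7062) EXEC(SNDPGMMSG MSG('No IM entries: IDS +
                          has flagged nothing in the attached receivers'))
             ENDPGM
```

Once the listing appears, option 5 on an IM entry opens the record exactly as described in the steps above.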
Now, you are ready to analyze the IM audit records. The audit record is the only way of alerting a system administrator that a suspicious event has taken place.

Note: Some fields in the IM record are in hexadecimal format. To view those hexadecimal fields, press F11.