Skip to content

IBM iSeries (AS/400)

Overview

IBM iSeries (AS/400) is a robust, scalable family of midrange business computers running the IBM i operating system, known for its integrated DB2 database and strong security features.

  • Vendor: IBM
  • Supported environment: On prem
  • Version Compatibility: 7.5
  • Detection based on: Telemetry

Warning

Important - This integration requires the installation of Syslog Reporting Manager on IBM i, for which a fee is charged.

Warning

Important note - This format is currently in beta. We highly value your feedback to improve its performance.

Supported versions

This integration supports the following versions:

  • 7.3
  • 7.4
  • 7.5

Supported events

This integration supports the following events:

  • Audit journal (Command entry, Authority failure)
  • Integrated file system monitoring
  • Message queues monitoring
  • Database monitoring
  • History logs

Configure

In this guide, you will configure the gateway to forward events to syslog.

Prerequisites

  1. An internal syslog concentrator is required to collect and forward events to Sekoia.io.
  2. Syslog Reporting Manager installed on the iSeries. See docs for more info.

Forward IBM iSeries events

  1. Ensure having Syslog Reporting Manager installed and configured
  2. On the SLMON menu, type CFGSRM
  3. On the Configure global settings, select Option 2
  4. Type the address and the port of the log concentrator
  5. Select RFC5424 as Syslog format
  6. Select CEF as SIEM message format
  7. Select the protocol for the log concentrator (TCP is recommended)
  8. At the bottom of the screen, press Enter to save the changes

Enable Audit logs (optional)

  1. On the SLMON menu, type CFGSRM
  2. On the Configure global settings, select Option 10
  3. Enable the following type:
    • AF: Authority failures
    • CD: Command string audit
  4. Press F3 to save the changes

Create the intake

Go to the intake page and create a new intake from the format IBM iSeries.

Send logs to Sekoia.io

Please consult the Syslog Forwarding documentation to forward these logs to Sekoia.io.

Raw Events Samples

In this section, you will find examples of raw logs as generated natively by the source. These examples are provided to help integrators understand the data format before ingestion into Sekoia.io. It is crucial for setting up the correct parsing stages and ensuring that all relevant information is captured.

CEF:0|IBM|IBM i|7.3|QSYS-QHST|CPC1126|Low|act=CodeSample reason=CPC1126 msg=The user QSYSOPR has stopped the job 080352/QTMHHTTP/ADMIN. suser=QSYSOPR sproc=086157/QSYSOPR/UPSA_QHTTP shost=EXPC3
CEF:0|IBM|IBM i|7.3|QSYS-QHST|CPC1126|Low|reason=CPC1126 msg=L'utilisateur QSYSOPR a arrêt{ le travail 080352/QTMHHTTP/ADMIN. suser=QSYSOPR sproc=086157/QSYSOPR/UPSA_QHTTP shost=EXPC3
CEF:0|IBM|IBM i|7.4|MSGMON|CPF0907|5|cat=MSG Queue Messages rt=2020-04-30-11.35.29.886549 reason=CPF0907 cs1Label=msgSev cs1=ERROR cs2Label=msgQueue cs2=QSYS/QSYSOPR cs3Label=pgmName cs3=QWCATARE msg=Serious storage condition may exist. Press HELP. cs4Label=srdb cs4=I5OSP4 suser=QSYS sproc=541034/QSYS/QSYSARB5 shost=I5OSP4
CEF:0|IBM|IBM i|7.3|QSYS-QHST|CPF0927|Low|reason=CPF0927 msg=Subsystem QBATCH stopped suser=QSYS sproc=080211/QSYS/QSYSARB4 shost=EXPC3
CEF:0|IBM|IBM i|7.4|QSYS-QHST|CPF1124|Low|reason=CPF1124 msg=Job 722506/QZRDSRMOWN/SLMSQMONS started on 25.08.20 at 18:59:04 in subsystem SLSBS in QZRDSECSRM. Job entered system on 25.08.20 at 18:59:04. suser=QZRDSRMOWN sproc=722506/QZRDSRMOWN/SLMSQMONS shost=EXPC3
CEF:0|IBM|IBM i|7.3|QSYS-QHST|CPF1124|Low|reason=CPF1124 msg=Travail 086167/QZRDSRMOWN/SLMSQMONS d{marr{ le 12/03/24 @ 02:08:51 dans le sous-syst}me SLSBS de QZRDSECSRM ; soumis le 12/03/24 @ 02:08:51. suser=QZRDSRMOWN sproc=086167/QZRDSRMOWN/SLMSQMONS shost=EXPC3
CEF:0|IBM|IBM i|7.3|QSYS-QHST|CPF1164|High|reason=CPF1164 msg=Job 111111/JDOE/JPRC stopped at 12/03/24 @ 02:06:54; UC time 0,002; exit code 123 . suser=JDOE sproc=111111/JDOE/JPRC shost=EXPC3
CEF:0|IBM|IBM i|7.3|QSYS-QHST|CPF1164|High|reason=CPF1164 msg=Travail 080694/QSPLJOB/RMTW000008 arrêt{ le 12/03/24 @ 02:05:56; temps UC 0,005; code fin 50 . suser=QSPLJOB sproc=080694/QSPLJOB/RMTW000008 shost=EXPC3
CEF:0|IBM|IBM i|7.3|QSYS-QHST|CPI3E34|Low|reason=CPI3E34 msg=User QBRMS, client 192.168.242.20, was connected to the job 086171/QUSER/QRWTSRVR in the subsystem QSYSWRK, QSYS, 12/03/24, 02:16:22. suser=QBRMS sproc=086171/QUSER/QRWTSRVR shost=EXPC3
CEF:0|IBM|IBM i|7.3|QSYS-QHST|CPI3E34|Low|reason=CPI3E34 msg=L'utilisateur QBRMS, client 192.168.242.20, est connect{ au travail 086171/QUSER/QRWTSRVR dans le sous-syst}me QSYSWRK, QSYS, 12/03/24, 02:16:22. suser=QBRMS sproc=086171/QUSER/QRWTSRVR shost=EXPC3
CEF:0|IBM|IBM i|7.4|DB2MON|DB2 change monitoring (Journal Extract Tool)|3|act=UPDATE rt=2020-04-30-12.11.52.265056 sproc=551907/BARLEN/QPADEV000D shost=I5OSP4 suser=BARLEN fname=QZRDSECSRM/SLTHSTENT cs1Label=pgmName cs1=CFGSLHSTP cs2Label=updatedColumnNames cs2=EVTUSER1,EVTMSGID1,EVTMSGID2,EVTMSGID3 cs5Label=rowDataBefore cs5=QJ_JOURNAL_ENTRY_TYPE\="UB" QJ_RECEIVER_NAME\="DETRCV0010" QJ_SEQUENCE_NUMBER\="22145" EVTUSER1\="BARLEN" EVTMSGID1\="CPF1122" EVTMSGID2\="CPF9998" EVTMSGID3\="SLS0040" cs4Label=rowDataAfter cs4=QJ_JOURNAL_ENTRY_TYPE\="UP" QJ_RECEIVER_NAME\="DETRCV0010" QJ_SEQUENCE_NUMBER\="22146" EVTUSER1\="BARLEN3" EVTMSGID1\="CPF1129" EVTMSGID2\="CPF9997" EVTMSGID3\="SLS0042"
CEF:0|IBM|IBM i|7.4|IFSMON|IFS File Monitor Journal Entry Type B-WA|3|act=B-WA Write, after-image event sproc=722496/BARLEN/QZSHSH suser=BARLEN shost=CTCSECT5 filePath=/home/barlen/ifsmon/weblog2.log fileType=*STMF cs2Label=changedDataLength cs2=0000000064 cs3Label=changedDataPart cs3=*ONLY cs4Label=changedDataFileOffset cs4=00000000000000788915 cs1Label=changedData cs1=Unauthorized access to Web resource accountInfo by user TBARLEN
CEF:0|IBM|IBM i|7.4|QSYS-QAUDJRN|T-AF|Medium|reason=Authority failure msg=Not authorized to object fileType=*PGM cs1Label=objName cs1=QZRDSECSRM/CFGJSCR suser=THOMAS sproc=722470/THOMAS/QPADEV000P shost=I5OSP4 src=192.168.126.71 spt=36868 evtAggregation=*NO entryTypeField=A
CEF:0|IBM|IBM i|7.4|QSYS-QAUDJRN|T-CD|Low|reason=Command string audit msg=Command run interactively from a command line or by choosing a menu option that runs a CL command - CHGENVVAR ENVVAR(test4) VALUE(77777) LEVEL(*SYS) fileType=*CMD cs1Label=objName cs1=QSYS/CHGENVVAR suser=BARLEN sproc=721738/BARLEN/QPADEV000Q shost=I5OSP4 src=192.168.126.71 spt=36888 evtAggregation=*NO entryTypeField=C
CEF:0|IBM|IBM i|7.3|QSYS-QHST|TCP2617|Low|reason=TCP2617 msg=TCP/IP connection to remote system 10.1.43.58 closed, reason code 1. suser=QSYS sproc=080247/QSYS/QTCPWRK shost=EXPC3

Detection section

The following section provides information for those who wish to learn more about the detection capabilities enabled by collecting this intake. It includes details about the built-in rule catalog, event categories, and ECS fields extracted from raw events. This is essential for users aiming to create custom detection rules, perform hunting activities, or pivot in the events page.

The following Sekoia.io built-in rules match the intake IBM iSeries [BETA]. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.

SEKOIA.IO x IBM iSeries [BETA] on ATT&CK Navigator

Account Added To A Security Enabled Group

Detection in order to investigate who has added a specific Domain User in Domain Admins or Group Policy Creator Owners (Security event 4728)

  • Effort: master
Account Removed From A Security Enabled Group

Detection in order to investigate who has removed a specific Domain User in Domain Admins or Group Policy Creator Owners (Security event 4729)

  • Effort: master
Active Directory Data Export Using Csvde

Detects the use of Csvde, a command-line tool from Windows Server that can be used to export Active Directory data to CSV files. This export doesn't include password hashes, but can be used as a discovery tool to enumerate users, machines and group memberships.

  • Effort: elementary
AdFind Usage

Detects the usage of the AdFind tool. AdFind.exe is a free tool that extracts information from Active Directory. Wizard Spider (Bazar, TrickBot, Ryuk), FIN6 and MAZE operators have used AdFind.exe to collect information about Active Directory organizational units and trust objects

  • Effort: elementary
Adexplorer Usage

Detects the usage of Adexplorer, a legitimate tool from the Sysinternals suite that could be abused by attackers as it can saves snapshots of the Active Directory Database.

  • Effort: advanced
Adidnsdump Enumeration

Detects use of the tool adidnsdump for enumeration and discovering DNS records.

  • Effort: advanced
Advanced IP Scanner

Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.

  • Effort: master
Aspnet Compiler

Detects the starts of aspnet compiler.

  • Effort: advanced
Bloodhound and Sharphound Tools Usage

Detects default process names and default command line parameters used by Bloodhound and Sharphound tools.

  • Effort: intermediate
CVE-2017-11882 Microsoft Office Equation Editor Vulnerability

Detects the exploitation of CVE-2017-11882 vulnerability. The Microsoft Office Equation Editor has no reason to do a network request or drop an executable file. This requires a sysmon configuration with file and network events.

  • Effort: master
CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv

Detects suspicious image loads and file creations from the spoolsv process which could be a sign of an attacker trying to exploit the PrintNightmare vulnerability, CVE-2021-34527. A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. This works as well as a Local Privilege escalation vulnerability. To fully work the rule requires to log for Loaded DLLs and File Creations, which can be done respectively using the Sysmon's event IDs 7 and 11.

  • Effort: master
Certificate Authority Modification

Installation of new certificate(s) in the Certificate Authority can be used to trick user when spoofing website or to add trusted destinations.

  • Effort: master
Certify Or Certipy

Detects the use of certify and certipy which are two different tools used to enumerate and abuse Active Directory Certificate Services.

  • Effort: advanced
Cobalt Strike Default Beacons Names

Detects the default names of Cobalt Strike beacons / payloads.

  • Effort: intermediate
Computer Account Deleted

Detects computer account deletion.

  • Effort: master
Cookies Deletion

Detects when cookies are deleted by a suspicious process.

  • Effort: master
Credential Dump Tools Related Files

Detects processes or file names related to credential dumping tools and the dropped files they generate by default.

  • Effort: advanced
Cron Files Alteration

Cron Files and Cron Directory alteration used by attacker for persistency or privilege escalation. To ensure full performance on this rule, auditbeat intake must be configure with the module file_integrity containing path mentionned in the pattern.

  • Effort: advanced
Cryptomining

Detection of domain names potentially related to cryptomining activities.

  • Effort: master
DNS Query For Iplookup

Detects dns query of observables tagged as iplookup.

  • Effort: master
Discovery Commands Correlation

Detects some frequent discovery commands used by some ransomware operators.

  • Effort: intermediate
Domain Trust Created Or Removed

A trust was created or removed to a domain. An attacker could perform that in order to do lateral movement easily between domains or shutdown the ability of two domains to communicate.

  • Effort: advanced
Dynamic DNS Contacted

Detect communication with dynamic dns domain. This kind of domain is often used by attackers. This rule can trigger false positive in non-controlled environment because dynamic dns is not always malicious.

  • Effort: master
Exfiltration And Tunneling Tools Execution

Execution of well known tools for data exfiltration and tunneling

  • Effort: advanced
Exfiltration Domain

Detects traffic toward a domain flagged as a possible exfiltration vector.

  • Effort: master
HTA Infection Chains

Detect the creation of a ZIP file and an HTA file as it is often used in infection chains. Furthermore it also detects the use of suspicious processes launched by explorer.exe combined with the creation of an HTA file, since it is also often used in infection chains (LNK - HTA for instance).

  • Effort: intermediate
HTML Smuggling Suspicious Usage

Based on several samples from different botnets, this rule aims at detecting HTML infection chain by looking for HTML created files followed by suspicious files being executed.

  • Effort: intermediate
HackTools Suspicious Names

Quick-win rule to detect the default process names or file names of several HackTools.

  • Effort: elementary
Hijack Legit RDP Session To Move Laterally

Identifies suspicious file creations in the startup folder of a remote system. An adversary could abuse this to move laterally by dropping a malicious script or executable that will be executed after a reboot or user logon.

  • Effort: intermediate
ISO LNK Infection Chain

Detection of an ISO (or any other similar archive file) downloaded file, followed by a child-process of explorer, which is characteristic of an infection using an ISO containing an LNK file. For events with host.name.

  • Effort: intermediate
Information Stealer Downloading Legitimate Third-Party DLLs

Detects operations that involved legitimate third-party DLLs used by information-stealing malware for data collection on the infected host. This detection rule correlates at least 7 events including the following DLLs - freebl3.dll, vcruntime140.dll, msvcp140.dll, nss3.dll, sqlite3.dll, softokn3.dll, mozglue.dll and libcurl.dll. This behaviour matches activities of several widespread stealer like Vidar, Raccoon Stealer v2, Mars Stealer, etc.

  • Effort: intermediate
Kernel Module Alteration

Kernel module installation can be used to configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. The prerequisites are to enable monitoring of the finit_module, init_module, delete_module syscalls using Auditbeat.

  • Effort: advanced
MSBuild Abuse

Detection of MSBuild uses by attackers to infect an host. Focuses on XML compilation which is a Metasploit payload, and on connections made by this process which is unusual.

  • Effort: intermediate
Microsoft Exchange Server Creating Unusual Files

Look for Microsoft Exchange Server’s Unified Messaging service creating non-standard content on disk, which could indicate web shells or other malicious content, suggesting exploitation of CVE-2021-26858 vulnerability

  • Effort: intermediate
Microsoft Office Creating Suspicious File

Detects Microsoft Office process (word, excel, powerpoint) creating a suspicious file which corresponds to a script or an executable. This behavior highly corresponds to an executed macro which loads an installation script or a malware payload. The rule requires to log for File Creations to work properly, which can be done through Sysmon Event ID 11.

  • Effort: master
NTDS.dit File In Suspicious Directory

The file NTDS.dit is supposed to be located mainly in C:\Windows\NTDS. The rule checks whether the file is in a legitimate directory or not (through file creation events). This is usually really suspicious and could indicate an attacker trying copy the file to then look for users password hashes.

  • Effort: advanced
Network Scanning and Discovery

Tools and command lines used for network discovery from current system

  • Effort: advanced
Network Sniffing

List of common tools used for network packages sniffing

  • Effort: advanced
Network Sniffing Windows

Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.

  • Effort: intermediate
NlTest Usage

Detects attempts to gather information on domain trust relationships that may be used to identify lateral movement opportunities. These command lines were observed in numerous attacks, but also sometimes from legitimate administrators for debugging purposes. The rule does not cover very basics commands but rather the ones that are interesting for attackers to gather information on a domain.

  • Effort: advanced
OneNote Embedded File

Detects creation or uses of OneNote embedded files with unusual extensions.

  • Effort: intermediate
OneNote Suspicious Children Process

In January 2023, a peak of attacks using .one files was observed in the wild. This rule tries to detect the effect of such attempts using this technique.

  • Effort: advanced
Package Manager Alteration

Package manager (eg: apt, yum) can be altered to install malicious software. To ensure full performance on this rule, auditbeat intake must be configure with the module file_integrity containing path mentionned in the pattern.

  • Effort: advanced
Password Change On Directory Service Restore Mode (DSRM) Account

The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password to gain persistence.

  • Effort: intermediate
PasswordDump SecurityXploded Tool

Detects the execution of the PasswordDump SecurityXploded Tool

  • Effort: elementary
Possible Replay Attack

This event can be a sign of Kerberos replay attack or, among other things, network device configuration or routing problems.

  • Effort: intermediate
Process Trace Alteration

PTrace syscall provides a means by which one process ("tracer") may observe and control the execution of another process ("tracee") and examine and change the tracee's memory and registers. Attacker might want to abuse ptrace functionnality to analyse memory process. It requires to be admin or set ptrace_scope to 0 to allow all user to trace any process.

  • Effort: advanced
PsExec Process

Detects PsExec execution, command line which contains pstools or installation of the PsExec service. PsExec is a SysInternals which can be used to execute a program on another computer. The tool is as much used by attackers as by administrators.

  • Effort: advanced
RDP Session Discovery

Detects use of RDP session discovery via qwinsta or quser. Used by some threat actors to know if someone is working via RDP on a server.

  • Effort: advanced
RSA SecurID Failed Authentification

Detects many failed attempts to authenticate followed by a successfull login for a super admin account.

  • Effort: advanced
RTLO Character

Detects RTLO (Right-To-Left character) in file and process names.

  • Effort: elementary
Remote Access Tool Domain

Detects traffic toward a domain flagged as a Remote Administration Tool (RAT).

  • Effort: master
Remote Monitoring and Management Software - AnyDesk

Detect artifacts related to the installation or execution of the Remote Monitoring and Management tool AnyDesk.

  • Effort: master
Remote Monitoring and Management Software - Atera

Detect artifacts related to the installation or execution of the Remote Monitoring and Management tool Atera.

  • Effort: master
SEKOIA.IO Intelligence Feed

Detect threats based on indicators of compromise (IOCs) collected by SEKOIA's Threat and Detection Research team.

  • Effort: elementary
SSH Authorized Key Alteration

The file authorized_keys is used by SSH server to identify SSH keys that are authorized to connect to the host, alteration of one of those files might indicate a user compromision.

  • Effort: advanced
SecurityScorecard Vulnerability Assessment Scanner New Issues

Raises an alert when SecurityScorecard Vulnerability Assessment Scanner find new issues.

  • Effort: master
Sekoia.io EICAR Detection

Detects observables in Sekoia.io CTI tagged as EICAR, which are fake samples meant to test detection.

  • Effort: master
Socat Relaying Socket

Socat is a linux tool used to relay local socket or internal network connection, this technics is often used by attacker to bypass security equipment such as firewall

  • Effort: advanced
Socat Reverse Shell Detection

Socat is a linux tool used to relay or open reverse shell that is often used by attacker to bypass security equipment.

  • Effort: intermediate
SolarWinds Suspicious File Creation

Detects SolarWinds process creating a file with a suspicious extension. The process solarwinds.businesslayerhost.exe created an unexpected file whose extension is ".exe", ".ps1", ".jpg", ".png" or ".dll".

  • Effort: intermediate
Suspicious Desktopimgdownldr Execution

Detects a suspicious Desktopimgdownldr execution. Desktopimgdownldr.exe is a Windows binary used to configure lockscreen/desktop image and can be abused to download malicious file.

  • Effort: intermediate
Suspicious Double Extension

Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spearphishing campaigns

  • Effort: advanced
Suspicious File Name

Detects suspicious file name possibly linked to malicious tool.

  • Effort: advanced
Suspicious PROCEXP152.sys File Created In Tmp

Detects the creation of the PROCEXP152.sys file in the application-data local temporary folder. This driver is used by Sysinternals Process Explorer but also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU. Note - Clever attackers may easily bypass this detection by just renaming the driver filename. Therefore just Medium-level and don't rely on it.

  • Effort: advanced
System Info Discovery

System info discovery, attempt to detects basic command use to fingerprint a host.

  • Effort: master
TOR Usage Generic Rule

Detects TOR usage globally, whether the IP is a destination or source. TOR is short for The Onion Router, and it gets its name from how it works. TOR intercepts the network traffic from one or more apps on user’s computer, usually the user web browser, and shuffles it through a number of randomly-chosen computers before passing it on to its destination. This disguises user location, and makes it harder for servers to pick him/her out on repeat visits, or to tie together separate visits to different sites, this making tracking and surveillance more difficult. Before a network packet starts its journey, user’s computer chooses a random list of relays and repeatedly encrypts the data in multiple layers, like an onion. Each relay knows only enough to strip off the outermost layer of encryption, before passing what’s left on to the next relay in the list.

  • Effort: master
User Account Created

Detects user creation on windows servers, which shouldn't happen in an Active Directory environment. Apply this on your windows server logs and not on your DC logs. One default account defaultuser0 is excluded as only used during Windows set-up. This detection use Security Event ID 4720.

  • Effort: master
User Account Deleted

Detects local user deletion

  • Effort: master
WCE wceaux.dll Creation

Detects wceaux.dll creation while Windows Credentials Editor (WCE) is executed.

  • Effort: intermediate
WMI Persistence Script Event Consumer File Write

Detects file writes through WMI script event consumer.

  • Effort: advanced
Webshell Creation

Detects possible webshell file creation. It requires File Creation monitoring, which can be done using Sysmon's Event ID 11. However the recommended SwiftOnSecurity configuration does not fully cover the needs for this rule, it needs to be updated with the proper file names extensions.

  • Effort: master
ZIP LNK Infection Chain

Detection of an ZIP download followed by a child-process of explorer, followed by multiple Windows processes.This is widely used as an infection chain mechanism.

  • Effort: advanced

Event Categories

The following table lists the data source offered by this integration.

Data Source Description
Authentication logs Audit journal
File monitoring Integrated file system (IFS) log files
Process monitoring Message queues, database monitoring

In details, the following table denotes the type of events produced by this integration.

Name Values
Kind ``
Category authentication, database, file, network, process, session
Type change, end, info, start

Transformed Events Samples after Ingestion

This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the built-in detection rules and hunting activities in the events page. Understanding these transformations is essential for analysts to create effective detection mechanisms with custom detection rules and to leverage the full potential of the collected data.

{
    "message": "CEF:0|IBM|IBM i|7.3|QSYS-QHST|CPC1126|Low|act=CodeSample reason=CPC1126 msg=The user QSYSOPR has stopped the job 080352/QTMHHTTP/ADMIN. suser=QSYSOPR sproc=086157/QSYSOPR/UPSA_QHTTP shost=EXPC3",
    "event": {
        "category": [
            "process"
        ],
        "code": "CPC1126",
        "dataset": "QSYS-QHST",
        "reason": "The user QSYSOPR has stopped the job 080352/QTMHHTTP/ADMIN.",
        "type": [
            "end"
        ]
    },
    "host": {
        "name": "EXPC3"
    },
    "observer": {
        "product": "IBM i",
        "vendor": "IBM",
        "version": "7.3"
    },
    "process": {
        "name": "QSYSOPR/UPSA_QHTTP",
        "pid": 86157
    },
    "related": {
        "user": [
            "QSYSOPR"
        ]
    },
    "user": {
        "name": "QSYSOPR"
    }
}
{
    "message": "CEF:0|IBM|IBM i|7.3|QSYS-QHST|CPC1126|Low|reason=CPC1126 msg=L'utilisateur QSYSOPR a arr\u00eat{ le travail 080352/QTMHHTTP/ADMIN. suser=QSYSOPR sproc=086157/QSYSOPR/UPSA_QHTTP shost=EXPC3",
    "event": {
        "category": [
            "process"
        ],
        "code": "CPC1126",
        "dataset": "QSYS-QHST",
        "reason": "L'utilisateur QSYSOPR a arr\u00eat{ le travail 080352/QTMHHTTP/ADMIN.",
        "type": [
            "end"
        ]
    },
    "host": {
        "name": "EXPC3"
    },
    "observer": {
        "product": "IBM i",
        "vendor": "IBM",
        "version": "7.3"
    },
    "process": {
        "name": "QSYSOPR/UPSA_QHTTP",
        "pid": 86157
    },
    "related": {
        "user": [
            "QSYSOPR"
        ]
    },
    "user": {
        "name": "QSYSOPR"
    }
}
{
    "message": "CEF:0|IBM|IBM i|7.4|MSGMON|CPF0907|5|cat=MSG Queue Messages rt=2020-04-30-11.35.29.886549 reason=CPF0907 cs1Label=msgSev cs1=ERROR cs2Label=msgQueue cs2=QSYS/QSYSOPR cs3Label=pgmName cs3=QWCATARE msg=Serious storage condition may exist. Press HELP. cs4Label=srdb cs4=I5OSP4 suser=QSYS sproc=541034/QSYS/QSYSARB5 shost=I5OSP4",
    "event": {
        "category": [
            "process"
        ],
        "dataset": "MSGMON",
        "reason": "Serious storage condition may exist. Press HELP.",
        "type": [
            "info"
        ]
    },
    "@timestamp": "2020-04-30T11:35:29.886549Z",
    "host": {
        "name": "I5OSP4"
    },
    "ibm_i": {
        "cat": "MSG Queue Messages",
        "pgmName": "QWCATARE"
    },
    "observer": {
        "product": "IBM i",
        "vendor": "IBM",
        "version": "7.4"
    },
    "process": {
        "name": "QSYS/QSYSARB5",
        "pid": 541034
    },
    "related": {
        "user": [
            "QSYS"
        ]
    },
    "user": {
        "name": "QSYS"
    }
}
{
    "message": "CEF:0|IBM|IBM i|7.3|QSYS-QHST|CPF0927|Low|reason=CPF0927 msg=Subsystem QBATCH stopped suser=QSYS sproc=080211/QSYS/QSYSARB4 shost=EXPC3",
    "event": {
        "category": [
            "process"
        ],
        "code": "CPF0927",
        "dataset": "QSYS-QHST",
        "reason": "Subsystem QBATCH stopped",
        "type": [
            "end"
        ]
    },
    "host": {
        "name": "EXPC3"
    },
    "observer": {
        "product": "IBM i",
        "vendor": "IBM",
        "version": "7.3"
    },
    "process": {
        "name": "QSYS/QSYSARB4",
        "pid": 80211
    },
    "related": {
        "user": [
            "QSYS"
        ]
    },
    "user": {
        "name": "QSYS"
    }
}
{
    "message": "CEF:0|IBM|IBM i|7.4|QSYS-QHST|CPF1124|Low|reason=CPF1124 msg=Job 722506/QZRDSRMOWN/SLMSQMONS started on 25.08.20 at 18:59:04 in subsystem SLSBS in QZRDSECSRM. Job entered system on 25.08.20 at 18:59:04. suser=QZRDSRMOWN sproc=722506/QZRDSRMOWN/SLMSQMONS shost=EXPC3",
    "event": {
        "category": [
            "process"
        ],
        "code": "CPF1124",
        "dataset": "QSYS-QHST",
        "reason": "Job 722506/QZRDSRMOWN/SLMSQMONS started on 25.08.20 at 18:59:04 in subsystem SLSBS in QZRDSECSRM. Job entered system on 25.08.20 at 18:59:04.",
        "type": [
            "start"
        ]
    },
    "host": {
        "name": "EXPC3"
    },
    "observer": {
        "product": "IBM i",
        "vendor": "IBM",
        "version": "7.4"
    },
    "process": {
        "name": "QZRDSRMOWN/SLMSQMONS",
        "pid": 722506
    },
    "related": {
        "user": [
            "QZRDSRMOWN"
        ]
    },
    "user": {
        "name": "QZRDSRMOWN"
    }
}
{
    "message": "CEF:0|IBM|IBM i|7.3|QSYS-QHST|CPF1124|Low|reason=CPF1124 msg=Travail 086167/QZRDSRMOWN/SLMSQMONS d{marr{ le 12/03/24 @ 02:08:51 dans le sous-syst}me SLSBS de QZRDSECSRM ; soumis le 12/03/24 @ 02:08:51. suser=QZRDSRMOWN sproc=086167/QZRDSRMOWN/SLMSQMONS shost=EXPC3",
    "event": {
        "category": [
            "process"
        ],
        "code": "CPF1124",
        "dataset": "QSYS-QHST",
        "reason": "Travail 086167/QZRDSRMOWN/SLMSQMONS d{marr{ le 12/03/24 @ 02:08:51 dans le sous-syst}me SLSBS de QZRDSECSRM ; soumis le 12/03/24 @ 02:08:51.",
        "type": [
            "start"
        ]
    },
    "host": {
        "name": "EXPC3"
    },
    "observer": {
        "product": "IBM i",
        "vendor": "IBM",
        "version": "7.3"
    },
    "process": {
        "name": "QZRDSRMOWN/SLMSQMONS",
        "pid": 86167
    },
    "related": {
        "user": [
            "QZRDSRMOWN"
        ]
    },
    "user": {
        "name": "QZRDSRMOWN"
    }
}
{
    "message": "CEF:0|IBM|IBM i|7.3|QSYS-QHST|CPF1164|High|reason=CPF1164 msg=Job 111111/JDOE/JPRC stopped at 12/03/24 @ 02:06:54; UC time 0,002; exit code 123 . suser=JDOE sproc=111111/JDOE/JPRC shost=EXPC3",
    "event": {
        "category": [
            "process"
        ],
        "code": "CPF1164",
        "dataset": "QSYS-QHST",
        "reason": "Job 111111/JDOE/JPRC stopped at 12/03/24 @ 02:06:54; UC time 0,002; exit code 123 .",
        "type": [
            "end"
        ]
    },
    "host": {
        "name": "EXPC3"
    },
    "observer": {
        "product": "IBM i",
        "vendor": "IBM",
        "version": "7.3"
    },
    "process": {
        "exit_code": 123,
        "name": "JDOE/JPRC",
        "pid": 111111
    },
    "related": {
        "user": [
            "JDOE"
        ]
    },
    "user": {
        "name": "JDOE"
    }
}
{
    "message": "CEF:0|IBM|IBM i|7.3|QSYS-QHST|CPF1164|High|reason=CPF1164 msg=Travail 080694/QSPLJOB/RMTW000008 arr\u00eat{ le 12/03/24 @ 02:05:56; temps UC 0,005; code fin 50 . suser=QSPLJOB sproc=080694/QSPLJOB/RMTW000008 shost=EXPC3",
    "event": {
        "category": [
            "process"
        ],
        "code": "CPF1164",
        "dataset": "QSYS-QHST",
        "reason": "Travail 080694/QSPLJOB/RMTW000008 arr\u00eat{ le 12/03/24 @ 02:05:56; temps UC 0,005; code fin 50 .",
        "type": [
            "end"
        ]
    },
    "host": {
        "name": "EXPC3"
    },
    "observer": {
        "product": "IBM i",
        "vendor": "IBM",
        "version": "7.3"
    },
    "process": {
        "exit_code": 50,
        "name": "QSPLJOB/RMTW000008",
        "pid": 80694
    },
    "related": {
        "user": [
            "QSPLJOB"
        ]
    },
    "user": {
        "name": "QSPLJOB"
    }
}
{
    "message": "CEF:0|IBM|IBM i|7.3|QSYS-QHST|CPI3E34|Low|reason=CPI3E34 msg=User QBRMS, client 192.168.242.20, was connected to the job 086171/QUSER/QRWTSRVR in the subsystem QSYSWRK, QSYS, 12/03/24, 02:16:22. suser=QBRMS sproc=086171/QUSER/QRWTSRVR shost=EXPC3",
    "event": {
        "category": [
            "session"
        ],
        "code": "CPI3E34",
        "dataset": "QSYS-QHST",
        "reason": "User QBRMS, client 192.168.242.20, was connected to the job 086171/QUSER/QRWTSRVR in the subsystem QSYSWRK, QSYS, 12/03/24, 02:16:22.",
        "type": [
            "start"
        ]
    },
    "@timestamp": "2024-12-03T02:16:22Z",
    "host": {
        "name": "EXPC3"
    },
    "observer": {
        "product": "IBM i",
        "vendor": "IBM",
        "version": "7.3"
    },
    "process": {
        "name": "QUSER/QRWTSRVR",
        "pid": 86171
    },
    "related": {
        "ip": [
            "192.168.242.20"
        ],
        "user": [
            "QBRMS"
        ]
    },
    "source": {
        "address": "192.168.242.20",
        "ip": "192.168.242.20"
    },
    "user": {
        "name": "QBRMS"
    }
}
{
    "message": "CEF:0|IBM|IBM i|7.3|QSYS-QHST|CPI3E34|Low|reason=CPI3E34 msg=L'utilisateur QBRMS, client 192.168.242.20, est connect{ au travail 086171/QUSER/QRWTSRVR dans le sous-syst}me QSYSWRK, QSYS, 12/03/24, 02:16:22. suser=QBRMS sproc=086171/QUSER/QRWTSRVR shost=EXPC3",
    "event": {
        "category": [
            "session"
        ],
        "code": "CPI3E34",
        "dataset": "QSYS-QHST",
        "reason": "L'utilisateur QBRMS, client 192.168.242.20, est connect{ au travail 086171/QUSER/QRWTSRVR dans le sous-syst}me QSYSWRK, QSYS, 12/03/24, 02:16:22.",
        "type": [
            "start"
        ]
    },
    "@timestamp": "2024-12-03T02:16:22Z",
    "host": {
        "name": "EXPC3"
    },
    "observer": {
        "product": "IBM i",
        "vendor": "IBM",
        "version": "7.3"
    },
    "process": {
        "name": "QUSER/QRWTSRVR",
        "pid": 86171
    },
    "related": {
        "ip": [
            "192.168.242.20"
        ],
        "user": [
            "QBRMS"
        ]
    },
    "source": {
        "address": "192.168.242.20",
        "ip": "192.168.242.20"
    },
    "user": {
        "name": "QBRMS"
    }
}
{
    "message": "CEF:0|IBM|IBM i|7.4|DB2MON|DB2 change monitoring (Journal Extract Tool)|3|act=UPDATE rt=2020-04-30-12.11.52.265056 sproc=551907/BARLEN/QPADEV000D shost=I5OSP4 suser=BARLEN fname=QZRDSECSRM/SLTHSTENT cs1Label=pgmName cs1=CFGSLHSTP cs2Label=updatedColumnNames cs2=EVTUSER1,EVTMSGID1,EVTMSGID2,EVTMSGID3 cs5Label=rowDataBefore cs5=QJ_JOURNAL_ENTRY_TYPE\\=\"UB\" QJ_RECEIVER_NAME\\=\"DETRCV0010\" QJ_SEQUENCE_NUMBER\\=\"22145\" EVTUSER1\\=\"BARLEN\" EVTMSGID1\\=\"CPF1122\" EVTMSGID2\\=\"CPF9998\" EVTMSGID3\\=\"SLS0040\" cs4Label=rowDataAfter cs4=QJ_JOURNAL_ENTRY_TYPE\\=\"UP\" QJ_RECEIVER_NAME\\=\"DETRCV0010\" QJ_SEQUENCE_NUMBER\\=\"22146\" EVTUSER1\\=\"BARLEN3\" EVTMSGID1\\=\"CPF1129\" EVTMSGID2\\=\"CPF9997\" EVTMSGID3\\=\"SLS0042\"",
    "event": {
        "action": "UPDATE",
        "category": [
            "database"
        ],
        "dataset": "DB2MON",
        "type": [
            "change"
        ]
    },
    "@timestamp": "2020-04-30T12:11:52.265056Z",
    "host": {
        "name": "I5OSP4"
    },
    "ibm_i": {
        "pgmName": "CFGSLHSTP"
    },
    "observer": {
        "product": "IBM i",
        "vendor": "IBM",
        "version": "7.4"
    },
    "process": {
        "name": "BARLEN/QPADEV000D",
        "pid": 551907
    },
    "related": {
        "user": [
            "BARLEN"
        ]
    },
    "user": {
        "name": "BARLEN"
    }
}
{
    "message": "CEF:0|IBM|IBM i|7.4|IFSMON|IFS File Monitor Journal Entry Type B-WA|3|act=B-WA Write, after-image event sproc=722496/BARLEN/QZSHSH suser=BARLEN shost=CTCSECT5 filePath=/home/barlen/ifsmon/weblog2.log fileType=*STMF cs2Label=changedDataLength cs2=0000000064 cs3Label=changedDataPart cs3=*ONLY cs4Label=changedDataFileOffset cs4=00000000000000788915 cs1Label=changedData cs1=Unauthorized access to Web resource accountInfo by user TBARLEN",
    "event": {
        "category": [
            "file"
        ],
        "dataset": "IFSMON",
        "reason": "Unauthorized access to Web resource accountInfo by user TBARLEN",
        "type": [
            "info"
        ]
    },
    "file": {
        "directory": "/home/barlen/ifsmon",
        "name": "weblog2.log",
        "path": "/home/barlen/ifsmon/weblog2.log"
    },
    "host": {
        "name": "CTCSECT5"
    },
    "observer": {
        "product": "IBM i",
        "vendor": "IBM",
        "version": "7.4"
    },
    "process": {
        "name": "BARLEN/QZSHSH",
        "pid": 722496
    },
    "related": {
        "user": [
            "BARLEN"
        ]
    },
    "user": {
        "name": "BARLEN"
    }
}
{
    "message": "CEF:0|IBM|IBM i|7.4|QSYS-QAUDJRN|T-AF|Medium|reason=Authority failure msg=Not authorized to object fileType=*PGM cs1Label=objName cs1=QZRDSECSRM/CFGJSCR suser=THOMAS sproc=722470/THOMAS/QPADEV000P shost=I5OSP4 src=192.168.126.71 spt=36868 evtAggregation=*NO entryTypeField=A",
    "event": {
        "category": [
            "authentication"
        ],
        "dataset": "QSYS-QAUDJRN",
        "reason": "Not authorized to object",
        "type": [
            "info"
        ]
    },
    "host": {
        "name": "I5OSP4"
    },
    "ibm_i": {
        "objName": "QZRDSECSRM/CFGJSCR"
    },
    "observer": {
        "product": "IBM i",
        "vendor": "IBM",
        "version": "7.4"
    },
    "process": {
        "name": "THOMAS/QPADEV000P",
        "pid": 722470
    },
    "related": {
        "ip": [
            "192.168.126.71"
        ],
        "user": [
            "THOMAS"
        ]
    },
    "source": {
        "address": "192.168.126.71",
        "ip": "192.168.126.71",
        "port": 36868
    },
    "user": {
        "name": "THOMAS"
    }
}
{
    "message": "CEF:0|IBM|IBM i|7.4|QSYS-QAUDJRN|T-CD|Low|reason=Command string audit msg=Command run interactively from a command line or by choosing a menu option that runs a CL command - CHGENVVAR ENVVAR(test4) VALUE(77777) LEVEL(*SYS) fileType=*CMD cs1Label=objName cs1=QSYS/CHGENVVAR suser=BARLEN sproc=721738/BARLEN/QPADEV000Q shost=I5OSP4 src=192.168.126.71 spt=36888 evtAggregation=*NO entryTypeField=C",
    "event": {
        "category": [
            "process"
        ],
        "dataset": "QSYS-QAUDJRN",
        "reason": "Command run interactively from a command line or by choosing a menu option that runs a CL command - CHGENVVAR ENVVAR(test4) VALUE(77777) LEVEL(*SYS)",
        "type": [
            "start"
        ]
    },
    "host": {
        "name": "I5OSP4"
    },
    "ibm_i": {
        "objName": "QSYS/CHGENVVAR"
    },
    "observer": {
        "product": "IBM i",
        "vendor": "IBM",
        "version": "7.4"
    },
    "process": {
        "name": "BARLEN/QPADEV000Q",
        "pid": 721738
    },
    "related": {
        "ip": [
            "192.168.126.71"
        ],
        "user": [
            "BARLEN"
        ]
    },
    "source": {
        "address": "192.168.126.71",
        "ip": "192.168.126.71",
        "port": 36888
    },
    "user": {
        "name": "BARLEN"
    }
}
{
    "message": "CEF:0|IBM|IBM i|7.3|QSYS-QHST|TCP2617|Low|reason=TCP2617 msg=TCP/IP connection to remote system 10.1.43.58 closed, reason code 1. suser=QSYS sproc=080247/QSYS/QTCPWRK shost=EXPC3",
    "event": {
        "category": [
            "network"
        ],
        "code": "TCP2617",
        "dataset": "QSYS-QHST",
        "reason": "TCP/IP connection to remote system 10.1.43.58 closed, reason code 1.",
        "type": [
            "end"
        ]
    },
    "host": {
        "name": "EXPC3"
    },
    "observer": {
        "product": "IBM i",
        "vendor": "IBM",
        "version": "7.3"
    },
    "process": {
        "name": "QSYS/QTCPWRK",
        "pid": 80247
    },
    "related": {
        "user": [
            "QSYS"
        ]
    },
    "user": {
        "name": "QSYS"
    }
}

Extracted Fields

The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed.

Name Type Description
@timestamp date Date/time when the event originated.
event.action keyword The action captured by the event.
event.category keyword Event category. The second categorization field in the hierarchy.
event.code keyword Identification code for this event.
event.dataset keyword Name of the dataset.
event.reason keyword Reason why this event happened, according to the source
event.type keyword Event type. The third categorization field in the hierarchy.
file.directory keyword Directory where the file is located.
file.name keyword Name of the file including the extension, without the directory.
file.path keyword Full path to the file, including the file name.
host.name keyword Name of the host.
ibm_i.cat keyword The category of the object
ibm_i.objName keyword The name of the object
ibm_i.pgmName keyword The name of the program
observer.product keyword The product name of the observer.
observer.vendor keyword Vendor name of the observer.
observer.version keyword Observer version.
process.exit_code long The exit code of the process.
process.name keyword Process name.
process.pid long Process id.
source.ip ip IP address of the source.
source.port long Port of the source.
user.name keyword Short name or login of the user.

For more information on the Intake Format, please find the code of the Parser, Smart Descriptions, and Supported Events here.