IBM iSeries (AS/400)
Overview
IBM iSeries (AS/400) is a robust, scalable family of midrange business computers running the IBM i operating system, known for its integrated DB2 database and strong security features.
- Vendor: IBM
- Plan: Defend Prime
- Supported environment: On prem
- Version Compatibility: 7.5
- Detection based on: Telemetry
Warning
Important - This integration requires the installation of Syslog Reporting Manager on IBM i, for which a fee is charged.
Warning
Important note - This format is currently in beta. We highly value your feedback to improve its performance.
Supported versions
This integration supports the following versions:
- 7.3
- 7.4
- 7.5
Supported events
This integration supports the following events:
- Audit journal (Command entry, Authority failure)
- Integrated file system monitoring
- Message queues monitoring
- Database monitoring
- History logs
Configure
In this guide, you will configure the gateway to forward events to syslog.
Prerequisites
- An internal syslog concentrator is required to collect and forward events to Sekoia.io.
- Syslog Reporting Manager installed on the iSeries. See docs for more info.
Forward IBM iSeries events
- Ensure having
Syslog Reporting Managerinstalled and configured - On the SLMON menu, type
CFGSRM - On the Configure global settings, select Option
2 - Type the address and the port of the log concentrator
- Select
RFC5424asSyslog format - Select
CEFasSIEM message format - Select the protocol for the log concentrator (
TCPis recommended) - At the bottom of the screen, press
Enterto save the changes
Enable Audit logs (optional)
- On the SLMON menu, type
CFGSRM - On the Configure global settings, select Option
10 - Enable the following type:
- AF: Authority failures
- CD: Command string audit
- Press
F3to save the changes
Create the intake
Go to the intake page and create a new intake from the format IBM iSeries.
Send logs to Sekoia.io
Please consult the Syslog Forwarding documentation to forward these logs to Sekoia.io.
Raw Events Samples
In this section, you will find examples of raw logs as generated natively by the source. These examples are provided to help integrators understand the data format before ingestion into Sekoia.io. It is crucial for setting up the correct parsing stages and ensuring that all relevant information is captured.
CEF:0|IBM|IBM i|7.3|QSYS-QHST|CPC1126|Low|act=CodeSample reason=CPC1126 msg=The user QSYSOPR has stopped the job 080352/QTMHHTTP/ADMIN. suser=QSYSOPR sproc=086157/QSYSOPR/UPSA_QHTTP shost=EXPC3
CEF:0|IBM|IBM i|7.3|QSYS-QHST|CPC1126|Low|reason=CPC1126 msg=L'utilisateur QSYSOPR a arrêt{ le travail 080352/QTMHHTTP/ADMIN. suser=QSYSOPR sproc=086157/QSYSOPR/UPSA_QHTTP shost=EXPC3
CEF:0|IBM|IBM i|7.4|MSGMON|CPF0907|5|cat=MSG Queue Messages rt=2020-04-30-11.35.29.886549 reason=CPF0907 cs1Label=msgSev cs1=ERROR cs2Label=msgQueue cs2=QSYS/QSYSOPR cs3Label=pgmName cs3=QWCATARE msg=Serious storage condition may exist. Press HELP. cs4Label=srdb cs4=I5OSP4 suser=QSYS sproc=541034/QSYS/QSYSARB5 shost=I5OSP4
CEF:0|IBM|IBM i|7.3|QSYS-QHST|CPF0927|Low|reason=CPF0927 msg=Subsystem QBATCH stopped suser=QSYS sproc=080211/QSYS/QSYSARB4 shost=EXPC3
CEF:0|IBM|IBM i|7.4|QSYS-QHST|CPF1124|Low|reason=CPF1124 msg=Job 722506/QZRDSRMOWN/SLMSQMONS started on 25.08.20 at 18:59:04 in subsystem SLSBS in QZRDSECSRM. Job entered system on 25.08.20 at 18:59:04. suser=QZRDSRMOWN sproc=722506/QZRDSRMOWN/SLMSQMONS shost=EXPC3
CEF:0|IBM|IBM i|7.3|QSYS-QHST|CPF1124|Low|reason=CPF1124 msg=Travail 086167/QZRDSRMOWN/SLMSQMONS d{marr{ le 12/03/24 @ 02:08:51 dans le sous-syst}me SLSBS de QZRDSECSRM ; soumis le 12/03/24 @ 02:08:51. suser=QZRDSRMOWN sproc=086167/QZRDSRMOWN/SLMSQMONS shost=EXPC3
CEF:0|IBM|IBM i|7.3|QSYS-QHST|CPF1164|High|reason=CPF1164 msg=Job 111111/JDOE/JPRC stopped at 12/03/24 @ 02:06:54; UC time 0,002; exit code 123 . suser=JDOE sproc=111111/JDOE/JPRC shost=EXPC3
CEF:0|IBM|IBM i|7.3|QSYS-QHST|CPF1164|High|reason=CPF1164 msg=Travail 080694/QSPLJOB/RMTW000008 arrêt{ le 12/03/24 @ 02:05:56; temps UC 0,005; code fin 50 . suser=QSPLJOB sproc=080694/QSPLJOB/RMTW000008 shost=EXPC3
CEF:0|IBM|IBM i|7.3|QSYS-QHST|CPI3E34|Low|reason=CPI3E34 msg=User QBRMS, client 192.168.242.20, was connected to the job 086171/QUSER/QRWTSRVR in the subsystem QSYSWRK, QSYS, 12/03/24, 02:16:22. suser=QBRMS sproc=086171/QUSER/QRWTSRVR shost=EXPC3
CEF:0|IBM|IBM i|7.3|QSYS-QHST|CPI3E34|Low|reason=CPI3E34 msg=L'utilisateur QBRMS, client 192.168.242.20, est connect{ au travail 086171/QUSER/QRWTSRVR dans le sous-syst}me QSYSWRK, QSYS, 12/03/24, 02:16:22. suser=QBRMS sproc=086171/QUSER/QRWTSRVR shost=EXPC3
CEF:0|IBM|IBM i|7.4|DB2MON|DB2 change monitoring (Journal Extract Tool)|3|act=UPDATE rt=2020-04-30-12.11.52.265056 sproc=551907/BARLEN/QPADEV000D shost=I5OSP4 suser=BARLEN fname=QZRDSECSRM/SLTHSTENT cs1Label=pgmName cs1=CFGSLHSTP cs2Label=updatedColumnNames cs2=EVTUSER1,EVTMSGID1,EVTMSGID2,EVTMSGID3 cs5Label=rowDataBefore cs5=QJ_JOURNAL_ENTRY_TYPE\="UB" QJ_RECEIVER_NAME\="DETRCV0010" QJ_SEQUENCE_NUMBER\="22145" EVTUSER1\="BARLEN" EVTMSGID1\="CPF1122" EVTMSGID2\="CPF9998" EVTMSGID3\="SLS0040" cs4Label=rowDataAfter cs4=QJ_JOURNAL_ENTRY_TYPE\="UP" QJ_RECEIVER_NAME\="DETRCV0010" QJ_SEQUENCE_NUMBER\="22146" EVTUSER1\="BARLEN3" EVTMSGID1\="CPF1129" EVTMSGID2\="CPF9997" EVTMSGID3\="SLS0042"
CEF:0|IBM|IBM i|7.4|IFSMON|IFS File Monitor Journal Entry Type B-WA|3|act=B-WA Write, after-image event sproc=722496/BARLEN/QZSHSH suser=BARLEN shost=CTCSECT5 filePath=/home/barlen/ifsmon/weblog2.log fileType=*STMF cs2Label=changedDataLength cs2=0000000064 cs3Label=changedDataPart cs3=*ONLY cs4Label=changedDataFileOffset cs4=00000000000000788915 cs1Label=changedData cs1=Unauthorized access to Web resource accountInfo by user TBARLEN
CEF:0|IBM|IBM i|7.4|QSYS-QAUDJRN|T-AF|Medium|reason=Authority failure msg=Not authorized to object fileType=*PGM cs1Label=objName cs1=QZRDSECSRM/CFGJSCR suser=THOMAS sproc=722470/THOMAS/QPADEV000P shost=I5OSP4 src=192.168.126.71 spt=36868 evtAggregation=*NO entryTypeField=A
CEF:0|IBM|IBM i|7.4|QSYS-QAUDJRN|T-CD|Low|reason=Command string audit msg=Command run interactively from a command line or by choosing a menu option that runs a CL command - CHGENVVAR ENVVAR(test4) VALUE(77777) LEVEL(*SYS) fileType=*CMD cs1Label=objName cs1=QSYS/CHGENVVAR suser=BARLEN sproc=721738/BARLEN/QPADEV000Q shost=I5OSP4 src=192.168.126.71 spt=36888 evtAggregation=*NO entryTypeField=C
CEF:0|IBM|IBM i|7.3|QSYS-QHST|TCP2617|Low|reason=TCP2617 msg=TCP/IP connection to remote system 10.1.43.58 closed, reason code 1. suser=QSYS sproc=080247/QSYS/QTCPWRK shost=EXPC3
Detection section
The following section provides information for those who wish to learn more about the detection capabilities enabled by collecting this intake. It includes details about the built-in rule catalog, event categories, and ECS fields extracted from raw events. This is essential for users aiming to create custom detection rules, perform hunting activities, or pivot in the events page.
Related Built-in Rules
The following Sekoia.io built-in rules match the intake IBM iSeries [BETA]. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
SEKOIA.IO x IBM iSeries [BETA] on ATT&CK Navigator
Account Added To A Security Enabled Group
Detection in order to investigate who has added a specific Domain User in Domain Admins or Group Policy Creator Owners (Security event 4728)
- Effort: master
Account Removed From A Security Enabled Group
Detection in order to investigate who has removed a specific Domain User in Domain Admins or Group Policy Creator Owners (Security event 4729)
- Effort: master
Active Directory Data Export Using Csvde
Detects the use of Csvde, a command-line tool from Windows Server that can be used to export Active Directory data to CSV files. This export doesn't include password hashes, but can be used as a discovery tool to enumerate users, machines and group memberships.
- Effort: elementary
AdFind Usage
Detects the usage of the AdFind tool. AdFind.exe is a free tool that extracts information from Active Directory. Wizard Spider (Bazar, TrickBot, Ryuk), FIN6 and MAZE operators have used AdFind.exe to collect information about Active Directory organizational units and trust objects
- Effort: elementary
Adexplorer Usage
Detects the usage of Adexplorer, a legitimate tool from the Sysinternals suite that could be abused by attackers as it can saves snapshots of the Active Directory Database.
- Effort: advanced
Adidnsdump Enumeration
Detects use of the tool adidnsdump for enumeration and discovering DNS records.
- Effort: advanced
Advanced IP Scanner
Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.
- Effort: master
Aspnet Compiler
Detects the starts of aspnet compiler.
- Effort: advanced
Bloodhound and Sharphound Tools Usage
Detects default process names and default command line parameters used by Bloodhound and Sharphound tools.
- Effort: intermediate
CVE-2017-11882 Microsoft Office Equation Editor Vulnerability
Detects the exploitation of CVE-2017-11882 vulnerability. The Microsoft Office Equation Editor has no reason to do a network request or drop an executable file. This requires a sysmon configuration with file and network events.
- Effort: master
CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv
Detects suspicious image loads and file creations from the spoolsv process which could be a sign of an attacker trying to exploit the PrintNightmare vulnerability, CVE-2021-34527. A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. This works as well as a Local Privilege escalation vulnerability. To fully work the rule requires to log for Loaded DLLs and File Creations, which can be done respectively using the Sysmon's event IDs 7 and 11.
- Effort: master
Certificate Authority Modification
Installation of new certificate(s) in the Certificate Authority can be used to trick user when spoofing website or to add trusted destinations.
- Effort: master
Certify Or Certipy
Detects the use of certify and certipy which are two different tools used to enumerate and abuse Active Directory Certificate Services.
- Effort: advanced
Cobalt Strike Default Beacons Names
Detects the default names of Cobalt Strike beacons / payloads.
- Effort: intermediate
Computer Account Deleted
Detects computer account deletion.
- Effort: master
Cookies Deletion
Detects when cookies are deleted by a suspicious process.
- Effort: master
Credential Dump Tools Related Files
Detects processes or file names related to credential dumping tools and the dropped files they generate by default.
- Effort: advanced
Cron Files Alteration
Cron Files and Cron Directory alteration used by attacker for persistency or privilege escalation.
- Effort: advanced
Cryptomining
Detection of domain names potentially related to cryptomining activities.
- Effort: master
DNS Query For Iplookup
Detects dns query of observables tagged as iplookup.
- Effort: master
Discovery Commands Correlation
Detects some frequent discovery commands used by some ransomware operators.
- Effort: intermediate
Domain Trust Created Or Removed
A trust was created or removed to a domain. An attacker could perform that in order to do lateral movement easily between domains or shutdown the ability of two domains to communicate.
- Effort: advanced
Dynamic DNS Contacted
Detect communication with dynamic dns domain. This kind of domain is often used by attackers. This rule can trigger false positive in non-controlled environment because dynamic dns is not always malicious.
- Effort: master
Exfiltration And Tunneling Tools Execution
Execution of well known tools for data exfiltration and tunneling
- Effort: advanced
Exfiltration Domain
Detects traffic toward a domain flagged as a possible exfiltration vector.
- Effort: master
HTA Infection Chains
Detect the creation of a ZIP file and an HTA file as it is often used in infection chains. Furthermore it also detects the use of suspicious processes launched by explorer.exe combined with the creation of an HTA file, since it is also often used in infection chains (LNK - HTA for instance).
- Effort: intermediate
HTML Smuggling Suspicious Usage
Based on several samples from different botnets, this rule aims at detecting HTML infection chain by looking for HTML created files followed by suspicious files being executed.
- Effort: intermediate
HackTools Suspicious Names
Quick-win rule to detect the default process names or file names of several HackTools.
- Effort: elementary
Hijack Legit RDP Session To Move Laterally
Identifies suspicious file creations in the startup folder of a remote system. An adversary could abuse this to move laterally by dropping a malicious script or executable that will be executed after a reboot or user logon.
- Effort: intermediate
ISO LNK Infection Chain
Detection of an ISO (or any other similar archive file) downloaded file, followed by a child-process of explorer, which is characteristic of an infection using an ISO containing an LNK file. For events with host.name.
- Effort: intermediate
Information Stealer Downloading Legitimate Third-Party DLLs
Detects operations that involved legitimate third-party DLLs used by information-stealing malware for data collection on the infected host. This detection rule correlates at least 7 events including the following DLLs - freebl3.dll, vcruntime140.dll, msvcp140.dll, nss3.dll, sqlite3.dll, softokn3.dll, mozglue.dll and libcurl.dll. This behaviour matches activities of several widespread stealer like Vidar, Raccoon Stealer v2, Mars Stealer, etc.
- Effort: intermediate
Kernel Module Alteration
Kernel module installation can be used to configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems.
- Effort: advanced
MSBuild Abuse
Detection of MSBuild uses by attackers to infect an host. Focuses on XML compilation which is a Metasploit payload, and on connections made by this process which is unusual.
- Effort: intermediate
Microsoft Exchange Server Creating Unusual Files
Look for Microsoft Exchange Server’s Unified Messaging service creating non-standard content on disk, which could indicate web shells or other malicious content, suggesting exploitation of CVE-2021-26858 vulnerability
- Effort: intermediate
Microsoft Office Creating Suspicious File
Detects Microsoft Office process (word, excel, powerpoint) creating a suspicious file which corresponds to a script or an executable. This behavior highly corresponds to an executed macro which loads an installation script or a malware payload. The rule requires to log for File Creations to work properly, which can be done through Sysmon Event ID 11.
- Effort: master
NTDS.dit File In Suspicious Directory
The file NTDS.dit is supposed to be located mainly in C:\Windows\NTDS. The rule checks whether the file is in a legitimate directory or not (through file creation events). This is usually really suspicious and could indicate an attacker trying copy the file to then look for users password hashes.
- Effort: advanced
Network Scanning and Discovery
Tools and command lines used for network discovery from current system
- Effort: advanced
Network Sniffing
List of common tools used for network packages sniffing
- Effort: advanced
Network Sniffing Windows
Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
- Effort: intermediate
NlTest Usage
Detects attempts to gather information on domain trust relationships that may be used to identify lateral movement opportunities. These command lines were observed in numerous attacks, but also sometimes from legitimate administrators for debugging purposes. The rule does not cover very basics commands but rather the ones that are interesting for attackers to gather information on a domain.
- Effort: advanced
OneNote Embedded File
Detects creation or uses of OneNote embedded files with unusual extensions.
- Effort: intermediate
OneNote Suspicious Children Process
In January 2023, a peak of attacks using .one files was observed in the wild. This rule tries to detect the effect of such attempts using this technique.
- Effort: advanced
Package Manager Alteration
Package manager (eg: apt, yum) can be altered to install malicious software
- Effort: advanced
Password Change On Directory Service Restore Mode (DSRM) Account
The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password to gain persistence.
- Effort: intermediate
PasswordDump SecurityXploded Tool
Detects the execution of the PasswordDump SecurityXploded Tool
- Effort: elementary
Possible Replay Attack
This event can be a sign of Kerberos replay attack or, among other things, network device configuration or routing problems.
- Effort: intermediate
Process Trace Alteration
PTrace syscall provides a means by which one process ("tracer") may observe and control the execution of another process ("tracee") and examine and change the tracee's memory and registers. Attacker might want to abuse ptrace functionnality to analyse memory process. It requires to be admin or set ptrace_scope to 0 to allow all user to trace any process.
- Effort: advanced
PsExec Process
Detects PsExec execution, command line which contains pstools or installation of the PsExec service. PsExec is a SysInternals which can be used to execute a program on another computer. The tool is as much used by attackers as by administrators.
- Effort: advanced
RDP Session Discovery
Detects use of RDP session discovery via qwinsta or quser. Used by some threat actors to know if someone is working via RDP on a server.
- Effort: advanced
RSA SecurID Failed Authentification
Detects many failed attempts to authenticate followed by a successfull login for a super admin account.
- Effort: advanced
RTLO Character
Detects RTLO (Right-To-Left character) in file and process names.
- Effort: elementary
Remote Access Tool Domain
Detects traffic toward a domain flagged as a Remote Administration Tool (RAT).
- Effort: master
Remote Monitoring and Management Software - AnyDesk
Detect artifacts related to the installation or execution of the Remote Monitoring and Management tool AnyDesk.
- Effort: master
Remote Monitoring and Management Software - Atera
Detect artifacts related to the installation or execution of the Remote Monitoring and Management tool Atera.
- Effort: master
SEKOIA.IO Intelligence Feed
Detect threats based on indicators of compromise (IOCs) collected by SEKOIA's Threat and Detection Research team.
- Effort: elementary
SSH Authorized Key Alteration
The file authorized_keys is used by SSH server to identify SSH keys that are authorized to connect to the host, alteration of one of those files might indicate a user compromision.
- Effort: advanced
SecurityScorecard Vulnerability Assessment Scanner New Issues
Raises an alert when SecurityScorecard Vulnerability Assessment Scanner find new issues.
- Effort: master
Sekoia.io EICAR Detection
Detects observables in Sekoia.io CTI tagged as EICAR, which are fake samples meant to test detection.
- Effort: master
Socat Relaying Socket
Socat is a linux tool used to relay local socket or internal network connection, this technics is often used by attacker to bypass security equipment such as firewall
- Effort: advanced
Socat Reverse Shell Detection
Socat is a linux tool used to relay or open reverse shell that is often used by attacker to bypass security equipment.
- Effort: intermediate
SolarWinds Suspicious File Creation
Detects SolarWinds process creating a file with a suspicious extension. The process solarwinds.businesslayerhost.exe created an unexpected file whose extension is ".exe", ".ps1", ".jpg", ".png" or ".dll".
- Effort: intermediate
Suspicious Desktopimgdownldr Execution
Detects a suspicious Desktopimgdownldr execution. Desktopimgdownldr.exe is a Windows binary used to configure lockscreen/desktop image and can be abused to download malicious file.
- Effort: intermediate
Suspicious Double Extension
Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spearphishing campaigns
- Effort: advanced
Suspicious File Name
Detects suspicious file name possibly linked to malicious tool.
- Effort: advanced
Suspicious PROCEXP152.sys File Created In Tmp
Detects the creation of the PROCEXP152.sys file in the application-data local temporary folder. This driver is used by Sysinternals Process Explorer but also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU. Note - Clever attackers may easily bypass this detection by just renaming the driver filename. Therefore just Medium-level and don't rely on it.
- Effort: advanced
System Info Discovery
System info discovery, attempt to detects basic command use to fingerprint a host.
- Effort: master
TOR Usage Generic Rule
Detects TOR usage globally, whether the IP is a destination or source. TOR is short for The Onion Router, and it gets its name from how it works. TOR intercepts the network traffic from one or more apps on user’s computer, usually the user web browser, and shuffles it through a number of randomly-chosen computers before passing it on to its destination. This disguises user location, and makes it harder for servers to pick him/her out on repeat visits, or to tie together separate visits to different sites, this making tracking and surveillance more difficult. Before a network packet starts its journey, user’s computer chooses a random list of relays and repeatedly encrypts the data in multiple layers, like an onion. Each relay knows only enough to strip off the outermost layer of encryption, before passing what’s left on to the next relay in the list.
- Effort: master
User Account Created
Detects user creation on windows servers, which shouldn't happen in an Active Directory environment. Apply this on your windows server logs and not on your DC logs. One default account defaultuser0 is excluded as only used during Windows set-up. This detection use Security Event ID 4720.
- Effort: master
User Account Deleted
Detects local user deletion
- Effort: master
WCE wceaux.dll Creation
Detects wceaux.dll creation while Windows Credentials Editor (WCE) is executed.
- Effort: intermediate
WMI Persistence Script Event Consumer File Write
Detects file writes through WMI script event consumer.
- Effort: advanced
Webshell Creation
Detects possible webshell file creation. It requires File Creation monitoring, which can be done using Sysmon's Event ID 11. However the recommended SwiftOnSecurity configuration does not fully cover the needs for this rule, it needs to be updated with the proper file names extensions.
- Effort: master
ZIP LNK Infection Chain
Detection of an ZIP download followed by a child-process of explorer, followed by multiple Windows processes.This is widely used as an infection chain mechanism.
- Effort: advanced
Event Categories
The following table lists the data source offered by this integration.
| Data Source | Description |
|---|---|
Authentication logs |
Audit journal |
File monitoring |
Integrated file system (IFS) log files |
Process monitoring |
Message queues, database monitoring |
In details, the following table denotes the type of events produced by this integration.
| Name | Values |
|---|---|
| Kind | `` |
| Category | authentication, database, file, network, process, session |
| Type | change, end, info, start |
Transformed Events Samples after Ingestion
This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the built-in detection rules and hunting activities in the events page. Understanding these transformations is essential for analysts to create effective detection mechanisms with custom detection rules and to leverage the full potential of the collected data.
{
"message": "CEF:0|IBM|IBM i|7.3|QSYS-QHST|CPC1126|Low|act=CodeSample reason=CPC1126 msg=The user QSYSOPR has stopped the job 080352/QTMHHTTP/ADMIN. suser=QSYSOPR sproc=086157/QSYSOPR/UPSA_QHTTP shost=EXPC3",
"event": {
"category": [
"process"
],
"code": "CPC1126",
"dataset": "QSYS-QHST",
"reason": "The user QSYSOPR has stopped the job 080352/QTMHHTTP/ADMIN.",
"type": [
"end"
]
},
"host": {
"name": "EXPC3"
},
"observer": {
"product": "IBM i",
"vendor": "IBM",
"version": "7.3"
},
"process": {
"name": "QSYSOPR/UPSA_QHTTP",
"pid": 86157
},
"related": {
"user": [
"QSYSOPR"
]
},
"user": {
"name": "QSYSOPR"
}
}
{
"message": "CEF:0|IBM|IBM i|7.3|QSYS-QHST|CPC1126|Low|reason=CPC1126 msg=L'utilisateur QSYSOPR a arr\u00eat{ le travail 080352/QTMHHTTP/ADMIN. suser=QSYSOPR sproc=086157/QSYSOPR/UPSA_QHTTP shost=EXPC3",
"event": {
"category": [
"process"
],
"code": "CPC1126",
"dataset": "QSYS-QHST",
"reason": "L'utilisateur QSYSOPR a arr\u00eat{ le travail 080352/QTMHHTTP/ADMIN.",
"type": [
"end"
]
},
"host": {
"name": "EXPC3"
},
"observer": {
"product": "IBM i",
"vendor": "IBM",
"version": "7.3"
},
"process": {
"name": "QSYSOPR/UPSA_QHTTP",
"pid": 86157
},
"related": {
"user": [
"QSYSOPR"
]
},
"user": {
"name": "QSYSOPR"
}
}
{
"message": "CEF:0|IBM|IBM i|7.4|MSGMON|CPF0907|5|cat=MSG Queue Messages rt=2020-04-30-11.35.29.886549 reason=CPF0907 cs1Label=msgSev cs1=ERROR cs2Label=msgQueue cs2=QSYS/QSYSOPR cs3Label=pgmName cs3=QWCATARE msg=Serious storage condition may exist. Press HELP. cs4Label=srdb cs4=I5OSP4 suser=QSYS sproc=541034/QSYS/QSYSARB5 shost=I5OSP4",
"event": {
"category": [
"process"
],
"dataset": "MSGMON",
"reason": "Serious storage condition may exist. Press HELP.",
"type": [
"info"
]
},
"@timestamp": "2020-04-30T11:35:29.886549Z",
"host": {
"name": "I5OSP4"
},
"ibm_i": {
"cat": "MSG Queue Messages",
"pgmName": "QWCATARE"
},
"observer": {
"product": "IBM i",
"vendor": "IBM",
"version": "7.4"
},
"process": {
"name": "QSYS/QSYSARB5",
"pid": 541034
},
"related": {
"user": [
"QSYS"
]
},
"user": {
"name": "QSYS"
}
}
{
"message": "CEF:0|IBM|IBM i|7.3|QSYS-QHST|CPF0927|Low|reason=CPF0927 msg=Subsystem QBATCH stopped suser=QSYS sproc=080211/QSYS/QSYSARB4 shost=EXPC3",
"event": {
"category": [
"process"
],
"code": "CPF0927",
"dataset": "QSYS-QHST",
"reason": "Subsystem QBATCH stopped",
"type": [
"end"
]
},
"host": {
"name": "EXPC3"
},
"observer": {
"product": "IBM i",
"vendor": "IBM",
"version": "7.3"
},
"process": {
"name": "QSYS/QSYSARB4",
"pid": 80211
},
"related": {
"user": [
"QSYS"
]
},
"user": {
"name": "QSYS"
}
}
{
"message": "CEF:0|IBM|IBM i|7.4|QSYS-QHST|CPF1124|Low|reason=CPF1124 msg=Job 722506/QZRDSRMOWN/SLMSQMONS started on 25.08.20 at 18:59:04 in subsystem SLSBS in QZRDSECSRM. Job entered system on 25.08.20 at 18:59:04. suser=QZRDSRMOWN sproc=722506/QZRDSRMOWN/SLMSQMONS shost=EXPC3",
"event": {
"category": [
"process"
],
"code": "CPF1124",
"dataset": "QSYS-QHST",
"reason": "Job 722506/QZRDSRMOWN/SLMSQMONS started on 25.08.20 at 18:59:04 in subsystem SLSBS in QZRDSECSRM. Job entered system on 25.08.20 at 18:59:04.",
"type": [
"start"
]
},
"host": {
"name": "EXPC3"
},
"observer": {
"product": "IBM i",
"vendor": "IBM",
"version": "7.4"
},
"process": {
"name": "QZRDSRMOWN/SLMSQMONS",
"pid": 722506
},
"related": {
"user": [
"QZRDSRMOWN"
]
},
"user": {
"name": "QZRDSRMOWN"
}
}
{
"message": "CEF:0|IBM|IBM i|7.3|QSYS-QHST|CPF1124|Low|reason=CPF1124 msg=Travail 086167/QZRDSRMOWN/SLMSQMONS d{marr{ le 12/03/24 @ 02:08:51 dans le sous-syst}me SLSBS de QZRDSECSRM ; soumis le 12/03/24 @ 02:08:51. suser=QZRDSRMOWN sproc=086167/QZRDSRMOWN/SLMSQMONS shost=EXPC3",
"event": {
"category": [
"process"
],
"code": "CPF1124",
"dataset": "QSYS-QHST",
"reason": "Travail 086167/QZRDSRMOWN/SLMSQMONS d{marr{ le 12/03/24 @ 02:08:51 dans le sous-syst}me SLSBS de QZRDSECSRM ; soumis le 12/03/24 @ 02:08:51.",
"type": [
"start"
]
},
"host": {
"name": "EXPC3"
},
"observer": {
"product": "IBM i",
"vendor": "IBM",
"version": "7.3"
},
"process": {
"name": "QZRDSRMOWN/SLMSQMONS",
"pid": 86167
},
"related": {
"user": [
"QZRDSRMOWN"
]
},
"user": {
"name": "QZRDSRMOWN"
}
}
{
"message": "CEF:0|IBM|IBM i|7.3|QSYS-QHST|CPF1164|High|reason=CPF1164 msg=Job 111111/JDOE/JPRC stopped at 12/03/24 @ 02:06:54; UC time 0,002; exit code 123 . suser=JDOE sproc=111111/JDOE/JPRC shost=EXPC3",
"event": {
"category": [
"process"
],
"code": "CPF1164",
"dataset": "QSYS-QHST",
"reason": "Job 111111/JDOE/JPRC stopped at 12/03/24 @ 02:06:54; UC time 0,002; exit code 123 .",
"type": [
"end"
]
},
"host": {
"name": "EXPC3"
},
"observer": {
"product": "IBM i",
"vendor": "IBM",
"version": "7.3"
},
"process": {
"exit_code": 123,
"name": "JDOE/JPRC",
"pid": 111111
},
"related": {
"user": [
"JDOE"
]
},
"user": {
"name": "JDOE"
}
}
{
"message": "CEF:0|IBM|IBM i|7.3|QSYS-QHST|CPF1164|High|reason=CPF1164 msg=Travail 080694/QSPLJOB/RMTW000008 arr\u00eat{ le 12/03/24 @ 02:05:56; temps UC 0,005; code fin 50 . suser=QSPLJOB sproc=080694/QSPLJOB/RMTW000008 shost=EXPC3",
"event": {
"category": [
"process"
],
"code": "CPF1164",
"dataset": "QSYS-QHST",
"reason": "Travail 080694/QSPLJOB/RMTW000008 arr\u00eat{ le 12/03/24 @ 02:05:56; temps UC 0,005; code fin 50 .",
"type": [
"end"
]
},
"host": {
"name": "EXPC3"
},
"observer": {
"product": "IBM i",
"vendor": "IBM",
"version": "7.3"
},
"process": {
"exit_code": 50,
"name": "QSPLJOB/RMTW000008",
"pid": 80694
},
"related": {
"user": [
"QSPLJOB"
]
},
"user": {
"name": "QSPLJOB"
}
}
{
"message": "CEF:0|IBM|IBM i|7.3|QSYS-QHST|CPI3E34|Low|reason=CPI3E34 msg=User QBRMS, client 192.168.242.20, was connected to the job 086171/QUSER/QRWTSRVR in the subsystem QSYSWRK, QSYS, 12/03/24, 02:16:22. suser=QBRMS sproc=086171/QUSER/QRWTSRVR shost=EXPC3",
"event": {
"category": [
"session"
],
"code": "CPI3E34",
"dataset": "QSYS-QHST",
"reason": "User QBRMS, client 192.168.242.20, was connected to the job 086171/QUSER/QRWTSRVR in the subsystem QSYSWRK, QSYS, 12/03/24, 02:16:22.",
"type": [
"start"
]
},
"@timestamp": "2024-12-03T02:16:22Z",
"host": {
"name": "EXPC3"
},
"observer": {
"product": "IBM i",
"vendor": "IBM",
"version": "7.3"
},
"process": {
"name": "QUSER/QRWTSRVR",
"pid": 86171
},
"related": {
"ip": [
"192.168.242.20"
],
"user": [
"QBRMS"
]
},
"source": {
"address": "192.168.242.20",
"ip": "192.168.242.20"
},
"user": {
"name": "QBRMS"
}
}
{
"message": "CEF:0|IBM|IBM i|7.3|QSYS-QHST|CPI3E34|Low|reason=CPI3E34 msg=L'utilisateur QBRMS, client 192.168.242.20, est connect{ au travail 086171/QUSER/QRWTSRVR dans le sous-syst}me QSYSWRK, QSYS, 12/03/24, 02:16:22. suser=QBRMS sproc=086171/QUSER/QRWTSRVR shost=EXPC3",
"event": {
"category": [
"session"
],
"code": "CPI3E34",
"dataset": "QSYS-QHST",
"reason": "L'utilisateur QBRMS, client 192.168.242.20, est connect{ au travail 086171/QUSER/QRWTSRVR dans le sous-syst}me QSYSWRK, QSYS, 12/03/24, 02:16:22.",
"type": [
"start"
]
},
"@timestamp": "2024-12-03T02:16:22Z",
"host": {
"name": "EXPC3"
},
"observer": {
"product": "IBM i",
"vendor": "IBM",
"version": "7.3"
},
"process": {
"name": "QUSER/QRWTSRVR",
"pid": 86171
},
"related": {
"ip": [
"192.168.242.20"
],
"user": [
"QBRMS"
]
},
"source": {
"address": "192.168.242.20",
"ip": "192.168.242.20"
},
"user": {
"name": "QBRMS"
}
}
{
"message": "CEF:0|IBM|IBM i|7.4|DB2MON|DB2 change monitoring (Journal Extract Tool)|3|act=UPDATE rt=2020-04-30-12.11.52.265056 sproc=551907/BARLEN/QPADEV000D shost=I5OSP4 suser=BARLEN fname=QZRDSECSRM/SLTHSTENT cs1Label=pgmName cs1=CFGSLHSTP cs2Label=updatedColumnNames cs2=EVTUSER1,EVTMSGID1,EVTMSGID2,EVTMSGID3 cs5Label=rowDataBefore cs5=QJ_JOURNAL_ENTRY_TYPE\\=\"UB\" QJ_RECEIVER_NAME\\=\"DETRCV0010\" QJ_SEQUENCE_NUMBER\\=\"22145\" EVTUSER1\\=\"BARLEN\" EVTMSGID1\\=\"CPF1122\" EVTMSGID2\\=\"CPF9998\" EVTMSGID3\\=\"SLS0040\" cs4Label=rowDataAfter cs4=QJ_JOURNAL_ENTRY_TYPE\\=\"UP\" QJ_RECEIVER_NAME\\=\"DETRCV0010\" QJ_SEQUENCE_NUMBER\\=\"22146\" EVTUSER1\\=\"BARLEN3\" EVTMSGID1\\=\"CPF1129\" EVTMSGID2\\=\"CPF9997\" EVTMSGID3\\=\"SLS0042\"",
"event": {
"action": "UPDATE",
"category": [
"database"
],
"dataset": "DB2MON",
"type": [
"change"
]
},
"@timestamp": "2020-04-30T12:11:52.265056Z",
"host": {
"name": "I5OSP4"
},
"ibm_i": {
"pgmName": "CFGSLHSTP"
},
"observer": {
"product": "IBM i",
"vendor": "IBM",
"version": "7.4"
},
"process": {
"name": "BARLEN/QPADEV000D",
"pid": 551907
},
"related": {
"user": [
"BARLEN"
]
},
"user": {
"name": "BARLEN"
}
}
{
"message": "CEF:0|IBM|IBM i|7.4|IFSMON|IFS File Monitor Journal Entry Type B-WA|3|act=B-WA Write, after-image event sproc=722496/BARLEN/QZSHSH suser=BARLEN shost=CTCSECT5 filePath=/home/barlen/ifsmon/weblog2.log fileType=*STMF cs2Label=changedDataLength cs2=0000000064 cs3Label=changedDataPart cs3=*ONLY cs4Label=changedDataFileOffset cs4=00000000000000788915 cs1Label=changedData cs1=Unauthorized access to Web resource accountInfo by user TBARLEN",
"event": {
"category": [
"file"
],
"dataset": "IFSMON",
"reason": "Unauthorized access to Web resource accountInfo by user TBARLEN",
"type": [
"info"
]
},
"file": {
"directory": "/home/barlen/ifsmon",
"name": "weblog2.log",
"path": "/home/barlen/ifsmon/weblog2.log"
},
"host": {
"name": "CTCSECT5"
},
"observer": {
"product": "IBM i",
"vendor": "IBM",
"version": "7.4"
},
"process": {
"name": "BARLEN/QZSHSH",
"pid": 722496
},
"related": {
"user": [
"BARLEN"
]
},
"user": {
"name": "BARLEN"
}
}
{
"message": "CEF:0|IBM|IBM i|7.4|QSYS-QAUDJRN|T-AF|Medium|reason=Authority failure msg=Not authorized to object fileType=*PGM cs1Label=objName cs1=QZRDSECSRM/CFGJSCR suser=THOMAS sproc=722470/THOMAS/QPADEV000P shost=I5OSP4 src=192.168.126.71 spt=36868 evtAggregation=*NO entryTypeField=A",
"event": {
"category": [
"authentication"
],
"dataset": "QSYS-QAUDJRN",
"reason": "Not authorized to object",
"type": [
"info"
]
},
"host": {
"name": "I5OSP4"
},
"ibm_i": {
"objName": "QZRDSECSRM/CFGJSCR"
},
"observer": {
"product": "IBM i",
"vendor": "IBM",
"version": "7.4"
},
"process": {
"name": "THOMAS/QPADEV000P",
"pid": 722470
},
"related": {
"ip": [
"192.168.126.71"
],
"user": [
"THOMAS"
]
},
"source": {
"address": "192.168.126.71",
"ip": "192.168.126.71",
"port": 36868
},
"user": {
"name": "THOMAS"
}
}
{
"message": "CEF:0|IBM|IBM i|7.4|QSYS-QAUDJRN|T-CD|Low|reason=Command string audit msg=Command run interactively from a command line or by choosing a menu option that runs a CL command - CHGENVVAR ENVVAR(test4) VALUE(77777) LEVEL(*SYS) fileType=*CMD cs1Label=objName cs1=QSYS/CHGENVVAR suser=BARLEN sproc=721738/BARLEN/QPADEV000Q shost=I5OSP4 src=192.168.126.71 spt=36888 evtAggregation=*NO entryTypeField=C",
"event": {
"category": [
"process"
],
"dataset": "QSYS-QAUDJRN",
"reason": "Command run interactively from a command line or by choosing a menu option that runs a CL command - CHGENVVAR ENVVAR(test4) VALUE(77777) LEVEL(*SYS)",
"type": [
"start"
]
},
"host": {
"name": "I5OSP4"
},
"ibm_i": {
"objName": "QSYS/CHGENVVAR"
},
"observer": {
"product": "IBM i",
"vendor": "IBM",
"version": "7.4"
},
"process": {
"name": "BARLEN/QPADEV000Q",
"pid": 721738
},
"related": {
"ip": [
"192.168.126.71"
],
"user": [
"BARLEN"
]
},
"source": {
"address": "192.168.126.71",
"ip": "192.168.126.71",
"port": 36888
},
"user": {
"name": "BARLEN"
}
}
{
"message": "CEF:0|IBM|IBM i|7.3|QSYS-QHST|TCP2617|Low|reason=TCP2617 msg=TCP/IP connection to remote system 10.1.43.58 closed, reason code 1. suser=QSYS sproc=080247/QSYS/QTCPWRK shost=EXPC3",
"event": {
"category": [
"network"
],
"code": "TCP2617",
"dataset": "QSYS-QHST",
"reason": "TCP/IP connection to remote system 10.1.43.58 closed, reason code 1.",
"type": [
"end"
]
},
"host": {
"name": "EXPC3"
},
"observer": {
"product": "IBM i",
"vendor": "IBM",
"version": "7.3"
},
"process": {
"name": "QSYS/QTCPWRK",
"pid": 80247
},
"related": {
"user": [
"QSYS"
]
},
"user": {
"name": "QSYS"
}
}
Extracted Fields
The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed.
| Name | Type | Description |
|---|---|---|
@timestamp |
date |
Date/time when the event originated. |
event.action |
keyword |
The action captured by the event. |
event.category |
keyword |
Event category. The second categorization field in the hierarchy. |
event.code |
keyword |
Identification code for this event. |
event.dataset |
keyword |
Name of the dataset. |
event.reason |
keyword |
Reason why this event happened, according to the source |
event.type |
keyword |
Event type. The third categorization field in the hierarchy. |
file.directory |
keyword |
Directory where the file is located. |
file.name |
keyword |
Name of the file including the extension, without the directory. |
file.path |
keyword |
Full path to the file, including the file name. |
host.name |
keyword |
Name of the host. |
ibm_i.cat |
keyword |
The category of the object |
ibm_i.objName |
keyword |
The name of the object |
ibm_i.pgmName |
keyword |
The name of the program |
observer.product |
keyword |
The product name of the observer. |
observer.vendor |
keyword |
Vendor name of the observer. |
observer.version |
keyword |
Observer version. |
process.exit_code |
long |
The exit code of the process. |
process.name |
keyword |
Process name. |
process.pid |
long |
Process id. |
source.ip |
ip |
IP address of the source. |
source.port |
long |
Port of the source. |
user.name |
keyword |
Short name or login of the user. |
For more information on the Intake Format, please find the code of the Parser, Smart Descriptions, and Supported Events here.