Software and Services for IBM i (iSeries/AS400)
Ask a question
1000 characters left


IBMi Change Control

IBMi Security & Auditing

IBMi Software Support

IBMi Development


IBMi - Auditing Password Authorization Failures

Some of these examples are built from the IBMi Security Administration and Compliance book and implemented in Enforcive installed on an IBMi.

Password Authorization Failures

Before setting up Alerts and reports on authorization failures check that the System Audit Policy in Enforcive includes *AUTHFAIL and that the System Security Journal has been started on the Alert collector Panel.

If you want to do this manually you need to change the system value QAUDLVL to include *AUTFAIL

Now you can configure an alert which happens real time as soon as a record is written to the Audit Journal. Enforcive's Alert collector handles all the the background tasks.

To extract the PW events manually you need to use the command DSPAUDJRNE to extract the data to a file and then display that file. It's much easier to extract that information with a tool like Enforcive.

This example looks for invalid password events which can be caused by a variety of actions. The action type is PW and the events can indicate invalid passwords being entered or invalid user ID's entered. The later could indicate an automated hack in progress.

The Alert is configured on three panels.

The Alert Condition - what to look for


The Time Condition - when to look for it

The Alert Action - what to do once alerted

The PW entries when printed using Enforcive's report generator look like this. You can see here FRED is not on our system, a quick sequence of invalid user names indicates a possible hack has been attempted.

Finally the email looks like this:-


Invalid Password :
System:LS089;Invalid Password
DATE: 2023-01-17
TIME: 15:45:36

 For a free demonstration contact us using the "ASK A QUESTION" tab on the left of this page.

#ibmi, #IBMiSecurity, #ibmiAuditing, #Enforcive

IBMi Security,Tools ,Change Control and Support