Displaying intrusion detection events

Use the Intrusion Detection System GUI to display a list of potential intrusion events as well as detailed information about each event.

To display intrusion detection events, perform these steps:
  1. In IBM® Navigator for i, expand Security > Intrusion Detection.
  2. Click Display Events to display the Intrusion Detection Events page.
  3. By default, the Intrusion Detection Events page lists events that have occurred in the previous 24 hours. Perform any of the following tasks:
    • To refresh the intrusion detection events immediately, select Refresh from the Actions menu.
    • To display event details, select the event and select Details from the Actions menu. You can also find these event details in the intrusion monitor audit record.
    • To filter intrusion events, select Include from the Actions menu. For example, you can display all of the IDS events that have occurred on the system for a specific range, or include only the events that have occurred in the past five hours.
Tips:
  • If you get an intrusion detection event (or IM audit record) of type unknown with an IP address of 0.0.0.0 and any port for the port number, you can ignore it. This type of audit record occurs on system IPL when you specify IDS active.
  • If you cannot retrieve the intrusion events using the IDS GUI, use the following CL command to display the intrusion monitor (IM) audit records on the system:
    DSPJRN JRN(QSYS/QAUDJRN) RCVRNG(*CURCHAIN) ENTTYP(IM)
    You can also copy the IM records to a file so that you can display all the IM records with their fields. This allows you to see whether the intrusions are related by IP address, type, time of arrival, and so on. Use the following CL commands:
    CPYAUDJRNE IM
    RUNQRY *NONE QAUDITIM
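
Once the IM records have been copied to a file and exported, the relationship check described in the tips can be scripted. The following is an added example, not IBM code: it drops the ignorable IPL record (type unknown, IP address 0.0.0.0, any port) and groups the remaining events by IP address, type, and time of arrival. The CSV layout, column names, event type labels, and sample rows are constructed assumptions, not the real QAUDITIM field names.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export of IM records. Column names and type labels are
# hypothetical; map them to the fields in your own QAUDITIM export.
SAMPLE = """timestamp,event_type,remote_ip,remote_port
2024-05-01 02:00:05,UNKNOWN,0.0.0.0,0
2024-05-01 09:15:10,SCAN,198.51.100.7,40112
2024-05-01 09:15:40,SCAN,198.51.100.7,40113
2024-05-01 09:16:05,SCAN,198.51.100.7,40114
2024-05-01 13:30:00,SCAN,198.51.100.7,51000
2024-05-01 10:00:00,FLOOD,203.0.113.9,80
"""

def load_events(text):
    """Parse the exported CSV into dicts with a real datetime."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S")
        rows.append(row)
    return rows

def is_ipl_record(ev):
    # Type unknown with IP 0.0.0.0 (any port) is written at IPL and can be ignored.
    return ev["event_type"].upper() == "UNKNOWN" and ev["remote_ip"] == "0.0.0.0"

def correlate(events, window=timedelta(minutes=5)):
    """Return bursts as (ip, type, first_seen, last_seen, count), oldest first."""
    by_key = defaultdict(list)
    for ev in events:
        if not is_ipl_record(ev):
            by_key[(ev["remote_ip"], ev["event_type"])].append(ev["timestamp"])
    bursts = []
    for (ip, etype), times in by_key.items():
        times.sort()
        start = prev = times[0]
        count = 1
        for t in times[1:]:
            if t - prev > window:  # gap too long: close the burst, start a new one
                bursts.append((ip, etype, start, prev, count))
                start, count = t, 0
            prev = t
            count += 1
        bursts.append((ip, etype, start, prev, count))
    return sorted(bursts, key=lambda b: b[2])

if __name__ == "__main__":
    for ip, etype, first, last, count in correlate(load_events(SAMPLE)):
        print(f"{ip:15} {etype:8} {first} -> {last}  events={count}")
```

Repeated events from the same address that arrive within the window collapse into one burst, which makes related intrusions easier to spot than in the raw record list.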