IBM Support

Tracking User Connection Activity on IBM i

How To


Summary

Monitoring successful user connections is an essential security and auditing requirement on IBM i, particularly for highly privileged user profiles such as QSECOFR. Visibility into when a user connects, how the connection is established, and which system services are involved is critical for security reviews, forensic investigations, and compliance audits.

This document describes a supported, SQL-based approach to tracking successful user connections by analyzing job start audit journal entries. The solution leverages IBM i Services and does not require exit programs, triggers, or permanent database objects.

Objective

The objectives of this document are to identify successful connections for a specific user profile, track the start of user-related jobs, and determine the connection method based on job attributes and system server jobs. The examples focus on a specific user profile, V6CASTIL, but can easily be adapted for other profiles.

Environment

The following conditions must be met in order to capture and report on successful connections:

  • The system audit journal (QAUDJRN) must be active
  • QAUDLVL and/or QAUDLVL2 must include *JOBDAT or *JOBBAS job auditing values
  • Audit journal receivers must be retained for the reporting period

IBM i Service Used:

All examples in this document use the SYSTOOLS.AUDIT_JOURNAL_JS table function. This service returns JS (Job Change) audit journal entries and provides sufficient metadata to identify successful connections and infer the access method.

If auditing was not enabled at the time of the connection, historical activity cannot be reconstructed.

Warning: 

The IBM i operating system does not explicitly track successful sign-on events. Instead, audit journal entries recorded under the auditing values *JOBDAT and/or *JOBBAS track the lifecycle of a job. Using this data, it is possible to identify when jobs start, when they swap to or service a user profile, and when they end. This document explains how to interpret audit journal data to identify jobs that are servicing a user, but it does not provide confirmation of a successful sign-on event.

Steps

Step 1: Identify Server Connections for a Specific User:

Successful user connections result in job creation. JS entries are written only when a job successfully starts. IBM i does not explicitly record the access method as a single attribute. Instead, connection type is inferred using job attributes such as job type, job subtype, and job name. This method aligns with IBM Support guidance and internal diagnostic procedures.

Using the Run SQL Scripts tool, run the statement:  

SELECT ENTRY_TIMESTAMP AS JOB_EVENT_TIME,
       USER_NAME,
       JOB_NAME,
       JOB_TYPE,
       REAL_USER_PROFILE,
       ENTRY_TYPE,
       CASE
           WHEN ENTRY_TYPE = 'S' THEN 'Start'
           WHEN ENTRY_TYPE = 'E' THEN 'End'
           WHEN ENTRY_TYPE = 'M' THEN 'Change profile or group profile'
           ELSE 'Other'
       END AS JOB_EVENT_TYPE,
       CASE
           WHEN JOB_TYPE = 'INT' THEN '5250 / Telnet (Non-Secure unless SSL/Telnet configured)'
           WHEN JOB_NAME LIKE 'QZDASOINIT%' THEN 'ODBC / JDBC (Non-Secure)'
           WHEN JOB_NAME LIKE 'QZDASSINIT%' THEN 'ODBC / JDBC (Secure SSL/TLS)'
           WHEN JOB_NAME LIKE 'QTFTP%' THEN 'FTP (Non-Secure)'
           WHEN JOB_NAME LIKE 'QSSHD%' THEN 'SFTP (Secure SSH)'
           WHEN JOB_NAME LIKE 'QRWTSRVR%' THEN 'Remote SQL (Secure depends on configuration)'
           WHEN JOB_NAME LIKE 'QZRCSRVS%' THEN 'Remote Command (Secure depends on configuration)'
           WHEN JOB_NAME LIKE 'QP0ZSPWP%' THEN 'SSH / Spawned Process (Secure)'
           WHEN JOB_NAME LIKE 'QHTTPSVR%' THEN 'Web (HTTP or HTTPS - verify server config)'
           WHEN JOB_NAME LIKE 'QZLSFILE%' THEN 'Mapped Drive (Secure depends on NetServer config)'
           WHEN JOB_NAME LIKE 'QPWFSERVSO%' THEN 'File Server Job (Secure depends on config)'
           ELSE 'Other Host Server (Security Unknown)'
       END AS CONNECTION_TYPE,
       REMOTE_ADDRESS
    FROM TABLE (
            SYSTOOLS.AUDIT_JOURNAL_JS(STARTING_TIMESTAMP => CURRENT_TIMESTAMP - 7 DAYS)
        ) AJ
    WHERE REAL_USER_PROFILE = 'V6CASTIL' -- Update the User profile ID in all uppercase letters
          AND ENTRY_TYPE IN ('S', 'E', 'B', 'M')
          AND REAL_USER_PROFILE NOT IN ('QCTP', 'QUSER')
    ORDER BY JOB_EVENT_TIME DESC;

 

Notes for SQL:

  • This query returns results for the user profile V6CASTIL; update the REAL_USER_PROFILE filter as needed to report on other users.  

  • The User Profile ID must be specified in all upper case letters.

  • Adjust the timestamp filter as needed; it is currently configured to display data from the last seven days.

 

Notes for Interpreting the Results

  • This query does not identify successful sign-on events.
    IBM i does not record a discrete audit entry for a successful sign-on. The results reflect job lifecycle activity recorded by auditing, not authentication success.

  • Each row represents a job‑related audit event, not a user session.
    Multiple rows may be produced for a single connection due to job start, job reuse, profile swaps, or job termination.

  • JOB_EVENT_TYPE indicates how the job is changing state, not user intent:

    • Start (ENTRY_TYPE = 'S') indicates a job was started.
    • End (ENTRY_TYPE = 'E') indicates a job ended.
    • Change profile or group profile (ENTRY_TYPE = 'M') indicates job profile swapping or group profile changes.
    • These events may or may not correspond to an interactive user action.
  • REAL_USER_PROFILE identifies the profile being serviced, not necessarily the job owner.

    • This is especially important for server jobs that reuse or swap to different user profiles.
    • Profile changes (M entries) indicate user context changes within the same job.
  • CONNECTION_TYPE is inferred from job naming conventions, not explicitly recorded by IBM i.

    • Classification is based on well-known IBM i server job patterns (for example, QSSHD% for SFTP/SSH).
    • Custom or third‑party server jobs may appear as “Other Host Server.”
  • Multiple connection types may appear for the same user within the time period.

    • This does not imply simultaneous access.
    • Host server jobs are often reused across sessions.
  • REMOTE_ADDRESS shows the network endpoint associated with the job event, when available.

    • Not all job lifecycle events include a remote address.
    • For reused jobs, the address may reflect the most recent connection.
  • Ordering by JOB_EVENT_TIME shows the most recent activity first, which helps identify:

    • Ongoing or recent job servicing activity
    • Profile reuse patterns
    • Session termination order
  • Absence of a job end event does not necessarily indicate an active session.

    • Server jobs may remain active and later be reused for another user.
  • This query is best used for activity analysis and correlation, such as:

    • Identifying when a user profile was serviced by a job
    • Associating job activity with network addresses
    • Supporting audit or security investigations

    It should not be used as authoritative proof of user sign-on or logon success.
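
The following is an added example, not part of the original IBM document. Because each row of the Step 1 query is a job event rather than a session, it collapses the same JS entries into one row per profile, remote address, inferred service, and day. The profile list and the '*NONE' label are assumptions chosen for illustration.

```sql
-- Added example: summarize JS audit events instead of listing each one.
-- Uses only the columns and job-name patterns shown in the Step 1 query.
WITH JS_EVENTS AS (
    SELECT ENTRY_TIMESTAMP,
           REAL_USER_PROFILE,
           ENTRY_TYPE,
           -- Start/End entries often carry no address; label them (constructed label)
           COALESCE(NULLIF(TRIM(REMOTE_ADDRESS), ''), '*NONE') AS REMOTE_ADDRESS,
           CASE
               WHEN JOB_TYPE = 'INT' THEN '5250 / Telnet'
               WHEN JOB_NAME LIKE 'QZDASOINIT%' THEN 'ODBC / JDBC (Non-Secure)'
               WHEN JOB_NAME LIKE 'QZDASSINIT%' THEN 'ODBC / JDBC (Secure SSL/TLS)'
               WHEN JOB_NAME LIKE 'QTFTP%' THEN 'FTP (Non-Secure)'
               WHEN JOB_NAME LIKE 'QSSHD%' THEN 'SFTP (Secure SSH)'
               WHEN JOB_NAME LIKE 'QRWTSRVR%' THEN 'Remote SQL'
               WHEN JOB_NAME LIKE 'QZRCSRVS%' THEN 'Remote Command'
               WHEN JOB_NAME LIKE 'QP0ZSPWP%' THEN 'SSH / Spawned Process'
               WHEN JOB_NAME LIKE 'QHTTPSVR%' THEN 'Web'
               WHEN JOB_NAME LIKE 'QZLSFILE%' THEN 'Mapped Drive'
               WHEN JOB_NAME LIKE 'QPWFSERVSO%' THEN 'File Server Job'
               -- Keep the job name so unmatched or third-party servers stay visible
               ELSE 'Other: ' CONCAT JOB_NAME
           END AS CONNECTION_TYPE
        FROM TABLE (
                SYSTOOLS.AUDIT_JOURNAL_JS(STARTING_TIMESTAMP => CURRENT_TIMESTAMP - 7 DAYS)
            ) AJ
        -- Assumption: profiles under review; specify in all uppercase letters
        WHERE REAL_USER_PROFILE IN ('QSECOFR', 'V6CASTIL')
              AND ENTRY_TYPE IN ('S', 'M', 'E')
)
SELECT REAL_USER_PROFILE,
       REMOTE_ADDRESS,
       CONNECTION_TYPE,
       DATE(ENTRY_TIMESTAMP) AS ACTIVITY_DATE,
       COUNT(*) AS EVENT_COUNT,
       SUM(CASE WHEN ENTRY_TYPE = 'S' THEN 1 ELSE 0 END) AS JOB_STARTS,
       SUM(CASE WHEN ENTRY_TYPE = 'M' THEN 1 ELSE 0 END) AS PROFILE_SWAPS,
       MIN(ENTRY_TIMESTAMP) AS FIRST_SEEN,
       MAX(ENTRY_TIMESTAMP) AS LAST_SEEN
    FROM JS_EVENTS
    GROUP BY REAL_USER_PROFILE, REMOTE_ADDRESS, CONNECTION_TYPE, DATE(ENTRY_TIMESTAMP)
    ORDER BY LAST_SEEN DESC;
```

A row with an unfamiliar REMOTE_ADDRESS, a non-secure service, or an 'Other:' job name for a privileged profile is a starting point for review; as with the Step 1 query, the counts reflect job lifecycle events, not confirmed sign-ons.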

 

Sample Report:

| JOB_EVENT_TIME | USER_NAME | JOB_NAME | JOB_TYPE | REAL_USER_PROFILE | ENTRY_TYPE | JOB_EVENT_TYPE | CONNECTION_TYPE | REMOTE_ADDRESS |
|---|---|---|---|---|---|---|---|---|
| 4/9/2026 7:07 | V6CASTIL | QP0ZSPWP | BCI | V6CASTIL | E | End | SSH/Spawned Process | |
| 4/9/2026 7:07 | V6CASTIL | QP0ZSPWP | BCI | V6CASTIL | S | Start | SSH/Spawned Process | |
| 4/9/2026 7:07 | V6CASTIL | QP0ZSPWP | BCI | V6CASTIL | M | Change profile or group profile | SSH/Spawned Process | 172.16.3.250 |
| 4/9/2026 7:02 | V6CASTIL | QZRCSRVS | PJ | V6CASTIL | E | End | WEB/ Remote Command | |
| 4/8/2026 15:47 | V6CASTIL | QZRCSRVS | PJ | V6CASTIL | M | Change profile or group profile | WEB /Remote Command | 172.16.3.250 |
| 4/8/2026 15:47 | V6CASTIL | QZRCSRVS | PJ | V6CASTIL | M | Change profile or group profile | Remote Command | 172.16.3.250 |
| 4/8/2026 15:47 | V6CASTIL | QZDASOINIT | PJ | V6CASTIL | M | Change profile or group profile | ODBC / JDBC | 172.16.3.250 |
| 4/8/2026 15:47 | V6CASTIL | QZSOSIGN | PJ | V6CASTIL | M | Change profile or group profile | Other Host Server | 172.16.3.250 |
| 4/8/2026 15:47 | V6CASTIL | QZSOSIGN | PJ | V6CASTIL | M | Change profile or group profile | Other Host Server | 172.16.3.250 |
| 4/8/2026 13:25 | V6CASTIL | QZRCSRVS | PJ | V6CASTIL | E | End | Remote Command | |
| 4/8/2026 11:45 | V6CASTIL | QZRCSRVS | PJ | V6CASTIL | M | Change profile or group profile | Remote Command | 172.16.3.250 |
| 4/8/2026 11:45 | V6CASTIL | QZRCSRVS | PJ | V6CASTIL | M | Change profile or group profile | Remote Command | 172.16.3.250 |
| 4/8/2026 11:45 | V6CASTIL | QZDASOINIT | PJ | V6CASTIL | M | Change profile or group profile | ODBC / JDBC | 172.16.3.250 |
| 4/8/2026 11:24 | V6CASTIL | QPWFSERVSO | PJ | V6CASTIL | M | Change profile or group profile | File Server Job | 172.16.3.250 |
| 4/8/2026 11:24 | V6CASTIL | QZRCSRVS | PJ | V6CASTIL | M | Change profile or group profile | Remote Command | 172.16.3.250 |
| 4/8/2026 11:24 | V6CASTIL | QZRCSRVS | PJ | V6CASTIL | M | Change profile or group profile | Remote Command | 172.16.3.250 |
| 4/8/2026 11:24 | V6CASTIL | QZRCSRVS | PJ | V6CASTIL | E | End | Remote Command | |
| 4/8/2026 8:32 | V6CASTIL | QZRCSRVS | PJ | V6CASTIL | M | Change profile or group profile | Remote Command | 172.16.3.250 |
| 4/8/2026 8:32 | V6CASTIL | QZRCSRVS | PJ | V6CASTIL | M | Change profile or group profile | Remote Command | 172.16.3.250 |
| 4/8/2026 8:32 | V6CASTIL | QZSOSIGN | PJ | V6CASTIL | M | Change profile or group profile | Other Host Server | 172.16.3.250 |
| 4/8/2026 8:32 | V6CASTIL | QPADEV003G | INT | V6CASTIL | S | Start | 5250 / Telnet | 172.16.3.250 |
| 4/8/2026 8:32 | V6CASTIL | QZRCSRVS | PJ | V6CASTIL | E | End | Remote Command | |
| 4/8/2026 8:32 | V6CASTIL | QZRCSRVS | PJ | V6CASTIL | M | Change profile or group profile | Remote Command | 172.16.3.250 |
| 4/8/2026 8:32 | V6CASTIL | QZRCSRVS | PJ | V6CASTIL | M | Change profile or group profile | Remote Command | 172.16.3.250 |
| 4/8/2026 8:32 | V6CASTIL | QZSOSIGN | PJ | V6CASTIL | M | Change profile or group profile | Other Host Server | 172.16.3.250 |
| 4/8/2026 8:32 | V6CASTIL | QZSOSIGN | PJ | V6CASTIL | M | Change profile or group profile | Other Host Server | 172.16.3.250 |

 

Summary:

By using the AUDIT_JOURNAL_JS service, administrators can reliably track successful user connections and identify how those connections were established. This approach is fully supported, non-intrusive, and aligns with IBM i security and auditing best practices.

 

 

 

 

Document Location

Worldwide


Document Information

Modified date:
13 May 2026

UID

ibm17269032