IBM Support

Using QAUDJRN to Determine the TCP/IP Address of a Failed FTP Log On Attempt

Troubleshooting


Problem

This document shows how to find the journal entry that shows you the TCP/IP address of the remote system that attempted, and failed, to successfully log on the FTP server on the IBM System i products.

Resolving The Problem

This document shows how to find the journal entry that shows you the TCP/IP address of the remote system that attempted, and failed, to successfully log on the FTP server on the IBM System i products. The release the system is at determines how to find this Remote Address field.

V5R2 and V5R3

If the system is at V5R2 or V5R3, do the following:

1.On the operating system command line, type the following:

CRTDUPOBJ OBJ(QASYPWJ5) FROMLIB(QSYS) OBJTYPE(*FILE) TOLIB(QGPL) NEWOBJ(PASSWORD)

Press the Enter key.
2.On the operating system command line, type the following:

DSPJRN JRN(QAUDJRN) ENTTYP(PW) OUTPUT(*OUTFILE) INCHIDENT(*YES) OUTFILFMT(*TYPE5) +
OUTFILE(QGPL/PASSWORD)

Press the Enter key.
3.On the operating system command line, type the following:

RUNQRY QRY(*NONE) QRYFILE((QGPL/password))

Press the Enter key. Scroll over to column 395 to view the Remote Address of the system that initiated the connection attempt. You will see entries similar to the following (which show the violating TCP/IP address to be 1.1.1.1 in this case):
                                             Display Report

 Report width . . . . . :     850
 Position to line  . . . . .
Shift to column  . . . . . .   300
 Line               0....+...31....+...32....+...33....+...34....+...35....+...36....+...37....+...38....+...39....+...40....+...41....+...42..
        Receiver    Receiver    Receiver  Arm      Thread    Thread            Address family  Remote   Remote
        Library     ASP         ASP       number   ID        ID                                port     address
                   device      number                       hex
 000001 GPL        *SYSBAS           1       10          *  000000000000002C        4          2,666   1.1.1.1
 000002 GPL        *SYSBAS           1        7         *Æ  000000000000019E        4          2,668   1.1.1.1
 ****** ********  End of report  ********

V5R4 and above

If the system is at V5R4 (or above), do the following:
1.On the operating system command line, type the following:

DSPJRN JRN(QAUDJRN) ENTTYP(PW)

Press the Enter key. The following screen will appear:
                            Display Journal Entries                            
                                                                               
 Journal  . . . . . . :   QAUDJRN         Library  . . . . . . :   QSYS        
 Largest sequence number on this screen  . . . . . . : 00000000000000016347    
 Type options, press Enter.                                                    
   5=Display entire entry                                                      
                                                                               
                                                                               
 Opt    Sequence  Code  Type  Object      Library     Job         Time          
           15507   T     PW                           QTFTP00343  12:19:47      
           15666   T     PW                           QINTER      13:00:08      
           15952   T     PW                           QZSOSIGN    13:52:56      
           15957   T     PW                           QZSOSIGN    13:53:09      
           16137   T     PW                           QINTER      14:38:37      
           16260   T     PW                           QZSOSIGN    15:09:50      
           16342   T     PW                           QTFTP02912  15:31:15      
           16347   T     PW                           QTFTP02912  15:32:15      
                                                                               
                                                                               
                                                                               
                                                                               
                                                                         Bottom
 F3=Exit   F12=Cancel
2.Select Option 5 next to the entry corresponding to the QTFTPxxxxx job that potentially encountered the problem, and press the Enter key.
3.After the entry is displayed, press the F10 key to display the entry details.
4.In the Entry Details screen, page down. You will see a screen similar to the following:
                        Display Journal Entry Details

 Journal  . . . . . . :   QAUDJRN         Library  . . . . . . :   QSYS

 Sequence . . . . . . :   15507
 Code . . . . . . . . :   T  - Audit trail entry
 Type . . . . . . . . :   PW - Invalid password or user ID

 Trigger  . . . . . . :   No
 Program  . . . . . . :   QTMFSRVR
   Library  . . . . . :     QTCP
   ASP device . . . . :     *SYSBAS
 System sequence  . . :   10207734176441131008
 Thread identifier  . :   0000000000000093
 Receiver . . . . . . :   ISAJ000004
   Library  . . . . . :     QGPL
   ASP device . . . . :     *SYSBAS
 Journal identifier . :   X'00000000000000000000'
 Remote address . . . :   2.2.2.2
 Address family . . . :   IPv4
                                                                        More...
 F3=Exit   F10=Display entry   F12=Cancel   F14=Display previous entry
 F15=Display only entry specific data                                  
5.Look at the Remote address field. In this case, a user at the system with the TCP/IP address 2.2.2.2 caused this entry.

[{"Product":{"code":"SWG60","label":"IBM i"},"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Component":"Communications-TCP","Platform":[{"code":"PF012","label":"IBM i"}],"Version":"Version Independent","Edition":"","Line of Business":{"code":"LOB57","label":"Power"}}]

Historical Number

460243427

Document Information

More support for:
IBM i

Software version:
Version Independent

Operating system(s):
IBM i

Document number:
636419

Modified date:
11 November 2019

UID

nas8N1014194

Manage My Notification Subscriptions

Page Feedback