Dear All,

We had a user trying to log on using somebody else's user ID, and he
accidentally (or on purpose) entered a wrong password more than 3 times,
which caused that ID to actually be revoked by RACF.

Is there a way to trace that back to the computer name/IP, so that we can
know for sure who did that, or at least from whose terminal it was done?

We looked at the syslog and saw something like this:

M 0080000 ESAT     08218 16:31:53.52          00000294  ICH408I USER(USERID1 ) GROUP(APLIDS1 ) NAME(USER ID ONE NAME    ) 855
E                                         855 00000294    LOGON/JOB INITIATION - INVALID PASSWORD ENTERED AT TERMINAL GI15126
M 0080000 ESAT     08218 16:31:54.25          00000294  ICH408I USER(USERID1 ) GROUP(APLIDS1 ) NAME(USER ID ONE NAME    ) 856
E                                         856 00000294    LOGON/JOB INITIATION - INVALID PASSWORD ENTERED AT TERMINAL GI15126
M 0080000 ESAT     08218 16:31:54.99          00000294  ICH408I USER(USERID1 ) GROUP(APLIDS1 ) NAME(USER ID ONE NAME    ) 857
E                                         857 00000294    LOGON/JOB INITIATION - INVALID PASSWORD ENTERED AT TERMINAL GI15126
M 0080000 ESAT     08218 16:31:55.69          00000294  ICH408I USER(USERID1 ) GROUP(APLIDS1 ) NAME(USER ID ONE NAME    ) 858
E                                         858 00000294    LOGON/JOB INITIATION - INVALID PASSWORD ENTERED AT TERMINAL GI15126
M 0080000 ESAT     08218 16:31:56.52          00000294  ICH408I USER(USERID1 ) GROUP(APLIDS1 ) NAME(USER ID ONE NAME    ) 859
E                                         859 00000294    LOGON/JOB INITIATION - INVALID PASSWORD ENTERED AT TERMINAL GI15126
M 0080000 ESAT     08218 16:31:57.35          00000294  ICH408I USER(USERID1 ) GROUP(APLIDS1 ) NAME(USER ID ONE NAME    ) 860
E                                         860 00000294    LOGON/JOB INITIATION - EXCESSIVE PASSWORDS OR INACTIVE USER

The terminal GI15126 is an IP-pooled terminal, assigned dynamically depending
on the request. It stays on somebody's emulator until he/she closes it.

So how can I find out whose PC (name/IP) had terminal GI15126 open
during this time?

Any help and suggestions are highly appreciated.

Thank you

Regards,

Frans


----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
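
Added example (not part of the original post): Python code that un-wraps ICH408I logon records in the form quoted above and reports, per user ID, the terminal LU name and the time window of the bad-password burst, which is the interval to match against whatever record ties an LU name to a client address. It assumes the five-digit field is a yyddd Julian date; the function names are illustrative.

```python
import re
from datetime import datetime

# Three of the records quoted in the post, still wrapped as they appear there.
SAMPLE = """\
M 0080000 ESAT     08218 16:31:55.69          00000294  ICH408I
USER(USERID1 ) GROUP(APLIDS1 ) NAME(USER ID ONE NAME    ) 858
E                                         858 00000294    LOGON/JOB
INITIATION - INVALID PASSWORD ENTERED AT TERMINAL GI15126
M 0080000 ESAT     08218 16:31:56.52          00000294  ICH408I
USER(USERID1 ) GROUP(APLIDS1 ) NAME(USER ID ONE NAME    ) 859
E                                         859 00000294    LOGON/JOB
INITIATION - INVALID PASSWORD ENTERED AT TERMINAL GI15126
M 0080000 ESAT     08218 16:31:57.35          00000294  ICH408I
USER(USERID1 ) GROUP(APLIDS1 ) NAME(USER ID ONE NAME    ) 860
E                                         860 00000294    LOGON/JOB
INITIATION - EXCESSIVE PASSWORDS OR INACTIVE USER
"""

# date, time, user ID and message text of one un-wrapped ICH408I logon record
REC = re.compile(
    r"\b(\d{5}) (\d\d:\d\d:\d\d\.\d\d) \S+ ICH408I USER\(([^\s)]+) *\).*?"
    r"LOGON/JOB INITIATION - (.+?)(?= M \d|$)")

def parse(log):
    """Return (timestamp, user, terminal_or_None, text) per ICH408I logon record."""
    flat = " ".join(log.split())  # undo the line wrapping
    events = []
    for day, clock, user, text in REC.findall(flat):
        ts = datetime.strptime(f"{day} {clock}", "%y%j %H:%M:%S.%f")  # assumed yyddd
        term = re.search(r"AT TERMINAL (\S+)", text)
        events.append((ts, user, term.group(1) if term else None, text))
    return events

def failure_windows(events):
    """Per user: terminals seen, first/last bad password, count, lockout time."""
    windows = {}
    for ts, user, term, text in events:
        w = windows.setdefault(user, {"terminals": set(), "first": None,
                                      "last": None, "failures": 0, "excessive_at": None})
        if text.startswith("INVALID PASSWORD"):
            w["terminals"].add(term)
            w["first"] = w["first"] or ts
            w["last"] = ts
            w["failures"] += 1
        elif text.startswith("EXCESSIVE PASSWORDS"):
            w["excessive_at"] = ts  # this record names no terminal
    return windows

if __name__ == "__main__":
    print(failure_windows(parse(SAMPLE)))
```

The final "EXCESSIVE PASSWORDS" record carries no terminal name, so the terminal has to be taken from the failures that precede it for the same user ID.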
