> -----Original Message----- > From: IBM Mainframe Discussion List > [mailto:[EMAIL PROTECTED] On Behalf Of FRANSISCUS KAURRANY > Sent: Thursday, August 07, 2008 12:07 PM > To: [email protected] > Subject: Tracing from a Terminal/Netname > > Dear All, > > We had a user trying to logon using somebody's elses user-id, and he > accidently (or on purpose) enter a wrong password for more > than 3 times, > that caused that id to actually revoked by RACF. > > Is there a way to trace that back to the computer names/IP? So we can > know for sure who or at least from whose terminal that does that? > > > > We saw the syslog and sees something like this > [snip] > > The terminal GI15126 is IP POOLed Terminal, dynamic depending on the > request. It stays on somebodys's emulator until he/she closes it. > > So if I want to know, during this time terminal GI15126 is > being opened > by whose PC's name/IP how? > > Any help and suggestion is highly appreciated. > > Thank you > > Regards, > > Frans
If you have the SMF type 119 records turned on, then you could try to find the connect record for that LU name in the given time period. I.e. start at the time the error occurred and go back in time until you find the first connection record for that LU. One problem: if the IP address is assigned via DHCP (as most are anymore), then the IP address may be insufficient to track down the perp. Most DHCP servers don't bother to log an IP address vs. MAC address association. No, I don't have such a routine. -- John McKown Senior Systems Programmer HealthMarkets Keeping the Promise of Affordable Coverage Administrative Services Group Information Technology The information contained in this e-mail message may be privileged and/or confidential. It is for intended addressee(s) only. If you are not the intended recipient, you are hereby notified that any disclosure, reproduction, distribution or other use of this communication is strictly prohibited and could, in certain circumstances, be a criminal offense. If you have received this e-mail in error, please notify the sender by reply and delete this message without copying or disclosing it. ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
