Real-Time Auditing
This chapter presents a detailed discussion of the real-time auditing features. The discussion begins with a conceptual introduction and continues with the most commonly used features and parameters. Practical examples are presented together with detailed procedures.
Real-Time Detection
The principal feature of Audit is its ability to examine and respond to security-related events in real time. When the current IBM i (OS/400) audit settings detect an event, an entry is recorded in the security audit journal. At the same time, Audit looks for a real-time detection rule for this event.
If such a rule exists, Audit records the event in a history log and optionally triggers an alert message or command script, as specified by the rule definition. Action (sold as a separate product) performs these responsive actions.
The powerful query and reporting features of Audit use the contents of the history log. You must define real-time detection rules to capture and record events in the history log, even if no responsive action is necessary. In fact, you will likely create most of your real-time detection rules solely for the purpose of recording events in the history log for subsequent audit and analysis.
It is important to note that an event must first be detected by the current IBM i (OS/400) audit settings (the QAUDCTL and QAUDLVL system values, together with any object- or user-level auditing) in order for real-time detection to capture and record it in the history log and/or trigger an action. A rule defined for an event type that the operating system is not auditing never fires, because no journal entry is ever produced for it.
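The following is an added example, not code from the Audit product or this manual, that models the detection process described above so the gating effect of the operating-system audit settings can be seen concretely. The journal entry types (AF, PW, CP, CA, SV, DS, CO, DO, PA) and the QAUDLVL values that enable them are real IBM i values, but the table is a small subset; the rule structure, the function names, and the sample events are assumptions made purely for illustration.

```python
"""Toy model of the real-time detection pipeline: OS audit settings gate what
reaches the security audit journal, and only journaled events with a matching
rule reach the history log or trigger Action.

Constructed example, not the Audit product's code. Rule format, function
names and sample events are assumptions; the entry-type table is a subset
of the real IBM i QAUDLVL mapping.
"""
from dataclasses import dataclass, field

# Subset of QAUDLVL values and the QAUDJRN entry types each one enables.
QAUDLVL_ENTRY_TYPES = {
    "*AUTFAIL": {"AF", "PW"},                # authority failures, invalid sign-on
    "*SECURITY": {"CP", "CA", "SV", "DS"},   # profile, authority, sysval, DST changes
    "*CREATE": {"CO"},                       # object created
    "*DELETE": {"DO"},                       # object deleted
    "*PGMADP": {"PA"},                       # adopted authority used
}


@dataclass
class Event:
    entry_type: str   # QAUDJRN entry type, e.g. "PW"
    user: str
    detail: str


@dataclass
class Rule:
    entry_type: str
    action: str = ""  # message or command script for Action; "" = record only


@dataclass
class Outcome:
    journal: list = field(default_factory=list)  # entries QAUDJRN received
    history: list = field(default_factory=list)  # entries Audit kept in its history log
    actions: list = field(default_factory=list)  # (action, event) pairs handed to Action


def enabled_entry_types(qaudctl, qaudlvl):
    """Entry types the OS will journal under the given system values."""
    if "*AUDLVL" not in qaudctl:   # action auditing switched off entirely
        return set()
    return set().union(*(QAUDLVL_ENTRY_TYPES.get(v, set()) for v in qaudlvl))


def process(events, qaudctl, qaudlvl, rules):
    """Run events through OS auditing, then through Audit's detection rules."""
    out = Outcome()
    enabled = enabled_entry_types(qaudctl, qaudlvl)
    by_type = {r.entry_type: r for r in rules}
    for ev in events:
        if ev.entry_type not in enabled:
            continue                       # never journaled, so Audit never sees it
        out.journal.append(ev)
        rule = by_type.get(ev.entry_type)
        if rule is None:
            continue                       # journaled, but not recorded in the history log
        out.history.append(ev)             # a matching rule always records the event
        if rule.action:
            out.actions.append((rule.action, ev))
    return out


def inert_rules(rules, qaudctl, qaudlvl):
    """Configuration check: rules whose entry type the OS is not auditing."""
    enabled = enabled_entry_types(qaudctl, qaudlvl)
    return sorted(r.entry_type for r in rules if r.entry_type not in enabled)


# Constructed sample events (not real journal data).
SAMPLE_EVENTS = [
    Event("PW", "JSMITH", "invalid password at sign-on"),
    Event("SV", "QSECOFR", "QSECURITY changed 40 -> 30"),
    Event("CO", "JSMITH", "object PAYROLL/SALARY created"),
]

SAMPLE_RULES = [
    Rule("PW", action="SNDMSG MSG('Sign-on failure') TOUSR(*SYSOPR)"),  # hypothetical
    Rule("SV"),                                                          # record only
]

if __name__ == "__main__":
    print("inert with *AUTFAIL only:", inert_rules(SAMPLE_RULES, ["*AUDLVL"], ["*AUTFAIL"]))
    result = process(SAMPLE_EVENTS, ["*AUDLVL"], ["*AUTFAIL", "*SECURITY"], SAMPLE_RULES)
    print("history:", [e.entry_type for e in result.history])
    print("actions:", [a for a, _ in result.actions])
```

Running `inert_rules` against the live system values before relying on a rule is the practical check: a rule for SV entries is silently useless while QAUDLVL lacks *SECURITY, and every rule is useless while QAUDCTL lacks *AUDLVL.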
Figure 2: Audit’s Real-Time Detection Process
Integration with Action
As Figure 2 shows, one of the main advantages of real-time detection lies in its integration with the Action product. Audit only decides that a rule has matched; Action is the component that actually sends the alert messages and executes the command scripts that the rule specifies.