watlerfore
Posted: Wed Jan 20, 2010 3:52 pm Post subject: WebSphere MQ user activity monitoring for Windows OS
Newbie
Joined: 20 Jan 2010 Posts: 5
We have a new need for the ability to "monitor" our WMQ v6.0 middle tier servers for any kind of interactive logons taking place in regards to WebSphere MQ. Can anyone suggest a tool that might be able to provide the timestamp, IP address of the person logging on, their id and what kind of activity they did with WMQ, such as browsed a queue, checked a channel status, queue status etc.? We do have BMC Patrol monitoring the QMGRs, queues and channels themselves, but I'm unaware if we could use that in some way.
exerk
Posted: Thu Jan 21, 2010 12:53 am Post subject:
Jedi Council
Joined: 02 Nov 2006 Posts: 6339
Switch on Events, but if you allow your people to su to mqm then you are going to have a real problem collating who did what as that account, and it will be an even worse nightmare if they log in interactively as mqm. Consider using mqm only as a service account and/or creating additional mqm-group accounts that are assigned to individuals.
EDIT: Doh! It's Windows
_________________ It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
Last edited by exerk on Fri Jan 22, 2010 12:50 am; edited 1 time in total
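The MQSC that actually switches on the queue manager events exerk refers to, as an added example that is not part of exerk's post or of the original thread. It is written for a WMQ v6 queue manager; the queue manager name is a placeholder, and the script is assumed to be fed to runmqsc by an MQ administrator:

```mqsc
* Added example, not from the original thread. Run it as an MQ administrator:
*   runmqsc QMGR_NAME_PLACEHOLDER < enable-events.mqsc
*
* Authority events: one event message for each MQRC_NOT_AUTHORIZED, carrying
* the user id and the object it was refused on. Note that this records
* refused access only; a successful browse by an authorised id produces
* no authority event.
ALTER QMGR AUTHOREV(ENABLED)
*
* Command events: each MQSC/PCF command issued against the queue manager,
* with the issuing user id. NODISPLAY leaves out DISPLAY commands; use
* ENABLED to record those too, at the cost of many more event messages.
ALTER QMGR CMDEV(NODISPLAY)
*
* Configuration events: a record of every object definition change.
ALTER QMGR CONFIGEV(ENABLED)
*
* Channel events: channel start and stop, including SVRCONN client
* connections, which is the closest the queue manager itself comes to
* logging an interactive "logon".
ALTER QMGR CHLEV(ENABLED)
*
* Confirm what is now switched on.
DISPLAY QMGR EVENT
*
* Event messages are ordinary messages on the SYSTEM.ADMIN.*.EVENT queues.
* Something (a monitoring product or a small reader program) must consume
* them; an event put to a queue that has reached MAXDEPTH is simply lost.
DISPLAY QLOCAL('SYSTEM.ADMIN.*') CURDEPTH MAXDEPTH
```

Two points follow from this for the original question. The event messages identify a user id, so they only answer "who" if individuals connect under their own ids rather than a shared mqm-group account, which is exerk's point above. And the event queues need a consumer from the moment events are enabled; leaving them to fill up means the audit trail silently stops at MAXDEPTH.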
zpat
Posted: Thu Jan 21, 2010 5:25 am Post subject:
Jedi Council
Joined: 19 May 2001 Posts: 5856 Location: UK
The free exit BlockIP2 can be installed and will log MQ client connections. It won't provide a direct link to actions done, but it helps.
However the key is to reduce the access granted so that you are not so concerned about "after the event", because you only allow the actions which are appropriate for each user role.
In other words, implement MQ security properly on a granular (group based) level instead of allowing people mqm access rights (unless they really are MQ admins).
mqjeff
Posted: Thu Jan 21, 2010 5:37 am Post subject:
Grand Master
Joined: 25 Jun 2008 Posts: 17447
zpat
Posted: Thu Jan 21, 2010 5:55 am Post subject:
Jedi Council
Joined: 19 May 2001 Posts: 5856 Location: UK
BlockIP2 with no additional configuration will just log to /var/mqm/exits and automatically keep a cycle of the log files.
Just copy the executable binary to /var/mqm/exits64 and set the name in the channel security exit something like this:
Code:
ALTER CHANNEL(XXX) CHLTYPE(SVRCONN) SCYDATA('-i +b') SCYEXIT('BlockIP2(BlockExit)')
watlerfore
Posted: Thu Jan 21, 2010 9:31 am Post subject:
Newbie
Joined: 20 Jan 2010 Posts: 5
It's more important to log if a particular user id has browsed a queue, deleted the messages, possibly moving the messages - the report should log this activity whether it's a WMQ Admin or not - we have a need to know who has performed these functions on the server - this is for the PCI requirements to secure the data.
Operating system - Windows 2003
WMQ v6.0.2
Vitor
Posted: Thu Jan 21, 2010 9:43 am Post subject:
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
watlerfore wrote:
moving the messages
You can't move messages on Windows, only z/OS.
watlerfore wrote:
the report should log this activity whether it's a WMQ Admin or not
If you're logging every user id that's browsing or deleting a message every time they do it, that's going to be a long report. Every application does that.
watlerfore wrote:
this is for the PCI requirements to secure the data.
This doesn't secure the data. This just tells you what happened to it. Securing the data requires different thinking and set up.
_________________ Honesty is the best policy.
Insanity is the best defence.
watlerfore
Posted: Thu Jan 21, 2010 9:57 am Post subject:
Newbie
Joined: 20 Jan 2010 Posts: 5
I agree completely - this will not secure data - it seems more along the lines of "big brother" to me - however, there is a need so we are trying to accommodate. I also suspect that a monitoring log would be huge in relation to this thread.
Let me ask in a different way - does Windows log this kind of activity in the Event and security logs already?
Would Tripwire Enterprise Agent be able to filter this information?
Vitor
Posted: Thu Jan 21, 2010 10:57 am Post subject:
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
watlerfore wrote:
Let me ask in a different way - does Windows log this kind of activity in the Event and security logs already?
No. Even the queue manager doesn't raise event messages unless specifically configured to do so (as mentioned earlier in the post). Be aware that all this logging will have an impact on performance (one of the reasons the queue manager doesn't log it by default).
watlerfore wrote:
Would Tripwire Enterprise Agent be able to filter this information?
No idea. Never heard of it.
_________________ Honesty is the best policy.
Insanity is the best defence.
bruce2359
Posted: Thu Jan 21, 2010 11:41 am Post subject:
Poobah
Joined: 05 Jan 2008 Posts: 9442 Location: US: west coast, almost. Otherwise, enroute.
(All of this is easily done on WMQ for z/OS, with SMF statistics and accounting records.)
_________________ I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
Vitor
Posted: Thu Jan 21, 2010 11:55 am Post subject:
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
bruce2359 wrote:
(All of this is easily done on WMQ for z/OS, with SMF statistics and accounting records.)
Well yes, but I somehow doubt the OP will be able to swing a migration from Windows to z/OS on the strength of improved auditability alone....
_________________ Honesty is the best policy.
Insanity is the best defence.
bruce2359
Posted: Thu Jan 21, 2010 12:15 pm Post subject:
Poobah
Joined: 05 Jan 2008 Posts: 9442 Location: US: west coast, almost. Otherwise, enroute.
Of course... but it's stuff like this (and security, automation, high-availability, etc.) that is normally excluded from platform choice discussions and decisions, and becomes an afterthought. The OP asks for something that was available 30+ years ago on big iron.
_________________ I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
exerk
Posted: Thu Jan 21, 2010 1:44 pm Post subject:
Jedi Council
Joined: 02 Nov 2006 Posts: 6339
bruce2359 wrote:
Of course... but it's stuff like this (and security, automation, high-availability, etc.) that is normally excluded from platform choice discussions and decisions, and becomes an afterthought. The OP asks for something that was available 30+ years ago on big iron.
Agreed, however I cannot envisage any enterprise sanctioning a re-platform to z/OS for something that will run on a thin-and-crispy. Just because one requirement of an application is available on 'big iron' is not enough of a driver or justification for putting it on that platform.
_________________ It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
Vitor
Posted: Thu Jan 21, 2010 3:02 pm Post subject:
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
exerk wrote:
bruce2359 wrote:
Of course... but it's stuff like this (and security, automation, high-availability, etc.) that is normally excluded from platform choice discussions and decisions, and becomes an afterthought. The OP asks for something that was available 30+ years ago on big iron.
Agreed, however I cannot envisage any enterprise sanctioning a re-platform to z/OS for something that will run on a thin-and-crispy. Just because one requirement of an application is available on 'big iron' is not enough of a driver or justification for putting it on that platform.
I think we can all agree that z/OS is the best platform for scalability, high availability, security, automation and just being better.
But this does not help the OP one iota.
_________________ Honesty is the best policy.
Insanity is the best defence.
bruce2359
Posted: Thu Jan 21, 2010 3:15 pm Post subject:
Poobah
Joined: 05 Jan 2008 Posts: 9442 Location: US: west coast, almost. Otherwise, enroute.
Whoa! I'm outnumbered. I made my seemingly harmless comment (parenthetically) for those who might not be familiar with the cost-benefit of z. z was not offered as a solution for this particular OP.
I am slinking away, tail between my legs...
_________________ I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.