Author |
Message
|
Rahul999 |
Posted: Tue Sep 21, 2010 3:29 am Post subject: Is it possible to trace the MQSC commands? |
|
|
 Centurion
Joined: 14 Mar 2007 Posts: 134
|
Is there any way to trace runmqsc commands run on a server (the system log doesn't give any information about it)?
It seems the system admin of our server has deleted one of our queues without our knowledge, and when we faced a problem, we got the response from him that the queue never existed.
Could we trace back the mqsc delete command somehow?
Regards |
|
exerk |
Posted: Tue Sep 21, 2010 3:48 am Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
If you're running WMQ V7.0, you might want to investigate configuration events.
Comparing those events with server access (no one has the ability to log-on directly as mqm or MUSR_MQADMIN do they?) should help nail the culprit.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
mqjeff |
Posted: Tue Sep 21, 2010 4:11 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
You could also institute a scheduled run of ms03 on a daily or hourly basis to keep track of changes.
There's otherwise little you can do to prevent the system's admin from mucking about with anything they choose, other than showing them the sharp end of a trout (in front of management when necessary) when they overstep their area of responsibility. |
|
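The scheduled-snapshot idea from the post above, as an added example (not part of the original thread and not ms03's own code): it compares two saved MQSC definition dumps and reports deleted, added and changed objects. The snapshot layout (DEFINE statements, `+` continuation, `*` comment lines), the object names and the function names are assumptions made for illustration.

```python
import re

# Constructed sample snapshots (not from the thread): MQSC text as a
# definition-dump tool might save it on two consecutive scheduled runs.
SNAPSHOT_MON = """\
* constructed sample, Monday run
DEFINE QLOCAL ('APP.ORDERS.IN') +
       MAXDEPTH(5000) +
       REPLACE
DEFINE QLOCAL ('APP.ORDERS.OUT') +
       MAXDEPTH(5000) +
       REPLACE
"""
SNAPSHOT_TUE = """\
* constructed sample, Tuesday run
DEFINE QLOCAL ('APP.ORDERS.IN') +
       MAXDEPTH(9000) +
       REPLACE
"""

# Assumed statement shape: DEFINE <type> ('<name>') <attributes...>
DEFINE_RE = re.compile(r"^DEFINE\s+(\w+)\s*\(\s*'?([^')]+)'?\s*\)\s*(.*)$", re.I)

def parse_snapshot(text):
    """Map (object type, name) -> normalised attribute string."""
    objects, stmt = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):   # blank or MQSC comment line
            continue
        if line.endswith("+"):                 # '+' continues the command
            stmt += line[:-1].strip() + " "
            continue
        m = DEFINE_RE.match((stmt + line).strip())
        stmt = ""
        if m:
            objects[(m.group(1).upper(), m.group(2))] = " ".join(m.group(3).split())
    return objects

def diff_snapshots(old_text, new_text):
    """Return (deleted, added, changed) object keys between two snapshots."""
    old, new = parse_snapshot(old_text), parse_snapshot(new_text)
    deleted = sorted(old.keys() - new.keys())
    added = sorted(new.keys() - old.keys())
    changed = sorted(k for k in old.keys() & new.keys() if old[k] != new[k])
    return deleted, added, changed
```

A deleted entry bounds the deletion to the interval between two runs, which can then be compared with the server's logon records.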
Vitor |
Posted: Tue Sep 21, 2010 4:16 am Post subject: Re: Is it possible to trace the MQSC commands? |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
Rahul999 wrote: |
Could we trace back the mqsc delete command somehow? |
The queue manager takes the default view that anyone with mqm authority is trustworthy, and doesn't record their activities.
It should be fairly easy to prove this queue once existed (since the application once worked); this gives you a timeline of when the queue must have been deleted and from that the audit trail of log ons should yield a pool of suspects.
But pro-active control is really the only option.
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
Michael Dag |
Posted: Tue Sep 21, 2010 5:39 am Post subject: Re: Is it possible to trace the MQSC commands? |
|
|
 Jedi Knight
Joined: 13 Jun 2002 Posts: 2607 Location: The Netherlands (Amsterdam)
|
Vitor wrote: |
Rahul999 wrote: |
Could we trace back the mqsc delete command somehow? |
The queue manager takes the default view that anyone with mqm authority is trustworthy, and doesn't record their activities. |
not entirely true... I have seen object creation and change information in the MQ Logs via a tool from one of the sponsors of this site (not my tools in this case), don't know about delete actions.
IMHO this information should be made available from the core of MQ. I have been advocating this from day 1; config events are nice but can also be turned off... system events (add, change, delete) should always be traceable, but that's just my 2 cents on this subject.
_________________
Michael
MQSystems Facebook page |
|
Vitor |
Posted: Tue Sep 21, 2010 6:00 am Post subject: Re: Is it possible to trace the MQSC commands? |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
Michael Dag wrote: |
not entirely true... I have seen object creation and change information in the MQ Logs via a tool from one of the sponsors of this site (not my tools in this case), don't know about delete actions.
|
Alarmingly I knew that & forgot it in the heat of the moment. IIRC that only applies if linear logging is in use, but I'm sure a qualified person will be along in a moment to comment.
I go to trout myself in shame.
_________________
Honesty is the best policy.
Insanity is the best defence. |
|