If the error is similar to below, then is is a user based error.
Subsystem QINTER disabled user profile ALDON on device QPADEV0001.
Subsystem QINTER varied off work station QPADEV0001 for user ALDON.
I thought this has to do with the Invalid sign on attempts by the user, so whatsover is the AS400 ID we can easily find out the user name and trace his Comp.
I think if you check the details of the message in the QHST log (using DSPLOG) it should tell you the IP address where the error originated.
You could also use the Audit Journal. At a minimum, you will need to have system value QAUDCTL set to *AUDLVL and QAUDLVL set to *AUTFAIL and *SECURITY. Easiest to set these from the security tools menu (GO SECTOOLS)
Use option 12 on the security tools menu to copy the audit journal entries for for journal entry type “CP” and “PW”. This will create two tables. The default is QAUDITCP and QAUDITPW in QTEMP).
In QAUDITCP, any records where field CPSTAT=”*DISABLED” will give you the User name in field CPONAM and the IP address in field CPRADR. But, that is only for a green-screen signon. If the user is disabled at the initial grey window (iSeries Access) the address may be blank.
The PW records will give you any invalid password entries and invalid user account entries. In QAUDITPW , field PWUSRN is the user ID, PWTYPE is the type of error (P=Password, U=User Profile) and PWRADR is the IP Address.
Simple enough to write a program to extract all that information. Hope this helps.