www.halcyonsoftware.com sell a product called “Audit Journal Monitor” which provides real time escalation of QAUDJRN entries, including (and I quote)….
“Quickly detect when invalid attempts are made to signon – especially if this happens to be QSECOFR”
www.ahtechnology.com.au also sell an equivalent product called Audit+++ that claims to do the same thing.
The existence of these 2 products means that it is possible to write a real time monitor for QAUDJRN that doesn’t screw the system (you would hope).
Personally, I would have thought that a CLP that uses RTVJRNE ENTTYP(PW) in a never ending loop, with an updated FROMTIME/TOTIME range wouldn’t be intrusive (I just ran DSPJRN for a 10 second period and the response was instantaneous)
Alternatively, you could just create QSYSMSG message queue in QSYS. Disabled profile messages (CPF1393) are sent there, as well as QSYSOPR. Put QSYSMSG into *BREAK (it only receives security messages, unlike QSYSOPR). See…