Software files were deleted from AS/400 system

Tags:
AS/400
DSPLOG
OS/400
WRKSPLF
Dear docs,
I am very new to AS/400 administration. In our environment we have an AS/400 server at V6R1 with the OS/400 OS and IBM MQ software installed on it. Recently we found that some of the software files were deleted from the system. We have checked the job logs with the dsplog and wrksplf commands but did not find anything related nor anything. So is there any way, or any specific command or procedure, to find it?


Software/Hardware used:
MQ Software.AS400

Answer Wiki


Unless you had auditing turned on, you most likely are out of luck. Hopefully you can recover these files from a backup or archive. If this continues to be an issue you may need to address the issue of your system authority. Turn on auditing for starters. If these are key files to your business you may want to limit who has access to commands like DLTF. Check other possible areas such as SQL using DB2 databases. Are any applications using DROP TABLE? If this is a fairly new issue, I have seen it though, it may have been done by a disgruntled employee. If anyone has been let go recently make sure they do not have a valid sign on.

Discuss This Question: 4  Replies

 
  • pdraebel
    Is object auditing started on your system? Here you can check the DO entries (delete object). Another option would be to check your backups. What backup software do you run?
  • ToddN2000
    What particular files are you missing: system, user or some other type? They may have been temporary files used by queries or installation of some utility. As for finding out how and who deleted them, you may be out of luck unless you have journaling or auditing features enabled. Hopefully you can recover these files from a backup if they are needed.
  • TheRealRaven
    Unfortunately, spooled joblogs, dsplog and wrksplf are unlikely to show useful info about deleted files except by sheer luck. Assuming that your system has basic *DELETE auditing enabled, use DSPLOG over the QAUDJRN system audit journal to see DO entries for the suspected time frame. Beyond audits, it can be difficult.

    Other than maybe a couple system *SECOFR user profiles, there shouldn't be more than a couple user profiles authorized to delete any set of production files. By narrowing the time when any production file might have been deleted (when was it last needed/used), it might be possible to determine which user was logged on.

    Of course, if many, many users have been granted authority to delete production objects and no auditing is done, the decision was already made that it's not important enough to know.
  • azohawk
    I would agree that the ability to delete most objects should be limited to people in I.T. who know what they are doing (the exception to this would be temporary work files, but they should be created in library QTEMP, which gets deleted when the job ends). On a side note: you indicated that your OS is V6.1 (which is no longer supported); the next releases are v7.1 (support ends 4/30/18), v7.2, and v7.3. You may be limited by your hardware. Suggest you get to Common next month (www.common.org) and I highly recommend you look for sessions by Larry Bolhuis (aka Dr. Frankeni) -he may suggest some sessions that he is not leading that you attend as well-.
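The audit-journal check discussed in the answer and replies above, sketched in CL as an added example (not posted by anyone in the thread). It reads QAUDJRN with CPYAUDJRNE; the dates are constructed placeholders in the job's date format, and it assumes the user running it has *AUDIT special authority.

```cl
/* Added example, not from the thread. Run DSPSECAUD first to see the   */
/* current settings: the QAUDLVL parameter below sets the QAUDLVL       */
/* system value, so merge in any action values already being audited.   */
PGM

/* 1. Start security auditing with delete auditing. CHGSECAUD creates   */
/*    the QSYS/QAUDJRN journal and an initial receiver if they do not   */
/*    exist yet. Deletions made before this point are not recorded.     */
             CHGSECAUD  QAUDCTL(*AUDLVL) QAUDLVL(*DELETE)

/* 2. After a suspected deletion, copy the DO (delete operation)        */
/*    entries for the time window into an outfile. With the QAUDIT      */
/*    prefix the file created is QTEMP/QAUDITDO.                        */
/*    Dates are constructed placeholders; adjust to the window between  */
/*    the last known use of the file and the time it was found missing. */
             CPYAUDJRNE ENTTYP(DO) OUTFILE(QTEMP/QAUDIT) +
                          JRNRCV(*CURCHAIN) +
                          FROMTIME('01/15/18' '000000') +
                          TOTIME('01/16/18' '235959')

/* 3. Review the copied entries. Each record carries the timestamp,     */
/*    the job name/user/number, the user profile, and the name,         */
/*    library and type of the deleted object.                           */
             RUNQRY     QRYFILE((QTEMP/QAUDITDO))

ENDPGM
```

Only receivers still on the system are searched by *CURCHAIN, so audit journal receivers need to be saved before they are deleted if older deletions are to be traced.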
