On the MQ ListServer, there has been a recent discussion that MQ does not have the built-in ability to audit what users and/or applications do when connected to a queue manager. Here is some of the comments:
Hubert said:
What’s about implementing an API exit? You could create a new MQ operator account (e. g. “mqoper”) which is able to read specific queues. The API exit then could report the change in a file or database, which is not readable by the mqoper account. Instead of such an API exit IBM could provide auditing events, to report such gets and puts.
Ian said:
On using an API exit, we had mooted writing an API exit to do just that. However management did not want a custom in-house solution to what is perceived as a blind-spot for the MQ product and possibly more importantly, an API exit can be disabled by the very person you are trying to audit. I think the idea of having an id such as mqoper would only work if you never allowed an MQ Administrator to switch to the real mqm userid.
Michael said:
same applies to reading/writing of messages by mqm, it’s all in the logs… when using circular logging mqm activity should be ‘kept/flagged’ as long as possible, to provide a meaningful audit trail. Lastly the log only contains information about persistent messages, for now I could live with that…
Ian said:
Thinking about this, I am more convinced than ever that any audit trail, if one is ever created, should be configurable at the queue level. One way of doing this was my suggestion to add an AUDIT attribute to the Queue definition. That would allow you to only audit particularly important queues. But there would be many ways of achieving the same functionality and the IBM Labs of course is the best place to decide how to do it.
I cannot comment on whether or not IBM will ever add auditing to MQ but many releases ago, IBM added API Exit functionality so that customers and/or 3rd party vendors could add auditing or other features to MQ. Capitalware’s MQ Auditor is one such product that makes full use of the API Exit functionality for auditing.
MQ Auditor is a solution that allows a company to audit/track all MQ API calls performed by MQ applications that are connected to a queue manager. MQ Auditor can log all API calls (MQCONN, MQOPEN, MQGET, MQPUT, etc..) issued by an application. It does not matter what application or UserID the user is using, by default, everything will be written to the MQ Auditor’s audit files.
MQ Auditor’s default behavior is to log all MQ API calls issued by all applications (users) but MQ Auditor can be tailored to only audit/track by Applications, UserIDs and/or Queues.
- By Applications means that MQ Auditor will log all MQ API calls whose application name matches the filter value.
- By UserIDs means that MQ Auditor will log all MQ API calls whose UserID matches the filter value.
- By Queues means that MQ Auditor will log all MQ API calls whose queue name matches the filter value.
For a FREE 60-day trial of MQ Auditor on AIX, HP-UX, IBM i 5.4 & 6.1, i5/OS V5R3, OS/400, Linux x86, Linux x64, Linux on POWER, Linux on zSeries, Solaris or Windows, please send an email to support@capitalware.com to request a trial.
Regards,
Roger Lacroix
Capitalware Inc.
