Online Product Support
For more in-depth questions, or any question that is not included in the FAQs, please contact your local Safestone support office for assistance.
Troubleshooting Questions
-
We are receiving the message … “DetectIT module ‘XXX’ is not valid. Please contact software supplier”. What does this mean?
This message is generated because of a missing license key. It is sent when DetectIT attempts to execute a report or program for a module which is not valid.
If you believe you should have a license for this module, contact your DetectIT supplier or Safestone Account Manager as soon as possible. However, if you believe you do not utilize this module, you can safely remove the message by executing this command:
RVKMODUSE XXX
-
I have noticed that the @MS library is getting bigger - why is this? How can I reduce it?
If you are collecting a large amount of security data and not purging it regularly, then the @MS library will grow. You can take a number of steps to control this within the Security Audit and Detection menu:
- Ensure you are printing only the reports you need, using “Control Daily Reports Requirements”.
- Change some of the reports so that they print in ‘summary’ format rather than ‘detail’.
- Decide which events you don’t need to see on the reports and omit them using the “Post Filter Screening” option.
- Reduce the amount of history kept online - review the System Maintenance screen for the number of days that DetectIT is retaining in history.
- Review the “Set Up Auditing Details” program. Additional “retain” parameters can be altered here to reduce the size of the security repository.
On request your DetectIT Technical Engineers can also provide interrogative tools to help further analyze the collected data.
-
I have a systems monitoring package and I have noticed that jobs called ALERTF1, ALERTF2 and ALERTF3 are running on a regular basis. What do these jobs do?
The ALERTF* jobs collect data for the DetectIT security repository, which is used to produce the End of Day reports and provide online enquiries. The 3 jobs are:
ALERTF1 - data collection from QAUDJRN and QHST
ALERTF2 - data collection for DetectIT file monitoring
ALERTF3 - data collection for Network Traffic Controller
You can specify how often these jobs run by changing the individual “Update Frequency (mins)” parameters in ‘Set Up Auditing Details’ in the Security Audit and Detection module (NOTE: if you do not use this module then similar programs can be found in the Network Traffic Controller).
If you specify a value of zero for these parameters, then no update will occur during the day, i.e. no ALERTF* job will run. The only update will occur during the End of Day run just before the DetectIT daily reporting.
If you set the jobs to run at regular intervals throughout the day, only new events will be collected, i.e. those that have occurred since the last run. One consequence of this is that the End of Day process will take less time to run because most of the data it needs for reporting purposes has already been collected.
-
My End of Day Audit reports are not running within DetectIT. Why?
Please review the System Control Management program (option 1 on most native module menus or from the ‘System i Data’ drop down menu in DetectIT Graphical). The parameter ‘Daily Reporting Time’ should be set for a time that will not interfere with other processing on your system (for example backups or IPL, etc.).
Another item to check is that the ALERT and TIMPGM subsystems are active. They must be active in order for the End of Day reports to run within DetectIT.
To see whether previous End of Day processes ran correctly, and for how long, use the command DSPEODLOG.
-
The reports generated by DetectIT End of Day contain information about events generated by users and programs that I don’t need to know about. How can I omit this information?
Within the “Post Filter Screening” option in the Security Audit and Detection module you can define rules which will cause matching events to be omitted from the reports. You can filter using global rules (i.e. affecting all reports), or rules for each individual report. The events to be omitted can be defined by combinations of job name, user ID, message ID and program name.
Please note that these events will still exist in the security repository for online interrogation, even though they are not printed on the End of Day reports.
-
When I sign on as ALERT I receive the message “profile expired please contact your manager”. What do I need to do to fix this?
The ALERT profile is delivered set to never expire, so a parameter must have been changed at some point. Please contact your DetectIT Technical Engineer and request the procedures for resetting ALERT.
-
We’ve received a CPF4128 error message about an object in DetectIT that is preventing other DetectIT jobs from processing. How can we prevent this from occurring?
The error you mention has been seen in the situation where the backup process locks files in the Safestone @* libraries, but another DetectIT process tries to access the same file. This is normally because the DetectIT subsystems have not been ended. Cancel the job, and ensure that DetectIT subsystems are fully ended before the backup starts.
-
I am experiencing communications errors and/or timeouts when trying to use one of the DetectIT Graphical modules. What could be wrong?
Please check the following:
- Ensure that DetectIT release level and all current PTFs have been installed and applied on the System i that you are trying to connect to. This information is included in the Deployment Guide.
- Check that the System i that you are trying to connect to can be reached from the PC where the client is loaded - try to ping the System i using the system name/IP address that you have defined within DetectIT Graphical.
- Check that the server jobs are active, on the System i that you are trying to connect to. From a command line on the System i, type WRKACTJOB SBS(TIMPGM). The jobs ALERTDS02 and ALERTDS03 should both be active with a status of TIMW.
- Check the TCP/IP status on the System i. From a command line on the System i, type WRKTCPSTS and take option 3. Ensure that local ports 6969 and 7272 (or your selected ports if you changed the Safestone defaults) are both listening and that there is only one instance of each.
- Try increasing the timeout period (from the ‘Environment’ drop down menu take ‘Settings’). The system may be busy and could be taking a long time to respond.
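The network checks in the list above can be run from the client PC in one pass. This is an added example, not Safestone code: the names `probe` and `check_host` and the reading of each result are assumptions based on ordinary TCP behaviour, and the ports are the defaults named above.

```python
import socket
import sys

# Safestone default ports named in the checklist; replace them if you chose
# different ports on the System i.
DEFAULT_PORTS = (6969, 7272)

# Which checklist item each outcome points to. This mapping is an assumption
# drawn from ordinary TCP behaviour, not from DetectIT documentation.
ADVICE = {
    "open": "port is listening; if the client still times out, raise the "
            "timeout under Environment > Settings",
    "refused": "host reachable but nothing is listening; check ALERTDS02 and "
               "ALERTDS03 with WRKACTJOB SBS(TIMPGM) and WRKTCPSTS option 3",
    "timeout": "no answer in time; check that the System i can be reached "
               "from this PC, or the system may be busy",
    "unresolved": "system name does not resolve; compare it with the system "
                  "name/IP address defined in DetectIT Graphical",
    "error": "other network error; check TCP/IP status on both ends",
}


def probe(host, port, timeout=3.0):
    """Attempt one TCP connection and classify the result."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.gaierror:          # name lookup failed
        return "unresolved"
    except socket.timeout:           # no SYN-ACK or RST within the timeout
        return "timeout"
    except ConnectionRefusedError:   # host answered, no listener on the port
        return "refused"
    except OSError:                  # unreachable network, etc.
        return "error"


def check_host(host, ports=DEFAULT_PORTS, timeout=3.0):
    """Return {port: (state, advice)} for each DetectIT Graphical port."""
    return {p: (s, ADVICE[s]) for p in ports for s in [probe(host, p, timeout)]}


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for port, (state, advice) in check_host(target).items():
        print(f"{target}:{port} {state}: {advice}")
```

Pass the same system name or IP address that is defined in DetectIT Graphical as the first argument, so the test follows the path the client uses.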
Check that the relevant Graphical module libraries are installed on your System i. Library @MSE should always be present, and the following libraries should be present depending on which modules have been installed:
Security Audit and Detection - @MSEAUD
Risk and Compliance Monitor - @MSEEXM
Network Traffic Controller - @MSECS
-
Why do I fail the security check when trying to access my System i from the DetectIT Graphical module?
This message suggests that the license key is not valid on the System i that you are trying to connect to.
-
I cannot connect to a particular System i because it says that the DetectIT Graphical Software on my PC and/or the System i that I am connecting to are not compatible. Why?
In order to run the software, there must be a version match between DetectIT loaded on the System i and the DetectIT Graphical client. A message of this type means that at least one part of this software is out of step with the other.
-
Since upgrading to release 11 of DetectIT, the Network Traffic Controller logs do not always show the current data. Why?
A new facility was introduced in release 11 of DetectIT called “Frequency Update for Client Server logs”. This was introduced in response to the increase in log size and activity we have noticed with recent versions of OS/400. It is designed to reduce the number of locks and rebuilds we had seen on the DetectIT Network Traffic Controller log files (MSF194*).
In release 11, when events are recorded they are stored in a temporary transaction file before being updated into the permanent MSF194* files. The frequency of the data collection from temporary to permanent is controlled by a new parameter which is set to 00 on install - i.e. no update is scheduled, apart from when the EOD process runs. This allows you to tailor the parameter to your own environment.
Please note that, as the temporary file has been collecting data since your last EOD, the first ALERTF3 job may take longer to run than normal.
-
The DetectIT server jobs ALERTDS02 and ALERTDS03 do not appear in the TIMPGM subsystem. Consequently the DetectIT Graphical client cannot connect. Why is that?
The jobs ALERTDS02 and ALERTDS03 only appear if you configure them to appear before the subsystems are started.
To configure this:
- Sign on to the green screen profile ALERT, and enter the command WRKDTITCP.
- On the resulting screen, take F6 to ADD a new TCP/IP connection.
- On the next screen select DTIE - GUI Work Server - by entering a 1 against that line. Press ENTER.
- On the next screen you are permitted to change the ports that DetectIT will use to connect to the GUI. If you do not need to do this, just press ENTER.
- Repeat steps 2-4 for the ‘product’ DTIERPT - GUI Work server.
When you have added these two details return to the DetectIT menu and restart the subsystems. The DS02 and DS03 jobs should now appear.
Please ensure that in the Graphical client the ports are consistent with the values you chose above.
For further information see the document “DetectIT Graphical Getting Started Guide” - section 2 “graphical software configuration”.
-
During a backup of the DetectIT libraries we received a message that the data area MSDTA82 was locked. Why would this be?
The data area MSDTA82 is used to ensure that the ‘end of day’ process (started by job ALERTPRT), is complete before performing some ‘housekeeping’ procedures. Therefore if MSDTA82 is in use it is because the ALERTPRT procedure has not yet completed. If you are trying to save the @* libraries before ‘end of day’ completes, you will get this lock message.
To rectify this:
- Check whether the end of day procedures normally complete in a ‘sensible’ amount of time. Use the DetectIT command DSPEODLOG to review the recent runs of this process. Normally we would expect this process to take from 20 to 80 minutes.
If it has recently started to take longer, then it is likely that you are generating more information than before, and this may be lengthening the collection process. Do you need to move the ‘end of day’ process to a different start time when the system is less busy?
- When preparing for your weekly saves it is important to check that the DetectIT subsystems have fully ended. If a critical job (such as the one with the lock on the MSDTA82 data area) cannot end, then the ENDSBS will not complete, unless you manually force the job to end. Please check the QSYSOPR messages for completion messages for ALERT and TIMPGM before progressing with the save.
