Security events turn IBM MQ authorization failures into structured signals your security operations center can correlate with firewalls, identity systems, and application logs. When a misconfigured service account attempts PUT on a payroll queue, the client sees reason 2035 MQRC_NOT_AUTHORIZED; security events copy that fact to SYSTEM.ADMIN.SECURITY.EVENT for automated triage. Beginners enable SECEV after an audit, never deploy a reader, and miss brute-force patterns on SVRCONN listeners until a penetration test report arrives. This tutorial covers enabling security events, typical failure scenarios (CONNAUTH, CHLAUTH, OAM, RACF on z/OS), event message handling, SIEM rule examples, relationship to configuration and performance events, reducing false positives from development environments, and coordinated response with middleware and InfoSec teams.
Each event message encodes context: queue manager, object name, user identifier, connection type, and reason information that parsers map to tickets. The exact fields follow the IBM event message reference for your release.
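An added example, not IBM's code or part of the original tutorial: a sliding-window rule that flags ten 2035 denials within one minute for the same queue manager, object, and user, with an ignore list for development queue managers. The record field names (`time`, `qmgr`, `object`, `user`, `reason`) and the sample queue manager, queue, and user names are constructed for illustration, and the events are assumed to be already parsed from the event queue.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

MQRC_NOT_AUTHORIZED = 2035

def repeated_denials(events, threshold=10, window=timedelta(minutes=1),
                     ignore_qmgrs=frozenset()):
    """Return one alert each time a (qmgr, object, user) key reaches
    `threshold` 2035 denials inside a sliding `window`.
    Field names are assumptions, not the IBM event message layout."""
    recent = defaultdict(deque)          # key -> timestamps still in the window
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["reason"] != MQRC_NOT_AUTHORIZED or ev["qmgr"] in ignore_qmgrs:
            continue                     # other reasons and dev noise are skipped
        key = (ev["qmgr"], ev["object"], ev["user"])
        seen = recent[key]
        seen.append(ev["time"])
        while ev["time"] - seen[0] > window:
            seen.popleft()               # drop denials older than the window
        if len(seen) >= threshold:
            alerts.append({"key": key, "count": len(seen),
                           "first": seen[0], "last": seen[-1]})
            seen.clear()                 # re-arm so one burst raises one alert
    return alerts

# Constructed sample events (not real log data).
T0 = datetime(2024, 1, 1, 9, 0, 0)

def _ev(qmgr, obj, user, secs, reason=MQRC_NOT_AUTHORIZED):
    return {"time": T0 + timedelta(seconds=secs), "qmgr": qmgr,
            "object": obj, "user": user, "reason": reason}

SAMPLE = (
    # Burst: ten denials in 45 seconds on a production queue
    [_ev("PRODQM1", "ORDERS.IN", "svc_batch", 5 * i) for i in range(10)]
    # Slow drip: ten denials spread over 13.5 minutes, below the threshold
    + [_ev("PRODQM1", "PAYROLL.IN", "svc_report", 90 * i) for i in range(10)]
    # Development queue manager: noisy test traffic
    + [_ev("DEVQM1", "ORDERS.IN", "dev_tester", i) for i in range(12)]
)

if __name__ == "__main__":
    for alert in repeated_denials(SAMPLE, ignore_qmgrs={"DEVQM1"}):
        print(alert["key"], alert["count"], alert["first"], alert["last"])
```
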
| Failure type | Client sees | Operations checks |
|---|---|---|
| Application PUT denied | 2035 on PUT | Security event, OAM profile, app user |
| SVRCONN login failed | 2059 or auth error | CONNAUTH, LDAP, event queue |
| SDR blocked at connect | Channel error | CHLAUTH, TLS, security event |
| Browse production queue | 2035 on OPEN | SOC rule on repeated OPEN fails |
```
ALTER QMGR SECLEV(ENABLED)
DISPLAY QMGR SECLEV
DISPLAY QLOCAL('SYSTEM.ADMIN.SECURITY.EVENT') CURDEPTH MAXDEPTH
* After test failure from unauthorized user:
* Confirm CURDEPTH increased on security event queue
```
Verify the attribute name, SECLEV versus SECEV, in the documentation for your version; IBM has used SECEV in materials. Always run DISPLAY QMGR after ALTER to confirm the active values. Protect the security event queue with strict OAM: only the event consumer service account may GET; admins may DISPLAY depth.
CHLAUTH ADDRESSMAP and USERMAP rules block connections before full session establishment. Logs show AMQERR messages; security events give the SOC a stream without shell access to MQ servers. After rule changes, configuration events record the ALTER CHLAUTH, while the volume of security events should drop if the change fixed access for legitimate partners. Validate both streams during change windows.
On z/OS, RACF profiles govern queue manager and queue access, in addition to distributed-style OAM on some setups. Security events still centralize the middleware perspective; RACF SMF and audit cover platform identity. Mainframe security reviews expect both. Document which queue managers forward events to the enterprise SIEM versus platform-only tools.
Security events are the alarm on the server room door when someone uses the wrong badge—whether they got in or not, the attempt is recorded centrally.
When someone tries to open a toy box they are not allowed to use, a helper writes their name and what they tried in a special notebook for grown-up guards.
Write three SIEM rules with thresholds for production MQ security events.
Map investigation steps for ten 2035 errors in one minute on ORDERS.IN.
Explain the difference between a security event and a configuration event when CHLAUTH is ALTERed.
1. Security events help detect:
2. SECEV on queue manager enables:
3. CHLAUTH block may appear as:
4. Reason code 2035 means: