Here's an easy way to analyze audit journal entries.

There is a much easier way to analyze audit journal entries than going through the hassle of creating a library, a physical file (PF) and then an SQL statement.

The best way to do this efficiently is to display your audit journal to an output file and then query the file.

Execute a DSPJRN command and prompt it. The journal is QAUDJRN in QSYS. The starting journal receiver is either *CURRENT (the journal receiver currently being written to) or *CURCHAIN (all of the journal receivers on the system attached to QAUDJRN; WRKJRNA QAUDJRN will display them).

Enter the starting date and time if using *CURCHAIN, and the ending date and time. Enter the journal entry type (example: CP for changed passwords) and output = *OUTFILE. Enter the name of an empty file in QGPL or your own library.

NOTE: Journal entry types can be found on pages 228 - 234 in the OS/400 Security Reference. The object auditing value must be turned on in order to cut audit journal records for a particular journal entry type.

Query the newly written file.

If you want very detailed audit journal records, use the same procedure as above but use type 2 records.

To use type 2 records, go to the OS/400 Security Reference, pages 471 - 525, and find the journal entry type you are looking for. IBM has empty files on the system for type 2 records; these files are formatted for type 2 audit journal records. Run CRTDUPOBJ (create duplicate object) with data *NO against the file you need. On page 481, you'll see that the type 2 record for audit journal entry type CP is QASYCPJE / QSYS. Create a duplicate of this called something like AUDJRNCP2 / QGPL.

Run your type 2 DSPJRN to this outfile. Write a query against the records in this file.
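
The type 2 procedure above written out as CL commands, added here as an example and not part of the original tip. The date range is constructed and assumes a job date format of *MDY; the RVKOBJAUT step is an extra precaution the tip does not mention, included because QGPL is a shared library and the outfile will hold audit data.

```cl
/* Added example: type 2 outfile for CP (changed password) entries.  */
/* Object names come from the tip; the date range is constructed.    */

/* 1. Duplicate IBM's empty type 2 model file for CP entries.        */
CRTDUPOBJ  OBJ(QASYCPJE) FROMLIB(QSYS) OBJTYPE(*FILE) +
             TOLIB(QGPL) NEWOBJ(AUDJRNCP2) DATA(*NO)

/* 2. Extra step, not in the tip: remove public access to the copy   */
/*    before any audit records are written into it.                  */
RVKOBJAUT  OBJ(QGPL/AUDJRNCP2) OBJTYPE(*FILE) +
             USER(*PUBLIC) AUT(*ALL)

/* 3. Dump the CP entries from every receiver in the chain for the   */
/*    chosen period. Dates are MMDDYY here (job date format *MDY     */
/*    assumed), times are HHMMSS.                                    */
DSPJRN     JRN(QSYS/QAUDJRN) RCVRNG(*CURCHAIN) +
             FROMTIME(110101 000000) TOTIME(113001 235959) +
             ENTTYP(CP) +
             OUTPUT(*OUTFILE) OUTFILFMT(*TYPE2) +
             OUTFILE(QGPL/AUDJRNCP2) OUTMBR(*FIRST *REPLACE)

/* 4. Query the outfile. QRY(*NONE) runs a default query that lists  */
/*    every field, so no saved query definition is needed.           */
RUNQRY     QRY(*NONE) QRYFILE((QGPL/AUDJRNCP2))
```

For another entry type, change ENTTYP and duplicate the type 2 model file the Security Reference lists for that type.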


This was first published in November 2001
