There is a much easier way to analyze audit journal entries other than going through the hassle of creating a library, PF and then an SQL.
The best way to do this efficiently is to display your audit journal to an output file and then query the file.
Execute a DSPJRN command and prompt it. The journal is QAUDJRN in QSYS. The starting journal receiver is either *current (current journal receiver being written to) or *curchain (all of the journal receivers on the system attached to the QAUDJRN. (WRKJRNA QAUDJRN will display this).
Enter in the starting date and time if using *curchain and the ending date and time. Enter in the journal entry type (example: CP for changed passwords) and output = *outfile. Enter in the name of an empty file in QGPL or your own library.
NOTE: Journal entry types can be found on pages 228 - 234 in the OS/400 Security Reference. The object auditing value must be turned on in order to cut audit journal records for a particular journal entry type.
Query the newly written to file.
If you want very detailed audit journal records, use the same procedure as above but use type 2 records.
In order to use type2 records, go to the OS/400 Security Reference, pages 471 - 525. Find the journal entry type you are looking for. IBM has empty files on the system for type2 records. These files should have a CRTDUPOBJ (create duplicate object), data *no executed on them. These files are formatted for type2 audit journal records. On page 481, you'll see that type2 record for audit journal entry type CP is QASYCPJE / QSYS. Create a duplicate of this called something like AUDJRNCP2 / QGPL.
Run your type2 DSPJRN to this outfile. Write a query against the records in this file.
MORE INFORMATION ON THIS TOPIC
The Best Web Links: tips, tutorials and more.
Ask your systems management questions--or help out your peers by answering them--in our live discussion forums.
Ask the Experts yourself: Our systems management gurus are waiting to answer your technical questions.