Tip

Here's an easy way to analyze audit journal entries.

There is a much easier way to analyze audit journal entries than going through the hassle of creating a library, a PF and then an SQL.

The best way to do this efficiently is to display your audit journal to an output file and then query the file.

Prompt the DSPJRN command. The journal is QAUDJRN in QSYS. The starting journal receiver is either *CURRENT (the journal receiver currently being written to) or *CURCHAIN (all of the journal receivers on the system attached to QAUDJRN; WRKJRNA QAUDJRN will display this).

Enter the starting date and time if using *CURCHAIN, and the ending date and time. Enter the journal entry type (example: CP for changed passwords) and output = *OUTFILE. Enter the name of an empty file in QGPL or your own library.

NOTE: Journal entry types can be found on pages 228 - 234 in the OS/400 Security Reference. The object auditing value must be turned on in order to cut audit journal records for a particular journal entry type.

Query the newly written file.

If you want very detailed audit journal records, use the same procedure as above but use type 2 records.

To use type 2 records, go to the OS/400 Security Reference, pages 471 - 525, and find the journal entry type you are looking for. IBM has empty files on the system for type 2 records. These files are formatted for type 2 audit journal records, and you should run CRTDUPOBJ (create duplicate object) with data *NO against them. On page 481, you'll see that the type 2 record file for audit journal entry type CP is QASYCPJE / QSYS. Create a duplicate of this called something like AUDJRNCP2 / QGPL.

Run your type 2 DSPJRN to this outfile. Write a query against the records in this file.
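The type 2 procedure above as one CL program, added here as an example and not part of the original tip. The date range is constructed and assumes a job date format of *MDY; the CHKOBJ guard and the *PUBLIC *EXCLUDE authority on the outfile are additions, since the outfile will hold audit data.

```cl
/* Added example: CP (changed password) entries to a type 2 outfile.  */
/* Dates below are constructed and assume job date format *MDY.       */
PGM
  /* Create the empty outfile once, from the IBM-supplied model file. */
  CHKOBJ     OBJ(QGPL/AUDJRNCP2) OBJTYPE(*FILE)
  MONMSG     MSGID(CPF9801) EXEC(DO)   /* CPF9801 = object not found  */
    CRTDUPOBJ  OBJ(QASYCPJE) FROMLIB(QSYS) OBJTYPE(*FILE) +
                 TOLIB(QGPL) NEWOBJ(AUDJRNCP2) DATA(*NO)
    /* The outfile holds audit data: keep general users out of it.    */
    GRTOBJAUT  OBJ(QGPL/AUDJRNCP2) OBJTYPE(*FILE) +
                 USER(*PUBLIC) AUT(*EXCLUDE)
  ENDDO

  /* Journal code T is the audit journal code; ENTTYP selects CP.     */
  /* *CURCHAIN reads every receiver attached to QAUDJRN, so the       */
  /* FROMTIME/TOTIME window limits how much is written.               */
  DSPJRN     JRN(QSYS/QAUDJRN) RCVRNG(*CURCHAIN) +
               FROMTIME('11/01/01' '000000') +
               TOTIME('11/30/01' '235959') +
               JRNCDE((T)) ENTTYP(CP) +
               OUTPUT(*OUTFILE) OUTFILFMT(*TYPE2) +
               OUTFILE(QGPL/AUDJRNCP2) OUTMBR(*FIRST *REPLACE)

  /* Ad hoc query over the outfile without a stored query definition. */
  RUNQRY     QRY(*NONE) QRYFILE((QGPL/AUDJRNCP2))
ENDPGM
```

OUTMBR(*FIRST *REPLACE) overwrites the previous extract on each run, so the query always reflects the date window just requested.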


This was first published in November 2001
