I have put the auditing option on with the *SECURITY and *AUTFAIL options set. I want to extract some of the information from this log, and it should be some meaningful information. Is there any script that can be used to get meaningful information out of the log? Please guide me.
You have three choices for pulling information out of the security audit journal. One way is to pull the information out of the audit journal, QAUDJRN, yourself. You can do this using the DSPJRN (Display Journal) command and dump the information to an outfile. But before you do that, I recommend that you create a duplicate of the model outfile for the particular entry types you're looking for and use that file on the OUTFILE parameter of the DSPJRN command. Then you can run queries over the outfile based on the entry-specific data. The name of the model outfile is always QASYxxJ4, where xx is the journal entry type. For example, QASYAFJ4 is the model outfile for the authority failure, or AF, entry type. The model file formats are all documented in Appendix F of the iSeries Security Reference manual.
Your second choice would be to use the reports provided by OS/400. You can use DSPAUDJRNE (Display Audit Journal Entry), which is one of the tools in SECTOOLS, and specify the journal entry types (AF, CO, DO, etc.) that you're interested in. OS/400 then does the CRTDUPOBJ of the model file for you and provides some selection criteria to narrow down the search. Then a printed report is produced or the results are displayed on the screen. The command also leaves the file QASYxxJE (where xx is the journal entry type) in library QUSRSYS, which you can use to run queries against.
Finally, you can purchase third-party solutions that help decipher the contents of the audit journal. There are probably others, but at least Bsafe Solutions, Raz-Lee Security Ltd, PentaSafe and SafeStone all have products that help you get data out of the audit journal. These vendors typically spell out or provide more of an explanation as to what each field means. Also, these products allow you to enter selection criteria so that you can get a report with only the information you're looking for, rather than getting a report with ALL of the data in the audit journal entry.
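The first two choices above, written out as commands you could type at an OS/400 command line. This is an added example and not part of the original answer: the library name MYAUDLIB, the outfile name AUDAF, the date range, and the field names used in the SQL statement (taken from the QASYAFJ4 record format as I recall it) are assumptions. Confirm the field names on your own release with DSPFFD before running the query.

```cl
/* Step 1: duplicate the model outfile for AF (authority failure) entries.   */
/* QASYAFJ4 lives in QSYS; the copy goes into an assumed library MYAUDLIB.    */
CRTDUPOBJ  OBJ(QASYAFJ4) FROMLIB(QSYS) OBJTYPE(*FILE) +
           TOLIB(MYAUDLIB) NEWOBJ(AUDAF)

/* Step 2: dump only AF entries from the audit journal into that outfile.     */
/* JRNCDE((T)) restricts to audit (T) entries, ENTTYP(AF) to authority        */
/* failures, and OUTFILFMT(*TYPE4) matches the *J4 model file layout.         */
/* The FROMTIME/TOTIME range shown is a constructed sample value.             */
DSPJRN     JRN(QAUDJRN) JRNCDE((T)) ENTTYP(AF) +
           FROMTIME('01/01/04' '000000') TOTIME('01/31/04' '235959') +
           OUTPUT(*OUTFILE) OUTFILFMT(*TYPE4) +
           OUTFILE(MYAUDLIB/AUDAF) ENTDTALEN(*CALC)

/* Step 3: query the outfile. Run this with STRSQL or RUNSQLSTM.              */
/* Assumed field names: AFVIOL = violation type, AFUSPF = user profile,       */
/* AFONAM/AFOLIB/AFOTYP = object name, library and type, AFTSTP = timestamp.  */
/* Grouping by user and object shows who keeps failing against what, which   */
/* is far more useful for review than scrolling every raw journal entry.      */
/*
SELECT AFUSPF, AFOLIB, AFONAM, AFOTYP, AFVIOL, COUNT(*) AS FAILURES,
       MIN(AFTSTP) AS FIRST_SEEN, MAX(AFTSTP) AS LAST_SEEN
  FROM MYAUDLIB/AUDAF
 GROUP BY AFUSPF, AFOLIB, AFONAM, AFOTYP, AFVIOL
 ORDER BY FAILURES DESC
*/

/* Alternative (second choice in the answer): let OS/400 do the CRTDUPOBJ     */
/* and selection for you and print a report; the outfile it leaves behind is  */
/* QUSRSYS/QASYAFJE, which you can query the same way.                        */
DSPAUDJRNE ENTTYP(AF) OUTPUT(*PRINT)
```

Re-running step 2 against a file that already has rows appends to it, so clear the outfile (CLRPFM) or give each extract its own receiver range or date window if you want one extract per review period.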
Related Q&A from Carol Woodbury