I view our iSeries Security Audit Journals on a daily basis. I am wondering what the recommended time is to hold onto the previous journals I have already viewed for violations. In other words, should I save more than one month's worth of journal logs before I delete them from the iSeries? Should I be archiving these journals onto tape or just delete them?
I hate to do this to you, but this is one of those "it depends" questions. The answer to this question should be found in your corporate security policy. Vital records retention schedules typically vary by industry. Some industries, like financial, healthcare and government have much longer retention schedules than, say, hospitality or retail.
If you have no regulatory statutes or industry standards to guide you, then you have to start thinking about why you would want to keep the audit records around. Beyond being legally required to keep audit logs, the primary reason companies keep them is so they will have forensics data in case they ever need to go back and investigate some action that occurred on their system. Without audit logs you might not have proof an activity occurred; therefore, proving a case in court might prove very difficult. How long do you keep audit logs around? That's a business choice that only you can make. Hopefully this has given you some help so you can make that decision.
Related Q&A from Carol Woodbury