Audit processing

A new audit log file is started after a predetermined time or when the modify switch operator command is issued. The old log file is saved as audit.log.yyyymmdd.hhmmss, where yyyymmdd.hhmmss is the date/timestamp when this log was closed. The system date/timestamp assigned to the file indicates the creation of the log file. The combination of the two dates shows the time period covered by this audit log file.

The audit.action* directives in rse.env allow you to specify a user exit (z/OS® UNIX shell script, z/OS UNIX REXX, or z/OS UNIX program) which will be invoked by RSE when an audit log is closed. This user exit can then process the data within the audit log.

Audit log files have permission bit mask 640 (-rw-r-----), unless changed by the audit.log.mode directive in rse.env. This means that the owner (RSE daemon z/OS UNIX uid) has read and write access, and the owner’s (default) group has read access. All other access attempts are denied, unless they are made by a superuser (UID 0) or by a user with sufficient permission to the SUPERUSER.FILESYS profile in the UNIXPRIV security class.
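
An added example, not part of the original documentation: a POSIX shell check that reads the close time out of each audit.log.yyyymmdd.hhmmss name and flags any closed log whose mode is wider than the 640 default described above. The function names and the demo files are constructed for illustration; where the audit logs live and how the check is scheduled are left to the installation.

```shell
#!/bin/sh
# Added example: check closed RSE audit logs by name and permission bits.
# Function names and the demo files are constructed for illustration.

# Print the close time encoded in audit.log.yyyymmdd.hhmmss as
# "yyyy-mm-dd hh:mm:ss"; fail for any other name (e.g. the active log).
audit_log_closed_at() {
    printf '%s\n' "${1##*/}" | sed -n \
's/^audit\.log\.\([0-9]\{4\}\)\([0-9]\{2\}\)\([0-9]\{2\}\)\.\([0-9]\{2\}\)\([0-9]\{2\}\)\([0-9]\{2\}\)$/\1-\2-\3 \4:\5:\6/p' |
        grep .
}

# Succeed only if the mode is 640 or stricter: no execute bits, no group
# write, nothing for other. Reads the mode string from ls output.
audit_log_mode_ok() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    case $perms in
        -[r-][w-]-[r-]-----) return 0 ;;
        *) return 1 ;;
    esac
}

# Report every closed audit log in a directory; return 1 if any is too open.
audit_dir_report() {
    rc=0
    for f in "$1"/audit.log.*; do
        closed=$(audit_log_closed_at "$f") || continue
        if audit_log_mode_ok "$f"; then
            echo "OK    $f closed $closed"
        else
            echo "WIDE  $f closed $closed mode $(ls -ld "$f" | cut -c1-10)"
            rc=1
        fi
    done
    return $rc
}

# Demo on constructed files in a scratch directory (not real audit data).
demo=$(mktemp -d)
: > "$demo/audit.log.20240131.235959"; chmod 640 "$demo/audit.log.20240131.235959"
: > "$demo/audit.log.20240201.120000"; chmod 644 "$demo/audit.log.20240201.120000"
audit_dir_report "$demo" || echo "at least one closed audit log is wider than 640"
rm -rf "$demo"
```

A file reported as WIDE means audit.log.mode, or a later chmod, has granted access beyond the owner and the owner's group.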