Analyzing audit journal entries with query or a program

Overview:
Purpose:
Display or print selected information from journal entries.
How To:
DSPJRN OUTPUT(*OUTFILE), Create a query or program, or Run a query or program
Authority:
*USE authority to QSYS/QAUDJRN, *USE authority to journal receiver, and *ADD authority to library for output file

You can use the Display Journal (DSPJRN) command to write selected entries from the audit journal receivers to an output file. You can use a program or a query to view the information in the output file.

For the output parameter of the DSPJRN command, specify *OUTFILE. You see additional parameters prompting you for information about the output file:

                          Display Journal (DSPJRN)

Type choices, press Enter.
⋮
Output . . . . . . . . . . . . . > *OUTFILE
Outfile format . . . . . . . . .   *TYPE5
File to receive output . . . . .   dspjrnout
  Library  . . . . . . . . . . .     mylib
Output member options:
  Member to receive output . . .   *FIRST
  Replace or add records . . . .   *REPLACE
Entry data length:
  Field data format  . . . . . .   *OUTFILFMT
  Variable length field length
  Allocated length . . . . . . .
All security-related entries in the audit journal contain the same heading information, such as the entry type, the date of the entry, and the job that caused the entry. The QADSPJR5 file (with record format QJORDJE5) is provided to define these fields when you specify *TYPE5 for the output file format parameter. See Standard heading fields for audit journal entries QJORDJE5 Record Format (*TYPE5) for more information.

For more information about other records and their output file formats, see Layout of audit journal entries.

If you want to perform a detailed analysis of a particular entry type, use one of the model database outfiles provided. Table 1 shows the name of the model database output file for each entry type. Layout of audit journal entries shows the file layouts for each model database output file.

For example, to create an output file called AUDJRNAF5 in QGPL that includes only authority failure entries:

  1. Create an empty output file with the format defined for AF journal entries:
    CRTDUPOBJ OBJ(QASYAFJ5) FROMLIB(QSYS) +
      OBJTYPE(*FILE) TOLIB(QGPL) NEWOBJ(AUDJRNAF5)
  2. Use the DSPJRN command to write selected journal entries to the output file:
    DSPJRN JRN(QAUDJRN) … +
       JRNCDE(T) ENTTYP(AF) OUTPUT(*OUTFILE) +
       OUTFILFMT(*TYPE5) OUTFILE(QGPL/AUDJRNAF5)
  3. Use Query or a program to analyze the information in the AUDJRNAF5 file.

Here are a few examples of how you might use QAUDJRN information:

  • If you suspect someone is trying to break into your system:
    1. Make sure the QAUDLVL system value includes *AUTFAIL.
    2. Use the Create Duplicate Object (CRTDUPOBJ) command to create an empty output file with the QASYPWJ5 format.
    3. Use the DSPJRN command to write PW type journal entries to the output file. A PW type journal entry is logged when someone enters an incorrect user ID or password on the Sign On display.
    4. Create a query program that displays or prints the date, time, and workstation for each journal entry. This information should help you determine where and when the attempts are occurring.
  • If you want to test the resource security you have defined for a new application:
    1. Make sure the QAUDLVL system value includes *AUTFAIL.
    2. Run application tests with different user IDs.
    3. Use the Create Duplicate Object (CRTDUPOBJ) command to create an empty output file with the QASYAFJ5 format.
    4. Use the DSPJRN command to write AF type journal entries to the output file.
    5. Create a query program that displays or prints information about the object, job, and user. This information should help you determine which users and application functions are causing authority failures.
  • If you are planning a migration to security level 40:
    1. Make sure the QAUDLVL system value includes *PGMFAIL and *AUTFAIL.
    2. Use the Create Duplicate Object (CRTDUPOBJ) command to create an empty output file with the QASYAFJ5 format.
    3. Use the DSPJRN command to write AF type journal entries to the output file.
    4. Create a query program that selects the types of violation you are experiencing during your test and prints information about the job and program that cause each entry.
      Note: Table 1 shows which journal entry is written for each authority violation message.
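The following SQL, run with STRSQL or RUNSQLSTM against the QGPL/AUDJRNAF5 outfile created in the AF example above, is an added illustration of such a query and is not taken from this page. It assumes the AF-specific field names of the QASYAFJ5 model outfile (AFTSTP, AFUSPF, AFJOB, AFNBR, AFPGM, AFPGMLIB, AFVIOL, AFONAM, AFOLIB, AFOTYP); confirm them with DSPFFD FILE(QGPL/AUDJRNAF5) before running.

```sql
-- Added example (not from this page): analyze the AF (authority failure)
-- entries that DSPJRN wrote to QGPL/AUDJRNAF5 in the example above.
-- Field names are assumed from the QASYAFJ5 model outfile; verify them
-- with DSPFFD FILE(QGPL/AUDJRNAF5). SQL naming (QGPL.AUDJRNAF5) is used.

-- 1. Summary for the resource-security test and the level 40 migration
--    scenarios: which user profile is failing against which object, how
--    often, and with which violation type. AFVIOL holds the violation type
--    code from the AF entry layout ('A' is the plain not-authorized-to-
--    object case; the other codes are listed in Layout of audit journal
--    entries).
SELECT AFUSPF      AS user_profile,
       AFOLIB      AS object_library,
       AFONAM      AS object_name,
       AFOTYP      AS object_type,
       AFVIOL      AS violation_type,
       COUNT(*)    AS failures,
       MIN(AFTSTP) AS first_seen,
       MAX(AFTSTP) AS last_seen
  FROM QGPL.AUDJRNAF5
 GROUP BY AFUSPF, AFOLIB, AFONAM, AFOTYP, AFVIOL
 ORDER BY failures DESC;

-- 2. Detail for one test user of the new application: every failure with
--    the job and program that caused it, in time order, so each entry can
--    be matched to the application function under test.
SELECT AFTSTP, AFJOB, AFNBR, AFPGMLIB, AFPGM, AFVIOL,
       AFOLIB, AFONAM, AFOTYP
  FROM QGPL.AUDJRNAF5
 WHERE AFUSPF = 'TESTUSR1'   -- constructed sample user profile
 ORDER BY AFTSTP;
```

The same pattern applies to the PW outfile built from QASYPWJ5 for the sign-on scenario: group on the user and device fields of that format to see where and when the failed attempts occur.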