Using journals to monitor object activity

If you include the *AUTFAIL value for system action auditing (the QAUDLVL system value), the system writes an audit journal entry for every unsuccessful attempt to access a resource. For critical objects, you can also set up object auditing so the system writes an audit journal entry for each successful access.

The audit journal records only that the object was accessed. It does not log every transaction to the object. For critical objects on your system, you might want more detailed information about the specific data that was accessed and changed. Object journaling can provide you with those details. Object journaling is used primarily for object integrity and recovery. Refer to the Journal management topic for a list of object types which can be journaled, and what is journaled for each object type. A security officer or auditor can also use these journal entries to review object changes. Do not journal any objects to the QAUDJRN journal.

Journal entries can include:
  • Identification of the job, user, and the time of access
  • Before- and after-images of all object changes
  • Records of when the object was opened, closed, changed, saved, created, deleted, and so on.

A journal entry cannot be altered by any user, even the security officer. A complete journal or journal receiver can be deleted, but this is easily detected.

If you are journaling a database file, data area, data queue, library, or integrated file system object, you can use the DSPJRN command to print all the changes for that particular object. Here are some examples:
Type the following command for a particular database file.
DSPJRN JRN(library/journal) +
       FILE(library/file) OUTPUT(*PRINT)

Type the following command for a particular data area.
DSPJRN JRN(library/journal) +
       OBJ((library/object name *DTAARA)) OUTPUT(*PRINT)

Type the following command for a particular data queue.
DSPJRN JRN(library/journal) +
       OBJ((library/object name *DTAQ)) OUTPUT(*PRINT)

Type the following command for a particular integrated file system object.
DSPJRN JRN(library/journal) +
       OBJPATH(('path name')) OUTPUT(*PRINT)

Type the following command for a particular library.
DSPJRN JRN(library/journal) +
       OBJ((*LIBL/library-name *LIB)) OUTPUT(*PRINT)

For example, if journal JRNCUST in library CUSTLIB is used to record information about file CUSTFILE (also in library CUSTLIB), the command can be:
DSPJRN JRN(CUSTLIB/JRNCUST) +
       FILE(CUSTLIB/CUSTFILE) OUTPUT(*PRINT)

You can also create an output file and do a query or use SQL to select all of the records from the output file for a specific output.

Type the following command to create an output file for a particular database file.
DSPJRN JRN(library/journal) +
       FILE(library/file name) +
       OUTPUT(*OUTFILE) OUTFILEFMT(*TYPE5) OUTFILE(library/outfile) ENTDTALEN(*CALC)

Type the following command to create an output file for a particular data area.
DSPJRN JRN(library/journal) +
       OBJ((library/object name *DTAARA)) +
       OUTPUT(*OUTFILE) OUTFILEFMT(*TYPE5) OUTFILE(library/outfile) ENTDTALEN(*CALC)

Type the following command to create an output file for a particular data queue.
DSPJRN JRN(library/journal) +
       OBJ((library/object name *DTAQ)) +
       OUTPUT(*OUTFILE) OUTFILEFMT(*TYPE5) OUTFILE(library/outfile) ENTDTALEN(*CALC)

Type the following command to create an output file for a particular integrated file system object.
DSPJRN JRN(library/journal) +
       OBJPATH(('path name')) +
       OUTPUT(*OUTFILE) OUTFILEFMT(*TYPE5) OUTFILE(library/outfile) ENTDTALEN(*CALC)

Type the following command to create an output file for a particular library.
DSPJRN JRN(library/journal) +
       OBJ((*LIBL/library-name *LIB)) +
       OUTPUT(*OUTFILE) OUTFILEFMT(*TYPE5) OUTFILE(library/outfile) ENTDTALEN(*CALC)
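
As an added illustration (not part of the original topic), the following SQL reviews record-level changes to CUSTFILE from a *TYPE5 output file. AUDLIB/CUSTJRNOUT is a hypothetical outfile name; the JO* column names follow the *TYPE5 outfile layout and can be confirmed with DSPFFD FILE(AUDLIB/CUSTJRNOUT).

```sql
-- Assumes the outfile was produced from the page's example journal with:
--   DSPJRN JRN(CUSTLIB/JRNCUST) FILE(CUSTLIB/CUSTFILE) +
--          OUTPUT(*OUTFILE) OUTFILEFMT(*TYPE5) +
--          OUTFILE(AUDLIB/CUSTJRNOUT) ENTDTALEN(*CALC)
-- AUDLIB and CUSTJRNOUT are hypothetical names chosen for this example.

-- 1. Summary for the reviewer: which user profiles added, updated, or
--    deleted records, per day.
--    Journal code 'R' = operation on a specific record.
--    Entry types: PT = record added, PX = record added by relative
--    record number, UP = update (after-image), DL = record deleted.
SELECT DATE(JOTSTP) AS CHANGE_DATE,
       JOUSPF       AS USER_PROFILE,
       JOENTT       AS ENTRY_TYPE,
       COUNT(*)     AS ENTRIES
  FROM AUDLIB.CUSTJRNOUT
 WHERE JOCODE = 'R'
   AND JOENTT IN ('PT', 'PX', 'UP', 'DL')
 GROUP BY DATE(JOTSTP), JOUSPF, JOENTT
 ORDER BY CHANGE_DATE, USER_PROFILE, ENTRY_TYPE;

-- 2. Detail for follow-up: every update and delete in journal sequence,
--    with the job, program, and relative record number involved.
--    UB (update before-image) rows are present only when the file is
--    journaled with both before- and after-images.
SELECT JOSEQN AS SEQUENCE_NBR,
       JOTSTP AS ENTRY_TIME,
       JOENTT AS ENTRY_TYPE,
       JOUSPF AS USER_PROFILE,
       JOJOB  AS JOB_NAME,
       JOUSER AS JOB_USER,
       JONBR  AS JOB_NUMBER,
       JOPGM  AS PROGRAM,
       JOCTRR AS REL_RECORD_NBR
  FROM AUDLIB.CUSTJRNOUT
 WHERE JOCODE = 'R'
   AND JOENTT IN ('UB', 'UP', 'DL')
 ORDER BY JOSEQN;
```

The record images themselves are in the entry-specific data column (JOESD), which holds the raw record and must be interpreted with the layout of the journaled file.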

If you want to find out which journals are on the system, use the Work with Journals (WRKJRN) command. If you want to find out which objects are being journaled by a particular journal, use the Work with Journal Attributes (WRKJRNA) command.