Security auditing journal entries

This topic provides information about the journal entries that are written for the action auditing values specified on the QAUDLVL and QAUDLVL2 system values and in the user profile.

It shows:
  • The type of entry written to the QAUDJRN journal.
  • The model database output file that can be used to define the record when you create an output file with the DSPJRN command. Complete layouts for the model database outfiles are found in Layout of audit journal entries.
  • The detailed entry type. Some journal entry types are used to log more than one type of event. The detailed entry type field in the journal entry identifies the type of event.
  • The ID of the message that can be used to define the entry-specific information in the journal entry.
Table 1. Security auditing journal entries
Action or object auditing value Journal entry type Model database outfile Detailed entry Description
Action Auditing:        
*ATNEVT IM QASYIMJ5 P A potential intrusion has been detected. Further evaluation is required to determine if this is an actual intrusion or an expected and permitted action.
*AUTFAIL AF QASYAFJE/J4/J5 A An attempt was made to access an object or perform an operation to which the user was not authorized.
    B Restricted instruction
    C Validation failure
    D Use of unsupported interface, object domain failure
    E Hardware storage protection error, program constant space violation
    F ICAPI authorization error.
    G ICAPI authentication error.
    H Scan exit program action.
    I System Java inheritance not allowed
    J An attempt was made to submit or schedule a job under a job description which has a user profile specified. The submitter did not have *USE authority to the user profile.
      K An attempt was made to perform an operation for which the user did not have the required special authority.
      N The profile token was not a regenerable profile token.
      O Optical Object Authority failure
      P An attempt was made to use a profile handle that is not valid on the QWTSETP API.
      R Hardware protection error
      S Default signon attempt.
      T Not authorized to TCP/IP port.
      U A user permission request was not valid.
      V The profile token was not valid for generating new profile token.
      W The profile token was not valid for exchange.
      X System violation, see description of AF (Authority Failure) journal entries for details
      Y Not authorized to the current JUID field during a clear JUID operation.
      Z Not authorized to the current JUID field during a set JUID operation.
  CV QASYCVJ4/J5 E Connection ended abnormally.
      R Connection rejected.
  DI QASYDIJ4/J5 AF Authority failures.
      PW Password failures.
  GR QASYGRJ4/J5 F Function registration operations.
  KF QASYKFJ4/J5 P An incorrect password was entered.
  IP QASYIPJE/J4/J5 F Authority failure for an IPC request.
  PW QASYPWJE/J4/J5 A APPC bind failure.
      C CHKPWD failure.
      D An incorrect service tool user ID was entered.
      E An incorrect service tool user ID password was entered.
      P An incorrect password was entered.
      Q Attempted signon (user authentication) failed because user profile was disabled.
      R Attempted signon (user authentication) failed because password was expired.
      S SQL decrypt a password that was not valid.
      U User name not valid.
      X Service tools user is disabled.
      Y Service tools user not valid.
      Z Service tools password not valid.
  VC QASYVCJE/J4/J5 R A connection was rejected because of incorrect password.
  VO QASYVOJ4/J5 U Unsuccessful verification of a validation list entry.
  VN QASYVNJE/J4/J5 R A network logon was rejected because of expired account, incorrect hours, incorrect user ID, or incorrect password.
  VP QASYVPJE/J4/J5 P An incorrect network password was used.
  X1 QASYX1J5 F Delegate of identity token failed.
      U Get user from identity token failed.
  XD QASYXDJ5 G Group names (associated with DI entry)
*CMD 1 CD QASYCDJE/J4/J5 C A command was run.
      L An S/36E control language statement was run.
      O An S/36E operator control command was run.
      P An S/36E procedure was run.
      S Command run after command substitution took place.
      U An S/36E utility control statement was run.
*CREATE 2 AU QASYAUJ5 A Add of an EIM association.
  CO QASYCOJE/J4/J5 N Creation of a new object, except creation of objects in QTEMP library.
      R Replacement of existing object.
  DI QASYDIJ4/J5 CO Object created.
  XD QASYXDJ5 G Group names (associated with DI entry)
*DELETE 2 AU QASYAUJ5 A Remove of an EIM association.
  DO QASYDOJE/J4/J5 A Object deleted.
      C Pending delete committed.
      D Pending create rolled back.
      P Delete pending.
      R Pending delete rolled back.
  DI QASYDIJ4/J5 DO Object deleted.
  LD QASYLDJE/J4/J5 U Unlink a directory.
  XD QASYXDJ5 G Group names (associated with DI entry)
*JOBBAS JS QASYJSJ5 A The ENDJOBABN command was used.
      B A job was submitted.
      C A job was changed.
      E A job was ended.
      H A job was held.
      I A job was disconnected.
      N The ENDJOB command was used.
      P A program start request was attached to a prestart job.
      Q Query attributes changed.
      R A held job was released.
      S A job was started.
      U CHGUSRTRC command.
*JOBCHGUSR JS QASYJSJ5 M Change profile or group profile.
      T Change profile or group profile using a profile token.
*JOBDTA JS QASYJSJE/J4/J5 A The ENDJOBABN command was used.
      B A job was submitted.
      C A job was changed.
      E A job was ended.
      H A job was held.
      I A job was disconnected.
      M Change profile or group profile.
      N The ENDJOB command was used.
      P A program start request was attached to a prestart job.
      Q Query attributes changed.
      R A held job was released.
      S A job was started.
      T Change profile or group profile using a profile token.
      U CHGUSRTRC command.
  SG QASYSGJE/J4/J5 A Asynchronous IBM i signal process.
      P Asynchronous Private Address Space Environment (PASE) signal processed.
  VC QASYVCJE/J4/J5 S A connection was started.
      E A connection was ended.
  VN QASYVNJE/J4/J5 F Logoff requested.
      O Logon requested.
  VS QASYVSJE/J4/J5 S A server session was started.
      E A server session was ended.
*NETBAS CV QASYCVJE/J4/J5 C Connection established.
      E Connection ended normally.
      R Rejected connection.
  IR QASYIRJ4/J5 L IP rules have been loaded from a file.
      N IP rules have been unloaded for an IP Security connection.
      P IP rules have been loaded for an IP Security connection.
      R IP rules have been read and copied to a file.
      U IP rules have been unloaded (removed).
  IS QASYISJ4/J5 1 Phase 1 negotiation.
      2 Phase 2 negotiation.
  ND QASYNDJE/J4/J5 A A violation was detected by the APPN Filter support when the Directory search filter was audited.
  NE QASYNEJE/J4/J5 A A violation is detected by the APPN Filter support when the End point filter is audited.
*NETCLU CU QASYCUJE/J4/J5 M Creation of an object by the cluster control operation.
      R Creation of an object by the Cluster Resource Group (*GRP) management operation.
*NETCMN CU QASYCUJE/J4/J5 M Creation of an object by the cluster control operation.
      R Creation of an object by the Cluster Resource Group (*GRP) management operation.
  CV QASYCVJ4/J5 C Connection established.
      E Connection ended normally.
  IR QASYIRJ4/J5 L IP rules have been loaded from a file.
      N IP rule have been unloaded for an IP Security connection.
      P IP rules have been loaded for an IP Security connection.
      R IP rules have been read and copied to a file.
      U IP rules have been unloaded (removed).
  IS QASYISJ4/J5 1 Phase 1 negotiation.
      2 Phase 2 negotiation.
  ND QASYNDJE/J4/J5 A A violation was detected by the APPN Filter support when the Directory search filter was audited.
  NE QASYNEJE/J4/J5 A A violation is detected by the APPN Filter support when the End point filter is audited.
  SK QASYSKJ4/J5 D DHCP address assigned
      F Filtered mail
      P Port unavailable
      R Reject mail
      U DHCP address denied
*NETFAIL SK QASYSKJ4/J5 P Port unavailable
*NETSCK 7,9 SK QASYSKJ4/J5 A Accept
      C Connect
      D DHCP address assigned
      F Filtered mail
      R Reject mail
      U DHCP address denied
*NETSECURE 8 SK QASYSKJ5 S Secure connection established.

This implies traffic flowing over the connection is now protected by a security protocol known to the system. The system explicitly audits System TLS and IPsec from operating system code responsible for creating the secure connection. IPsec entries for UDP are created using the same frequency as defined for *NETUDP6.

      X System TLS secure connection error
*NETTELSVR 9 SK QASYSKJ5 A Telnet Server Accept

Note: Telnet clients can be configured to retry the connection attempt after an attempt to establish a session is unsuccessful. These Telnet clients will retry indefinitely until the conditions causing the session to fail are eliminated. This can generate a large number of Telnet server audit journal entries.

*NETUDP 9 SK QASYSKJ5 I 6 User Datagram Protocol (UDP) inbound traffic
      O 6 UDP outbound traffic
*OBJMGT 2 DI QASYDIJ4/J5 OM Object rename
  OM QASYOMJE/J4/J5 M An object was moved to a different library.
      R An object was renamed.
*OFCSRV ML QASYMLJE/J4/J5 O A mail log was opened.
  SD QASYSDJE/J4/J5 S A change was made to the system distribution directory.
*OPTICAL O1 QASY01JE/J4/J5 R Open file or directory
      U Change or retrieve attributes
      D Delete file directory
      C Create directory
      X Release held optical file
  O2 QASY02JE/J4/J5 C Copy file or directory
      R Rename file
      B Back up file or directory
      S Save held optical file
      M Move file
  O3 QASY03JE/J4/J5 I Initialize volume
      B Backup volume
      N Rename volume
      C Convert backup volume to primary
      M Import
      E Export
      L Change authorization list
      A Change volume attributes
      R Absolute read
*PGMADP AP QASYAPJE/J4/J5 S A program started that adopts owner authority. The start entry is written the first time adopted authority is used to gain access to an object, not when the program enters the call stack.
      E A program ended that adopts owner authority. The end entry is written when the program leaves the call stack. If the same program occurs more than once in the call stack, the end entry is written when the highest (last) occurrence of the program leaves the stack.
      A Adopted authority was used during program activation.
*PGMFAIL AF QASYAFJE/J4/J5 B A program ran a restricted machine interface instruction.
      C A program which failed the restore-time program validation checks was restored. Information about the failure is in the Validation Value Violation Type field of the record.
      D A program accessed an object through an unsupported interface or callable program not listed as a callable API.
      E Hardware storage protection violation.
      R Attempt made to update an object that is defined as read-only. (Enhanced hardware storage protection is logged only at security level 40 and higher)
*PRTDTA PO QASYPOJE/J4/J5 D Printer output was printed directly to a printer.
      R Output sent to remote system to print.
      S Printer output was spooled and printed.
*PTFOBJ PU QASYPUJ5 D Directory PTF object was changed.
      L Library PTF object was changed.
      S LIC PTF object was changed.
*PTFOPR PF QASYPFJ5 I PTF IPL operation was performed.
      L PTF product(s) operation was performed.
      P PTF operation was performed.
*SAVRST 2 Start of changeGREnd of change Start of changeQASYGRJ5End of change Start of changeOEnd of change Start of changeObjectConnect operations.End of change
  OR QASYORJE/J4/J5 N A new object was restored to the system.
      E An object was restored that replaces an existing object.
  RA QASYRAJE/J4/J5 A The system changed the authority to an object being restored. 3
  RJ QASYRJJE/J4/J5 A A job description that contains a user profile name was restored.
  RO QASYROJE/J4/J5 A The object owner was changed to QDFTOWN during restore operation.3
  RP QASYRPJE/J4/J5 A A program that adopts owner authority was restored.
  RQ QASYRQJE/J4/J5 A A *CRQD object with PROFILE(*OWNER) was restored.
  RU QASYRUJE/J4/J5 A Authority was restored for a user profile using the RSTAUT command.
  RZ QASYRZJE/J4/J5 A The primary group for an object was changed during a restore operation.
      O Auditing of an object was changed with CHGOBJAUD command.
      U Auditing for a user was changed with CHGUSRAUD command.
*SECCFG AD QASYADJE/J4/J5 D Auditing of a DLO was changed with CHGDLOAUD command.
      O Auditing of an object was changed with CHGOBJAUD or CHGAUD commands.
      S The scan attribute was changed using CHGATR command or the Qp0lSetAttr API, or when the object was created.
      U Auditing for a user was changed with CHGUSRAUD command.
  AU QASYAUJ5 E Enterprise Identity Mapping (EIM) configuration change
  CP QASYCPJE/J4/J5 A Create, change, or restore operation of user profile when QSYSRESPA API is used.
  CQ QASYCQJE/J4/J5 A A *CRQD object was changed.
  CY QASYCYJ4/J5 A Access Control function
      F Facility Control function
      M Master Key function
  DO QASYDOJE/J4/J5 A Object was deleted not under commitment control
      C A pending object delete was committed
      D A pending object create was rolled back
      P The object delete is pending (the delete was performed under commitment control)
      R A pending object delete was rolled back
  DS QASYDSJE/J4/J5 A Request to reset DST QSECOFR password to system-supplied default using the CHGDSTPWD command.
      C DST profile changed using the QSYCHGDS API.
      Start of changeDEnd of change Start of changeDelete of a service tools user ID using the DLTSSTUSR command.End of change
      Start of changeHEnd of change Start of changeChange to a service tools user ID using the CHGSSTUSR command.End of change
      P Change to a service tools user ID password using the QSYCHGDS API.
      Start of changeREnd of change Start of changeCreate of a service tools user ID using the CRTSSTUSR command.End of change
      Start of changeSEnd of change Start of changeChange to the service tools security attributes using the CHGSSTSECA command.End of change
  EV QASYEVJ4/J5 A Add.
      C Change.
      D Delete.
      I Initialize environment variable space.
  GR QASYGRJ4/J5 A Exit program added
      D Exit program removed
      F Function registration operation
      R Exit program replaced
  JD QASYJDJE/J4/J5 A The USER parameter of a job description was changed.
  KF QASYKFJ4/J5 C Certificate operation.
      K Key ring file operation.
      T Trusted root operation.
  NA QASYNAJE/J4/J5 A A network attribute was changed.
  PA QASYPAJE/J4/J5 A A program was changed to adopt owner authority.
  SE QASYSEJE/J4/J5 A A subsystem routing entry was changed.
  SO QASYSOJ4/J5 A Add entry.
      C Change entry.
      R Remove entry.
  SV QASYSVJE/J4/J5 A A system value was changed.
      B Service attributes were changed.
      C Change to system clock.
      E Change to option
      F Change to system-wide journal attribute
  VA QASYVAJE/J4/J5 S The access control list was changed successfully.
      F The change of the access control list failed.
      V Successful verification of a validation list entry.
  VU QASYVUJE/J4/J5 G A group record was changed.
      M User profile global information changed.
      U A user record was changed.
*SECDIRSRV DI QASYDIJE/J4/J5 AD Audit change.
      BN Successful bind
      CA Authority change
      CP Password change
      OW Ownership change
      PO Policy change
      UB Successful unbind
*SECIPC IP QASYIPJE/J4/J5 A The ownership or authority of an IPC object was changed.
      C Create an IPC object.
      D Delete an IPC object.
      G Get an IPC object.
      M Shared memory attached.
      Z Close an IPC object.
*SECNAS X0 QASYX0J4/J5 1 Service ticket valid.
      2 Service principals do not match.
      3 Client principals do not match.
      4 Ticket IP address mismatch.
      5 Decryption of the ticket failed
      6 Decryption of the authenticator failed
      7 Realm is not within client and local realms
      8 Ticket is a replay attempt
      9 Ticket not yet valid
      A Decrypt of KRB_AP_PRIV or KRB_AP_SAFE checksum error
      B Remote IP address mismatch
      C Local IP address mismatch
      D KRB_AP_PRIV or KRB_AP_SAFE timestamp error
      E KRB_AP_PRIV or KRB_AP_SAFE replay error
      F KRB_AP_PRIV KRB_AP_SAFE sequence order error
      K GSS accept - expired credential
      L GSS accept - checksum error
      M GSS accept - channel bindings
      N GSS unwrap or GSS verify expired context
      O GSS unwrap or GSS verify decrypt/decode
      P GSS unwrap or GSS verify checksum error
      Q GSS unwrap or GSS verify sequence error
*SECRUN AX QASYAXJ5 M Column mask created, altered, or dropped.
      P Row permission created, altered, or dropped.
      T Table altered.
  CA QASYCAJE/J4/J5 A Changes to authorization list or object authority.
  OW QASYOWJE/J4/J5 A Object ownership was changed.
  PG QASYPGJE/J4/J5 A The primary group for an object was changed.
  X2 None   Query manager profile was changed.
*SECSCKD GS QASYGSJE/J4/J5 G A socket descriptor was given to another job. (The GS audit record is created if it is not created for the current job.)
      R Receive descriptor.
      U Unable to use descriptor.
*SECURITY AD QASYADJE/J4/J5 D Auditing of a DLO was changed with CHGDLOAUD command.
      O Auditing of an object was changed with CHGOBJAUD or CHGAUD commands.
      S Scan attribute change by CHGATR command or Qp01SetAttr API
      U Auditing for a user was changed with CHGUSRAUD command.
      G Get user from identity token successful
  AU QASYAUJ5 E Enterprise Identity Mapping (EIM) configuration change
  AX QASYAXJ5 M Column mask created, altered, or dropped.
      P Row permission created, altered or dropped.
      T Table altered.
  CA QASYCAJE/J4/J5 A Changes to authorization list or object authority.
  CP QASYCPJE/J4/J5 A Create, change, or restore operation of user profile when QSYRESPA API is used
  CQ QASYCQJE/J4/J5 A A *CRQD object was changed.
  CV QASYCVJ4/J5 C Connection established.
      E Connection ended normally.
      R Connection rejected.
  CY QASYCYJ4/J5 A Access Control function
      F Facility Control function
      M Master Key function
  DI QASYDIJ4/J5 AD Audit change
      BN Successful bind
      CA Authority change
      CP Password change
      OW Ownership change
      PO Policy change
      UB Successful unbind
  DO QASYDOJE/J4/J5 A Object was deleted not under commitment control
      C A pending object delete was committed
      D A pending object create was rolled back
      P The object delete is pending (the delete was performed under commitment control)
      R A pending object delete was rolled back
  DS QASYDSJE/J4/J5 A Request to reset DST QSECOFR password to system-supplied default using the CHGDSTPWD command.
      C DST profile changed using the QSYCHGDS API.
      Start of changeDEnd of change Start of changeDelete of a service tools user ID using the DLTSSTUSR command.End of change
      Start of changeHEnd of change Start of changeChange to a service tools user ID using the CHGSSTUSR command.End of change
      P Change to a service tools user ID password using the QSYCHGDS API.
      Start of changeREnd of change Start of changeCreate of a service tools user ID using the CRTSSTUSR command.End of change
      Start of changeSEnd of change Start of changeChange to the service tools security attributes using the CHGSSTSECA command.End of change
  EV QASYEVJ4/J5 A Add.
      C Change.
      D Delete.
      I Initialize environment variable space.
  GR QASYGRJ4/J5 A Exit program added
      D Exit program removed
      F Function registration operation
      R Exit program replaced
  GS QASYGSJE/J4/J5 G A socket descriptor was given to another job. (The GS audit record is created if it is not created for the current job.)
      R Receive descriptor.
      U Unable to use descriptor.
  IP QASYIPJE/J4/J5 A The ownership or authority of an IPC object was changed.
      C Create an IPC object.
      D Delete an IPC object.
      G Get an IPC object.
  JD QASYJDJE/J4/J5 A The USER parameter of a job description was changed.
  KF QASYKFJ4/J5 C Certificate operation.
      K Key ring file operation.
      T Trusted root operation.
  NA QASYNAJE/J4/J5 A A network attribute was changed.
  OW QASYOWJE/J4/J5 A Object ownership was changed.
  PA QASYPAJE/J4/J5 A A program was changed to adopt owner authority.
  PG QASYPGJE/J4/J5 A The primary group for an object was changed.
  PS QASYPSJE/J4/J5 A A target user profile was changed during a pass-through session.
      E An office user ended work on behalf of another user.
      H A profile handle was generated through the QSYGETPH API.
      I All profile tokens were invalidated.
      M The maximum number of profile tokens have been generated.
      P Profile token generated for user.
      R All profile tokens for a user have been removed.
      S An office user started work on behalf of another user.
      Start of changeTEnd of change Start of changeTelnet QIBM_QTG_DEVINIT exit program profile swap.End of change
      Start of changeUEnd of change Start of changeTelnet QIBM_QTG_DEVINIT exit program profile override.End of change
      V User profile authenticated.
  SE QASYSEJE/J4/J5 A A subsystem routing entry was changed.
  SO QASYSOJ4/J5 A Add entry.
      C Change entry.
      R Remove entry.
  SV QASYSVJE/J4/J5 A A system value was changed.
      B Service attributes were changed.
      C Change to system clock.
      E Change to option
      F Change to system-wide journal attribute
  VA QASYVAJE/J4/J5 S The access control list was changed successfully.
      F The change of the access control list failed.
  VO   V Successful verify of a validation list entry.
  VU QASYVUJE/J4/J5 G A group record was changed.
      M User profile global information changed.
      U A user record was changed.
  X0 QASYX0J4/J5 1 Service ticket valid.
      2 Service principals do not match
      3 Client principals do not match
      4 Ticket IP address mismatch
      5 Decryption of the ticket failed
      6 Decryption of the authenticator failed
      7 Realm is not within client and local realms
      8 Ticket is a replay attempt
      9 Ticket not yet valid
      A Decrypt of KRB_AP_PRIV or KRB_AP_SAFE checksum error
      B Remote IP address mismatch
      C Local IP address mismatch
      D KRB_AP_PRIV or KRB_AP_SAFE timestamp error
      E KRB_AP_PRIV or KRB_AP_SAFE replay error
      F KRB_AP_PRIV KRB_AP_SAFE sequence order error
      K GSS accept - expired credential
      L GSS accept - checksum error
      M GSS accept - channel bindings
      N GSS unwrap or GSS verify expired context
      O GSS unwrap or GSS verify decrypt/decode
      P GSS unwrap or GSS verify checksum error
      Q GSS unwrap or GSS verify sequence error
  X1 QASYX1J5 D Delegate of identity token successful
  X2 None   Query manager profile was changed
*SECVFY PS QASYPSJE/J4/J5 A A target user profile was changed during a pass-through session.
      E An office user ended work on behalf of another user.
      H A profile handle was generated through the QSYGETPH API.
      I All profile tokens were invalidated.
      M The maximum number of profile tokens have been generated.
      P Profile token generated for user.
      R All profile tokens for a user have been removed.
      S An office user started work on behalf of another user.
      Start of changeTEnd of change Start of changeTelnet QIBM_QTG_DEVINIT exit program profile swap.End of change
      Start of changeUEnd of change Start of changeTelnet QIBM_QTG_DEVINIT exit program profile override.End of change
      V User profile authenticated.
  X1 QASYX1J5 D Delegate of identity token successful
      G Get user from identity token successful
*SECVLDL VO   V Successful verification of a validation list entry.
*SERVICE ST QASYSTJE/J4/J5 A A service tool was used.
  VV QASYVVJE/J4/J5 C The service status was changed.
      E The server was stopped.
      P The server paused.
      R The server was restarted.
      S The server was started.
*SPLFDTA SF QASYSFJE/J4/J5 A A spooled file was read by someone other than the owner.
      C A spooled file was created.
      D A spooled file was deleted.
      H A spooled file was held.
      I An inline file was created.
      R A spooled file was released.
      S A spooled file was saved.
      T A spooled file was restored.
      U A spooled file was changed.
      V Only non-security relevant spooled files attributes changed.
*SYSMGT DI QASYDIJ4/J5 CF Configuration changes
      CI Create instance
      DI Delete instance
      RM Replication management
  SM QASYSMJE/J4/J5 B Backup options were changed.
      C Automatic cleanup options were changed.
      D A DRDA* change was made.
      F An HFS file system was changed.
      N A network file operation was performed.
      O A backup list was changed.
      P The power on/off schedule was changed.
      S The system reply list was changed.
      T The access path recovery times were changed.
  Start of change M0End of change Start of changeQASYM0J5End of change Start of changeAEnd of change Start of changeDb2 Mirror setup tools.End of change
  Start of change M6End of change Start of changeQASYM6J5End of change Start of changeAEnd of change Start of changeDb2 Mirror Communication Services - Add Network Redundancy Group (NRG).End of change
      Start of changeCEnd of change Start of changeDb2 Mirror Communication Services - Change NRG.End of change
      Start of changeREnd of change Start of changeDb2 Mirror Communication Services - Remove NRG.End of change
  Start of change M7End of change Start of changeQASYM7J5End of change Start of changeAEnd of change Start of changeDb2 Mirror Replication Services - Add active replication criteria rule.End of change
      Start of changeDEnd of change Start of changeDb2 Mirror Replication Services - Duplicate replication criteria rules.End of change
      Start of changePEnd of change Start of changeDb2 Mirror Replication Services - Activate pending replication criteria rules.End of change
      Start of changeREnd of change Start of changeDb2 Mirror Replication Services - Remove active replication criteria rule.End of change
      Start of changeSEnd of change Start of changeDb2 Mirror Replication Services - Resynchronization of eligible objects.End of change
      Start of changeUEnd of change Start of changeUser deferred or deleted entries in the Object Tracking List (OTL) using the SQL QSYS2.CHANGE_RESYNC_ENTRIES procedure.End of change
  Start of change M8End of change Start of changeQASYM8J5End of change Start of changeAEnd of change Start of changeDb2 Mirror Product Services - Add IASP.End of change
      Start of changeCEnd of change Start of changeDb2 Mirror Product Services - Change mirror.End of change
      Start of changeFEnd of change Start of changeDb2 Mirror Product Services - Change flight recorder.End of change
      Start of changeIEnd of change Start of changeDb2 Mirror Product Services - Set default inclusion state.End of change
      Start of changeOEnd of change Start of changeDb2 Mirror Product Services - Takeover.End of change
      Start of changeREnd of change Start of changeDb2 Mirror Product Services - Remove IASP.End of change
      Start of changeSEnd of change Start of changeDb2 Mirror Product Services - Setup mirror.End of change
      Start of changeTEnd of change Start of changeDb2 Mirror Product Services - Terminate mirror.End of change
      Start of changeWEnd of change Start of changeDb2 Mirror Product Services - Swap mirror roles.End of change
  Start of change M9End of change Start of changeQASYM9J5End of change Start of changeCEnd of change Start of changeDb2 Mirror Replication State - Change to the replication state of an ASP.End of change
  VL QASYVLJE/J4/J5 A The account is expired.
      D The account is disabled.
      L Logon hours were exceeded.
      U Unknown or unavailable.
      W Workstation not valid.
Object Auditing:        
*CHANGE DI QASYDIJ4/J5 IM LDAP directory import
      ZC Object change
  ZC QASYZCJ4/J5 C Object changes
      U Upgrade of open access to an object
  AD QASYADJEJ4/J5 D Auditing of an object was changed with CHGOBJAUD command.
      O Auditing of an object was changed with CHGOBJAUD command.
      S Scan attribute change by CHGATR command or Qp01SetAttr API
      U Auditing for a user was changed with CHGUSRAUD command.
  AU QASYAUJ5 E Enterprise Identity Mapping (EIM) configuration change
  CA QASYCAJE/J4/J5 A Changes to authorization list or object authority.
  OM QASYOMJE/J4/J5 M An object was moved to a different library.
      R An object was renamed.
  OR QASYORJE/J4/J5 N A new object was restored to the system.
      E An object was restored that replaces an existing object.
  OW QASYOWJE/J4/J5 A Object ownership was changed.
  PG QASYPGJE/J4/J5 A The primary group for an object was changed.
  RA QASYRAJE/J4/J5 A The system changed the authority to an object being restored.
  RO QASYROJE/J4/J5 A The object owner was changed to QDFTOWN during restore operation.
  RZ QASYRZJE/J4/J5 A The primary group for an object was changed during a restore operation.
  GR QASYGRJ4/J5 F Function registration operations5
  LD QASYLDJE/J4/J5 L Link a directory.
      U Unlink a directory.
  VF QASYVFJE/J4/J5 A The file was closed because of administrative disconnection.
      N The file was closed because of normal client disconnection.
      S The file was closed because of session disconnection.
  VO QASYVOJ4/J5 A Add validation list entry.
      C Change validation list entry.
      F Find validation list entry.
      R Remove validation list entry.
  VR QASYVRJE/J4/J5 F Resource access failed.
      S Resource access was successful.
  YC QASYYCJE/J4/J5 C A document library object was changed.
  ZC QASYZCJE/J4/J5 C An object was changed.
      U Upgrade of open access to an object.
*ALL 4 CD QASYCDJ4/J5 C Command run
  DI QASYDIJ4/J5 EX LDAP directory export
      ZR Object read
  GR QASYGRJ4/J5 F Function registration operations5
  LD QASYLDJE/J4/J5 K Search a directory.
  YR QASYYRJE/J4/J5 R A document library object was read.
  ZR QASYZRJE/J4/J5 R An object was read.
1
This value can only be specified for the AUDLVL parameter of a user profile. It is not a value for the QAUDLVL system value.
2
If object auditing is active for an object, an audit record is written for a create, delete, object management, or restore operation even if these actions are not included in the audit level.
3
See the topic Restoring objects for information about authority changes which might occur when an object is restored.
4
When *ALL is specified, the entries for both *CHANGE and *ALL are written.
5
When the QUSRSYS/QUSEXRGOBJ *EXITRG object is being audited.
6
UDP traffic for the same local and remote address and port is audited only once every 12 hours by default. Refer to The IPCONFIG macro for details on how to change the default interval.
7
Telnet server connections are not audited as part of *NETSCK. Use *NETTELSVR along with *NETSCK if Telnet server connections should be audited.
8
Telnet server secure connections are not audited as part of *NETSECURE. Use *NETTELSVR along with *NETSECURE if Telnet server secure connections should be audited.
9
To audit all TCP and UDP connections in and out of the system specify *NETSCK, *NETUDP, and *NETTELSVR.