Analyze socket connection auditing records

There are several methods available to analyze the journal entries that are logged for socket connection auditing.

The security audit journal (QAUDJRN in library QSYS) is the primary source of auditing information on your system. When a socket connection event is audited, the system writes a socket connection journal entry (type SK) in the current journal receiver for QAUDJRN. Each journal entry has a detailed entry type that indicates what kind of socket connection event was audited. For more information about using QAUDJRN and journal entries, see Using the security audit journal. For more information about the format of the journal entries, see SK (Sockets Connections) journal entries.

You can use a query or program to analyze socket connection audit journal entries. One method is to copy selected entries to output files by using the Copy Audit Journal Entries (CPYAUDJRNE) or Display Journal (DSPJRN) CL commands. The output files that contain the audit entry information can then be analyzed by a query or program. For more information, see Viewing audit journal entries and Analyzing audit journal entries with query or a program in the IBM Knowledge Center.
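The following is an added example of the copy-then-query method; it is not from this page or from IBM's own documentation. It assumes an SQL session on the system (for example STRSQL or ACS Run SQL Scripts), that QAUDJRN is active and socket connection events are being audited, and that the CL command can be issued through the QSYS2.QCMDEXC procedure. CPYAUDJRNE names the output file by appending the entry type to the OUTFILE prefix, so the default prefix QAUDIT yields QTEMP/QAUDITSK. The column names used in the SELECT (SKTSTP, SKUSER, SKJOB, SKNBR, SKETYP, SKRADR, SKLPRT) are assumed from the model output file for SK entries and should be checked against the SK (Sockets Connections) journal entry format before the query is run on a real system.

```sql
-- Added example, not code from the page. Step 1: copy SK entries from the
-- current chain of QAUDJRN receivers into QTEMP. QSYS2.QCMDEXC runs a CL
-- command from SQL; the output file becomes QTEMP/QAUDITSK (prefix + type).
CALL QSYS2.QCMDEXC(
  'CPYAUDJRNE ENTTYP(SK) OUTFILE(QTEMP/QAUDIT) JRNRCV(*CURCHAIN)');

-- Step 2: summarize the copied entries. Column names are ASSUMED from the SK
-- model output file (SKETYP = SK entry type, SKRADR = remote IP address,
-- SKLPRT = local port, SKTSTP = timestamp, SKUSER/SKJOB/SKNBR = job identity);
-- verify them in the SK journal entry format description.
SELECT SKRADR            AS remote_addr,
       SKLPRT            AS local_port,
       SKETYP            AS sk_entry_type,
       COUNT(*)          AS entry_count,
       MIN(SKTSTP)       AS first_seen,
       MAX(SKTSTP)       AS last_seen
  FROM QTEMP.QAUDITSK
 GROUP BY SKRADR, SKLPRT, SKETYP
HAVING COUNT(*) >= 20         -- threshold is an arbitrary example value
 ORDER BY entry_count DESC;

-- Step 3 (optional): list the individual entries behind one remote address
-- with the job that produced them, for follow-up in the job logs.
SELECT SKTSTP, SKETYP, SKLPRT, SKUSER, SKJOB, SKNBR
  FROM QTEMP.QAUDITSK
 WHERE SKRADR = '192.0.2.10'  -- constructed example address, substitute your own
 ORDER BY SKTSTP;
```

The GROUP BY query is the one to run first: a single remote address hitting many local ports, or many rejected entries against one port, stands out immediately in the sorted counts, and the third query then recovers the jobs involved. Because the file is created in QTEMP, it disappears with the job; copy to a permanent library if the extract must be kept as evidence.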

Another method to retrieve socket connection audit journal entries is to write a program that calls the Retrieve Journal Entries (QjoRetrieveJournalEntries) API. The API provides access to journal entry information similar to what the DSPJRN CL command provides, but returns the entries directly to the calling program instead of writing them to an output file. Journal entries can be selected by a number of different keys, including journal entry types, job name, user profile, and a specific range of times. For more information about retrieving and parsing journal entries with the QjoRetrieveJournalEntries API, see Retrieve Journal Entries (QjoRetrieveJournalEntries) API.