Auditing Level Extension (QAUDLVL2)

The Auditing Level Extension (QAUDLVL2) system value is required when more than sixteen auditing values are needed.

Specifying *AUDLVL2 as one of the values in the QAUDLVL system value will cause the system to also look for auditing values in the QAUDLVL2 system value. You can specify more than one value for the QAUDLVL2 system value, unless you specify *NONE. For the QAUDLVL2 system value to take effect, the QAUDCTL system value must include *AUDLVL and the QAUDLVL system value must include *AUDLVL2.

Note: This system value is a restricted value. See Security system values for details on how to restrict changes to security system values and a complete list of the restricted system values.
Table 1. Possible values for the QAUDLVL2 system value
Value Description
*NONE No auditing values are contained in this system value.
*NOTAVL This value is displayed to indicate that the system value is not available to the user because the user does not have either *AUDIT or *ALLOBJ special authority. The system value cannot be set to this value.
*ATNEVT Attention events are logged.
*AUTFAIL Authority failure events are logged.
*CREATE Object create operations are logged.
*DELETE Object delete operations are logged.
*JOBBAS Job base functions are audited.
*JOBCHGUSR Changes to a thread's active user profile or its group profiles are audited.
*JOBDTA Actions that affect a job are logged.

*JOBDTA is composed of two values, which are *JOBBAS and *JOBCHGUSR, to enable you to better customize your auditing. If both of the values are specified, you will get the same auditing as if just *JOBDTA is specified.

*NETBAS Network base functions are audited.
*NETCLU Cluster and cluster resource group operations are audited.
*NETCMN Network and communication functions are audited.

*NETCMN is composed of several values to allow you to better customize your auditing. The following values make up *NETCMN:

The Mail and DHCP functions from *NETSCK

*NETFAIL Network failures are audited.
*NETSCK Socket tasks are audited.
Note: Telnet server connections are not audited as part of *NETSCK. Use *NETTELSVR along with *NETSCK if Telnet server connections should be audited.
Note: To audit all TCP and UDP connections in and out of the system specify *NETSCK, *NETUDP, and *NETTELSVR.
*NETSECURE Secure network connections are audited.
Note: This implies traffic flowing over the connection is now protected by a security protocol known to the system. The system explicitly audits System SSL/TLS and IPsec from operating system code responsible for creating the secure connection. IPsec entries for UDP are created using the same frequency as defined for *NETUDP. The system implicitly audits some non-operating system implemented security protocols by inspecting application layer data as it flows through the Sockets APIs.
Note: When *NETTELSVR is also specified, telnet secure network connections are audited.
*NETTELSVR Telnet Server connections are audited.
Note: Telnet clients can be configured to retry the connection attempt after an attempt to establish a session is unsuccessful. These Telnet clients will retry indefinitely until the conditions causing the session to fail are eliminated. This can generate a large number of Telnet server audit journal entries.
Note: To audit all TCP and UDP connections in and out of the system specify *NETSCK, *NETUDP, and *NETTELSVR.
*NETUDP User Datagram Protocol (UDP) traffic is audited.
Note: UDP traffic for the same local and remote address and port is audited only once every 12 hours by default. Refer to The IPCONFIG macro for details on how to change the default interval.
Note: To audit all TCP and UDP connections in and out of the system specify *NETSCK, *NETUDP, and *NETTELSVR.
*OBJMGT Object move and rename operations are logged.
*OFCSRV Changes to the system distribution directory and office mail actions are logged.
*OPTICAL Use of Optical Volumes is logged.
*PGMADP Obtaining authority from a program that adopts authority is logged.
*PGMFAIL System integrity violations are logged.
*PRTDTA Printing a spooled file, sending output directly to a printer, and sending output to a remote printer are logged.
*PTFOBJ Changes to PTF objects are logged.
*PTFOPR PTF operations are logged.
*SAVRST Restore operations are logged.
*SECCFG Security configuration is audited.
*SECDIRSRV Changes or updates when doing directory service functions are audited.
*SECIPC Changes to interprocess communications are audited.
*SECNAS Network authentication service actions are audited.
*SECRUN Security run time functions are audited.
*SECSCKD Socket descriptors are audited.
*SECURITY Security-related functions are logged.

*SECURITY is composed of several values to allow you to better customize your auditing. The following values make up *SECURITY:


*SECVFY Use of verification functions are audited.
*SECVLDL Changes to validation list objects are audited.
*SERVICE Using service tools is logged.
*SPLFDTA Actions performed on spooled files are logged.
*SYSMGT Use of systems management functions is logged.