Analyzing audit journal entries

After you have set up the security auditing function, you can use several different methods to analyze the events that are logged.

  • View selected entries at your workstation using the Display Journal (DSPJRN) command.
  • Copy selected entries to output files using the Copy Audit Journal Entries (CPYAUDJRNE) or DSPJRN command, and then using a query tool or program to analyze entries.
  • Use the Display Audit Journal Entries (DSPAUDJRNE) command.
    Note: IBM has stopped providing enhancements for the DSPAUDJRNE command. The command does not support all security audit record types, and the command does not list all the fields for the records it supports.
  • Use the Receive Journal Entry (RCVJRNE) command on the QAUDJRN journal to receive the entries as they are written to the QAUDJRN journal.
  • Use SQL to extract details about audit journal entries by using the QSYS2.DISPLAY_JOURNAL() User Defined Table Function (UDTF). For complete details about DISPLAY_JOURNAL(), see DISPLAY_JOURNAL table function.

    This is an example of using DISPLAY_JOURNAL() to find the Change Profile (CP) audit entries that have occurred within the last 24 hours.
    SELECT journal_code, journal_entry_type, object, object_type, X.* 
    'QSYS', 'QAUDJRN',               -- Journal library and name
    JOURNAL_ENTRY_TYPES => 'CP' ,    -- Journal entry types
    STARTING_TIMESTAMP => CURRENT TIMESTAMP - 24 HOURS  -- Time window for search
    ) ) AS x
    ORDER BY entry_timestamp DESC;