Stopping the audit function

You might want to use the audit function periodically, rather than all the time. For example, you might want to use it when testing a new application. Or you might use it to perform a quarterly security audit.

To stop the auditing function, complete the following steps:

  1. Use the WRKSYSVAL command to change the QAUDCTL system value to *NONE. This stops the system from logging any more security events.
  2. Detach the current journal receiver using the CHGJRN command.
  3. Save and delete the detached receiver, using the SAVOBJ and DLTJRNRCV commands.
  4. You can delete the QAUDJRN journal after you change QAUDCTL to *NONE. If you plan to resume security auditing in the future, you should leave the QAUDJRN journal on the system.
    If the QAUDJRN journal is set up with MNGRCV(*SYSTEM), the system detaches the receiver and attaches a new one whenever you perform an IPL, whether or not security auditing is active. You need to delete these journal receivers. Saving them before deleting them is not necessary, because they do not contain any audit entries.
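
The steps above as a CL command sequence, added here as an illustration and not taken from the original page. The receiver name AUDRCV0001, the library JRNLIB and the tape device TAP01 are placeholder assumptions, and CHGSYSVAL is used to set the value directly instead of going through the WRKSYSVAL display.

```cl
/* Step 1: stop the system from logging any more security events.    */
CHGSYSVAL SYSVAL(QAUDCTL) VALUE('*NONE')

/* Confirm the change took effect before touching the receivers.     */
DSPSYSVAL SYSVAL(QAUDCTL)

/* Step 2: detach the current receiver. JRNRCV(*GEN) has the system  */
/* create and attach a new receiver, which detaches the current one. */
CHGJRN JRN(QSYS/QAUDJRN) JRNRCV(*GEN)

/* Look up the name and library of the receiver that was detached.   */
/* AUDRCV0001 in JRNLIB below is a placeholder for that receiver.    */
WRKJRNA JRN(QSYS/QAUDJRN)

/* Step 3: save the detached receiver first, so the audit entries    */
/* it holds are preserved, then delete it.                           */
/* TAP01 is a placeholder device name.                               */
SAVOBJ OBJ(AUDRCV0001) LIB(JRNLIB) DEV(TAP01) OBJTYPE(*JRNRCV)
DLTJRNRCV JRNRCV(JRNLIB/AUDRCV0001)

/* Step 4 is optional: QAUDJRN is left on the system here so that    */
/* security auditing can be resumed later.                           */
```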