PW (Password) journal entries

Information from this audit journal entry can be queried with the SYSTOOLS.AUDIT_JOURNAL_PW table function: AUDIT_JOURNAL_PW

Table 1. PW (Password) journal entries. QASYPWJE/J4/J5 Field Description File

Offset			Field	Format	Description
JE	J4	J5
1	1	1			Heading fields common to all entry types. See Standard heading fields for audit journal entries QJORDJE5 Record Format (*TYPE5),Standard heading fields for audit journal entries QJORDJE4 Record Format (*TYPE4), and Standard heading fields for audit journal entries QJORDJE2 Record Format (*TYPE2) for field listing.
156	224	610	Violation Entry Type	Char(1)	The type of violation A APPC bind failure. C User authentication with the CHKPWD command failed. D Service tools user ID name not valid (QSYCHGDS API, CRTSSTUSR, CHGSSTUSR, DLTSSTUSR, CHGSSTSECA commands). E Service tools user ID password not valid (QSYCHGDS API, CRTSSTUSR, CHGSSTUSR, DLTSSTUSR, CHGSSTSECA commands). F Service tools user ID time-based one-time password (TOTP) not valid or recovery key not valid (QSYCHGDS API, CRTSSTUSR, CHGSSTUSR, DLTSSTUSR, CHGSSTKEY, CHGSSTSECA commands). G Authentication exit program returned failure. K Password specified on CHKTOTP command or QSYS2.CHECK_TOTP function not valid. O Time-based one-time password (TOTP) specified on CHKTOTP command or QSYS2.CHECK_TOTP function not valid. P Password not valid. Q Attempted signon (user authentication) failed because user profile is disabled. R Attempted signon (user authentication) failed because password was expired. This audit record might not occur for some user authentication mechanisms. Some authentication mechanisms do not check for expired passwords. S SQL decryption password is not valid. T Time-based one-time password (TOTP) not valid or recovery key not valid.
					U User name not valid. X Service tools user ID is disabled. Y Service tools user ID not valid (service tools interface). Z Service tools user ID password not valid (service tools interface).
157	225	611	User Name	Char(10)	The job user name or the service tools user ID name.
167	235	621	Device name	Char(40)	The name of the device or communications device on which the password or user ID was entered. When the entry type (J5 offset 610) is D, E, F, X, Y, or Z this field will contain the name of the interface being used.
207	275	661	Remote Location Name	Char(8)	Name of the remote location for the APPC bind.
215	283	669	Local Location Name	Char(8)	Name of the local location for the APPC bind.
223	291	677	Network ID	Char(8)	Network ID for the APPC bind.
		6852	Object Name	Char(10)	The name of the object being decrypted.
		695	Object Library	Char(10)	The library for the object being decrypted.
		705	Object Type	Char(8)	The type of object being decrypted.
		713	ASP Name1	Char(10)	The name of the ASP device.
		723	ASP Number1	Char(5)	The number of the ASP device.
		728	Authentication program reason code	Bin(10)	When entry type (J5 offset 610) is G this field contains the reason code for the failure. The reason code is returned by the additional authentication exit program registered under exit point QIBM_QSY_AUTH, format AUTH0100. Some reason codes are defined in the Additional Authentication Exit Program documentation. Other reason code definitions are specific to the authentication program provider and are not defined or documented by IBM.
1 If the object is in a library, this is the ASP information for the object's library. If the object is not in a library, this is the ASP information for the object. 2 If the object name is *N and the violation type is S, the user attempted to decrypt data in a host variable.