Security auditing journal entries

This topic provides information about the journal entries that are written for the action auditing values specified on the QAUDLVL and QAUDLVL2 system values and in the user profile.

It shows:

The type of entry written to the QAUDJRN journal.
The model database output file that can be used to define the record when you create an output file with the DSPJRN command. Complete layouts for the model database outfiles are found in Layout of audit journal entries.
The detailed entry type. Some journal entry types are used to log more than one type of event. The detailed entry type field in the journal entry identifies the type of event.
The ID of the message that can be used to define the entry-specific information in the journal entry.

Table 1. Security auditing journal entries
Action or object auditing value	Journal entry type	Model database outfile	Detailed entry	Description
Action Auditing:
*ATNEVT	IM	QASYIMJ5	P	A potential intrusion has been detected. Further evaluation is required to determine if this is an actual intrusion or an expected and permitted action.
*AUTFAIL	AF	QASYAFJE/J4/J5	A	An attempt was made to access an object or perform an operation to which the user was not authorized.
			B	Restricted instruction
			C	Validation failure
			D	Use of unsupported interface, object domain failure
			E	Hardware storage protection error, program constant space violation
			F	ICAPI authorization error.
			G	ICAPI authentication error.
			H	Scan exit program action.
			I	System Java inheritance not allowed
			J	An attempt was made to submit or schedule a job under a job description which has a user profile specified. The submitter did not have *USE authority to the user profile.
			K	An attempt was made to perform an operation for which the user did not have the required special authority.
			N	The profile token was not a regenerable profile token.
			O	Optical Object Authority failure
			P	An attempt was made to use a profile handle that is not valid on the QWTSETP API.
			R	Hardware protection error
			S	Default signon attempt.
			T	Not authorized to TCP/IP port.
			U	A user permission request was not valid.
			V	The profile token was not valid for generating new profile token.
			W	The profile token was not valid for exchange.
			X	System violation, see description of AF (Authority Failure) journal entries for details
			Y	Not authorized to the current JUID field during a clear JUID operation.
			Z	Not authorized to the current JUID field during a set JUID operation.
	CV	QASYCVJ4/J5	E	Connection ended abnormally.
			R	Connection rejected.
	DI	QASYDIJ4/J5	AF	Authority failures.
			PW	Password failures.
	GR	QASYGRJ4/J5	F	Function registration operations.
	KF	QASYKFJ4/J5	P	An incorrect password was entered.
	IP	QASYIPJE/J4/J5	F	Authority failure for an IPC request.
	PW	QASYPWJE/J4/J5	A	APPC bind failure.
			C	CHKPWD failure.
			D	An incorrect service tool user ID was entered.
			E	An incorrect service tool user ID password was entered.
			P	An incorrect password was entered.
			Q	Attempted signon (user authentication) failed because user profile was disabled.
			R	Attempted signon (user authentication) failed because password was expired.
			S	SQL decrypt a password that was not valid.
			U	User name not valid.
			X	Service tools user is disabled.
			Y	Service tools user not valid.
			Z	Service tools password not valid.
	VC	QASYVCJE/J4/J5	R	A connection was rejected because of incorrect password.
	VO	QASYVOJ4/J5	U	Unsuccessful verification of a validation list entry.
	VN	QASYVNJE/J4/J5	R	A network logon was rejected because of expired account, incorrect hours, incorrect user ID, or incorrect password.
	VP	QASYVPJE/J4/J5	P	An incorrect network password was used.
	X1	QASYX1J5	F	Delegate of identity token failed.
			U	Get user from identity token failed.
	XD	QASYXDJ5	G	Group names (associated with DI entry)
*CMD ¹	CD	QASYCDJE/J4/J5	C	A command was run.
			L	An S/36E control language statement was run.
			O	An S/36E operator control command was run.
			P	An S/36E procedure was run.
			S	Command run after command substitution took place.
			U	An S/36E utility control statement was run.
*CREATE ²	AU	QASYAUJ5	A	Add of an EIM association.
	CO	QASYCOJE/J4/J5	N	Creation of a new object, except creation of objects in QTEMP library.
			R	Replacement of existing object.
	DI	QASYDIJ4/J5	CO	Object created.
	XD	QASYXDJ5	G	Group names (associated with DI entry)
*DELETE ²	AU	QASYAUJ5	A	Remove of an EIM association.
	DO	QASYDOJE/J4/J5	A	Object deleted.
			C	Pending delete committed.
			D	Pending create rolled back.
			P	Delete pending.
			R	Pending delete rolled back.
	DI	QASYDIJ4/J5	DO	Object deleted.
	LD	QASYLDJE/J4/J5	U	Unlink a directory.
	XD	QASYXDJ5	G	Group names (associated with DI entry)
*JOBBAS	JS	QASYJSJ5	A	The ENDJOBABN command was used.
			B	A job was submitted.
			C	A job was changed.
			E	A job was ended.
			H	A job was held.
			I	A job was disconnected.
			N	The ENDJOB command was used.
			P	A program start request was attached to a prestart job.
			Q	Query attributes changed.
			R	A held job was released.
			S	A job was started.
			U	CHGUSRTRC command.
*JOBCHGUSR	JS	QASYJSJ5	M	Change profile or group profile.
			T	Change profile or group profile using a profile token.
*JOBDTA	JS	QASYJSJE/J4/J5	A	The ENDJOBABN command was used.
			B	A job was submitted.
			C	A job was changed.
			E	A job was ended.
			H	A job was held.
			I	A job was disconnected.
			M	Change profile or group profile.
			N	The ENDJOB command was used.
			P	A program start request was attached to a prestart job.
			Q	Query attributes changed.
			R	A held job was released.
			S	A job was started.
			T	Change profile or group profile using a profile token.
			U	CHGUSRTRC command.
	SG	QASYSGJE/J4/J5	A	Asynchronous IBM i signal process.
			P	Asynchronous Private Address Space Environment (PASE) signal processed.
	VC	QASYVCJE/J4/J5	S	A connection was started.
			E	A connection was ended.
	VN	QASYVNJE/J4/J5	F	Logoff requested.
			O	Logon requested.
	VS	QASYVSJE/J4/J5	S	A server session was started.
			E	A server session was ended.
*NETBAS	CV	QASYCVJE/J4/J5	C	Connection established.
			E	Connection ended normally.
			R	Rejected connection.
	IR	QASYIRJ4/J5	L	IP rules have been loaded from a file.
			N	IP rules have been unloaded for an IP Security connection.
			P	IP rules have been loaded for an IP Security connection.
			R	IP rules have been read and copied to a file.
			U	IP rules have been unloaded (removed).
	IS	QASYISJ4/J5	1	Phase 1 negotiation.
			2	Phase 2 negotiation.
	ND	QASYNDJE/J4/J5	A	A violation was detected by the APPN Filter support when the Directory search filter was audited.
	NE	QASYNEJE/J4/J5	A	A violation is detected by the APPN Filter support when the End point filter is audited.
*NETCLU	CU	QASYCUJE/J4/J5	M	Creation of an object by the cluster control operation.
			R	Creation of an object by the Cluster Resource Group (*GRP) management operation.
*NETCMN	CU	QASYCUJE/J4/J5	M	Creation of an object by the cluster control operation.
			R	Creation of an object by the Cluster Resource Group (*GRP) management operation.
	CV	QASYCVJ4/J5	C	Connection established.
			E	Connection ended normally.
	IR	QASYIRJ4/J5	L	IP rules have been loaded from a file.
			N	IP rule have been unloaded for an IP Security connection.
			P	IP rules have been loaded for an IP Security connection.
			R	IP rules have been read and copied to a file.
			U	IP rules have been unloaded (removed).
	IS	QASYISJ4/J5	1	Phase 1 negotiation.
			2	Phase 2 negotiation.
	ND	QASYNDJE/J4/J5	A	A violation was detected by the APPN Filter support when the Directory search filter was audited.
	NE	QASYNEJE/J4/J5	A	A violation is detected by the APPN Filter support when the End point filter is audited.
	SK	QASYSKJ4/J5	D	DHCP address assigned
			F	Filtered mail
			P	Port unavailable
			R	Reject mail
			U	DHCP address denied
*NETFAIL	SK	QASYSKJ4/J5	P	Port unavailable
*NETSCK ^7,9	SK	QASYSKJ4/J5	A	Accept
			C	Connect
			D	DHCP address assigned
			F	Filtered mail
			R	Reject mail
			U	DHCP address denied
*NETSECURE ⁸	SK	QASYSKJ5	S	Secure connection established. This implies traffic flowing over the connection is now protected by a security protocol known to the system. The system explicitly audits System TLS and IPsec from operating system code responsible for creating the secure connection. IPsec entries for UDP are created using the same frequency as defined for *NETUDP⁶.
			X	System TLS secure connection error
*NETTELSVR ⁹	SK	QASYSKJ5	A	Telnet Server Accept Note: Telnet clients can be configured to retry the connection attempt after an attempt to establish a session is unsuccessful. These Telnet clients will retry indefinitely until the conditions causing the session to fail are eliminated. This can generate a large number of Telnet server audit journal entries.
*NETUDP ⁹	SK	QASYSKJ5	I ⁶	User Datagram Protocol (UDP) inbound traffic
			O ⁶	UDP outbound traffic
*OBJMGT ²	DI	QASYDIJ4/J5	OM	Object rename
	OM	QASYOMJE/J4/J5	M	An object was moved to a different library.
			R	An object was renamed.
*OFCSRV	ML	QASYMLJE/J4/J5	O	A mail log was opened.
	SD	QASYSDJE/J4/J5	S	A change was made to the system distribution directory.
*OPTICAL	O1	QASY01JE/J4/J5	R	Open file or directory
			U	Change or retrieve attributes
			D	Delete file directory
			C	Create directory
			X	Release held optical file
	O2	QASY02JE/J4/J5	C	Copy file or directory
			R	Rename file
			B	Back up file or directory
			S	Save held optical file
			M	Move file
	O3	QASY03JE/J4/J5	I	Initialize volume
			B	Backup volume
			N	Rename volume
			C	Convert backup volume to primary
			M	Import
			E	Export
			L	Change authorization list
			A	Change volume attributes
			R	Absolute read
*PGMADP	AP	QASYAPJE/J4/J5	S	A program started that adopts owner authority. The start entry is written the first time adopted authority is used to gain access to an object, not when the program enters the call stack.
			E	A program ended that adopts owner authority. The end entry is written when the program leaves the call stack. If the same program occurs more than once in the call stack, the end entry is written when the highest (last) occurrence of the program leaves the stack.
			A	Adopted authority was used during program activation.
*PGMFAIL	AF	QASYAFJE/J4/J5	B	A program ran a restricted machine interface instruction.
			C	A program which failed the restore-time program validation checks was restored. Information about the failure is in the Validation Value Violation Type field of the record.
			D	A program accessed an object through an unsupported interface or callable program not listed as a callable API.
			E	Hardware storage protection violation.
			R	Attempt made to update an object that is defined as read-only. (Enhanced hardware storage protection is logged only at security level 40 and higher)
*PRTDTA	PO	QASYPOJE/J4/J5	D	Printer output was printed directly to a printer.
			R	Output sent to remote system to print.
			S	Printer output was spooled and printed.
*PTFOBJ	PU	QASYPUJ5	D	Directory PTF object was changed.
			L	Library PTF object was changed.
			S	LIC PTF object was changed.
*PTFOPR	PF	QASYPFJ5	I	PTF IPL operation was performed.
			L	PTF product(s) operation was performed.
			P	PTF operation was performed.
*SAVRST ²	GR	QASYGRJ5	O	ObjectConnect operations.
	OR	QASYORJE/J4/J5	N	A new object was restored to the system.
			E	An object was restored that replaces an existing object.
	RA	QASYRAJE/J4/J5	A	The system changed the authority to an object being restored. ³
	RJ	QASYRJJE/J4/J5	A	A job description that contains a user profile name was restored.
	RO	QASYROJE/J4/J5	A	The object owner was changed to QDFTOWN during restore operation.³
	RP	QASYRPJE/J4/J5	A	A program that adopts owner authority was restored.
	RQ	QASYRQJE/J4/J5	A	A CRQD object with PROFILE(OWNER) was restored.
	RU	QASYRUJE/J4/J5	A	Authority was restored for a user profile using the RSTAUT command.
	RZ	QASYRZJE/J4/J5	A	The primary group for an object was changed during a restore operation.
			O	Auditing of an object was changed with CHGOBJAUD command.
			U	Auditing for a user was changed with CHGUSRAUD command.
*SECCFG	AD	QASYADJE/J4/J5	D	Auditing of a DLO was changed with CHGDLOAUD command.
			O	Auditing of an object was changed with CHGOBJAUD or CHGAUD commands.
			S	The scan attribute was changed using CHGATR command or the Qp0lSetAttr API, or when the object was created.
			U	Auditing for a user was changed with CHGUSRAUD command.
	AU	QASYAUJ5	E	Enterprise Identity Mapping (EIM) configuration change
	CP	QASYCPJE/J4/J5	A	Create, change, or restore operation of user profile when QSYSRESPA API is used.
	CQ	QASYCQJE/J4/J5	A	A *CRQD object was changed.
	CY	QASYCYJ4/J5	A	Cryptographic Coprocessor Access Control function
			F	Cryptographic Coprocessor Facility Control function
			K	Cryptographic Services Master Key function
			M	Cryptographic Coprocessor Master Key function
	DO	QASYDOJE/J4/J5	A	Object was deleted not under commitment control
			C	A pending object delete was committed
			D	A pending object create was rolled back
			P	The object delete is pending (the delete was performed under commitment control)
			R	A pending object delete was rolled back
	DS	QASYDSJE/J4/J5	A	Request to reset DST QSECOFR password to system-supplied default using the CHGDSTPWD command.
			C	DST profile changed using the QSYCHGDS API.
			D	Delete of a service tools user ID using the DLTSSTUSR command.
			H	Change to a service tools user ID using the CHGSSTUSR command.
			P	Change to a service tools user ID password using the QSYCHGDS API.
			R	Create of a service tools user ID using the CRTSSTUSR command.
			S	Change to the service tools security attributes using the CHGSSTSECA command.
	EV	QASYEVJ4/J5	A	Add.
			C	Change.
			D	Delete.
			I	Initialize environment variable space.
	GR	QASYGRJ4/J5	A	Exit program added
			D	Exit program removed
			F	Function registration operation
			R	Exit program replaced
	JD	QASYJDJE/J4/J5	A	The USER parameter of a job description was changed.
	KF	QASYKFJ4/J5	C	Certificate operation.
			K	Key ring file operation.
			T	Trusted root operation.
	NA	QASYNAJE/J4/J5	A	A network attribute was changed.
	PA	QASYPAJE/J4/J5	A	A program was changed to adopt owner authority.
	SE	QASYSEJE/J4/J5	A	A subsystem routing entry was changed.
	SO	QASYSOJ4/J5	A	Add entry.
			C	Change entry.
			R	Remove entry.
	SV	QASYSVJE/J4/J5	A	A system value was changed.
			B	Service attributes were changed.
			C	Change to system clock.
			E	Change to option
			F	Change to system-wide journal attribute
	VA	QASYVAJE/J4/J5	S	The access control list was changed successfully.
			F	The change of the access control list failed.
			V	Successful verification of a validation list entry.
	VU	QASYVUJE/J4/J5	G	A group record was changed.
			M	User profile global information changed.
			U	A user record was changed.
*SECDIRSRV	DI	QASYDIJE/J4/J5	AD	Audit change.
			BN	Successful bind
			CA	Authority change
			CP	Password change
			OW	Ownership change
			PO	Policy change
			UB	Successful unbind
*SECIPC	IP	QASYIPJE/J4/J5	A	The ownership or authority of an IPC object was changed.
			C	Create an IPC object.
			D	Delete an IPC object.
			G	Get an IPC object.
			M	Shared memory attached.
			Z	Close an IPC object.
*SECNAS	X0	QASYX0J4/J5	1	Service ticket valid.
			2	Service principals do not match.
			3	Client principals do not match.
			4	Ticket IP address mismatch.
			5	Decryption of the ticket failed
			6	Decryption of the authenticator failed
			7	Realm is not within client and local realms
			8	Ticket is a replay attempt
			9	Ticket not yet valid
			A	Decrypt of KRB_AP_PRIV or KRB_AP_SAFE checksum error
			B	Remote IP address mismatch
			C	Local IP address mismatch
			D	KRB_AP_PRIV or KRB_AP_SAFE timestamp error
			E	KRB_AP_PRIV or KRB_AP_SAFE replay error
			F	KRB_AP_PRIV KRB_AP_SAFE sequence order error
			K	GSS accept - expired credential
			L	GSS accept - checksum error
			M	GSS accept - channel bindings
			N	GSS unwrap or GSS verify expired context
			O	GSS unwrap or GSS verify decrypt/decode
			P	GSS unwrap or GSS verify checksum error
			Q	GSS unwrap or GSS verify sequence error
*SECRUN	AX	QASYAXJ5	M	Column mask created, altered, or dropped.
			P	Row permission created, altered, or dropped.
			T	Table altered.
	CA	QASYCAJE/J4/J5	A	Changes to authorization list or object authority.
	OW	QASYOWJE/J4/J5	A	Object ownership was changed.
	PG	QASYPGJE/J4/J5	A	The primary group for an object was changed.
	X2	None		Query manager profile was changed.
*SECSCKD	GS	QASYGSJE/J4/J5	G	A socket descriptor was given to another job. (The GS audit record is created if it is not created for the current job.)
			R	Receive descriptor.
			U	Unable to use descriptor.
*SECURITY	AD	QASYADJE/J4/J5	D	Auditing of a DLO was changed with CHGDLOAUD command.
			O	Auditing of an object was changed with CHGOBJAUD or CHGAUD commands.
			S	Scan attribute change by CHGATR command or Qp01SetAttr API
			U	Auditing for a user was changed with CHGUSRAUD command.
			G	Get user from identity token successful
	AU	QASYAUJ5	E	Enterprise Identity Mapping (EIM) configuration change
	AX	QASYAXJ5	M	Column mask created, altered, or dropped.
			P	Row permission created, altered or dropped.
			T	Table altered.
	CA	QASYCAJE/J4/J5	A	Changes to authorization list or object authority.
	CP	QASYCPJE/J4/J5	A	Create, change, or restore operation of user profile when QSYRESPA API is used
	CQ	QASYCQJE/J4/J5	A	A *CRQD object was changed.
	CV	QASYCVJ4/J5	C	Connection established.
			E	Connection ended normally.
			R	Connection rejected.
	CY	QASYCYJ4/J5	A	Cryptographic Coprocessor Access Control function
			F	Cryptographic Coprocessor Facility Control function
			K	Cryptographic Services Master Key function
			M	Cryptographic Coprocessor Master Key function
	DI	QASYDIJ4/J5	AD	Audit change
			BN	Successful bind
			CA	Authority change
			CP	Password change
			OW	Ownership change
			PO	Policy change
			UB	Successful unbind
	DO	QASYDOJE/J4/J5	A	Object was deleted not under commitment control
			C	A pending object delete was committed
			D	A pending object create was rolled back
			P	The object delete is pending (the delete was performed under commitment control)
			R	A pending object delete was rolled back
	DS	QASYDSJE/J4/J5	A	Request to reset DST QSECOFR password to system-supplied default using the CHGDSTPWD command.
			C	DST profile changed using the QSYCHGDS API.
			D	Delete of a service tools user ID using the DLTSSTUSR command.
			H	Change to a service tools user ID using the CHGSSTUSR command.
			P	Change to a service tools user ID password using the QSYCHGDS API.
			R	Create of a service tools user ID using the CRTSSTUSR command.
			S	Change to the service tools security attributes using the CHGSSTSECA command.
	EV	QASYEVJ4/J5	A	Add.
			C	Change.
			D	Delete.
			I	Initialize environment variable space.
	GR	QASYGRJ4/J5	A	Exit program added
			D	Exit program removed
			F	Function registration operation
			R	Exit program replaced
	GS	QASYGSJE/J4/J5	G	A socket descriptor was given to another job. (The GS audit record is created if it is not created for the current job.)
			R	Receive descriptor.
			U	Unable to use descriptor.
	IP	QASYIPJE/J4/J5	A	The ownership or authority of an IPC object was changed.
			C	Create an IPC object.
			D	Delete an IPC object.
			G	Get an IPC object.
	JD	QASYJDJE/J4/J5	A	The USER parameter of a job description was changed.
	KF	QASYKFJ4/J5	C	Certificate operation.
			K	Key ring file operation.
			T	Trusted root operation.
	NA	QASYNAJE/J4/J5	A	A network attribute was changed.
	OW	QASYOWJE/J4/J5	A	Object ownership was changed.
	PA	QASYPAJE/J4/J5	A	A program was changed to adopt owner authority.
	PG	QASYPGJE/J4/J5	A	The primary group for an object was changed.
	PS	QASYPSJE/J4/J5	A	A target user profile was changed during a pass-through session.
			E	An office user ended work on behalf of another user.
			H	A profile handle was generated through the QSYGETPH API.
			I	All profile tokens were invalidated.
			M	The maximum number of profile tokens have been generated.
			P	Profile token generated for user.
			R	All profile tokens for a user have been removed.
			S	An office user started work on behalf of another user.
			T	Telnet QIBM_QTG_DEVINIT exit program profile swap.
			U	Telnet QIBM_QTG_DEVINIT exit program profile override.
			V	User profile authenticated.
	SE	QASYSEJE/J4/J5	A	A subsystem routing entry was changed.
	SO	QASYSOJ4/J5	A	Add entry.
			C	Change entry.
			R	Remove entry.
	SV	QASYSVJE/J4/J5	A	A system value was changed.
			B	Service attributes were changed.
			C	Change to system clock.
			E	Change to option
			F	Change to system-wide journal attribute
	VA	QASYVAJE/J4/J5	S	The access control list was changed successfully.
			F	The change of the access control list failed.
	VO		V	Successful verify of a validation list entry.
	VU	QASYVUJE/J4/J5	G	A group record was changed.
			M	User profile global information changed.
			U	A user record was changed.
	X0	QASYX0J4/J5	1	Service ticket valid.
			2	Service principals do not match
			3	Client principals do not match
			4	Ticket IP address mismatch
			5	Decryption of the ticket failed
			6	Decryption of the authenticator failed
			7	Realm is not within client and local realms
			8	Ticket is a replay attempt
			9	Ticket not yet valid
			A	Decrypt of KRB_AP_PRIV or KRB_AP_SAFE checksum error
			B	Remote IP address mismatch
			C	Local IP address mismatch
			D	KRB_AP_PRIV or KRB_AP_SAFE timestamp error
			E	KRB_AP_PRIV or KRB_AP_SAFE replay error
			F	KRB_AP_PRIV KRB_AP_SAFE sequence order error
			K	GSS accept - expired credential
			L	GSS accept - checksum error
			M	GSS accept - channel bindings
			N	GSS unwrap or GSS verify expired context
			O	GSS unwrap or GSS verify decrypt/decode
			P	GSS unwrap or GSS verify checksum error
			Q	GSS unwrap or GSS verify sequence error
	X1	QASYX1J5	D	Delegate of identity token successful
	X2	None		Query manager profile was changed
*SECVFY	PS	QASYPSJE/J4/J5	A	A target user profile was changed during a pass-through session.
			E	An office user ended work on behalf of another user.
			H	A profile handle was generated through the QSYGETPH API.
			I	All profile tokens were invalidated.
			M	The maximum number of profile tokens have been generated.
			P	Profile token generated for user.
			R	All profile tokens for a user have been removed.
			S	An office user started work on behalf of another user.
			T	Telnet QIBM_QTG_DEVINIT exit program profile swap.
			U	Telnet QIBM_QTG_DEVINIT exit program profile override.
			V	User profile authenticated.
	X1	QASYX1J5	D	Delegate of identity token successful
			G	Get user from identity token successful
*SECVLDL	VO		V	Successful verification of a validation list entry.
*SERVICE	ST	QASYSTJE/J4/J5	A	A service tool was used.
	VV	QASYVVJE/J4/J5	C	The service status was changed.
			E	The server was stopped.
			P	The server paused.
			R	The server was restarted.
			S	The server was started.
*SPLFDTA	SF	QASYSFJE/J4/J5	A	A spooled file was read by someone other than the owner.
			C	A spooled file was created.
			D	A spooled file was deleted.
			H	A spooled file was held.
			I	An inline file was created.
			R	A spooled file was released.
			S	A spooled file was saved.
			T	A spooled file was restored.
			U	A spooled file was changed.
			V	Only non-security relevant spooled files attributes changed.
*SYSMGT	DI	QASYDIJ4/J5	CF	Configuration changes
			CI	Create instance
			DI	Delete instance
			RM	Replication management
	SM	QASYSMJE/J4/J5	B	Backup options were changed.
			C	Automatic cleanup options were changed.
			D	A DRDA* change was made.
			F	An HFS file system was changed.
			N	A network file operation was performed.
			O	A backup list was changed.
			P	The power on/off schedule was changed.
			S	The system reply list was changed.
			T	The access path recovery times were changed.
	M0	QASYM0J5	A	Db2 Mirror setup tools.
	M6	QASYM6J5	A	Db2 Mirror Communication Services - Add Network Redundancy Group (NRG).
			C	Db2 Mirror Communication Services - Change NRG.
			R	Db2 Mirror Communication Services - Remove NRG.
	M7	QASYM7J5	A	Db2 Mirror Replication Services - Add active replication criteria rule.
			D	Db2 Mirror Replication Services - Duplicate replication criteria rules.
			P	Db2 Mirror Replication Services - Activate pending replication criteria rules.
			R	Db2 Mirror Replication Services - Remove active replication criteria rule.
			S	Db2 Mirror Replication Services - Resynchronization of eligible objects.
			U	User deferred or deleted entries in the Object Tracking List (OTL) using the SQL QSYS2.CHANGE_RESYNC_ENTRIES procedure.
	M8	QASYM8J5	A	Db2 Mirror Product Services - Add IASP.
			C	Db2 Mirror Product Services - Change mirror.
			F	Db2 Mirror Product Services - Change flight recorder.
			I	Db2 Mirror Product Services - Set default inclusion state.
			O	Db2 Mirror Product Services - Takeover.
			R	Db2 Mirror Product Services - Remove IASP.
			S	Db2 Mirror Product Services - Setup mirror.
			T	Db2 Mirror Product Services - Terminate mirror.
			W	Db2 Mirror Product Services - Swap mirror roles.
	M9	QASYM9J5	C	Db2 Mirror Replication State - Change to the replication state of an ASP.
	VL	QASYVLJE/J4/J5	A	The account is expired.
			D	The account is disabled.
			L	Logon hours were exceeded.
			U	Unknown or unavailable.
			W	Workstation not valid.
Object Auditing:
*CHANGE	DI	QASYDIJ4/J5	IM	LDAP directory import
			ZC	Object change
	ZC	QASYZCJ4/J5	C	Object changes
			U	Upgrade of open access to an object
	AD	QASYADJEJ4/J5	D	Auditing of an object was changed with CHGOBJAUD command.
			O	Auditing of an object was changed with CHGOBJAUD command.
			S	Scan attribute change by CHGATR command or Qp01SetAttr API
			U	Auditing for a user was changed with CHGUSRAUD command.
	AU	QASYAUJ5	E	Enterprise Identity Mapping (EIM) configuration change
	CA	QASYCAJE/J4/J5	A	Changes to authorization list or object authority.
	OM	QASYOMJE/J4/J5	M	An object was moved to a different library.
			R	An object was renamed.
	OR	QASYORJE/J4/J5	N	A new object was restored to the system.
			E	An object was restored that replaces an existing object.
	OW	QASYOWJE/J4/J5	A	Object ownership was changed.
	PG	QASYPGJE/J4/J5	A	The primary group for an object was changed.
	RA	QASYRAJE/J4/J5	A	The system changed the authority to an object being restored.
	RO	QASYROJE/J4/J5	A	The object owner was changed to QDFTOWN during restore operation.
	RZ	QASYRZJE/J4/J5	A	The primary group for an object was changed during a restore operation.
	GR	QASYGRJ4/J5	F	Function registration operations⁵
	LD	QASYLDJE/J4/J5	L	Link a directory.
			U	Unlink a directory.
	VF	QASYVFJE/J4/J5	A	The file was closed because of administrative disconnection.
			N	The file was closed because of normal client disconnection.
			S	The file was closed because of session disconnection.
	VO	QASYVOJ4/J5	A	Add validation list entry.
			C	Change validation list entry.
			F	Find validation list entry.
			R	Remove validation list entry.
	VR	QASYVRJE/J4/J5	F	Resource access failed.
			S	Resource access was successful.
	YC	QASYYCJE/J4/J5	C	A document library object was changed.
	ZC	QASYZCJE/J4/J5	C	An object was changed.
			U	Upgrade of open access to an object.
*ALL ⁴	CD	QASYCDJ4/J5	C	Command run
	DI	QASYDIJ4/J5	EX	LDAP directory export
			ZR	Object read
	GR	QASYGRJ4/J5	F	Function registration operations⁵
	LD	QASYLDJE/J4/J5	K	Search a directory.
	YR	QASYYRJE/J4/J5	R	A document library object was read.
	ZR	QASYZRJE/J4/J5	R	An object was read.
¹ This value can only be specified for the AUDLVL parameter of a user profile. It is not a value for the QAUDLVL system value. ² If object auditing is active for an object, an audit record is written for a create, delete, object management, or restore operation even if these actions are not included in the audit level. ³ See the topic Restoring objects for information about authority changes which might occur when an object is restored. ⁴ When ALL is specified, the entries for both CHANGE and ALL are written. ⁵ When the QUSRSYS/QUSEXRGOBJ EXITRG object is being audited. ⁶ UDP traffic for the same local and remote address and port is audited only once every 12 hours by default. Refer to The IPCONFIG macro for details on how to change the default interval. ⁷ Telnet server connections are not audited as part of NETSCK. Use NETTELSVR along with NETSCK if Telnet server connections should be audited. ⁸ Telnet server secure connections are not audited as part of NETSECURE. Use NETTELSVR along with NETSECURE if Telnet server secure connections should be audited. ⁹ To audit all TCP and UDP connections in and out of the system specify NETSCK, NETUDP, and *NETTELSVR.