Auditing Change Operations on QSYSOPR Message Queue

Question & Answer

Question

How do you create a report of what jobs are adding or removing messages from the QSYSOPR Message Queue.

Cause

Answer

The Security Audit journal can be used to track jobs/users that are adding or removing messages on the QSYSOPR message queue.

Steps

First, verify that the QAUDJRN journal exists and that you are tracking for Object Auditing operations *OBJAUD. Use the DSPSECAUD command and make sure the following settings are configured on your system:

  Security journal QAUDJRN exists . . . . . :  YES    
Current QAUDCTL system value  . . . . . . :  *OBJAUD

If not listed, use the CHGSECAUD command to add them to your system. The value *OBJAUD for the QAUDCTL system value is required to audit the use or change of objects.

Start auditing the QSYSOPR message queue for change operations.

Step 1. Turn on object auditing on the object:

  CHGOBJAUD OBJ(QSYSOPR) OBJTYPE(*MSGQ) OBJAUD(*CHANGE)

Note: Once auditing is active for the QSYSOPR message queue, the system will add an audit entry every time a message is added or removed from the QSYSOPR Message queue.

Analyzing the Results.

Method 1 for releases 7.4, 7.5:

NOTE: This SQL sample uses the AUDIT_JOURNAL_ZC table function only available on Releases 7.4 and 7.5. For older releases, use Method 2.

NOTE 2: The SQL table function is available with the following PTFs:

R750: SF99950 Level 2
R740: SF99704 Level 23

Step 1: Using the Run SQL Scripts tool, run the following SQL Statement:

SELECT ENTRY_TIMESTAMP,
       JOB_NAME,
       JOB_USER,
       JOB_NUMBER,
       ACCESS_TYPE_DETAIL AS Message_added_or_removed,
       OBJECT_NAME,
       OBJECT_TYPE
    FROM TABLE (
            SYSTOOLS.AUDIT_JOURNAL_ZC(STARTING_TIMESTAMP => CURRENT TIMESTAMP - 8 DAYS)
        )
    WHERE OBJECT_NAME = 'QSYSOPR'
    ORDER BY ENTRY_TIMESTAMP DESC

NOTE: Modify the CURRENT TIMESTAMP to specify the number of days to included in the report.

Method 2 for older releases.

Step 1:

Create a file with the contents of ZC (Change Operations) Operations:

CPYAUDJRNE ENTTYP(ZC) OUTFILE(V6CASTIL/QAUDIT) JRNRCV(*CURCHAIN) FROMTIME(081923 070000) TOTIME(082123 090000)

NOTE: Adjust the Time and Date.

NOTE 2: Replace V6CASTIL with the name of the library where the file QAUDITZC is created.

Step 2:

Using the STRSQL command, run the following SQL Statement:

SELECT ZCENTT,                
       ZCJOB,                 
       ZCUSER,                
       ZCNBR,                 
       ZCETYP,                
       ZCACTP,                
       ZCONAM,                
       ZCOTYP                 
    FROM v6castil/qauditzc    
where zconam = 'QSYSOPR'

NOTE: Access Code and Access type for Add and remove messages:

Access Code	Access Type
38 51	Remove Send

For the Numeric codes for access types see the link below:

https://www.ibm.com/docs/en/i/7.3?topic=entries-numeric-codes-access-types

[{"Type":"MASTER","Line of Business":{"code":"LOB57","label":"Power"},"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SWG60","label":"IBM i"},"ARM Category":[{"code":"a8m0z0000000CHyAAM","label":"Security"}],"ARM Case Number":"TS013932215","Platform":[{"code":"PF012","label":"IBM i"}],"Version":"7.2.0;7.3.0;7.4.0;7.5.0"}]

Was this topic helpful?

Document Information

More support for:
IBM i

Component:
Security

Software version:
7.2.0, 7.3.0, 7.4.0, 7.5.0

Operating system(s):
IBM i

Document number:
7028213

Modified date:
21 August 2023

UID

ibm17028213

IBM Support

Tips