Troubleshooting
Problem
This note documents how to audit for the delete of Integrated File System objects.
Resolving The Problem
When deleting an object in a directory, the following steps occur:
|
o |
Unlink This removes the name from the object and cuts an LD-U audit record. The name of the object is put into the audit record. |
| o | Destroy This destroys the object and cuts a DO audit record. However, the name of the object is not available at this time; therefore, the system cannot put it into the DO audit record. The destroy may be deferred to a later time if the object is actively being used (for example, a file is open). |
Setting the QAUDLVL system value to *DELETE monitors only for DO audit records.
To monitor for LD-U audit records, you should do the following:
To monitor for LD-U audit records, you should do the following:
| 1. | Set the system value, QAUDCTL, to *OBJAUD. |
| 2. | Use the CHGAUD or CHGOBJAUD command to set the object auditing value to *CHANGE or *ALL. NOTE: Setting a directory to *CHANGE or *ALL can cause many entries to be generated if there are many files being deleted/created. |
In the LD-U record, you will see the parent file ID and the name of the object within that parent directory.
[{"Type":"MASTER","Line of Business":{"code":"LOB68","label":"Power HW"},"Business Unit":{"code":"BU070","label":"IBM Infrastructure"},"Product":{"code":"SWG60","label":"IBM i"},"ARM Category":[{"code":"a8m0z0000000CHyAAM","label":"Security"}],"ARM Case Number":"","Platform":[{"code":"PF012","label":"IBM i"}],"Version":"All Versions"}]
Historical Number
20153659
Was this topic helpful?
Document Information
Modified date:
07 October 2024
UID
nas8N1017716