IBM Support

How to tell IBM i Guardium agent not to collect QAUDJRN entries

How To


Summary

The IBM i Guardium agent collects both SQL activity and QAUDJRN entries by default. Some customers already have another application to process audit journal entries and want to use the IBM i Guardium agent to collect SQL activity only.

Objective

This technote shows how to configure the IBM i Guardium agent not to capture audit journal entries.
Note that with the currently supported Guardium versions, there is no way to fully disable the collection of audit journal entries, but we can minimize them significantly.
 

Environment

IBM i (all versions)

Steps

When the IBM i Guardium agent starts, it reads the table QSYS2/SYSAUDIT to get the actual product configuration. In QSYS2/SYSAUDIT table, the column FILTER_AUDIT_ENTRY_TYPES tells the agent which audit journal entries must be collected.
By default, the following audit journal entries are to be collected:
AD - Auditing change
AF - Authority failure
AX - Row and column access control
CA - Authority change
CD - Command string (Note: CD is not included in the default settings of filter_audit_entry_types)
CO - Create object
CP - User Profile changes
DO - Delete object
GR - General purpose audit record
OM - Object moved or renamed
PG - Primary group change
PW - Invalid password or user ID
OW - Change owner
OR - Object restored
RA - Restore authority change
RO - Restore owner change
RZ - Restore primary group change
SV - System value change
ZR - Read object
ZC - Change object
Refer to "Audit Journal Entries and Guardium" for further information about them and how to filter some of them.
If you don't want the Guardium agent on IBM i to collect any of them, choose the least common audit journal entry type and update the table QSYS2/SYSAUDIT with it.
In this example, we'll use 'CD' = Command String Audit, because it's usually one that produces few entries in QAUDJRN.
Run the following SQL statement to find out which commands are being audited. 
SELECT OBJNAME, OBJTYPE, OBJECT_AUDIT
    FROM TABLE(QSYS2.OBJECT_STATISTICS('QSYS', '*CMD'))
    WHERE OBJECT_AUDIT <> '*NONE';
If you have few commands being audited then 'CD' is a good candidate.
Otherwise you can analyze your QAUDJRN entries and choose one not frequently used instead.
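One way to do that analysis, as an added example that is not part of the original technote: count the QAUDJRN entries per type for the entry types listed above, including types with no entries at all. It assumes the QSYS2.DISPLAY_JOURNAL table function is available on your release and that you are authorized to read QAUDJRN; the 7-day window is an arbitrary choice.

```sql
-- Added example (not from the technote): rank the listed entry types
-- by how many QAUDJRN entries each produced in the last 7 days.
-- Types with 0 entries are the best candidates for FILTER_AUDIT_ENTRY_TYPES.
WITH candidates (entry_type) AS (
    -- Entry types taken from the list in this technote
    VALUES ('AD'), ('AF'), ('AX'), ('CA'), ('CD'), ('CO'), ('CP'),
           ('DO'), ('GR'), ('OM'), ('PG'), ('PW'), ('OW'), ('OR'),
           ('RA'), ('RO'), ('RZ'), ('SV'), ('ZR'), ('ZC')
),
counts AS (
    SELECT JOURNAL_ENTRY_TYPE AS entry_type, COUNT(*) AS entries
    FROM TABLE(QSYS2.DISPLAY_JOURNAL(
            'QSYS', 'QAUDJRN',
            STARTING_RECEIVER_NAME => '*CURAVLCHN',  -- all available receivers
            STARTING_TIMESTAMP     => CURRENT TIMESTAMP - 7 DAYS,
            JOURNAL_CODES          => 'T')) AS j     -- 'T' = audit trail entries
    GROUP BY JOURNAL_ENTRY_TYPE
)
SELECT c.entry_type,
       COALESCE(n.entries, 0) AS entries_last_7_days
FROM candidates c
LEFT JOIN counts n ON n.entry_type = c.entry_type
ORDER BY entries_last_7_days, c.entry_type;
```

The rows at the top of the result are the entry types that would add the fewest QAUDJRN entries to the Guardium collection.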
As a good practice, take a backup of QSYS2/SYSAUDIT table before running the next step.
We'll change the QSYS2/SYSAUDIT table so that the Guardium agent captures only the 'CD' audit journal entry.
-For that purpose, run the following SQL statement from STRSQL or Access Client Solutions Run SQL Scripts:
 UPDATE QSYS2.SYSAUDIT SET FILTER_AUDIT_ENTRY_TYPES = 'CD';
-Verify that the UPDATE was effective by running
 SELECT FILTER_AUDIT_ENTRY_TYPES FROM QSYS2.SYSAUDIT;
The query result will show 'CD'.
-Restart the Guardium agent jobs for the change to take effect.
Refer to "How to stop and start IBM i STAP?" if you need assistance.
-After the Guardium jobs have been restarted, run the following SQL statement:
CALL SYSPROC.SYSAUDIT_STATUS();  
--Repeat it 4 or 5 times, once every 30 sec or 1 minute
-After repeating it several times, run the following one:
SELECT status_time, server_started,
       number_processed_sql_statements,
       number_enqueued_sql_statements,
       number_skipped_sql_statements,
       number_processed_qaudjrn_entries,
       number_enqueued_qaudjrn_entries,
       number_skipped_qaudjrn_entries
    FROM qtemp.sysaudsts;
The SELECT output shows that the SQL activity is being captured but the audit journal entries are no longer being captured.

Document Location

Worldwide


Document Information

Modified date:
22 September 2025

UID

ibm17245325