Depending on how your system audit journal (QAUDJRN) is configured, it contains a wealth of information that not only reveals ongoing system activity but also documents possible attempts to compromise system security and access controls. Given this comprehensive source of audit and security information, and the enormous volume of data it often holds, the challenge quickly becomes filtering out the events and actions of specific interest to the security officers responsible for system security in general, and to internal and external system auditors in particular. This article explains how to filter out those events and actions using the preferred Analyze Audit Journal (ANZAUDJRN) command.
Audit Tools on Board
IBM i ships with a number of native audit tools in the form of CL commands, including the Display Journal (DSPJRN) and Display Audit Journal Entry (DSPAUDJRNE) commands, which have been in service for quite a while, as well as the latest addition to the collection: the Copy Audit Journal Entry (CPYAUDJRNE) command. The latter is especially useful when you are performing an investigation, because it maps all the information in the journal entry's entry-specific data section into individual data fields. This, in turn, lets you interrogate the event type, the name, library, and type of the object associated with the journal entry, and other crucial entry-specific information.
As its name implies, however, CPYAUDJRNE copies the retrieved information to an output file that you must then process using Query/400 or a similar tool, turning the investigation into a two-step procedure. Moreover, the CPYAUDJRNE command lacks some of the parameters available on the DSPJRN command, so there is no option to exclude journal entries up front based on, for example, job name or program name. What fascinates me about situations like this is that the comprehensive toolset available on IBM i lets me easily devise and build utilities that meet my specific needs, even on a tight budget. All it takes is the ILE RPG compiler and the API manual.
When it comes to processing journal entries, though, options other than APIs exist. For real-time processing of journal entries I have often used the Receive Journal Entry (RCVJRNE) command, which makes it possible to retrieve and process journal entries as they arrive in the journal receiver. There is also a Retrieve Journal Entry (RTVJRNE) command aimed at extracting journal entries into a CL program. However, for the purpose of selecting an arbitrary subset of journal entries, the Retrieve Journal Entries (QjoRetrieveJournalEntries) API is hard to beat, both in terms of the extensive parameter set it offers and the speed with which it processes and returns the selected journal entries.