Troubleshooting
Problem
This document provides information on using system auditing to track spooling activity and also provides information on job accounting.
Resolving The Problem
This document addresses two types of auditing: system auditing and job accounting. System auditing can be used to track spooling activity such as when a spooled file is created, read, deleted, printed, or sent to another system. Job accounting can be used to log the total number of pages and lines printed, the spooled file name, the spooled file number, the fully qualified job name, and other information.
This document was last updated on 21 May 2014.
Using System Auditing to Track Spooling Activity
Note: This document is not intended to contain complete information regarding setting up security auditing. For detailed information on system auditing, it is recommended that you refer to Chapter 9, Auditing Security on IBM i (or Auditing Security on the AS/400 System on older versions) in the IBM i Security Reference (SC41-5302) publication, which is available at:
For detailed information on setting up security auditing, please refer to the following document:
N1014712: Setting Up Security Auditing
| 1. | Use the Create Journal Receiver (CRTJRNRCV) and Create Journal (CRTJRN) commands as described in Rochester Support Center knowledgebase document New to setup the journal receiver and journal needed for system auditing. |
| 2. | Use the following Work with System Value (WRKSYSVAL) command to work with the system values associated with security auditing: WRKSYSVAL SYSVAL(QAUD*) Use Option 2 (Change) and Option 5 (Display) as necessary to make sure that the QAUDLVL (Security auditing level) system value includes *SPLFDTA and *PRTDTA, and that the QAUDCTL (Auditing control) system value includes *AUDLVL. |
| 3. | Type GO SECTOOLS on the operating system command line to bring up the Security Tools menu, then take Option 11 (Display security auditing) to make sure that security auditing is setup correctly. |
| 4. | If diagnosing a particular problem, reproduce the problem at this point. |
| 5a. | You can use the Display Audit Journal Entry (DSPAUDJRNE) command to write printed output (PO) or spooled file (SF) journal entries to a spooled file. However, the DSPAUDJRNE command is not supported. Also, SF and PO entries will not be shown for any spooled files associated with a QPRTJOB job. To use the DSPAUDJRNE command despite these issues, type one of the following commands: DSPAUDJRNE ENTTYP(PO) JRNRCV(*CURCHAIN) FROMTIME('01/28/09' '08:00:00') OUTPUT(*PRINT) DSPAUDJRNE ENTTYP(SF) JRNRCV(*CURCHAIN) FROMTIME('01/28/09' '08:00:00') OUTPUT(*PRINT) Both printed output (PO) and spooled file (SF) journal entries can be written to a spooled file at the same time using the following command: DSPAUDJRNE ENTTYP(PO SF) JRNRCV(*CURCHAIN) FROMTIME('01/28/09' '08:00:00') OUTPUT(*PRINT) As with the DSPJRN command, using the DSPAUDJRNE command to display both the SF and PO journal entries at the same time can be more difficult to read through the spooled file. Note: As mentioned above, the Display Audit Journal Entry (DSPAUDJRNE) command is not supported. It also does not provide the QSPL data base member name, only the QSPL data base file name, where the spooled file is stored; and does not provide the fully-qualified job name that owns the spooled file, it instead shows the job name issuing the audit. The output from the DSPAUDJRNE command is formatted, which can make it much easier to look through, particularly for system administrators, programmers and end-users. However, if the audit journal entries are being collected so that a Rochester Support Center represent or an IBM System i developer can diagnose a problem or a possible defect then the Display Journal (DSPJRN) command should be used instead, or in addition to the DSPAUDJRNE command. |
| 5b. | You can also use the Display Journal (DSPJRN) command to write either printed output (PO) or spooled file (SF) journal entries to a spooled file. On the command line, type one of the following commands: DSPJRN JRN(QAUDJRN) RCVRNG(*CURCHAIN) FROMTIME('01/29/2007' '08:00:00') JRNCDE(*ALL) ENTTYP(SF) JOB(*ALL) OUTPUT(*PRINT) DSPJRN JRN(QAUDJRN) RCVRNG(*CURCHAIN) FROMTIME('01/29/2007' '08:00:00') JRNCDE(*ALL) ENTTYP(PO) JOB(*ALL) OUTPUT(*PRINT) Both printed output (PO) and spooled file (SF) journal entries can be written to a spooled file at the same time using the following command, though it might be more difficult to read through the spooled file in this case: DSPJRN JRN(QAUDJRN) RCVRNG(*CURCHAIN) FROMTIME('01/29/2007' '08:00:00') JRNCDE(*ALL) ENTTYP(SF PO) + JOB(*ALL) OUTPUT(*PRINT) Using the DSPJRN command to display both the SF and PO journal entries at the same time can be more difficult to read through the spooled file. Note: As mentioned above, the Display Audit Journal Entry (DSPAUDJRNE) command is not supported. It also does not provide the QSPL data base member name, only the QSPL data base file name, where the spooled file is stored; and does not provide the fully-qualified job name that owns the spooled file, it instead shows the job name issuing the audit. The output from the DSPAUDJRNE command is formatted, which can make it much easier to look through, particularly for system administrators, programmers and end-users. However, if the audit journal entries are being collected so that a Rochester Support Center represent or an IBM System i developer can diagnose a problem or a possible defect then the Display Journal (DSPJRN) command should be used instead, or in addition to the DSPAUDJRNE command. Note: An alternative is to use the instructions in the following Rochester Support Center knowledgebase document to output the SF or PO journal entries to an OUTFILE and then create a query to select and sequence whichever fields you need to display. For more information, please refer to the following document: N1019650: Security: User Auditing Example |
| 5c | If you plan on having an IBM i Global Support Center (iGSC) representative or IBM developer look at the audit journal entries, we recommend printing the SF and PO journal entries using both the the DSPAUDJRNE and DSPJRN commands, since the output from the DSPAUDJRNE command is easier to read but the output from the DSPJRN command provides more detailed information. |
Break Down of the PO and SF Entries
The printed output (PO) and spooled file (SF) entries are broken down as follows:
| Entry Type | Description |
| PO D | Printer output was printed directly to a printer. |
| PO R | Output was sent to a remote system to print. |
| PO S | Printer output was spooled and printed. |
| SF A | A spooled file was read (accessed) by someone other than the owner. |
| SF C | A spooled file was created. |
| SF D | A spooled file was deleted. |
| SF H | A spooled file was held. |
| SF I | An in-line file was created. |
| SF R | A spooled file was release. |
| SF S | A spooled file was saved. |
| SF T | A spooled file was restored. |
| SF U | A spooled file was changed (updated). |
| SF V | Only nonsecurity-relevant spooled file attributes changed. |
An alternative to the query program is to use the tool from the QUSRTOOL, DSPAUDLOG.
A good query format to analyze the AUDJRN *outfile created:
==> STRQRY
> Work with queries
> Select and sequence fields
Seq Field Seq Field
10 SFDATE 130 SFOLIB
20 SFTIME 140 SFNDEV
30 SFSNAM 150 SFNOTQ
40 SFSNUM
50 SFJOB
60 SFUSER
70 SFNBR
80 SFPGM
90 SFUSPF
100 SFENTT
110 SFETYP
120 SFONAM
Following is an example of usage. On the operating system command line, type the following:
DSPAUDLOG OPTION(QGPL/filename) OUTTYP(*SECLVL) OUTPUT(*PRINT)
This gives information on date, time, and *SECLVL information for message CPI2294. This includes the user and SFETYP information in a job log type format.
Job Accounting
Note: This document is not intended to contain complete information regarding setting up job accounting. For detailed information on job accounting, it is recommended that you refer to Chapter 15, Job Accounting in the IBM i Systems Management Work Management publication, which is available at:
For detailed information on job accounting, please refer to the following document:
N1014726: Setting Up Job Accounting
This journaling uses QSYS/QACGJRN journal.
Job accounting can be setup to do Resource or Printer file accounting. It can be used to log the total number of pages and lines printed, the spooled file name, the spooled file number, the fully qualified job name, and other information.
The QAJBACG4 file in library QSYS contains the record format QAWTJAJ4 and is used for JB entries, while the QAPTACG5 in library QSYS contains record format QSPJAPT5 and is used for DP or SP entries. The same format is used for all printer file entries regardless if the output is SP (spooled) or DP (non-spooled).
DP (non-spooled) entries are only created when performing direct printing, which is specified by setting the Spool the data (SPOOL) parameter to *NO or SPOOL(*NO), is only allowed with printers that are twinax attached through either a local or remote workstation controller. Twinax printers are becoming very rare, and IBM i POWER7 hardware does not have an option for a local workstation controller, so it is very unlikely that job accounting will generate any DP entries.
The following Create Duplicate Object (CRTDUPOBJ) and Display Journal (DSPJRN) commands can be used to generate an outfile containing the SP or DP entries generated by job accounting:
| CRTDUPOBJ OBJ(QAPTACG5) FROMLIB(QSYS) OBJTYPE(*FILE) TOLIB(QTEMP) NEWOBJ(MYPTACG5) DSPJRN JRN(QACGJRN) FROMTIME('12/11/2013' '10:24:00') TOTIME('12/11/2013' '10:30:00') OUTPUT(*OUTFILE) OUTFILFMT(*TYPE5) OUTFILE(QTEMP/MYPTACG5) |
Once the QTEMP/MYPTACG5 outfile has been generated, you can use SQL statements or create a query to display the SP journal entries by selecting all records where the JAENTT = 'SP'.
Job Accounting with *LAN 3812 DEVDs and RMTOUTQs
Testing has shown that the JATPAG (Total number of print pages produced) field will record the number of pages printed through a *LAN 3812 printer device descriptions.
This includes *LAN 3812 DEVDs that use the PJL and SNMP system driver programs, in order words *LAN 3812 DEVDs that have the System driver program (SYSDRVPGM) parameter set to *HPPJLDRV, *IBMPJLDRV or *IBMSNMPDRV, and also includes *LAN 3812 DEVDs that use the LPR Print Driver (TSPLPRD) utility.
Testing has also shown that although an SP entry is generated for spooled files that are printed using a Remote Output Queue (RMTOUTQ), the JATPAG (Total number of print pages produced) field is always set to 0. Therefore, RMTOUTQs should not be used if you need to collect job accounting for all spooled files printed from your IBM i system.
If job accounting is needed, your existing RMTOUTQs should be replaced with either *LAN 3812 PJL DEVDs or *LAN 3812 SNMP DEVDs, depending on whether the printer hardware supports either PJL or SNMP communications. If not you have printers that can communicate using LPR/LPD, but not using PJL or SNMP, then consider configuring a *LAN 3812 DEVD that uses the LPR Print Driver (TSPLPRD) utility instead.
Notes:
| o | Setup is documented in the section title Job accounting in the IBM i Systems Management Work Management publication. |
| o | The system attempts to record the actual number of pages, lines, and bytes printed, but cannot guarantee that it will be able to determine the exact number of pages, lines, and bytes are printed. For more information on this, refer to the section titled Printer file accounting in the IBM i Systems Management Work Management publication. |
For More Information (Reference)
For more information on setting up auditing, please refer to the IBM i Systems Management Work Management publication, which is available at the following URLs:
For more information on job accounting, please refer to the Converting job accounting journal entries topic in the IBM Infomation Center:
[{"Type":"MASTER","Line of Business":{"code":"LOB57","label":"Power"},"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SWG60","label":"IBM i"},"Platform":[{"code":"PF012","label":"IBM i"}],"Version":"7.1.0"}]
Historical Number
8000840
Was this topic helpful?
Document Information
Modified date:
18 December 2019
UID
nas8N1010255