Preventing loss of auditing information

Two system values control what the system does when error conditions might cause the loss of audit journal entries.

Audit force level

The QAUDFRCLVL system value determines how often the system writes audit journal entries from memory to auxiliary storage.

The QAUDFRCLVL system value works like the force level for database files. You should follow similar guidelines in determining the correct force level for your installation.

If you allow the system to determine when to write entries to auxiliary storage, the system balances the performance effect against the potential loss of information in a power outage. *SYS is the default choice.

If you set the force level to a low number, you minimize the possibility of losing audit records, but you might notice a negative performance effect. If your installation requires that no audit records be lost in a power failure, you must set the QAUDFRCLVL to 1.

Audit end action

The Auditing End Action (QAUDENDACN) system value determines what the system does if it is unable to write an entry to the audit journal.

The default value is *NOTIFY. The system performs the following tasks if it is unable to write audit journal entries and QAUDENDACN is *NOTIFY:

  1. The QAUDCTL system value is set to *NONE to prevent additional attempts to write entries.
  2. Message CPI2283 is sent to the QSYSOPR message queue and the QSYSMSG message queue (if it exists) every hour until auditing is successfully restarted.
  3. Normal processing continues.
  4. If an IPL is performed on the system, message CPI2284 is sent to the QSYSOPR and QSYSMSG message queues during the IPL.
Note: In most cases, performing an IPL resolves the problem that caused auditing to fail. After you have restarted your system, set the QAUDCTL system value to the correct value. The system attempts to write an audit journal record whenever this system value is changed.

You can set the QAUDENDACN to turn off your system if auditing fails (*PWRDWNSYS). Use this value only if your installation requires that auditing be active for the system to run. If the system is unable to write an audit journal entry and the QAUDENDACN system value is *PWRDWNSYS, the following events take place:

  1. The system shuts down immediately (the equivalent of issuing the PWRDWNSYS *IMMED command).
  2. SRC code B900 3D10 is displayed.

Next, you must do the following actions:

  1. Start an IPL from the system unit. Make sure that the device specified in the console (QCONSOLE) system value is powered on.
  2. To complete the IPL, sign on at the console using a user with *ALLOBJ and *AUDIT special authority.

    The system starts in a restricted state with a message indicating that an auditing error caused the system to stop.

  3. The QAUDCTL system value is set to *NONE.
  4. To restore the system to normal, set the QAUDCTL system value to a value other than *NONE. When you change the QAUDCTL system value, the system attempts to write an audit journal entry. If it is successful, the system returns to a normal state.

    If the system does not successfully return to a normal state, use the job log to determine why auditing has failed. Correct the problem and reset the QAUDCTL value.

Parent topic: Planning security auditing