Managing the audit journal and journal receivers

The system protects the security audit journal (QSYS/QAUDJRN) and lets you choose how its journal receivers are changed, saved, and deleted. This topic describes those mechanisms so that security auditing continues without interruption and without exhausting disk space.

The auditing journal QSYS/QAUDJRN is intended solely for security auditing. Objects should not be journaled to the audit journal. Commitment control should not use the audit journal. User entries should not be sent to this journal using the Send Journal Entry (SNDJRNE) command or the Send Journal Entry (QJOSJRNE) API.

The system uses special locking protection to make sure that it can write audit entries to the audit journal. When auditing is active (the QAUDCTL system value is not *NONE), the system arbitrator job (QSYSARB) holds a lock on the QSYS/QAUDJRN journal. You cannot perform certain operations on the audit journal when auditing is active, such as:
  • DLTJRN command
  • Moving the journal
  • Restoring the journal
  • WRKJRN command

The information recorded in the security journal entries is described in Layout of audit journal entries. All security entries in the audit journal have a journal code of T. In addition to security entries, system entries also appear in the journal QAUDJRN. These are entries with a journal code of J, which relate to initial program load (IPL) and general operations performed on journal receivers (for example, saving the receiver).

If the journal or its current receiver is damaged so that audit entries cannot be journaled, the QAUDENDACN system value determines what the system does: *NOTIFY keeps the system running and notifies the operator, while *PWRDWNSYS powers the system down so that no unaudited activity can occur. Recovery from a damaged journal or journal receiver is the same as for other journals.

You might want to have the system manage the changing of journal receivers. Specify MNGRCV(*SYSTEM) when you create the QAUDJRN journal, or change the journal to that value. If you specify MNGRCV(*SYSTEM), the system automatically detaches the receiver when it reaches its threshold size and creates and attaches a new journal receiver. This is called system change-journal management.
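The setup described above, as an added CL example that is not from the original page. The receiver name AUDRCV0001, the 100000 KB threshold, and the AUDMSG message queue are assumptions; QAUDJRN, MNGRCV, DLTRCV, and MSGQ are the real command parameters.

```cl
/* Added example (not from the original page): create the audit journal   */
/* receiver and the QAUDJRN journal with system change-journal management. */
/* AUDRCV0001, the threshold and the AUDMSG queue are assumptions.         */

/* Receiver in QSYS, threshold in KB, no public access to audit data.      */
CRTJRNRCV JRNRCV(QSYS/AUDRCV0001) THRESHOLD(100000) +
          AUT(*EXCLUDE) TEXT('Audit journal receiver')

/* Dedicated queue so threshold/change-journal messages are not lost in    */
/* QSYSOPR traffic.                                                        */
CRTMSGQ   MSGQ(QSYS/AUDMSG) TEXT('QAUDJRN threshold messages')

/* Let the system detach/attach receivers at the threshold, but never let  */
/* it delete them (DLTRCV(*NO)): a receiver must be saved before deletion. */
CRTJRN    JRN(QSYS/QAUDJRN) JRNRCV(QSYS/AUDRCV0001) +
          MNGRCV(*SYSTEM) DLTRCV(*NO) MSGQ(QSYS/AUDMSG) +
          AUT(*EXCLUDE) TEXT('Audit journal')

/* If QAUDJRN already exists, change it to system management instead.      */
/* CHGJRN is permitted while auditing is active; DLTJRN and WRKJRN are not. */
CHGJRN    JRN(QSYS/QAUDJRN) MNGRCV(*SYSTEM) DLTRCV(*NO) MSGQ(QSYS/AUDMSG)
```

With DLTRCV(*NO) the detached receivers accumulate in QSYS until you save and delete them, which is what the message CPF7020 on AUDMSG tells you to do.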

If you specify MNGRCV(*USER) for QAUDJRN, the system sends a message to the journal's threshold message queue when the attached receiver reaches its storage threshold. Use the CHGJRN command promptly to detach that receiver and attach a new one; changing the receiver before it fills prevents "Entry not journaled" error conditions. Once you have received the threshold message, you must run CHGJRN for security auditing to continue.

The default message queue for a journal is QSYSOPR. If your installation has a large volume of messages in the QSYSOPR message queue, you can associate a different message queue, such as AUDMSG, with the QAUDJRN journal. You can use a message handling program to monitor the AUDMSG message queue. When a journal threshold warning (CPF7099) arrives, the program can automatically attach a new receiver. If you use system change-journal management, message CPF7020 is sent to the journal message queue each time the system completes a change of receiver. You can monitor for this message so that you know when to save the detached journal receivers.

Attention: The automatic cleanup function that is provided when using Operational Assistant menus does not clean up the QAUDJRN receivers. To avoid problems with disk space, regularly detach, save, and delete QAUDJRN receivers.
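The following CL program ties together the threshold-message handling described above and the detach, save, delete routine the Attention note calls for. It is an added example, not code from the original page. It assumes QAUDJRN was changed to MNGRCV(*USER) with MSGQ(QSYS/AUDMSG), that receivers are named AUDRCVnnnn, that a library AUDSAVL exists to hold one save file per receiver, and that the program runs as a never-ending batch job that is stopped with ENDJOB; the program name AUDRCVMGT and those objects are hypothetical.

```cl
/* AUDRCVMGT: added example (not from the original page).                  */
/* User-managed receiver rotation for QSYS/QAUDJRN: wait for CPF7099,      */
/* attach a new receiver, then save and delete the detached one.           */
/* Assumptions: QAUDJRN has MNGRCV(*USER) MSGQ(QSYS/AUDMSG); receivers are  */
/* named AUDRCVnnnn; library AUDSAVL exists for the save files; the job is */
/* ended with ENDJOB. &CURRCV is the receiver attached when the job starts. */
PGM        PARM(&CURRCV)
  DCL      VAR(&CURRCV) TYPE(*CHAR) LEN(10)   /* receiver attached right now */
  DCL      VAR(&NEWRCV) TYPE(*CHAR) LEN(10)
  DCL      VAR(&SEQ)    TYPE(*DEC)  LEN(4 0)
  DCL      VAR(&SEQC)   TYPE(*CHAR) LEN(4)
  DCL      VAR(&MSGID)  TYPE(*CHAR) LEN(7)

  /* Exactly one job may service AUDMSG; a second copy ends with an escape. */
  ALCOBJ   OBJ((QSYS/AUDMSG *MSGQ *EXCL)) WAIT(0)
  MONMSG   MSGID(CPF1002) EXEC(SNDPGMMSG MSGID(CPF9898) MSGF(QCPFMSG) +
             MSGDTA('AUDMSG is already allocated by another job') +
             MSGTYPE(*ESCAPE))

  /* Block until a message arrives; only CPF7099 (threshold reached) acts. */
LOOP:      RCVMSG MSGQ(QSYS/AUDMSG) WAIT(*MAX) RMV(*YES) MSGID(&MSGID)
  IF       COND(&MSGID *NE 'CPF7099') THEN(GOTO CMDLBL(LOOP))

  /* Next name in the AUDRCVnnnn sequence, wrapping at 9999.               */
  CHGVAR   VAR(&SEQ) VALUE(%SST(&CURRCV 7 4))
  CHGVAR   VAR(&SEQ) VALUE(&SEQ + 1)
  IF       COND(&SEQ *GT 9999) THEN(CHGVAR VAR(&SEQ) VALUE(1))
  CHGVAR   VAR(&SEQC) VALUE(&SEQ)               /* zero padded, e.g. '0002' */
  CHGVAR   VAR(&NEWRCV) VALUE('AUDRCV' *CAT &SEQC)

  /* Create the new receiver and swap it in. If CHGJRN fails, the old       */
  /* receiver stays attached (auditing continues) and the operator is told. */
  CRTJRNRCV JRNRCV(QSYS/&NEWRCV) THRESHOLD(100000) AUT(*EXCLUDE) +
             TEXT('Audit journal receiver')
  CHGJRN   JRN(QSYS/QAUDJRN) JRNRCV(QSYS/&NEWRCV)
  MONMSG   MSGID(CPF0000) EXEC(DO)
     SNDMSG  MSG('CHGJRN QAUDJRN to' *BCAT &NEWRCV *BCAT 'failed') +
               TOUSR(*SYSOPR)
     GOTO    CMDLBL(LOOP)
  ENDDO

  /* Save the detached receiver to its own save file, then delete it.       */
  /* The delete is skipped when the save fails, so audit data is never      */
  /* discarded unsaved.                                                     */
  CRTSAVF  FILE(AUDSAVL/&CURRCV)
  MONMSG   MSGID(CPF0000)                       /* save file already exists */
  SAVOBJ   OBJ(&CURRCV) LIB(QSYS) OBJTYPE(*JRNRCV) DEV(*SAVF) +
             SAVF(AUDSAVL/&CURRCV) CLEAR(*ALL)
  MONMSG   MSGID(CPF0000) EXEC(DO)
     SNDMSG  MSG('Save of audit receiver' *BCAT &CURRCV *BCAT +
               'failed, receiver not deleted') TOUSR(*SYSOPR)
     CHGVAR  VAR(&CURRCV) VALUE(&NEWRCV)
     GOTO    CMDLBL(LOOP)
  ENDDO
  DLTJRNRCV JRNRCV(QSYS/&CURRCV)
  MONMSG   MSGID(CPF0000) EXEC(SNDMSG MSG('Delete of audit receiver' +
             *BCAT &CURRCV *BCAT 'failed') TOUSR(*SYSOPR))

  CHGVAR   VAR(&CURRCV) VALUE(&NEWRCV)
  GOTO     CMDLBL(LOOP)
ENDPGM
```

Because the program generates receiver names itself rather than parsing message data, it always knows which receiver it just detached; if someone runs CHGJRN JRNRCV(*GEN) by hand while this job is running, restart the job with the currently attached receiver name as its parameter.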

See the Journal management topic for complete information about managing journals and journal receivers.

The QAUDJRN journal is created during an IPL if it does not exist and the QAUDCTL system value is set to a value other than *NONE. Normally the journal already exists, so this automatic creation happens only after an unusual situation, such as replacing a disk device or clearing an auxiliary storage pool.