Copy Audit Journal Entries (CPYAUDJRNE)

The Copy Audit Journal Entries (CPYAUDJRNE) command allows you to copy security audit records from the security auditing journal (QAUDJRN) into one or more outfiles. Each audit entry type selected is copied to a separate output file.

To view the audit journal entries copied to the output file, you can use the Run Query (RUNQRY) command to display the records with column headings. The combination of CPYAUDJRNE followed by RUNQRY provides function that is similar to the Display Audit Journal Entries (DSPAUDJRNE) command but with the advantages that:

For information on all of the possible audit entries, see Chapter 9 of the System i Security Reference, SC41-5302.

Restrictions:

  1. You must have *AUDIT special authority to use this command.
  2. You must have *EXECUTE and *ADD authority to the specified library to create a new output file in that library.
  3. You must have *OBJOPR, *OBJMGT, *ADD, and *DLT authority to add or update a member in an existing output file.

Parameters

Keyword   Description                   Choices                                        Notes
ENTTYP    Journal entry types           Single values: *ALL                            Optional, Positional 1
                                        Other values (up to 78 repetitions):
                                        AD, AF, AP, AU, AX, CA, CD, CO, CP, CQ, CU, CV, CY, DI, DO, DS, EV, GR, GS, IM, IP, IR, IS, JD, JS, KF, LD, ML, NA, ND, NE, OM, OR, OW, O1, O2, O3, PA, PF, PG, PO, PS, PU, PW, RA, RJ, RO, RP, RQ, RU, RZ, SD, SE, SF, SG, SK, SM, SO, ST, SV, VA, VC, VF, VL, VN, VO, VP, VR, VS, VU, VV, XD, X0, X1, YC, YR, ZC, ZR
OUTFILE   Output file prefix            Qualified object name                          Optional
            Qualifier 1: Output file prefix         Name, QAUDIT
            Qualifier 2: Library                    Name, QTEMP, *CURLIB
OUTMBR    Output member options         Element list                                   Optional
            Element 1: Member to receive output     Name, *FIRST
            Element 2: Replace or add records       *REPLACE, *ADD
USRPRF    User profile                  Name, *ALL                                     Optional
JRNRCV    Journal receiver searched     Single values: *CURRENT, *CURCHAIN             Optional
                                        Other values: Element list
            Element 1: Starting journal receiver    Qualified object name
              Qualifier 1: Starting journal receiver    Name
              Qualifier 2: Library                      Name, *LIBL, *CURLIB
            Element 2: Ending journal receiver      Single values: *CURRENT
                                                    Other values: Qualified object name
              Qualifier 1: Ending journal receiver      Name
              Qualifier 2: Library                      Name, *LIBL, *CURLIB
FROMTIME  Starting date and time        Single values: *FIRST                          Optional
                                        Other values: Element list
            Element 1: Starting date                Date
            Element 2: Starting time                Time
TOTIME    Ending date and time          Single values: *LAST                           Optional
                                        Other values: Element list
            Element 1: Ending date                  Date
            Element 2: Ending time                  Time

Journal entry types (ENTTYP)

Specifies the journal entry types to be copied to an output file.

Single value

*ALL
All audit record entry types are selected.

Entry types (up to 78 repetitions)

AD
Auditing changes.
AF
Authorization failure.
AP
Obtaining adopted authority.
AU
Attribute changes.
AX
Row and column access control.
CA
Change authority.
CD
Command string.
CO
Create object.
CP
Change user profile.
CQ
Change of *CRQD object.
CU
Cluster management operations.
CV
Connection verification.
CY
Cryptographic configuration.
DI
Directory services.
DO
Delete object.
DS
DST security password reset.
EV
Environment variable operations.
GR
Generic record.
GS
Socket descriptor was given to another job.
IM
Intrusion monitor.
IP
Interprocess communication.
IR
IP rules action.
IS
Internet security management.
JD
Change to a user parameter of a job description.
JS
Actions against jobs.
KF
Key ring file.
LD
Link, unlink, or lookup directory entry.
ML
Office services mail actions.
NA
Network attribute changed.
ND
Directory search filter violations.
NE
End point filter violations.
OM
Object move or rename.
OR
Object restored.
OW
Object ownership changed.
O1
(Optical access) single file or directory.
O2
(Optical access) dual file or directory.
O3
(Optical access) volume.
PA
Program changed to adopt authority.
PF
Program Temporary Fix (PTF) operations.
PG
Change of an object's primary group.
PO
Printed output entries.
PS
Profile swap.
PU
Changes to Program Temporary Fix (PTF) objects.
PW
Invalid password entries.
RA
Authority change during restore.
RJ
Restoring job description with user profile specified.
RO
Change of object owner during restore.
RP
Restoring adopted authority program.
RQ
Restoring a *CRQD object.
RU
Restoring user profile authority.
RZ
Changing a primary group during restore.
SD
Changes to system distribution directory.
SE
Subsystem routing entry changed.
SF
Action on spooled files entries.
SG
Asynchronous signals.
SK
Secure sockets connections.
SM
System management changes.
SO
Server security user information actions.
ST
Use of service tools.
SV
System values changed entries.
VA
Changing an access control list.
VC
Starting or ending a connection.
VF
Closing server files.
VL
Account limit exceeded.
VN
Logging on and off the network.
VO
Validation list actions.
VP
Network password error.
VR
Network resource access.
VS
Starting or ending a server session.
VU
Changing a network profile.
VV
Changing service status.
XD
Directory services extension.
X0
Network Authentication.
X1
Identity token.
YC
DLO object changed entries.
YR
DLO object read entries.
ZC
Object changed entries.
ZR
Object read entries.

Output file prefix (OUTFILE)

Specifies the prefix for each database file to which the output of the command is directed. If an output file does not exist, this command creates the file in the specified library. If an output file is created by this command, the public authority for the file is set to *EXCLUDE.

Qualifier 1: Output file prefix

QAUDIT
Each output database file name will begin with 'QAUDIT' with the audit entry type appended to form the complete file name. For example, QAUDITZR would be the file name if ENTTYP(ZR) was specified.
name prefix
Specify the first 1 to 8 characters of the name of each database file to which the audit entries will be copied. The audit entry type will be appended to the name prefix to form the complete database file name. For example, if FEB2004 is specified as the name prefix and ENTTYP(AF) is specified, the database file name used is FEB2004AF.

Qualifier 2: Library

QTEMP
The QTEMP library for the job is used to locate the file.
*CURLIB
The current library for the thread is used to locate the file. If no library is specified as the current library for the thread, the QGPL library is used.
name
Specify the name of the library to be searched.

Output member options (OUTMBR)

Specifies the name of the database file member that receives the output of the command.

Element 1: Member to receive output

*FIRST
The first member in the file receives the output. If OUTMBR(*FIRST) is specified and the file has no members, the system creates a member with the name of the file generated from the Output file prefix (OUTFILE) and Journal entry types (ENTTYP) parameters. If the member already exists, you have the option to add new records to the end of the existing member or clear the member and then add the new records.
name
Specify the name of the file member that receives the output. If it does not exist, the system creates it.

Element 2: Replace or add records

*REPLACE
The system clears the existing member and adds the new records.
*ADD
The system adds the new records to the end of the existing records.

User profile (USRPRF)

Specifies which user profile's journal entries are to be included in the output files.

*ALL
The output files will include entries for all user profiles.
name
Specify the name of the user profile whose journal entries are to be copied to the output files.

Journal receiver searched (JRNRCV)

Specifies the starting (first) and ending (last) journal receivers whose journal entries are searched.

Note: If the maximum number of receivers (256) in the range is surpassed, an error occurs and no journal entries are copied.

Single values

*CURRENT
Journal entries in the currently attached journal receiver are searched.
*CURCHAIN
Journal entries in the currently attached journal receiver chain are searched. If there is a break in the chain, the receiver range is from the most recent break in the chain through the receiver that is attached when the command starts to copy journal entries.

Element 1: Starting journal receiver

Qualifier 1: Starting journal receiver

name
Specify the name of the first journal receiver from which entries are searched.

Qualifier 2: Library

*LIBL
The library list is used to locate the journal receiver.
*CURLIB
The current library for the job is used to locate the journal receiver. If no library is specified as the current library for the job, QGPL is used.
name
Specify the name of the library where the journal receiver is located.

Element 2: Ending journal receiver

Single values

*CURRENT
The journal receiver that is currently attached is used as the ending journal receiver.

Qualifier 1: Ending journal receiver

name
Specify the name of the last journal receiver from which entries are searched.

Qualifier 2: Library

*LIBL
The library list is used to locate the journal receiver.
*CURLIB
The current library for the job is used to locate the journal receiver. If no library is specified as the current library for the job, QGPL is used.
name
Specify the name of the library where the journal receiver is located.

Starting date and time (FROMTIME)

Specifies the date and time of the first journal entry to be searched.

Single values

*FIRST
The search is to begin with the first record in the journal receiver.

Element 1: Starting date

date
Specify the starting date. The starting date and time of the first journal entry occurring at or after the specified starting date and time becomes the starting point for the range of entries to be searched.

Element 2: Starting time

time
Specify the starting time. The starting date and time of the first journal entry occurring at or after the specified starting date and time becomes the starting point for the range of entries to be searched.

The time can be specified with or without a time separator:

  • Without a time separator, specify a string of 4 or 6 digits (hhmm or hhmmss) where hh = hours, mm = minutes, and ss = seconds.
  • With a time separator, specify a string of 5 or 8 digits where the time separator specified for your job is used to separate the hours, minutes, and seconds. If you enter this command from the command line, the string must be enclosed in apostrophes. If a time separator other than the separator specified for your job is used, this command will fail.

Ending date and time (TOTIME)

Specifies the creation date and time of the last journal entry to be searched.

Single values

*LAST
The search is to end with the last record in the journal receiver.

Element 1: Ending date

date
Specify the ending date. The ending date and time of the last journal entry occurring at or before the specified ending time on the specified ending date becomes the ending point for the range of entries to be searched.

Element 2: Ending time

time
Specify the ending time. The ending date and time of the last journal entry occurring at or before the specified ending time on the specified ending date becomes the ending point for the range of entries to be searched.

The time can be specified with or without a time separator:

  • Without a time separator, specify a string of 4 or 6 digits (hhmm or hhmmss) where hh = hours, mm = minutes, and ss = seconds.
  • With a time separator, specify a string of 5 or 8 digits where the time separator specified for your job is used to separate the hours, minutes, and seconds. If you enter this command from the command line, the string must be enclosed in apostrophes. If a time separator other than the separator specified for your job is used, this command will fail.

Examples

Example 1: Copy Authority Failure (AF) Records

CPYAUDJRNE   ENTTYP(AF)

This command copies all 'Authority Failure' audit records in the current journal receiver and puts them in member QAUDITAF in database file QTEMP/QAUDITAF. Because JRNRCV defaults to *CURRENT, entries in earlier, detached receivers are not included unless JRNRCV(*CURCHAIN) or an explicit receiver range is specified. Because QTEMP is the job's temporary library, the file is discarded when the job ends; specify a permanent library on OUTFILE if the records must be kept.

The copied audit records can be displayed by a RUNQRY command, such as:

RUNQRY   QRY(*NONE) QRYFILE((QTEMP/QAUDITAF))

Example 2: Copy Two Entry Types

CPYAUDJRNE   ENTTYP(CO DO) OUTFILE(AUDITLIB/SYSTEM1)

This command copies all 'Create Object' and 'Delete Object' audit records in the current journal receiver and puts them in database files AUDITLIB/SYSTEM1CO and AUDITLIB/SYSTEM1DO respectively.

The copied audit records can be displayed by RUNQRY commands, such as:

RUNQRY   QRY(*NONE) QRYFILE((AUDITLIB/SYSTEM1CO))
         OUTTYPE(*DISPLAY) OUTFORM(*RUNOPT)

RUNQRY   QRY(*NONE) QRYFILE((AUDITLIB/SYSTEM1DO))
         OUTTYPE(*DISPLAY) OUTFORM(*RUNOPT)

Example 3: Copy All Entry Types

CPYAUDJRNE   ENTTYP(*ALL) OUTFILE(SAVEAUDIT/JUNE)
             OUTMBR(SMITHJ *REPLACE) USRPRF(SMITHJ)
             JRNRCV(*CURCHAIN)
             FROMTIME('06/01/2004' '00:00:00')
             TOTIME('07/01/2004' '00:00:00')

This command copies all audit entries for user profile SMITHJ to a set of database files in library SAVEAUDIT that have names like JUNExx where the xx is the audit record entry type. The search for audit records will be performed for all journal receivers in the current chain of journal receivers. Only audit records that were written between midnight on June 01, 2004 and midnight on July 01, 2004 will be copied.

Note: This command may run for a very long time. The entire chain of journal receivers will be searched repeatedly for each audit record entry type.
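The following CL program is an added example and is not part of the IBM reference. It puts the OUTFILE, OUTMBR, JRNRCV and FROMTIME/TOTIME rules described above to work for a recurring collection job: a fixed set of security-relevant entry types for one user and one reporting window is appended to permanent files so that successive runs build a history, and the CPF4AA4 escape message listed below is monitored so that a type with no records does not end the program. Everything not on this page is an assumption: the program name EXPAUD, the library AUDHIST (assumed to exist and to be restricted to security staff), the prefix SEC, the choice of entry types, and that the program is called with three character parameters, for example CALL AUDHIST/EXPAUD ('SMITHJ' '06/01/2004' '07/01/2004'), with dates in the job date format.

```cl
/* EXPAUD: added example, not from the IBM reference.                  */
/* Copies selected audit entry types for one user and one date window */
/* into permanent outfiles in library AUDHIST, appending on each run. */
/* Assumed names: EXPAUD, AUDHIST, prefix SEC, parameter layout below. */

             PGM        PARM(&USER &FROMDATE &TODATE)

             DCL        VAR(&USER)     TYPE(*CHAR) LEN(10)
             DCL        VAR(&FROMDATE) TYPE(*CHAR) LEN(10)  /* job date format */
             DCL        VAR(&TODATE)   TYPE(*CHAR) LEN(10)  /* job date format */

             /* Fail before any copying starts if the target library is  */
             /* missing; CPYAUDJRNE would otherwise end with CPF9810.    */
             CHKOBJ     OBJ(AUDHIST) OBJTYPE(*LIB)

             /* AF = authority failures, PW = invalid passwords,          */
             /* CP = user profile changes, PA = programs changed to       */
             /* adopt authority, PS = profile swaps, SV = system value    */
             /* changes. The outfiles are AUDHIST/SECAF, SECPW, SECCP,    */
             /* SECPA, SECPS and SECSV; when first created their public   */
             /* authority is *EXCLUDE. OUTMBR(*FIRST *ADD) appends to the */
             /* existing member instead of clearing it, and *CURCHAIN     */
             /* searches detached receivers as well as the attached one.  */
             CPYAUDJRNE ENTTYP(AF PW CP PA PS SV) +
                          OUTFILE(AUDHIST/SEC) +
                          OUTMBR(*FIRST *ADD) +
                          USRPRF(&USER) +
                          JRNRCV(*CURCHAIN) +
                          FROMTIME(&FROMDATE '00:00:00') +
                          TOTIME(&TODATE '00:00:00')

             /* CPF4AA4 is the escape message for "no records copied for */
             /* some ENTTYP values". For a single user in a short window  */
             /* that is expected, so continue rather than ending in error.*/
             MONMSG     MSGID(CPF4AA4)

             ENDPGM
```

The MONMSG must immediately follow the CPYAUDJRNE command it covers; any other escape message (for example CPFB304 for missing *AUDIT special authority or CPF9820 for a library the caller cannot use) is left unmonitored on purpose so the job log records the failure. As the note above warns, *CURCHAIN is searched once per entry type, so keep the ENTTYP list to the types actually needed.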

Error messages

*ESCAPE Messages

CPFB303
Cannot access data from QAUDJRN.
CPFB304
User does not have required special authorities.
CPFB30A
Record format name &2 does not match expected name &1.
CPF4AA4
No records copied for some ENTTYP values.
CPF9801
Object &2 in library &3 not found.
CPF9802
Not authorized to object &2 in &3.
CPF9810
Library &1 not found.
CPF9820
Not authorized to use library &1.