Display Audit Journal Entries (DSPAUDJRNE)
| Where allowed to run: All environments (*ALL) Threadsafe: No |
Parameters Examples Error messages |
The Display Audit Journal Entries (DSPAUDJRNE) command allows you to generate security journal audit reports. The reports are based on the audit entry types and the user profile specified on the command. Reports can be limited to specific time frames and detached journal receivers can be searched. The reports are directed to the active display or a spooled file.
The audit entries for which you can run reports is a subset of the audit entries that may be generated. For information on all of the possible audit entries, see Chapter 9 of the System i Security Reference, SC41-5302.
Restriction: You must have audit (*AUDIT) special authority to run this command.
| Top |
Parameters
| Keyword | Description | Choices | Notes |
|---|---|---|---|
| ENTTYP | Journal entry types | Values (up to 30 repetitions): AF, CA, CD, CO, CP, CU, CV, DO, EV, GR, IP, JS, ND, NE, OM, OR, OW, PA, PG, PO, PS, PW, SF, SO, SV, VO, YC, YR, ZC, ZR | Optional, Positional 1 |
| USRPRF | User profile | Name, *ALL | Optional, Positional 2 |
| JRNRCV | Journal receiver searched | Single values: *CURRENT, *CURCHAIN Other values: Element list |
Optional |
| Element 1: Starting journal receiver | Qualified object name | ||
| Qualifier 1: Starting journal receiver | Name | ||
| Qualifier 2: Library | Name, *LIBL, *CURLIB | ||
| Element 2: Ending journal receiver |
Single values: *CURRENT Other values: Qualified object name |
||
| Qualifier 1: Ending journal receiver | Name | ||
| Qualifier 2: Library | Name, *LIBL, *CURLIB | ||
| FROMTIME | Starting date and time | Single values: *FIRST Other values: Element list |
Optional |
| Element 1: Starting date | Date | ||
| Element 2: Starting time | Time | ||
| TOTIME | Ending date and time | Single values: *LAST Other values: Element list |
Optional |
| Element 1: Ending date | Date | ||
| Element 2: Ending time | Time | ||
| OUTPUT | Output | *PRINT, * | Optional |
| Top |
Journal entry types (ENTTYP)
The journal entry types to be included in the report.
You can specify 30 values for this parameter.
- AF
- Authorization failure entries.
- CA
- Change authority entries.
- CD
- Command string entries.
- CO
- Create object entries.
- CP
- Change user profile entries.
- CU
- Cluster management operations.
- CV
- Connection verification.
- DO
- Delete object entries.
- EV
- Environment variable operations.
- GR
- Generic record.
- IP
- Interprocess communication
- JS
- Actions against jobs entries.
- ND
- Directory search filter violations.
- NE
- End point filter violations.
- OM
- Object move or rename.
- OR
- Object restored entries.
- OW
- Object ownership changed entries.
- PG
- Change of an object's primary group.
- PO
- Printed output entries.
- PS
- Profile swap.
- PW
- Invalid password entries.
- SF
- Action on spooled files entries.
- SO
- Server security user information actions.
- SV
- System values changed entries.
- VO
- Validation list actions.
- YC
- DLO object changed entries.
- YR
- DLO object read entries.
- ZC
- Object changed entries.
- ZR
- Object read entries.
| Top |
User profile (USRPRF)
Journal entries created for a user profile's actions are included in the report.
- *ALL
- The report will include entries for all user profiles.
- name
- Specify the name of the user profile whose journal entries are to be included in the report.
| Top |
Journal receiver searched (JRNRCV)
The name of the starting (first) and ending (last) journal receivers whose journal entries are searched.
Note: If the maximum number of receivers (256) in the range is surpassed, an error occurs and no journal entries are converted.
Single values
- *CURRENT
- Journal entries in the currently attached journal receiver are searched.
- *CURCHAIN
- Journal entries in the currently attached journal receiver chain are searched. If there is a break in the chain, the receiver range is from the most recent break in the chain through the receiver that is attached when starting to convert journal entries.
Element 1: Starting journal receiver
Qualifier 1: Starting journal receiver
- name
- The name of the first journal receiver from which entries are searched.
Qualifier 2: Library
- *LIBL
- The library list is used to locate the journal receiver.
- *CURLIB
- The current library for the job is used to locate the journal receiver. If no library is specified as the current library for the job, QGPL is used.
- name
- Specify the name of the library where the journal receiver is located.
Element 2: Ending journal receiver
Single values
- *CURRENT
- The journal receiver that is currently attached is used as the ending journal receiver.
Qualifier 1: Ending journal receiver
- name
- Specify the name of the last journal receiver from which entries are searched.
Qualifier 2: Library
- *LIBL
- The library list is used to locate the journal receiver.
- *CURLIB
- The current library for the job is used to locate the journal receiver. If no library is specified as the current library for the job, QGPL is used.
- name
- Specify the name of the library where the journal receiver is located.
| Top |
Starting date and time (FROMTIME)
The date and time of the first journal entry to be searched.
Single values
- *FIRST
- Specifies that the search is to begin with the first record in the journal receiver.
Element 1: Starting date
- date
- The starting date. The starting date and time of the first journal entry occurring at or after the specified starting date and time becomes the starting point for the range of entries to be searched.
Element 2: Starting time
- time
- The starting time. The starting date and time of the first journal entry occurring at or after the specified starting date and time becomes the starting point for the range of entries to be searched.
The time can be specified with or without a time separator:
- Without a time separator, specify a string of 4 or 6 digits (hhmm or hhmmss) where hh = hours, mm = minutes, and ss = seconds.
- With a time separator, specify a string of 5 or 8 digits where the time separator specified for your job is used to separate the hours, minutes, and seconds. If you enter this command from the command line, the string must be enclosed in apostrophes. If a time separator other than the separator specified for your job is used, this command will fail.
| Top |
Ending date and time (TOTIME)
The creation date and time of the last journal entry to be searched.
Single values
- *LAST
- Specifies that the search is to end with the last record in the journal receiver.
Element 1: Ending date
- date
- The ending date. The ending date and time of the first journal entry occurring at or before the specified ending time on the specified ending date becomes the ending point for the range of entries to be searched.
Element 2: Ending time
- time
- The ending time. The ending date and time of the first journal entry occurring at or before the specified ending time on the specified ending date becomes the ending point for the range of entries to be searched.
The time can be specified with or without a time separator:
- Without a time separator, specify a string of 4 or 6 digits (hhmm or hhmmss) where hh = hours, mm = minutes, and ss = seconds.
- With a time separator, specify a string of 5 or 8 digits where the time separator specified for your job is used to separate the hours, minutes, and seconds. If you enter this command from the command line, the string must be enclosed in apostrophes. If a time separator other than the separator specified for your job is used, this command will fail.
| Top |
Output (OUTPUT)
Specifies whether the output from the command is displayed at the requesting work station or printed with the job's spooled output.
- The output is printed with the job's spooled output.
- *
- The output is shown (if requested by an interactive job) or printed with the job's spooled output (if requested by a batch job).
| Top |
Examples
DSPAUDJRNE ENTTYP(AF) OUTPUT(*)
This command displays all 'Authority Failure' audit records in the current journal receiver.
| Top |
| Top |