Auditing an AS/400 Server
Hi Gilly400: please, is there any way to know who viewed or accessed my spoolfile?

ASKED: November 13, 2009  5:54 AM
UPDATED: November 22, 2009  4:15 PM

Answer Wiki:
Assuming you're auditing against *SPLFDTA, then T/SF entries should be written to QAUDJRN when spooled files are accessed. Review the <help> for system value QAUDLVL to see what *SPLFDTA audits. (And to see what other options audit.) Of course, if auditing isn't activated, then your system isn't keeping track because its instructions tell it not to keep track. (That's the default behavior.) Tom
Last Wiki Answer Submitted:  November 13, 2009  9:38 pm  by  TomLiotta   108,055 pts.


Discuss This Question:


 

Thanks Tom:

I understand what you explained, so can you tell me the way that I can view QAUDJRN contents or write it in a file or spool? Please tell me the CL commands which can do that... but my user is PGM.

 35 pts.

 

@Happydayforus2000:

The DSPJRN command is your most likely tool.

First, it can be used to view T/SF audit entries. As for what parameters to give it, I can only make some basic suggestions. I have no info on how many entries are generated on your system over any period of time, no info on how your QAUDJRN receivers are defined or managed, and no info on the date/time of the events you might be interested in.

A possible example:

DSPJRN JRN(QAUDJRN) +
       RCVRNG(*CURCHAIN) +
       FROMTIME(110109 1330) +
       JRNCDE((T)) +
       ENTTYP(SF)

That should list the T/SF entries that are in the current chain of receivers if the entries were created from 13:30 on 11/01/2009 until now. You can also specify an ending date/time if you can pin down the time range better.

Second, DSPJRN can populate a database file that can be queried:

CRTDUPOBJ OBJ(QASYSFJ5) +
          FROMLIB(QSYS) +
          OBJTYPE(*FILE) +
          TOLIB(QTEMP) +
          NEWOBJ(TSF) +
          DATA(*NO)
DSPJRN JRN(QAUDJRN) +
       RCVRNG(*CURCHAIN) +
       FROMTIME(111309 1030) +
       JRNCDE((T)) +
       ENTTYP(SF) +
       OUTPUT(*OUTFILE) +
       OUTFILFMT(*TYPE5) +
       OUTFILE(QTEMP/TSF)

The CRTDUPOBJ duplicates a system-supplied “model file” into your QTEMP library. The DSPJRN command displays the entries from 10:30 on 11/13/2009 and later into the file that you created. The model file has the sub-field definitions that would allow you to run a meaningful query against data you extract. (Do NOT try putting data into the model file. Duplicate it and use the copy.)

That’s most of what I can help with in this case. My employer provides auditing software products for System i. You need to know that in order to keep your eyes open about anything I say and to understand why I can only go so far in giving away stuff that my boss prefers to sell. (Direct technical questions are fine.)

Good luck.

Tom

 108,055 pts.

 

Thank You sooooo much Tom

 35 pts.