journal entry’s entry specific data

Tags:
Backup and Recovery
i5
IBM iSeries
OS/400
PC/Windows Connectivity
Security
tips and tricks
Tools
Hi, I am trying to extract fields from security audit events. The problem comes when dealing with the entry specific data field. This field contains a lot of info which varies according to the entry type. Is there any API which returns information present in the entry specific data portion in a convenient format? Any suggestions or pointers would be very helpful. Regards, P.Prasad

Answer Wiki

The DSPAUDJRNE command can be used to print or display a query listing of a specific journal code or a list of codes from the audit journal. This might be what you need.

If you need to put this data in PF with formatted fields, it should be easy to print a listing, dump it to a PF using CPYSPLF and map fields into a formatted file based on the journal entry type selected.

=====================================================

"Is there any API which returns information present in the entry specific data portion in a convenient format?"

No. Every entry type is different. It would take a different API for each format or a single API that returned a different format for each type which would be the situation that you have without an API now.

Tom

=====================================================

Each time you run the following command with a different code it creates a temporary file, whether you display it or print it.

DSPAUDJRNE ENTTYP(CP) JRNRCV(*CURCHAIN) OUTPUT(*)

You can run a Query against this file or Copy it to a Permanent PF. Once you Log Off it is gone.

RUNQRY QRY(*NONE) QRYFILE((QTEMP/QASYCPJ4)) OUTTYPE(*DISPLAY) RCDSLT(*YES)

(CP is for Profile Change.)

CPYF FROMFILE(QTEMP/QASYCPJ4) TOFILE(SAVAUDIT/CP110209) MBROPT(*REPLACE) CRTFILE(*YES)

(File name suffix is MMDDYY.)

Regards,
Jeff

=====================================================
Jeff,

Nice tip !

Thanks,
Bill

Discuss This Question: 4 Replies

  • Pprasad123
    I want to do this from within the exit program which is registered using the RCVJRNE command. I get the entries currently in RJNE0200 format and have no problem with the fixed part of the entry. The only problem is with the variable length field, particularly "entry specific data". Currently I can get to the entry specific data portion of the entry and decode the data according to the entry type, but this becomes very cumbersome. There are around 80 entry types within journal code T and each entry type has a different layout for the entry specific data. I am looking out for some API which, when given a pointer to the entry specific data and also the journal entry type, would itself decode the data present in the entry specific data and return the fields as, say, name/value pairs. I know this is a bit too much to ask, but to code the layout for around 80 entry types would be too time-consuming and boring, so I am looking out for the remote possibility of such an API existing. If it's not there, then the only way is to take the layouts for each entry type's entry specific data, create a corresponding structure (in C) for all the 80 entry types, and cast the pointer to the appropriate structure type. P.Prasad
  • TomLiotta
    The formats are generally available as "model files" supplied by IBM with every AS/400. Enter this command to see examples on your system: ==> wrkf QASY* Help text for the DSPJRN parameters OUTPUT(), OUTFILFMT() and OUTFILE() provides some introduction, though not specifically for individual entry types in the audit journal. All of the entry types, file names and format names are documented in the Security Reference manual. Note that file formats for the audit journal can, and often do, change from one OS/400 release to the next. Tom
  • pdraebel
    There is also the CPYAUDJRNE. This command creates separate output files depending on the Journal code.
  • TomLiotta
    "There is also the CPYAUDJRNE." Neither CPYAUDJRNE nor DSPAUDJRNE help with the problem. They cannot be used with RCVJRNE nor with the RTVJRNE command or the Retrieve Journal Entries (QjoRetrieveJournalEntries) API. Journal entries would be received with RCVJRNE to provide near real-time processing of journal entries. The formats must be decoded by the receiving program. The model files may be used as a basis for declaring data structures and saving some time in defining each field. But output to files is always historical rather than as events are logged. Tom
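The decoding approach P.Prasad describes (one C structure per entry type, cast the pointer to the entry specific data) and Tom's point that an RCVJRNE exit program has to decode the formats itself, shown as an added example; this is not code from this thread or from IBM. The CP and PW layouts, their field names and the return codes are hypothetical placeholders chosen to show the dispatch, not the QASY* model-file formats, which must be taken from the Security Reference for the release in use. The sample entries are constructed in ASCII so the program runs off the system; on IBM i the bytes would be in the job CCSID (EBCDIC).

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* One decoded field: a name and its blank-trimmed, NUL-terminated value. */
typedef struct {
    const char *name;
    char value[32];
} field_t;

#define MAX_FIELDS 8

typedef struct {
    int count;
    field_t f[MAX_FIELDS];
} decoded_t;

/* Append a fixed-width, blank-padded field to the result, trimming trailing blanks. */
static void add_field(decoded_t *out, const char *name, const char *src, size_t width)
{
    if (out->count >= MAX_FIELDS)
        return;
    field_t *fld = &out->f[out->count++];
    fld->name = name;
    if (width >= sizeof fld->value)
        width = sizeof fld->value - 1;
    while (width > 0 && src[width - 1] == ' ')
        width--;
    memcpy(fld->value, src, width);
    fld->value[width] = '\0';
}

/* Look up a decoded value by name; NULL if the field was not produced. */
const char *decoded_value(const decoded_t *d, const char *name)
{
    for (int i = 0; i < d->count; i++)
        if (strcmp(d->f[i].name, name) == 0)
            return d->f[i].value;
    return NULL;
}

/* HYPOTHETICAL layouts for the entry specific data of two entry types.
 * Placeholders only, not the QASY* model-file formats. Only char arrays
 * are used, so the structs have no padding and can overlay the bytes. */
typedef struct {
    char action[1];        /* placeholder field */
    char user_profile[10]; /* placeholder field */
} cp_layout_t;

typedef struct {
    char violation_type[1]; /* placeholder field */
    char user_name[10];     /* placeholder field */
    char device_name[10];   /* placeholder field */
} pw_layout_t;

typedef int (*decoder_fn)(const char *esd, size_t len, decoded_t *out);

/* Each decoder checks the length first: data shorter than its layout is
 * reported as truncated instead of being read past the end of the buffer. */
static int decode_cp(const char *esd, size_t len, decoded_t *out)
{
    if (len < sizeof(cp_layout_t))
        return -1;
    const cp_layout_t *p = (const cp_layout_t *)esd;
    add_field(out, "action", p->action, sizeof p->action);
    add_field(out, "user_profile", p->user_profile, sizeof p->user_profile);
    return 0;
}

static int decode_pw(const char *esd, size_t len, decoded_t *out)
{
    if (len < sizeof(pw_layout_t))
        return -1;
    const pw_layout_t *p = (const pw_layout_t *)esd;
    add_field(out, "violation_type", p->violation_type, sizeof p->violation_type);
    add_field(out, "user_name", p->user_name, sizeof p->user_name);
    add_field(out, "device_name", p->device_name, sizeof p->device_name);
    return 0;
}

/* Dispatch table: two-character entry type -> decoder. Supporting another
 * entry type means one more layout struct, one decoder and one row here. */
static const struct { char code[3]; decoder_fn fn; } decoders[] = {
    { "CP", decode_cp },
    { "PW", decode_pw },
};

/* Decode the entry specific data of one journal entry given its type.
 * Returns 0 when decoded, 1 when the type is unknown (bytes kept as "raw"
 * so the event is not silently dropped), -1 when the data is truncated. */
int decode_entry_specific_data(const char type[2], const char *esd, size_t len, decoded_t *out)
{
    out->count = 0;
    for (size_t i = 0; i < sizeof decoders / sizeof decoders[0]; i++)
        if (memcmp(decoders[i].code, type, 2) == 0)
            return decoders[i].fn(esd, len, out);
    add_field(out, "raw", esd, len);
    return 1;
}

/* Constructed sample entries (ASCII so this runs off the system). */
static const char SAMPLE_CP[] = "AJSMITH    ";            /* 1 + 10 bytes */
static const char SAMPLE_PW[] = "PSOMEUSER  DSP01     ";  /* 1 + 10 + 10 bytes */

int main(void)
{
    decoded_t d;
    int rc = decode_entry_specific_data("CP", SAMPLE_CP, sizeof SAMPLE_CP - 1, &d);
    printf("CP rc=%d\n", rc);
    for (int i = 0; i < d.count; i++)
        printf("  %s=%s\n", d.f[i].name, d.f[i].value);
    rc = decode_entry_specific_data("CP", SAMPLE_CP, 5, &d); /* truncated entry */
    printf("truncated CP rc=%d fields=%d\n", rc, d.count);
    return 0;
}
```

In a real exit program the type comes from the fixed RJNE0200 header and the pointer and length from the same entry, and a truncated entry or an unknown type is worth logging rather than ignoring, since either can mean the layouts were taken from a different release than the one producing the journal.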
