Hi,
I am trying to extract fields from security audit events. The problem comes when dealing with the entry specific data field. This field contains a lot of info which varies according to the entry type. Is there any API which returns information present in the entry specific data portion in a convenient format? Any suggestions or pointers would be very helpful.
Regards,
P.Prasad
ASKED:
August 4, 2005 11:15 AM
UPDATED:
October 31, 2010 11:12 AM
I want to do this from within the exit program which is registered using the RCVJRNE command. I get the entries currently in RJNE0200 format and have no problem with the fixed part of the entry. The only problem is with the variable length field, particularly “entry specific data”. Currently I can get to the entry specific data portion of the entry and decode the data according to the entry type, but this becomes very cumbersome. There are around 80 entry types within journal code T and each entry type has a different layout for the entry specific data. I am looking out for some API which, when given a pointer to the entry specific data and also the journal entry type, would itself decode the data present in the entry specific data and return the fields as, say, name/value pairs. I know this is a bit too much to ask, but to code the layout for around 80 entry types would be too time-consuming and boring, so I am looking out for the remote possibility of such an API existing. If it’s not there, then the only way is to take the layouts for each entry type’s entry specific data, create a corresponding structure (in C) for all the 80 entry types, and cast the pointer to the appropriate structure type.
P.Prasad
The formats are generally available as “model files” supplied by IBM with every AS/400. Enter this command to see examples on your system:
==> wrkf QASY*
Help text for DSPJRN parameters OUTPUT(), OUTFILFMT() and OUTFILE() provides some introduction though not specifically for individual entry types in the audit journal.
All of the entry types, file names and format names are documented in the Security Reference manual.
Note that file formats for the audit journal can, and often do, change from one OS/400 release to the next.
Tom
There is also the CPYAUDJRNE. This command creates separate output files depending on the journal code.
Neither CPYAUDJRNE nor DSPAUDJRNE help with the problem. They cannot be used with RCVJRNE nor with the RTVJRNE command or the Retrieve Journal Entries (QjoRetrieveJournalEntries) API.
Journal entries would be received with RCVJRNE to provide near real-time processing of journal entries. The formats must be decoded by the receiving program. The model files may be used as a basis for declaring data structures and saving some time in defining each field. But output to files is always historical rather than as events are logged.
Tom
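Added example, not code from this thread or from IBM: a table-driven decoder of the kind P.Prasad describes, built the way Tom suggests (one field layout per journal code/entry type, taken from the model files). Given the journal code, the entry type and the bytes of the entry specific data that the RCVJRNE exit program already locates in the RJNE0200 entry, it returns name/value pairs. The two layouts in `LAYOUTS` and the entry types `X1` and `X2` are constructed placeholders, not the real IBM layouts; the real ones come from the QASY* model files and the Security Reference manual for the release in use, which is why the table is meant to be regenerated per OS release rather than hand-maintained.

```python
import codecs
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# One fixed-width field inside the entry specific data.
# kind: "char" = EBCDIC text, "zoned" = zoned decimal, "hex" = raw bytes.
@dataclass(frozen=True)
class Field:
    name: str
    offset: int
    length: int
    kind: str = "char"

# CONSTRUCTED placeholder layouts for this example only.  These are NOT
# IBM's layouts; generate this table from the QASY* model files for the
# OS/400 release you run, because the formats change between releases.
LAYOUTS: Dict[Tuple[str, str], List[Field]] = {
    ("T", "X1"): [
        Field("user", 0, 10),
        Field("device", 10, 10),
        Field("reason", 20, 1),
        Field("attempts", 21, 5, "zoned"),
    ],
    ("T", "X2"): [
        Field("object", 0, 10),
        Field("library", 10, 10),
        Field("flags", 20, 2, "hex"),
    ],
}


def decode_char(raw: bytes) -> str:
    # Audit journal data is EBCDIC (CCSID 37 here); strip the blank padding.
    return codecs.decode(raw, "cp037").rstrip()


def decode_zoned(raw: bytes) -> int:
    # Zoned decimal: one EBCDIC digit per byte, digit in the low nibble;
    # the high nibble of the last byte carries the sign (0xD = negative).
    if not raw:
        raise ValueError("empty zoned field")
    sign = -1 if (raw[-1] >> 4) == 0xD else 1
    return sign * int("".join(str(b & 0x0F) for b in raw))


def decode_hex(raw: bytes) -> str:
    return raw.hex()


DECODERS: Dict[str, Callable[[bytes], object]] = {
    "char": decode_char,
    "zoned": decode_zoned,
    "hex": decode_hex,
}


def decode_entry_specific_data(journal_code: str, entry_type: str,
                               esd: bytes) -> Dict[str, object]:
    """Return the entry specific data as name/value pairs.

    Unknown journal code/entry type combinations are not silently dropped:
    the raw bytes are returned under "_undecoded_hex" so the caller can log
    them and extend the layout table.
    """
    layout = LAYOUTS.get((journal_code, entry_type))
    if layout is None:
        return {"_undecoded_hex": esd.hex()}
    decoded: Dict[str, object] = {}
    for field in layout:
        raw = esd[field.offset:field.offset + field.length]
        if len(raw) != field.length:
            # A short entry means the layout does not match this release's
            # format; fail loudly rather than return truncated values.
            raise ValueError(
                f"{journal_code}/{entry_type}: field {field.name} runs past "
                f"the end of the entry specific data")
        decoded[field.name] = DECODERS[field.kind](raw)
    return decoded


def _ebcdic(text: str, width: int) -> bytes:
    # Helper to build constructed sample data: blank-padded EBCDIC text.
    return codecs.encode(text.ljust(width), "cp037")


# Constructed sample entry specific data for the placeholder type T/X1.
SAMPLE_X1 = (_ebcdic("QSECOFR", 10) + _ebcdic("DSP01", 10) + _ebcdic("P", 1)
             + bytes([0xF0, 0xF0, 0xF0, 0xF0, 0xF3]))  # zoned 00003

if __name__ == "__main__":
    print(decode_entry_specific_data("T", "X1", SAMPLE_X1))
    print(decode_entry_specific_data("T", "ZZ", b"\xF1\xF2"))
```

In the exit program the journal code, entry type and the entry specific data offset/length all come from the fixed portion of the RJNE0200 entry that the question says is already handled; this function only replaces the per-type casting step.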