Restore History Logs and Audit Journal from tape backup
1. How do you restore History logs and audit journals from tape full system backup (e.g. rstobj qsys/qhst* and rstobj qsys/quadjrn)?
2. Can this be stored in a temporary library without effects on the system?
3. How do you read the logs (history and audjrn)?
Thanks!
Software/Hardware used:
2. Can this be stored in a temporary library without effects on the system?
3. How do you read the logs (history and audjrn)?
Thanks!
Software/Hardware used:
ASKED:
April 8, 2010 11:17 PM
UPDATED:
April 12, 2010 4:48 PM
Answer Wiki:
The QHST* files shouldn't be much of a problem since they are named in relation to the Julian date and include a sequencing character. They can be restored to QSYS or to any user library. Viewing them, however, may be tricky if they're not restored to QSYS. The DSPLOG command isn't going to know anything about them unless they're in QSYS.
As for QAUDJRN, it's almost certain that you don't want to restore the <i>journal.</i> Most likely you actually want to restore a particular range of <i>journal receivers</i>. These can be restored to any library, but it's also best to restore them to the library you normally create them in. In order to access them, use the DSPJRN RCVRNG() parameter to list explicitly the first and last receiver that you will be searching.
You should restore receivers so that there are no gaps between the first receiver you list and the last one you list. You can have gaps between different groups that you restore and between any group that you restore and receivers that are live in the current receiver chain. You just don't want to mess with trying to search across a group that has a receiver missing in the middle of your range.
Tom
To see all answers submitted to the Answer Wiki: View Answer History.
Need to search logs on a specific date for access and changes on a specific library
I wouldn’t expect the QHST* files to have anything useful that is directly related to accessing or changing any common objects. They might be helpful in guiding review of what user profiles were associated with which jobs during a time span.
Your QAUDJRN receivers should be the authoritative source, assuming object access/change auditing is enabled. For database data changes, the database journals would be more specific.
For any journal, the DSPJRN command provides review of journal entries. Parameters provided to the command would vary depending on whether it was an audit or a database journal and on what particular kinds of activities would be sought.
Tom
Thank you Tom. This is very helpful.