DSPAUDLOG2      DISPLAY AUDIT LOG 2      TAASECM
The DSPAUDLOG2 command is the old form of the AUDLOG tool.
DSPAUDLOG2 displays the contents of the security audit journal
(QAUDJRN). The output is always printed to a spooled file. The
default will use DSPSPLF to display the printed output. An option
can be used to select the level of detail to be presented.
The system no longer provides message IDs for new audit entries.
DSPAUDLOG2 will only perform correctly on audit entries that are
supported by a message ID. The new tool AUDLOG should be used
instead.
Typical uses of the command are:
    DSPAUDLOG2
All entries from the current audit journal receiver are
displayed. Only the first level text appears.
    DSPAUDLOG2 OUTTYP(*SECLVL) OUTPUT(*PRINT)
All entries from the current audit journal receiver are
printed. The second level text is shown.
    DSPAUDLOG2 OPTION(yyyy/xxxx) OUTPUT(*PRINT)
Entries that have been stored in the file specified for the
OPTION parameter are printed.
If the default OPTION(*CURRENT) is used, the file AUDITJRN will exist
in QTEMP. It can be specified in another DSPAUDLOG2 command to use
the information that has already been converted.
Journal entry codes of 'T' and 'U' are always selected. All entry
types are selected by default, but an option exists to select a type.
Entry type codes
----------------
The following describes the entry types that are sent during security
checking:
AD Auditing changes
AF Object authority failure
AP Obtaining adopted authority
CA Object authority change
CD Command string audit
CO New object created
CP User profile created or changed
CQ Change of *CRQD object
DO Object deleted
DS DST Security Officer password reset
FB Blocked instruction violation
FC Program validation value error during restore
FD Object domain violation
FJ SBMJOB and not authorized to user in JOBD
FP Profile handle specified on QWTSETP not valid
FR Read only storage violation
FS Signon requested using default user profile
GS Give descriptor
IP Interprocess communication
JD Create/change of a JOBD with a user profile
JS Actions that affect jobs
ML Office services mail actions
NA Network attribute changed
OM Move or rename an object
OR Restore of an object without ownership change
OW Object owner change
O1 (Optical access) Single file or directory
O2 (Optical access) Dual file or directory
O3 (Optical access) Volume
PA CHGPGM used to change to program adopt
PG Change of an object's primary group
PO Printed output
PS Target user profile changed during passthru or via QSYGETPH
PW Invalid password
RA Restore object and authority changed
RJ Restoring job description with user profile specified
RO Change of object owner during restore
RP Restore of a program that adopts authority
RQ Restoring a *CRQD object
RU Restoring user profile authority
RZ Changing a primary group during restore
SD Changes to system distribution directory
SE Routing entry changed in a subsystem
SF Actions to spooled files
SM System management changes
ST Use of service tools
SV System value changed
VA Changing an access control list
VC Starting or ending a connection
VF Closing server files
VL Account limit exceeded
VN Logging on and off the network
VP Network password error
VR Network resource access
VS Starting or ending a server session
VU Changing a network profile
VV Changing a service status
YC DLO object accessed (changed)
YR DLO object accessed (read)
ZC Object accessed (changed)
ZM SOM method access
ZR Object accessed (read)
User entries sent to QAUDJRN
----------------------------
A user entry may be sent to QAUDJRN using SNDJRNE. If a user entry
exists, the first 100 bytes of the entry are printed as if they were
the first level text. The entry is flagged with 'U-'. No second level
text will appear.
Command parameters *CMD
------------------
OPTION Selects the entries to be displayed.
*CURRENT - This option requests that all entries
from the current journal receiver be displayed. A
DSPJRN command will be used to retrieve the entries
from the current journal receiver.
filename - This option requests entries found in the
named file be presented. The file named should be
created using the following sample DSPJRN command.
    DSPJRN JRN(QAUDJRN) JRNCDE(T U) ENTDTALEN(357) +
           OUTPUT(*OUTFILE) OUTFILFMT(*TYPE2) +
           OUTFILE(mylib/myfile) +
           RCVRNG( ) ENTTYP( )
Use the file-name option when entries from other
than the current journal receiver are needed. The
RCVRNG keyword should be used to identify the
required journal receivers. Another use of the
filename option is when you want to use the existing
AUDITJRN file in QTEMP created by a previous use of
DSPAUDLOG2.
STRDATE The start date of the journal entries to be
converted. The default is *TODAY meaning today's
date. *FIRST may be specified which means the first
journal entry found. The date must be entered in
job format.
ENDDATE The end date of the journal entries to be converted.
The default is *LAST meaning all of the journal
entries in the journal. *TODAY may be specified to
mean today's date. The date must be entered in job
format and must be greater than the start date. If
a date is specified, it must be in the same century
as the STRDATE.
ENTTYP *ALL is the default to select all journal entry
types. A list of up to 10 types may be named. See
the previous section on the codes that are used. If
user entries have been written to the journal, the
entry type may also be specified.
OUTTYP *BASIC is the default and prints the first level
text. *SECLVL prints both the first and second
level text.
OUTPUT Selects where the output from the command is sent.
* - If interactive, display the information using
DSPSPLF. If in batch, the information is printed.
*PRINT - Print the information.
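The file-name form of OPTION described above, worked through as an added CL example (not part of the TAA tool or its documentation). The library AUDWORK and file AUDHIST are hypothetical and the library is assumed to exist; passing the file to OPTION as library/file is assumed from the OPTION(yyyy/xxxx) form shown earlier.

```cl
/* Added example. AUDWORK/AUDHIST is a hypothetical work file;       */
/* the library AUDWORK is assumed to exist already.                  */
PGM

  /* Step 1: convert audit entries from the whole receiver chain,    */
  /* not only the current receiver. Only journal code T is taken     */
  /* and only two failure types from the entry type list above:      */
  /*   AF = Object authority failure, PW = Invalid password.         */
  DSPJRN     JRN(QAUDJRN) RCVRNG(*CURCHAIN) JRNCDE(T) +
               ENTTYP(AF PW) ENTDTALEN(357) +
               OUTPUT(*OUTFILE) OUTFILFMT(*TYPE2) +
               OUTFILE(AUDWORK/AUDHIST)

  /* CPF7062 = no entries converted: nothing to report, so stop.     */
  MONMSG     MSGID(CPF7062) EXEC(DO)
    SNDPGMMSG  MSG('No AF or PW entries in the audit receiver chain')
    RETURN
  ENDDO

  /* Step 2: print the converted entries with second level text.     */
  /* STRDATE(*FIRST) is given explicitly because the documented      */
  /* default for STRDATE is *TODAY.                                  */
  DSPAUDLOG2 OPTION(AUDWORK/AUDHIST) STRDATE(*FIRST) +
               OUTTYP(*SECLVL) OUTPUT(*PRINT)

ENDPGM
```

The user running this needs the DSPJRN authorities listed under Restrictions for step 1 and *USE authority to the file and library for step 2.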
Restrictions
------------
To run DSPAUDLOG2 with OPTION(*CURRENT), the user must meet the
authorities required by the DSPJRN command. The user must have *USE
and *OBJEXIST authority to the journal QAUDJRN.
To run DSPAUDLOG2 with OPTION(file-name), the user must have *USE
authority to the file and library.
A user with *ALLOBJ authority may run the command without
restrictions.
Prerequisites
-------------
The following TAA Tools must be on your system:
EXTLST Extract list
RTVSYSVAL3 Retrieve system value 3
SNDCOMPMSG Send completion message
SNDESCMSG Send escape message
SNDSTSMSG Send status message
Implementation
--------------
None, the tool is ready to use.
Objects used by the tool
------------------------
Object       Type    Attribute   Src member   Src file
------       ----    ---------   ----------   ----------
DSPAUDLOG2   *CMD                TAASECM      QATTCMD
TAASECMC     *PGM    CL          TAASECMC     QATTCL
TAASECMC2    *PGM    CL          TAASECMC2    QATTCL
TAASECMR     *PGM    RPG         TAASECMR     QATTCL
Added to TAA Productivity tools April 1, 1995