The Scan Audit Log command provides a different method of displaying
or listing audit entries from the Audit Log data base file provided
by the AUDLOG tool. In addition to standard selection fields such as
date, time, user profile, etc., SCNAUDLOG allows a search on the entry
data field. This can be particularly helpful for the 'T' Journal
code (audit entries) where most of the data is in the entry data
field.
You must be using the AUDLOG tool which provides conversion from the
QAUDJRN journal entries to the AUDLOG data base files. You must have
*USE authority to the AUDLOGP file.
A typical SCNAUDLOG command would be:

     SCNAUDLOG SEARCH(PAYROLL)

If you had been auditing the PAYROLL file for *CHANGE action (see the
later discussion), you would see all of the current entries for
changes to the PAYROLL file. A display would appear that is similar
to that used by DSPAUDLOG for the audit entries containing the value
'PAYROLL' in the entry data. A listing may be optionally output.
Note that though the AUDLOGP file has a field for object name
(AUOBJ), most of the audit entries do not fill this field. Instead,
the name of the object is within the entry data field.
Auditing entries
----------------
Auditing journal entries are optional and occur if you have specified
auditing system values and the CHGOBJAUD or CHGUSRAUD commands. For
an overview of auditing on the system, see the TAA documentation
member AUDITING.
SCNAUDLOG escape messages you can monitor for
---------------------------------------------
None. Escape messages from based-on functions will be re-sent.
SCNAUDLOG Command parameters *CMD
----------------------------
   SEARCH        The value to be searched for in the entry data field
                 of the converted journal entry. *ALL is the default
                 to request any entries that match the other
                 selection criteria.

                 The field that is scanned is the AUDATA field in
                 AUDLOGP. AUDLOGP must be created by the CRTAUDLOG
                 command of the AUDLOG tool. This field is a fixed
                 length field in AUDLOGP. You can vary the length of
                 AUDATA for all records by use of the ENTDTALEN
                 parameter on CRTAUDLOG. If the field length is
                 shorter than the entry data of the journal entry,
                 truncation will occur and any excess data will not
                 be scanned for.

   AUDLOGLIB     The library where the AUDLOGP file exists. *LIBL is
                 the default. A specific name or *CURLIB may be
                 entered.

                 The AUDLOGP file must be created by the AUDLOG tool
                 (CRTAUDLOG command) and entries must be converted to
                 the AUDLOGP file using one of the CVTAUDLOG
                 commands.

   PERIOD        The Begin/End Date/Time values to select on.

                 The 'Beginning time' value defaults to *AVAIL
                 meaning the Begin Time value is not considered. If
                 a time is entered, it is used in conjunction with
                 the 'Beginning Date' to determine selection.

                 The 'Beginning Date' value defaults to *CURRENT
                 meaning the current date. *BEGIN may be entered to
                 mean the first record in the AUDLOGP file. If a
                 date is entered, it must be in job format and is
                 used in conjunction with the 'Beginning Time' to
                 determine selection.

                 The 'Ending time' value defaults to *AVAIL meaning
                 the End Time value is not considered. If a time is
                 entered, it is used in conjunction with the 'Ending
                 Date' to determine selection.

                 The 'Ending Date' value defaults to *END meaning the
                 End Date value is not considered. If a date is
                 entered it must be in job format, and is used in
                 conjunction with the 'Ending Time' to determine
                 selection.

   JOB           The job name to be selected. *ALL is the default
                 meaning all jobs.

   USER          The user profile to be selected. *ALL is the
                 default meaning all user profiles.

                 The user is the one who caused the entry and may not
                 be the user of the job. If a user profile swap
                 occurs, the user name will differ from the user name
                 of the qualified job name.

   BYPUSER       A list of up to 10 user profile names that will be
                 bypassed. *NONE is the default meaning no user
                 profile names are bypassed.

                 If a user profile name is entered, it is not checked
                 to see if it exists or is in conflict with the user
                 name in the USER parameter.

   JRNCDE        A 3 part parameter to select the journal code, type,
                 and subtype.

                 *ALL is the default for journal code meaning all
                 journal codes. This will include some general
                 journal codes such as 'J' meaning the entry relates
                 to the journal. The journal code for audit entries
                 is 'T'.

                 *ALL is the default for journal entry types meaning
                 all journal entry types such as 'AF' for audit
                 failure. A specific entry type may be named.

                 *ALL is the default for journal entry sub type
                 meaning all sub types. A specific sub type may
                 be named. Only the journal entries of JOCODE = T
                 provide a sub type.

                 If a sub type is entered, the journal code and
                 journal type may not be *ALL.

   PGM           The program that caused the entry. The default is
                 *ALL meaning all programs are considered.

                 In some entries the program name may be blank. If a
                 command is entered from a command entry display, the
                 program may appear as QCMD or the program name of a
                 higher program in the stack.

   SYSTEM        The system name on which the entry occurred. The
                 default is *CURRENT meaning the current system.

                 The AUDLOG tool allows the entries from multiple
                 systems to be placed in a single AUDLOGP file.

   OUTPUT        How to output the results. * is the default to
                 display the entries if the command is entered
                 interactively.

                 If the command is entered in batch or *PRINT is
                 specified, a spooled file is output.
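
The truncation caveat in the SEARCH description is the practical blind spot when relying on this scan, so the following added example (not part of the TAA tool or its documentation) models the scan in Python. The record layout, the sample entries and the field lengths used are constructed for illustration; only the names AUDATA, AUOBJ, JOCODE, ENTDTALEN and BYPUSER come from the text above.

```python
# Added illustration: a model of the SEARCH scan over a fixed-length AUDATA
# field. Record layout and sample entries are constructed, not tool output.
from dataclasses import dataclass

@dataclass
class Entry:
    jocode: str      # journal code, 'T' for audit entries
    user: str        # user profile that caused the entry
    auobj: str       # AUOBJ: left blank by most audit entries
    data: str        # full entry data as written to the journal

def to_audata(entry_data: str, entdtalen: int) -> str:
    """Store entry data in a fixed-length field: truncate, then blank-pad."""
    return entry_data[:entdtalen].ljust(entdtalen)

def scan(entries, search, entdtalen, jocode="*ALL", bypuser=()):
    """Return entries whose stored AUDATA contains `search` (*ALL = any)."""
    hits = []
    for e in entries:
        if jocode != "*ALL" and e.jocode != jocode:
            continue
        if e.user in bypuser:
            continue
        if search == "*ALL" or search in to_audata(e.data, entdtalen):
            hits.append(e)
    return hits

def missed_by_truncation(entries, search, entdtalen):
    """Entries that contain `search` in the full data but not in AUDATA."""
    return [e for e in entries
            if search in e.data and search not in to_audata(e.data, entdtalen)]

def min_length_needed(entries, search):
    """Smallest field length at which no matching entry is lost."""
    ends = [e.data.index(search) + len(search) for e in entries if search in e.data]
    return max(ends, default=0)

# Constructed sample entries (the entry data layout is illustrative only).
SAMPLE = [
    Entry("T", "JONES", "", "U PAYROLL   PRODLIB   *FILE"),
    Entry("T", "QSECOFR", "", "A" + " " * 60 + "PAYROLL   PRODLIB   *FILE"),
    Entry("T", "BACKUP", "", "R PAYROLL   PRODLIB   *FILE"),
    Entry("J", "QSYS", "", "journal receiver change"),
]
```

With a constructed field length of 50, the second entry is never reported for a search on PAYROLL because the name sits past the stored portion of the data; an empty result is only meaningful when the AUDATA length covers the entry types being audited.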
Restrictions
------------
You must be using the AUDLOG tool.
Prerequisites
-------------
The following TAA Tools must be on your system:
     AUDLOG        Audit log
     CRTDUPPF      Create duplicate data base file
     CVTDAT        Convert date
     CVTDSPDTA     Convert display data
     CVTTIM        Convert time
     DSPDBFDTA     Display data base file data
     DSPJRNCDE     Display journal code
     EDTVAR        Edit variable
     FILEFDBCK     File feedback
     HLRMVMSG      HLL Remove message
     RTVDAT        Retrieve date
     RTVSYSVAL3    Retrieve system value 3
     SNDCOMPMSG    Send completion message
     SNDESCINF     Send escape information
     SNDESCMSG     Send escape message
Implementation
--------------
None, the tool is ready to use.
Objects used by the tool
------------------------
   Object        Type     Attribute     Src member    Src file
   ------        ----     ---------     ----------    ----------
   SCNAUDLOG     *CMD                   TAASEHJ       QATTCMD
   TAASEHJC      *PGM     CLP           TAASEHJC      QATTCL
   TAASEHJR      *PGM     RPG           TAASEHJR      QATTRPG
   TAASEHJR2     *PGM     RPG           TAASEHJR2     QATTRPG
   TAASEHJD      *FILE    DSPF          TAASEHJD      QATTDDS