11/19/08 Use the Security Audit journal to find out when an object was deleted and by whom

Ever wonder what happened to one an object that is missing on a system? If not too much time has elapsed, you might be able to track what happened to that object (or set of objects) by viewing the Security Audit journal on the local system (provided you have access to the journal and the Audit Journal is running).

Enter the following command:

DSPAUDJRNE ENTTYP(DO) OUTPUT(*PRINT) JRNRCV(*CURCHAIN)

The value in the ENTTYP parameter represents the type of audit entry to display. For example, ‘DO’ represents ‘object deletion’ actions. ‘CO’ represents ‘object creation‘ actions (to see the eligible values for this parameter and their meanings, press the Help key).

This command creates a spool file for each of the entry types specified on the ENTTYP parameter. View the resulting spool file and search for the name of the object and/or library for which you are interested. The entry, if found, will show the job name and the time of when the object was deleted.
There are other obvious audits that you can also accomplish with this tool, such as viewing when system values have changed and who may have changed them. The ENTTYP for system value changes/modifications is ‘SV’.

The DSPAUDJRNE command can be subset by starting and ending date/time if you know an approximate time period that is of interest to you.

The CPYAUDJRNE command provides similar functionality, except that output can be directed to an outfile, which may be more useful in an automated environment.

Disclaimer: Vision Solutions makes every effort to provide accurate system management information and programming code; however the company cannot be held liable for the accuracy of information nor its compatibility in your own environment. Please review and test thoroughly before implementing. © Copyright 2008, Vision Solutions, Inc. All rights reserved. IBM, System i, iSeries, i5/OS and AS/400 are trademarks of International Business Machines Corporation. All other brands are property of their respective registered owners.


No comments: