What is the link between audit events & message IDs


  • What is the link between audit events & message IDs

    As we know, audit event journal entries are logged in QSYS/QAUDJRN for AS400 system auditing. One type of audit event (e.g. AF - authority failure) is linked to certain AS400 message IDs (e.g. CPI2246, CPI2248, CPI2270, ...). I am going to write a program to interpret such audit event entries into a readable format by using RTVMSG. However, I cannot find a single document describing such linkage on the IBM website or in the hardcopy manuals. RTVMSG needs a message ID to return the formatted message text, but there is no message ID information in the audit journal entry. It has become the bottleneck in coding my audit event interpretation program. Please help; let me know how to find such information.

  • #2
    What is the link between audit events & message IDs

    Jack Jie - Forgive me if I interpret your question wrong - it appears that you want to create a report from your journal entries. If so, you are making the process much harder by trying to link msg IDs to journal events. Use the DSPJRN command to create an OUTFILE of your journal entries and then create the report with either a program or a query. There is an appendix in the OS/400 Backup and Recovery Guide which lists Journal Entries, Codes, and their meaning. HTH, Steve



    • #3
      What is the link between audit events & message IDs

      Steve, thanks for your reply. It is not a problem to make a query producing a report from the DSPJRN output file. The problem is that the report directly retrieved from DSPJRN is not user friendly. Since there is a 1-1 relationship between event type and message ID in the QCPFMSG message file, the variable field portion of the event entry can provide the necessary information for the RTVMSG command to return a user-friendly formatted message text. The difficulty is that I cannot find a document describing such a relation. The relation is actually there. For example, the QUSRTOOL command DSPAUDLOG can provide such nicely formatted message text. Jack



      • #4
        What is the link between audit events & message IDs

        It looks like QUSRTOOL's DSPAUDLOG is faking it. We have our old V3R1 QUSRTOOLs, so I decided to check out the source. It turns out that it uses a hardcoded lookup table to find the MSGID associated with a journal entry. DSPAUDLOG does a DSPJRN to a *TYPE2 outfile, then pgm TAASECMR concatenates JOCODE (1-byte Journal Code), JOTENTT (2-byte Entry Type), and the first byte of JOESD (Entry-Specific Data) to get a 4-byte code like TOMR. It looks up that code in the table to get the MSGID. The table looks like this:

        ....
        TNAA CPI2257 Network attribute changed
        TOMM CPI2281 Move object
        TOMR CPI2282 Rename object
        TORN CPI2279 Restore object of a new object
        TORE CPI2280 Restore object over previously existing object
        TOWA CPI2254 Object owner change
        ....

        It then puts the JOESD in the variables of that MSGID, and there it is.

        Apparently, audit entries no longer necessarily work this way. I checked Jim Sloan's TAA Productivity Tools (the TAA programs that used to be in QUSRTOOL), www.taatool.com. His documentation on the equivalent tool says (text c. Jim Sloan, Inc.):

        "The DSPAUDLOG2 command is the old form of the AUDLOG tool. DSPAUDLOG2 displays the contents of the security audit journal (QAUDJRN). The output is always printed to a spooled file. The default will use DSPSPLF to display the printed output. An option can be used to select the level of detail to be presented. The system no longer provides message IDs for new audit entries. DSPAUDLOG2 will only perform correctly on audit entries that are supported by a message ID. The new tool AUDLOG should be used instead."

        So it appears that some audit entries no longer have corresponding MSGIDs. In any case, my DSPAUDLOG uses *TYPE2 journal entries, but now *TYPE3 & 4 exist, though they don't appear to offer info that would let you select a MSGID, if any. I was going to say to email Mr. Sloan in case he knows where the Journal/MSGID correspondences are, but his site says he does "NOT supply support" for QUSRTOOL.

        If you don't have the V3R1 DSPAUDLOG source, I could post the lookup table here; it's "considered to be in the public marketplace" according to Sloan's QUSRTOOL FAQs.



        • #5
          What is the link between audit events & message IDs

          Jack - Granted DSPJRN is not user friendly but, with a little effort, you can create a user friendly report from the information generated (as you can see):

           USER   SEQ NBR     JOB NAME & NUMBER   CO  TP  ENT DATE  ENT TIME
           STEVE  0004000147  QPADEV0012 298911   T   CA  06/28/00  10:05:37
           REVOKED AUTHORITY TO STEVE/MQTC001 TYPE *QRYDFN BY USER STEVE

          HTH, Steve



          • #6
            What is the link between audit events & message IDs

            Thanks Ken, for your great ideas.

            Message ID Solution
            ===================
            Yes, you are right: currently my program is running exactly in DSPAUDLOG's way. I do not use 'T' as a part of the key, but I do use the 2-digit type and 1-digit subtype to look for the CPI message ID in order to pass in variables and get the formatted message text returned. That's why I try very hard fighting for the correspondences, even though the outcome seems not very close to the original idea.

            V3R1 DSPAUDLOG Lookup Table
            ===========================
            Yes. Please post such information or send it to me at chenjjs@yahoo.com. We moved from V3R1 a long time ago. Why do you still own such a machine? It's my luck talking to you.

            TAA & How to Get a Good Solution
            ================================
            As per your suggestion, I went through the TAA documentation web page about the AUDLOG tool.
            1) A useful piece of information they provide is that, "Each 2 byte audit entry type is supported by the system with a data base file that describes the layout of each entry. The file formats exist in QSYS and are named QASYxxJE. For example, the ZC entry has a format of QASYZCJE."
            2) The above description prompts us to make use of QASYxxJE as the template to break down the subfields for event entries. Currently, I am thinking that we may retrieve the template file structure, field name, column heading, whatever information, and use them to form a variable screen display (maybe a subfile).
            3) I am still wondering how TAA does its message formatting. I think they may not use the way in point 2 but a better way. My personal feeling is that the point 2 solution has to include some conversion programs to synchronize QSYS QASYxxJE and the retrieved template data.
            4) The other thing is that it does not solve the problem of getting nice wording like the message ID did. It will be difficult work in program logic to concatenate variable values and static sentences for all the event types. I notice that the event subtype is very important in an event entry; end-users need the full set of descriptions for subtypes 'A', 'B', 'C', 'D', etc. even though they are under the same event type.
            5) I am not able to utilise TAA programs because they are no longer under IBM support. You may understand that getting extra budget is always a headache issue in the real world. It is interesting that we can witness how a product owner change affects our development life.
            6) Why does IBM withdraw message ID support for audit event entries? I thought it was a light-weight, economical solution. We can only see the TAA website saying that AS400 no longer provides message IDs for event types. So far, I could not find information supporting such a saying in official IBM sources.
            Jack



            • #7
              What is the link between audit events & message IDs

              Steve, thanks for your great example too. How did you do that? I mean, how do you concatenate variable values and static words into a nice-looking sentence for each event type/subtype from the retrieved database? I am sure that you have a generic way to deal with different-format event entries. Jack



              • #8
                What is the link between audit events & message IDs

                Jack - I have a CL that does a DSPJRN to an OUTFILE and calls a program to read the OUTFILE and string the appropriate information into a 'sentence'. Didn't take long to do . . . Steve



                • #9
                  What is the link between audit events & message IDs

                  Thanks Steve. I understand what you said. It is the most doable solution we can think of so far. I have another idea: since IBM no longer supports message IDs for new event entries, we may add those new messages into our own message file. Therefore the original way can still carry on. Ken, what do you think about that? I need the lookup table to identify old and new audit events. Could you help post it? I have another reply appended after your previous note. Feel free to look at it. Thanks Steve and Ken again. Jack



                  • #10
                    What is the link between audit events & message IDs

                    Attached is the RPG source for QUSRTOOL program TAASECMR; the list of message IDs is at the bottom. The program reads from the DSPJRN *TYPE2 outfile and calls TAA tool TAASECMC2 to combine the message text and the journal contents. I thought of getting you the source for all the various programs that are used for DSPAUDLOG, but the TAA tools often use other TAA tools to do things. There could be many TAA programs involved, and it might end up being a lot of work. So if you want the full source, maybe someone has a site with a savefile of the V3R1 tool source that you could download. It probably wouldn't be too difficult to set that up, but see my warnings below. We are on V4R4 but retained the V3R1 tools by renaming the library before upgrading to V3R2. That kept them from being uninstalled. The tools seem to still work well, but there's certainly no guarantee of that. They are unsupported, not necessarily Y2K compatible, and IBM may change the APIs they use (though IBM does seem to try hard to keep them compatible with previous releases). Good luck, Ken



                    • #11
                      What is the link between audit events & message IDs

                      Thanks Ken, I saw your response and received the lookup program by mail as well. Thanks for your important input. Currently, I am going to run my program in this way:
                      1) Keep the original MSGID method.
                      2) Consolidate the V3R1 lookup table to see what the difference is between V3R1 and V3R2 onwards.
                      3) Create undefined message IDs for newly created event types.
                      4) Keep the new messages in a message file in my own library.
                      I believe there are a few benefits in doing this:
                      1) The original logic remains unchanged.
                      2) Only the lookup table and the self-defined message file need to change if there are any event changes in the future.
                      3) No need to put concatenating logic in the program itself; the roles of message design and programming can be separated.
                      The disadvantage is that designing a nicely formatted message according to event type is not a very easy job, because we need to consider putting variables into the message. Jack
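The lookup-and-substitute design discussed in #4 (4-byte key = JOCODE + entry type + first byte of JOESD, looked up to get a MSGID whose variables are filled from JOESD) and the fallback to a self-defined message file from #11, recreated as an added Python illustration; this is not QUSRTOOL, TAA or any poster's code. The MSGID rows are the ones quoted in #4; the message templates, the JOESD field layout and the USR0001 ID are constructed stand-ins, since the real QCPFMSG text and QASYxxJE layouts are not on the page.

```python
from dataclasses import dataclass

# Rows quoted in post #4: 4-byte key = JOCODE + JOENTT + first byte of JOESD -> MSGID
MSGID_TABLE = {
    "TNAA": "CPI2257",  # Network attribute changed
    "TOMM": "CPI2281",  # Move object
    "TOMR": "CPI2282",  # Rename object
    "TORN": "CPI2279",  # Restore object of a new object
    "TORE": "CPI2280",  # Restore object over previously existing object
    "TOWA": "CPI2254",  # Object owner change
}
# CONSTRUCTED stand-in for QCPFMSG first-level text (&n = substitution variable);
# the real CPI2282 text is not on the page.
SYSTEM_MSGF = {"CPI2282": "Object &1 in library &2 type &3 renamed to &4 by user &5."}
# Post #11's idea: a self-defined message file for entry types IBM gives no MSGID
USER_MSGF = {"USR0001": "Audit entry &1 (subtype &2) by user &3: &4"}  # constructed

@dataclass
class JournalEntry:   # the few DSPJRN *TYPE2 outfile fields the lookup needs
    jocode: str       # 1-byte journal code, "T" for QAUDJRN entries
    joentt: str       # 2-byte entry type, e.g. "OM"
    jouser: str       # user profile that caused the entry
    joesd: str        # entry-specific data; byte 1 is the subtype

def lookup_key(e: JournalEntry) -> str:
    return e.jocode + e.joentt + e.joesd[0]

def substitute(template: str, values: list) -> str:
    # Fill &1, &2, ... in order, the way RTVMSG fills them from MSGDTA
    for i, v in enumerate(values, start=1):
        template = template.replace(f"&{i}", v)
    return template

def format_entry(e: JournalEntry, user_table=None):
    """Return (msgid, text): system MSGID first, then the user message file,
    then a raw rendering so no audit entry is silently dropped from the report."""
    key = lookup_key(e)
    msgid = MSGID_TABLE.get(key)
    if msgid in SYSTEM_MSGF:
        # CONSTRUCTED JOESD layout: four 10-byte fields (object, library, type, new name)
        fields = [e.joesd[i:i + 10].strip() for i in (1, 11, 21, 31)]
        return msgid, substitute(SYSTEM_MSGF[msgid], fields + [e.jouser])
    msgid = (user_table or {}).get(key)
    if msgid in USER_MSGF:
        vals = [e.joentt, e.joesd[0], e.jouser, e.joesd[1:].strip()]
        return msgid, substitute(USER_MSGF[msgid], vals)
    return None, f"{e.jocode}{e.joentt} subtype {e.joesd[0]} by {e.jouser} (no MSGID): {e.joesd[1:].strip()}"
```

Entries whose key is in neither table still come out as a raw line, which is the case a report over QAUDJRN must never lose.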
