Partner TechTip: Overwhelmed by Audit Journal Data? It's Harvest Time!

Security - Other
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

PowerTech Compliance Monitor includes centralized compressed storage for audit journal events from multiple partitions.


According to PowerTech's "State of IBM i Security" study, approximately 20 percent of enterprises aren't performing any system, user, or object auditing. When you factor in those that are capturing only a few event types, those that don't do anything with the data once it is captured, and those that are using the event data for high availability purposes rather than security, you end up with a river of events flowing through the cracks, completely unnoticed.

Why Don't People Audit?

So why is it that administrators aren't rushing to take advantage of an operating system with the built-in capability of collecting event information? Auditing is the topic of many PowerTech Webinars, as well as a popular subject for presentations at COMMON and regional user groups. I have observed three main reasons people don't audit:


  • Lack of Awareness and Understanding of the Auditing Functions—Ignorance might be bliss in some aspects of life, but in security auditing, it's never a good thing. You can't expect to see anything unless you turn on the function—akin to turning on a flashlight in a dark hallway. Fortunately, the operating system contains a simple command that performs all the heavy lifting (CHGSECAUD), and PowerTech can provide the background knowledge to help you configure it to collect data efficiently.
  • Poor Forensics Capability—Without a good forensics solution, the audit data is just a mass of raw data without any business benefit. While IBM i contains a basic extract command, you still need to write queries or programs to make much sense out of it. I would suggest that collecting but not reviewing event data is better than not collecting any data at all—at least the data is there if you need to review it—but it is unquestionably better to have an efficient way to search, filter, and extract entries from the generated audit data.
  • Insufficient Storage Space for Overwhelming Volumes of Journal Data—Although disk management is not directly related to the auditing function, anyone who has turned on auditing can testify to what I'm talking about. Large systems have the capability of generating gigabytes of data every day. Not only does this make a forensics solution an absolute must, it also requires careful consideration of the DASD units that house the audited data. Sure, you can (and should) be selective about how and what is audited and you should save the audit data frequently for disaster recovery, but making recent events accessible quickly for reporting, while consuming far less disk space, is usually more desirable and a much better option.

Compliance Monitor Has an Answer

PowerTech, the market leader in security solutions for IBM i, can teach you how to configure the operating system's auditing controls efficiently. You then can use Compliance Monitor, a professional auditing solution, to address the challenges posed by reasons number two and three.


One of the advanced features in Compliance Monitor is the ability to harvest audit journal data. You can choose the data you want from one or more endpoint partitions based on the audit journal type code and then transfer and store the information on a central partition. A built-in scheduler in the GUI reporting console (see Figure 1) allows you to transfer the data on a regular schedule on the days and times that are most convenient for your business.



Figure 1: Compliance Monitor lets you specify the schedule and the event types to harvest and store. (Click image to enlarge.)


The harvested data is stored on the central partition in compressed form. Because of the nature of audit journal data, you often can achieve upward of 90 percent compression. For example, 1 GB of audit data now takes less than 100 MB of disk space! Imagine keeping a full 30 days of audit history online in the same amount of disk space previously consumed by just three days worth of data. When you need the data for forensic reporting, Compliance Monitor automatically handles the decompression for you; you don't have to worry about locating and manually restoring journal receivers from tape or transferring immense files over FTP.


Compliance Monitor can help you search, filter, and extract entries from your audited data. Click here to learn more about Compliance Monitor or request a free Webinar demo.

as/400, os/400, iseries, system i, i5/os, ibm i, power systems, 6.1, 7.1, V7,