The Display Audit Log (DSPAUDLOG) command is used to display or print entries from the security auditing journal, QAUDJRN. The security auditing function must be set up before you can use this command. (See "Silent Vigil: Logging Security Violations," MC, October 1992 and "Powerful Audit Functions Enhance V2R3 Security," MC, February 1994.) The security auditing journal is used to log security events:
o Programs that use restricted instructions or access objects using unsupported interfaces.
o Events associated with saves and restores.
o Authorization failures.
o Object deletions.
o User profiles that submit jobs containing a user profile name to which the submitting user doesn't have *USE authority.
o User profiles signing on to workstations that reference job descriptions that specify a user profile.
The command has six parameters. The first (OPTION) specifies the location of the audit journal entries that you want to display. The default is *CURRENT, which tells the command to display or print the entries from the current journal receiver attached to the journal QAUDJRN. You can also specify a file name. Use this option if you have converted journal entries to a physical file. This is a good way to review historical auditing information.
The second and third parameters are Start Date (STRDATE) and End Date (ENDDATE), respectively, which let you subset the entries you see by a specific date. The defaults of *TODAY for STRDATE and *LAST for ENDDATE show all the entries in the log so far for the current date.
The fourth parameter is Entry Type (ENTTYP). Every entry in the auditing journal has an entry type documented in the OS/400 Security Reference (SC41-3302; CD-ROM QBKALC00). With this parameter, you can specify that you want to see all journal entry types, or list up to 10 specific entry types you want displayed or printed.
The fifth parameter is Output Type (OUTTYP). This controls the level of detail you see when the auditing entries are shown. The two allowed values are *BASIC (the default), which displays the first level text, and *SECLVL, which displays the first and second level text.
The last parameter is Output (OUTPUT). This allows you to display or print the auditing journal entries.
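The file-based review described above, as an added CL example that is not from the original article or the QUSRTOOL source. AUDLIB/AUDHIST is a hypothetical library and file, the AF (authority failure) and DO (delete operation) entry types are chosen for illustration, and using STRDATE(*FIRST) against a converted file is an assumption.

```cl
/* Added example: convert QAUDJRN entries to a file, then print them.  */
/* AUDLIB and AUDHIST are hypothetical names.                          */
PGM
             /* Step 1: convert the audit entries (journal code T) in  */
             /* the current receiver to a database file with DSPJRN,   */
             /* as the file-name option of DSPAUDLOG requires.         */
             DSPJRN     JRN(QSYS/QAUDJRN) RCVRNG(*CURRENT) JRNCDE(T) +
                          OUTPUT(*OUTFILE) OUTFILE(AUDLIB/AUDHIST)
             /* If the conversion fails, do not print a stale report.  */
             MONMSG     MSGID(CPF0000) EXEC(DO)
                SNDPGMMSG  MSG('QAUDJRN conversion failed; no report +
                             printed.')
                RETURN
             ENDDO

             /* Step 2: print authority failures and object deletions  */
             /* from the converted file with second-level text.        */
             /* STRDATE(*FIRST) overrides the *TODAY default so older  */
             /* entries are included (assumed to apply to a file).     */
             DSPAUDLOG  OPTION(AUDLIB/AUDHIST) STRDATE(*FIRST) +
                          ENDDATE(*LAST) ENTTYP(AF DO) +
                          OUTTYP(*SECLVL) OUTPUT(*PRINT)
ENDPGM
```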
OPTION: Specify the location of the audit journal entries to be displayed or printed.
*CURRENT: Entries from the current journal receiver associated with journal QAUDJRN are used. The Display Journal (DSPJRN) command is used by the command processing program to retrieve entries from the current journal receiver.
file-name: Specify the qualified name of the database file that contains previously converted journal entries from a QAUDJRN journal receiver. The database file must be created with the DSPJRN command.
The possible library name values are:
*LIBL: The library list is used to locate the database file.
*CURLIB: The file is located in the current library.
library-name: Specify the name of a library.
STRDATE: Specify the starting date of the journal entries to display.
*TODAY: Journal entries starting with the current date are converted for this command.
*FIRST: Journal entries are converted starting with the first journal entry in the current journal receiver.
start-date: Specify the starting date to use in the job date format.
ENDDATE: Specify the ending date of the journal entries to display.
*LAST: Journal entries are converted through the last entry in the current journal receiver.
end-date: Specify the ending date to use in job date format. If an ending date is specified, it must be the same as or later than the start date.
ENTTYP: Specify the entry type of journal entries to display.
*ALL: All journal entry types in the journal are displayed.
entry-type: Specify a list of up to ten journal entry types to display. A list of valid system generated journal entry types is found in the OS/400 Security Reference manual.
OUTTYP: Specify the level of message text detail to display.
*BASIC: First level text is displayed.
*SECLVL: First and second level text is displayed.
OUTPUT: Specify the output option for the command. This is used to indicate whether entries should be displayed or printed.
*: When the command is run in an interactive job, the journal entries are displayed. When run in batch, the journal entries are printed.
*PRINT: The journal entries are printed.
This command displays all the security auditing entries in the current journal receiver.
INFO: DSPAUDLOG (QATTINFO)
CDO: TAASECM (QATTCMD)
CPP: TAASECMC (QATTCL)
CLP: TAASECMC2 (QATTCL)
RPG: TAASECMR (QATTRPG)
Jim Hoopes is a senior technical editor for Midrange Computing.
These tools are documented in Midrange Computing's QUSRTOOL Command Reference. The manual contains explanations and syntax diagrams for more than 300 useful tools.