Do You Know Where Your Audit Journal Receivers Live on Your System?

QAUDJRN is the default IBM Security Audit Journal, located in QSYS. This is the journal name and library where user activity is logged. QAUDJRN should be configured on your system; this is how you can document your user activity. Remember, this is your evidence if you ever have a cyber-attack. The main issue with QAUDJRN is the management of the journal receivers: these can get quite large and take up disk space if not managed correctly. The default library for the audit journal receivers is QSYS. You really want to change this to give you more options to manage your receivers.

When your audit journal receivers live in QSYS, your backup only saves them when you are in a restricted state and running a full option 21 or option 22 save. This can add time to your backup, and most shops cannot do a restricted state backup weekly or nightly. If you are not properly cleaning up your receivers, you will save the same old receivers and add time to your save. You may have an application that manages these for you, such as security or replication software, which is helpful. You want to look at how those applications clean up receivers and how that coincides with your backup routine.

Below are some basic steps to move your audit receivers. Remember, we are only moving receivers; the journal object QAUDJRN will always live in library QSYS. Create a library where you would like to keep them and move the receivers to that library. You can then back up your receivers anytime. Make sure the backup has a retention date for the length of time your business would like to keep them. You can also create a backup that saves just the receivers so you can restore them if you need to investigate user activity.

1. Create a Library for receivers to be restored

2. Create a new journal receiver

3. Associate the new journal receiver with the change journal command
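
The three steps above as CL commands, added here as an example and not taken from the original post. The library name AUDRCVLIB, the receiver name AUDRCV0001 and the threshold value are assumptions; substitute your own.

```cl
/* Step 1: library that will hold the audit journal receivers.       */
/* AUDRCVLIB is an assumed name. AUT(*EXCLUDE) keeps *PUBLIC out,    */
/* since the receivers are your evidence of user activity.           */
CRTLIB LIB(AUDRCVLIB) TYPE(*PROD) AUT(*EXCLUDE) +
       TEXT('QAUDJRN audit journal receivers')

/* Step 2: new journal receiver in that library.                     */
/* AUDRCV0001 is an assumed name; ending it in digits lets the       */
/* system generate the next names (AUDRCV0002, ...) on later changes.*/
/* THRESHOLD is in KB; 1500000 is an assumed value.                  */
CRTJRNRCV JRNRCV(AUDRCVLIB/AUDRCV0001) THRESHOLD(1500000) +
          AUT(*EXCLUDE) TEXT('Audit journal receiver')

/* Step 3: attach the new receiver to the audit journal.             */
/* The journal object itself stays in QSYS; the receiver that was    */
/* attached is detached and remains in the library it was created in.*/
CHGJRN JRN(QSYS/QAUDJRN) JRNRCV(AUDRCVLIB/AUDRCV0001)

/* Check: the attached receiver should now show library AUDRCVLIB.   */
WRKJRNA JRN(QSYS/QAUDJRN)

/* Later receiver changes can use *GEN, which creates the next       */
/* receiver in the same library as the currently attached one.       */
CHGJRN JRN(QSYS/QAUDJRN) JRNRCV(*GEN)
```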
