Extracting Information from QAUDJRN

Article ID: 57332

Prior to the release of 5.4, IBM only supplied two commands to extract and format data from the system audit journal QAUDJRN: DSPJRN (Display Journal) and DSPAUDJRNE (Display Audit Journal Entries).

DSPJRN provides a lot of capability in subsetting the journal entry data and allows output to a display, a printer, or an output file. However, the entry-specific data in the resulting output is a single undifferentiated field, so you must parse it yourself according to the layout of each journal entry type. DSPJRN is still a great tool if you know the output file formats or just want to experiment.

On the other hand, the DSPAUDJRNE command is very limited and outdated: output is only available to a display or to a printer, and very little data is provided. For example, using the DSPAUDJRNE command to list CO (Create Object) entry types, the only data provided is the user profile, object name and library, object type, and a time stamp. If you want to know the job name or the program used to create the object, you're out of luck with the DSPAUDJRNE command.

As of 5.4, the DSPAUDJRNE command does not support all the new journal entry types, and IBM has no plans to enhance it any further, so it probably never will.

But in 5.4, IBM introduced a new command that effectively replaces the DSPAUDJRNE command: CPYAUDJRNE (Copy Audit Journal Entries) extracts data from the system audit journal QAUDJRN and places it into an entry-specific output file. It would be nice if the new command had the same subsetting capability as DSPJRN, but it only allows you to select by journal entry type, user profile, journal receivers, or from-date/time and to-date/time. Notably, the output file or files created by the CPYAUDJRNE command are entry-type specific, so you do not have to parse the output as you do with DSPJRN.

Here's an example of using CPYAUDJRNE to extract the CO and DO (Delete Object) entries for the specified time period.

CPYAUDJRNE   ENTTYP(CO DO) OUTFILE(MYAUDIT/A100808)
             JRNRCV(*CURCHAIN)
             FROMTIME('10/07/2008' '04:00:00')
             TOTIME('10/08/2008' '04:00:00')

This command will create two output files: A100808CO will contain the CO entries for the time period, and A100808DO will contain the DO entries.

You can then use SQL, Query, or your favorite data query tool to present the data the way you want it.

For example, to list the objects created during that time period, you could use the command:

RUNQRY QRYFILE((MYAUDIT/A100808CO))
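Because the CO and DO output files are entry-type specific, they can be joined directly. The following SQL, an added example that is not part of the original article, lists objects that were created and then deleted inside the same audit window, together with the creating user, job, and program that DSPAUDJRNE cannot show. The column names are an assumption based on the QASYCOJ5 and QASYDOJ5 model outfile naming (CO* and DO* prefixes); confirm them with DSPFFD against MYAUDIT/A100808CO and MYAUDIT/A100808DO before relying on the query.

```sql
-- Added example, not from the article. Column names assumed from the
-- QASYCOJ5 / QASYDOJ5 model outfiles; verify with DSPFFD before use.
-- File names use SQL naming (MYAUDIT.A100808CO); under *SYS naming
-- write MYAUDIT/A100808CO instead.
SELECT co.COONAM  AS object_name,
       co.COOLIB  AS object_library,
       co.COOTYP  AS object_type,
       co.COUSPF  AS created_by,      -- effective user profile at create time
       co.COJOB   AS create_job,      -- job name that created the object
       co.COPGM   AS create_program,  -- program that created the object
       co.COTSTP  AS created_at,
       dl.DOUSPF  AS deleted_by,
       dl.DOJOB   AS delete_job,
       dl.DOTSTP  AS deleted_at
  FROM MYAUDIT.A100808CO AS co
  JOIN MYAUDIT.A100808DO AS dl
    ON dl.DOONAM = co.COONAM         -- same object name
   AND dl.DOOLIB = co.COOLIB         -- same library
   AND dl.DOOTYP = co.COOTYP         -- same object type
   AND dl.DOTSTP > co.COTSTP         -- deleted after it was created
 ORDER BY co.COTSTP;
```

Objects that appear only briefly between the FROMTIME and TOTIME of the extract are worth a second look; dropping the JOIN and the deletion columns gives the plain "objects created" report that the RUNQRY above produces.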

You can review the CPYAUDJRNE command documentation here.

But First...

In order to report on the QAUDJRN CO and DO entries, you first need to collect the information or your reports will be blank.

To collect QAUDJRN entries, you need to have your audit system values set correctly and make sure that the QAUDJRN journal exists in library QSYS.

If you have never set up QAUDJRN on your system, or don't know if you have, use the command DSPSECAUD (Display Security Auditing). If the resulting display says that the QAUDJRN journal does not exist, use the command CHGSECAUD (Change Security Auditing) to create the QAUDJRN journal and receiver and set the auditing system values to your specifications.

To collect Object Create actions, you need to include the value *CREATE in the QAUDLVL system value. To collect Object Delete actions, you must also include the value *DELETE.

In order to be auditing these actions at all, the QAUDCTL system value needs to contain the value *AUDLVL.

For more on setting up the system auditing facility and QAUDJRN, refer to my article Common Sense Security Auditing.
