Amy Upton

Do You Know Where Your Audit Journal Receivers Live on Your System?

QAUDJRN is the default IBM security audit journal, located in library QSYS. This is the journal name and library where user activity is logged. QAUDJRN should be configured on your system; it is how you document user activity. Remember, this is your evidence if you ever have a cyber-attack. The main issue with QAUDJRN is managing the journal receivers, which can get quite large and take up disk space if not managed correctly. The default library for the audit journal receivers is QSYS. You really want to change this to give yourself more options for managing your receivers. When your audit journal receivers live in QSYS, your backup saves them only when you are in a restricted state and running a full option 21 or option 22 save. This can add time to your backup, and most organizations cannot do a restricted-state backup weekly or nightly. If you are not properly cleaning up your receivers, you will save the same old receivers again and add time to your save. You may have an application, such as security or replication software, that manages these for you, which is helpful. Look at how those applications clean up receivers and how that coincides with your backup routine.

Below are some basic steps to move your audit receivers. Remember, we are only moving receivers; the journal object QAUDJRN will always live in library QSYS. Create a library where you would like to keep them and move the receivers to that library. You can then back up your receivers at any time. Make sure the backup has a retention date that matches how long your business would like to keep them. You can also create a backup that saves just the receivers, so you can restore them if you need to investigate user activity.

1. Create a Library for receivers to be restored

2. Create a new journal receiver

3. Associate the new journal receiver with the change journal command
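
The three steps above as a CL program, followed by a check and a receivers-only save. This is an added example, not from the original article; the library name AUDRCVLIB, receiver name AUDRCV0001, threshold value and tape device TAP01 are assumptions to replace with your own.

```cl
/* Added example. AUDRCVLIB, AUDRCV0001, the threshold and TAP01 */
/* are placeholders, not values from the article.                */
PGM

  /* 1. Create the library that will hold the audit receivers.   */
  /*    AUT(*EXCLUDE) keeps public users out of the audit data.  */
  CRTLIB     LIB(AUDRCVLIB) TYPE(*PROD) AUT(*EXCLUDE) +
               TEXT('Security audit journal receivers')

  /* 2. Create a new journal receiver in that library.           */
  /*    THRESHOLD is in kilobytes. A name ending in digits lets  */
  /*    later generated receiver names increment from it.        */
  CRTJRNRCV  JRNRCV(AUDRCVLIB/AUDRCV0001) THRESHOLD(1500000) +
               AUT(*EXCLUDE) TEXT('QAUDJRN receiver')

  /* 3. Attach the new receiver with the change journal command. */
  /*    The journal object itself stays in QSYS.                 */
  CHGJRN     JRN(QSYS/QAUDJRN) JRNRCV(AUDRCVLIB/AUDRCV0001)

  /* Check: print the journal attributes and confirm the         */
  /* attached receiver is now AUDRCVLIB/AUDRCV0001.              */
  WRKJRNA    JRN(QSYS/QAUDJRN) OUTPUT(*PRINT)

  /* Receivers-only save. Runs without a restricted state        */
  /* because the receivers no longer live in QSYS.               */
  SAVOBJ     OBJ(*ALL) LIB(AUDRCVLIB) DEV(TAP01) +
               OBJTYPE(*JRNRCV)

ENDPGM
```

Receivers that were attached before the change remain where they were created until they are saved and deleted, so check the receiver directory in WRKJRNA before relying on the new library alone.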

IBM i Journaling Management

Journal management provides a means by which you can record the activity of objects on your system. When you use journal management, you create an object called a journal. The journal records the activities of the objects you specify in the form of journal entries.

The primary benefit of journal management is that it enables you to recover the changes to an object that have occurred since the object was last saved. This ability is especially useful if you have an unscheduled outage such as a power failure.

You can journal the objects that are listed below:

Libraries, Database physical files, Access paths, Data areas, Data queues, and Integrated file system objects (stream files, directories, and symbolic links).

Useful Journaling Commands

CRTJRN command creates a journal as a local journal with the specified attributes and attaches the specified journal receiver to the journal. Once a journal is created, object changes can be journaled to it or user entries can be sent to it.

WRKJRNA command displays or prints the creation and operational attributes of a journal, including the name of the journal receiver currently attached to the journal. From the primary display, you can select options or functions to display the names of all objects currently journaled to the journal, the names of all remote journals currently associated with this journal, detailed information about a remote journal, the receiver directory, or detailed information about a journal receiver, or to delete receivers from the receiver directory.

CHGJRN command changes the journal receiver, the journal message queue, the manage receiver attribute, the delete receiver attribute, the receiver size options, the journal state, allowing minimized entry specific data, journal caching, the journal receiver’s threshold, the journal object limit, the journal recovery count, or the text associated with the specified journal. The command allows one journal receiver to be attached to the specified journal. This replaces the previously attached journal receiver. The newly-attached journal receiver begins receiving journal entries for the journal immediately.

CRTJRNRCV command creates a journal receiver. Once a journal receiver is attached to a journal (with the Create Journal (CRTJRN) or Change Journal (CHGJRN) command), journal entries can be placed in it.

Types of Mimix Switches and Best Practices

Currently there are three types of switches for Mimix: Planned Switch, Unplanned Switch, and Virtual Switch.

Virtual switch

This is a great way to test that your data is being replicated and your applications are functional. It requires no source downtime, which allows you to complete this testing when you have your whole team available. Once you virtually switch, Mimix keeps track of any changes made on the target during testing and rolls back all changes once you have completed testing and switched back. This is a great time to complete destructive testing, since the data will be rolled back to its state before the switch. I recommend completing this type of switch three times a year.

Planned Switch

This is a full, controlled switch procedure. You can switch Mimix when you know that the data groups are caught up and you have access to both source and target. This gives you the ability to test not just your data but also your network connections. It is important to complete this yearly, and it requires a small amount of downtime on the source for the switch. Data from your testing will replicate back to your source, so make sure any changes are OK to go back to the source.

Unplanned switch

This is a full switch procedure for when your source system goes down and you have no access to it. It switches the data groups to the target so you can prepare to replicate back once your source machine is back online. You hope you never have to execute this type of switch, but this is why you have the protection of Mimix: to be able to switch over in case of a source outage.

So in closing, if possible you want to test your environment quarterly: three virtual switches and a planned switch. This will make sure you can sleep at night knowing you are protected from an outage.
