iEventMonitor Job Audit Swapping

Some customers may be using the IBM Security Audit Journal to track job data and job changes on their system. You can check this by looking at the system values QAUDLVL and QAUDLVL2. If you find the value *JOBBAS or *JOBDTA, read on. If not, this information does not apply to your installation.

Some functions in iEventMonitor use the IBM i OS Watch feature (STRWCH) to work. When this is used on a system with *JOBBAS or *JOBDTA security auditing active, it can result in a lot of new audit records being added to the security journal. If your system is short on disk space, this can be a critical problem. The additional records added are code T, type JS entries. According to IBM documentation, these indicate profile swaps happening. While iEventMonitor is not doing any profile swapping, there is profile swapping going on within the IBM i OS.

To overcome this problem, Kisco Information Systems had developed a work-around process that will limit the amount of new T-JS records that are added to the security journal. This is done by removing the *JOBxxx audit specification at the system level (in the system values) and moving it to the individual user profiles (see CHGUSRAUD). When this is done, the iEventMonitor user profile IEMONITOR is excluded for *JOBxxx auditing and the number of T-JS records recorded in the journal is then reduced. All other *JOBxxx auditing will still happen.

To accomplish this swap process, Kisco has implemented a new command, IEMJOBSET. This command does not appear on any of the menus in the software. It is in the product library named IEMLIB. You must have iEventMonitor release level 5.13 or later to have this capability.

To move job audit tracking to the user profile level, run the following command while all iEventMonitor functions have been stopped:

IEMLIB/IEMJOBSET LOCN(*USR) JOBACTN(*JOBBAS)

This command will remove the *JOBBAS audit tracking from the system value QAUDLVL and add it to every user profile on your system at the user profile level. The IEMONITOR user profile will not be changed. The next time you stop and restart iEventMonitor functions, the amount of T-JS audit records will be significantly reduced. When you add new user profiles to your system, you can just re-run this command again to make sure that the newly established profiles have this setting configured correctly.

Note: If your system has the *JOBxxx specified using the QAUDLVL2 system value, you will need to make the system value change manually using the WRKSYSVAL command.

To cancel the above command and return *JOBxxx audit control back to the system level, run the following command:

IEMLIB/IEMJOBSET LOCN(*SYS) JOBACTN(*JOBBAS)

This process will remove the *JOBBAS audit tracking from the user profile level and return it to the QAUDLVL system value.

Note: If your system had the *JOBxxx specified using the QAUDLVL2 system value, you will need to make the system value change manually using the WRKSYSVAL command. Be sure that you check the QAUDLVL settings to make sure that it is only specified once.