Is there any way to audit files that are deleted on the iSeries 400 (AS/400)?
The programmers at my office asked if there is any way to audit files that are deleted on the iSeries 400 (AS/400). They came to work today and noticed one of their favorite objects had been deleted. In the future, they would like to know who did the dastardly deed. I am sure this can be accomplished, and you are just the guy to answer their question. --Humbly Yours, Murb
Dear Murb, Changes to objects, such as who created or deleted them and when, can be tracked by placing the appropriate value in system value QAUDLVL. To track who deleted objects, including files, enter the special value of *DELETE. From then on, whenever an object is deleted, an entry will be placed into the system audit journal, QSYS/QAUDJRN. Well, not quite every object: deletions of objects in QTEMP don't get logged.
From a command line, type DSPSECAUD and press Enter to run the Display Security Auditing command. Look at the values listed under Current QAUDLVL system value. Do you see the value *DELETE in the list? If so, you may be able to catch the culprit who deleted that file!
If *DELETE is not there, you need to add it. From a command line, type WRKSYSVAL QAUDLVL and press Enter. Choose option 2 to change the value, enter the special value of *DELETE in a blank spot, and press Enter.
To see the logged security violations, use the Display Journal (DSPJRN) command. For a deleted object, the journal code will be T (audit trail entry) and the entry type will be DO (object deleted). You might also want to specify a beginning time and ending time to avoid having to scroll through pages of journal entries. Here's an example:
DSPJRN JRN(QAUDJRN) FROMTIME(060701 010000) +
       JRNCDE((T)) ENTTYP(DO)
Within the Display Journal Entries panel, use option 5 to display an entry. Use the F10 key to toggle between the Display Journal Entry and Display Journal Entry Details panels.
Looking for an entry when you don't know when the offense occurred can be like looking for a needle in a haystack. If that is the case, I have another trick. Specify *CURCHAIN for the receiver range, direct the output to an output file, and specify an output file format of *TYPE2. This will build an output file containing every delete event in the audit journal. You can use SQL or your favorite database utility to search field JOESD in the output file. If you are using SQL, the statement might look something like this:
SELECT * FROM qtemp/audout WHERE joesd LIKE ('%FAVFILE%*FILE%')
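A narrower version of that search, as an added example that is not part of the original tip: it splits JOESD into object name, library and type, and returns the job and user profile behind each delete. The JOESD offsets are an assumption taken from the documented DO entry layout, and FAVFILE and QTEMP/AUDOUT are the sample names used above; verify the offsets against the security reference for your release.

```sql
-- Added example, not from the original tip.
-- Assumes the output file was built first with (one CL command):
--   DSPJRN JRN(QAUDJRN) RCVRNG(*CURCHAIN) JRNCDE((T)) ENTTYP(DO) +
--          OUTPUT(*OUTFILE) OUTFILFMT(*TYPE2) OUTFILE(QTEMP/AUDOUT)
--
-- Assumed layout of the DO entry-specific data inside JOESD:
--   position  1, length  1  entry type
--   position  2, length 10  object name
--   position 12, length 10  library name
--   position 22, length  8  object type
SELECT joseqn,                         -- journal sequence number
       jodate,                         -- date of the delete (job date format)
       jotime,                         -- time of the delete
       jojob,                          -- job name
       jouser,                         -- user the job was started under
       jonbr,                          -- job number
       jopgm,                          -- program that issued the delete
       jouspf,                         -- current user profile (*TYPE2 only)
       SUBSTR(joesd, 2, 10)  AS objname,
       SUBSTR(joesd, 12, 10) AS objlib,
       SUBSTR(joesd, 22, 8)  AS objtype
  FROM qtemp/audout
 WHERE SUBSTR(joesd, 2, 10) = 'FAVFILE'   -- exact object name, not a pattern
   AND SUBSTR(joesd, 22, 8) = '*FILE'
 ORDER BY joseqn
```

JOUSPF is worth comparing with JOUSER: when a job runs under a swapped or adopted profile, the two differ, and JOUSPF names the profile in effect when the object was deleted.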