Analyze socket connection auditing records
There are several different methods available to analyze the journal entries that are logged for socket connection auditing.
The security audit journal (QAUDJRN in library QSYS) is the primary source of auditing information on your system. When a socket connection event is audited, the system writes a socket connection journal entry (type SK) in the current journal receiver for QAUDJRN. Each journal entry has a detailed entry type that indicates what kind of socket connection event was audited. For more information about using QAUDJRN and journal entries, see Using the security audit journal. For more information about the format of the journal entries, see SK (Sockets Connections) journal entries.
You can use a query or program to analyze socket connection audit journal entries. One method is to copy selected entries to output files by using the Copy Audit Journal Entries (CPYAUDJRNE) or Display Journal (DSPJRN) CL commands. The output files that contain the audit entry information can then be analyzed by a query or program. For more information, see Viewing audit journal entries and Analyzing audit journal entries with query or a program in the IBM Knowledge Center.
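The following ILE CL program is an added example and is not taken from the IBM Knowledge Center page. It shows the first method end to end: CPYAUDJRNE copies the SK entries from the current receiver chain into a QTEMP output file, and SQL summarises them by detailed entry type and user profile. The program, library and file names (QTEMP/AUD, QTEMP/AUDSK, QTEMP/SKSUMMARY) are chosen for the example; the field names SKENTT and SKUSPF follow the naming convention of the QASYSKJ5 model output file and are an assumption, so the program prints the record layout with DSPFFD so that you can confirm them before relying on the query.

```cl
/* Added example, not from the IBM documentation: copy socket connection  */
/* (SK) audit entries into QTEMP and summarise them with SQL.              */
/* Assumed names: QTEMP/AUD (outfile prefix), QTEMP/AUDSK (result file),  */
/* QTEMP/SKSUMMARY (summary table), fields SKENTT and SKUSPF (QASYSKJ5    */
/* naming convention; verify with the DSPFFD output below).                */
PGM

  /* 1. Copy only SK entries. CPYAUDJRNE names the output file prefix  */
  /*    plus entry type, so OUTFILE(QTEMP/AUD) creates QTEMP/AUDSK.     */
  /*    JRNRCV(*CURCHAIN) reads the whole attached receiver chain;     */
  /*    use FROMTIME/TOTIME to narrow the window on a busy system.     */
  CPYAUDJRNE ENTTYP(SK) OUTFILE(QTEMP/AUD) JRNRCV(*CURCHAIN)
  MONMSG MSGID(CPF0000) EXEC(DO)
    SNDPGMMSG MSG('CPYAUDJRNE failed: check authority to QAUDJRN +
                   and that socket auditing is active in QAUDLVL')
    RETURN
  ENDDO

  /* 2. Print the record layout so the field names used in the SQL   */
  /*    statement can be checked against the real QASYSKJ5 layout.    */
  DSPFFD FILE(QTEMP/AUDSK) OUTPUT(*PRINT)

  /* 3. Count events per detailed entry type and per user profile.    */
  /*    A CREATE TABLE ... AS is used because RUNSQL cannot return    */
  /*    a result set directly.                                          */
  RUNSQL SQL('CREATE TABLE QTEMP/SKSUMMARY AS +
              (SELECT SKENTT AS EVENT, SKUSPF AS USRPRF, +
                      COUNT(*) AS EVENTS +
               FROM QTEMP/AUDSK +
               GROUP BY SKENTT, SKUSPF +
               ORDER BY EVENTS DESC) WITH DATA') +
         COMMIT(*NONE) NAMING(*SYS)

  /* 4. Display the summary on the screen.                             */
  RUNQRY QRY(*NONE) QRYFILE((QTEMP/SKSUMMARY))

ENDPGM
```

Because the output file is built from the model file, the same query can be run interactively with STRSQL once the field names are confirmed. Only events that the system's audit level actually records appear in the file, so an empty result does not by itself mean that no connections were made.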
Another method to retrieve socket connection audit journal entries is to use a program that calls the Retrieve Journal Entries (QjoRetrieveJournalEntries) API. The API provides access to journal entry information similar to what is provided by the DSPJRN CL command. Journal entries can be retrieved based on a number of different keys, including journal entry types, job name, user profile, and a specific range of times. For more information about retrieving and parsing journal entries with the QjoRetrieveJournalEntries API, see Retrieve Journal Entries (QjoRetrieveJournalEntries) API.