Preventing loss of auditing information

 

This topic describes the system values to review to prevent the loss of auditing information.

Two system values control what the system does when error conditions may cause the loss of audit journal entries.

Audit Force Level: The QAUDFRCLVL system value determines how often the system writes audit journal entries from memory to auxiliary storage. The QAUDFRCLVL system value works like the force level for database files. You should follow similar guidelines in determining the correct force level for your installation.

If you allow the system to determine when to write entries to auxiliary storage, it balances the performance impact against the potential loss of information in a power outage. *SYS is the default and the recommended choice.

If you set the force level to a low number, you minimize the possibility of losing audit records, but you may notice a negative performance impact. If your installation requires that no audit records be lost in a power failure, set the QAUDFRCLVL to 1.

Audit End Action: The QAUDENDACN system value determines what the system does if it is unable to write an entry to the audit journal. The default value is *NOTIFY. The system does the following if it is unable to write audit journal entries and QAUDENDACN is *NOTIFY:

  1. The QAUDCTL system value is set to *NONE to prevent additional attempts to write entries.

  2. Message CPI2283 is sent to the QSYSOPR message queue and the QSYSMSG message queue (if it exists) every hour until auditing is successfully restarted.

  3. Normal processing continues.

  4. If an IPL is performed on the system, message CPI2284 is sent to the QSYSOPR and QSYSMSG message queues during the IPL.

In most cases, performing an IPL resolves the problem that caused auditing to fail. After you have restarted your system, set the QAUDCTL system value to the correct value. The system attempts to write an audit journal record whenever this system value is changed.
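To detect the *NOTIFY behaviour described above from forwarded operator messages, the following added example (not IBM code) groups CPI2283 and CPI2284 records into periods during which auditing was switched off. The record layout, the sample lines, the ZZZ0000 message ID and the 10-minute slack are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed sample: one "timestamp queue message-id" record per line.
# This layout is an assumption for the example, not an IBM i export format.
# ZZZ0000 is a constructed, unrelated message ID.
SAMPLE = """\
2024-03-01T02:10:00 QSYSOPR CPI2283
2024-03-01T02:10:00 QSYSMSG CPI2283
2024-03-01T02:40:00 QSYSOPR ZZZ0000
2024-03-01T03:10:00 QSYSOPR CPI2283
2024-03-01T05:30:00 QSYSOPR CPI2284
2024-03-01T06:30:00 QSYSOPR CPI2283
2024-03-04T09:00:00 QSYSOPR CPI2283
2024-03-04T10:00:00 QSYSMSG CPI2283
"""

HOURLY = timedelta(hours=1, minutes=10)  # hourly repeat plus slack (assumed)


def audit_gaps(text, now):
    """Group CPI2283/CPI2284 records into periods with auditing switched off."""
    events = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[2] in ("CPI2283", "CPI2284"):
            # The same message lands in QSYSOPR and QSYSMSG: dedupe on time + id.
            events.add((datetime.fromisoformat(parts[0]), parts[2]))
    gaps = []
    for ts, msgid in sorted(events):
        cur = gaps[-1] if gaps else None
        # CPI2284 is sent during an IPL, so downtime of any length can precede it.
        joins = cur and (msgid == "CPI2284" or ts - cur["last_seen"] <= HOURLY)
        if not joins:
            cur = {"start": ts, "last_seen": ts, "ipl_while_off": False}
            gaps.append(cur)
        cur["last_seen"] = ts
        cur["ipl_while_off"] |= msgid == "CPI2284"
    for gap in gaps:
        # The reminder repeats until auditing restarts; a recent one means still off.
        gap["open"] = now - gap["last_seen"] <= HOURLY
    return gaps


if __name__ == "__main__":
    for g in audit_gaps(SAMPLE, now=datetime(2024, 3, 4, 10, 30)):
        state = "STILL OFF" if g["open"] else "reminders stopped"
        print(g["start"], "->", g["last_seen"], state, "IPL:", g["ipl_while_off"])
```

A closed period only means the hourly reminder stopped arriving; confirm the actual state by checking the QAUDCTL system value on the system.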

You can set the QAUDENDACN to power down your system if auditing fails (*PWRDWNSYS). Use this value only if your installation requires that auditing be active for the system to run. If the system is unable to write an audit journal entry and the QAUDENDACN system value is *PWRDWNSYS, the following happens:

  1. The system powers down immediately (the equivalent of issuing the PWRDWNSYS *IMMED command).

  2. SRC code B900 3D10 is displayed.

Next, do the following:

  1. Start an IPL from the system unit. Make sure that the device specified in the system console (QCONSOLE) system value is powered on.

  2. To complete the IPL, a user with *ALLOBJ and *AUDIT special authority must sign on at the console.

  3. The system starts in a restricted state with a message indicating that an auditing error caused the system to stop.

  4. The QAUDCTL system value is set to *NONE.

  5. To restore the system to normal, set the QAUDCTL system value to a value other than *NONE.

    When you change the QAUDCTL system value, the system attempts to write an audit journal entry. If it is successful, the system returns to a normal state. If the system does not successfully return to a normal state, use the job log to determine why auditing has failed. Correct the problem and attempt to reset the QAUDCTL value again.

 
