Stopping the audit function

How to turn off the auditing function

You may want to use the audit function periodically rather than all the time. For example, you might want to use it when testing a new application. Or you might use it to perform a quarterly security audit. To stop the auditing function, do the following:

1. Use the WRKSYSVAL command to change the QAUDCTL system value to *NONE. This stops the system from logging any more security events.

2. Detach the current journal receiver using the CHGJRN command.

3. Save and delete the detached receiver, using the SAVOBJ and DLTJRNRCV commands.

4. You can delete the QAUDJRN journal once you change QAUDCTL to *NONE. If you plan to resume security auditing in the future, you may want to leave the QAUDJRN journal on the system.

However, if the QAUDJRN journal is set up with MNGRCV(*SYSTEM), the system detaches the receiver and attaches a new one whenever you perform an IPL, whether or not security auditing is active. You need to delete these journal receivers. Saving them before deleting them should not be necessary because they do not contain any audit entries.

Parent topic: