Thanks again Chuck, I went back and looked and saw that what I was
looking at was AF. I'm don't remember exactly what I was reading, but I
thought I was where I needed to be. I think I have a better handle on
it now.


Michael Smith

-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx
[mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of CRPence
Sent: Monday, March 24, 2008 2:29 PM
To: midrange-l@xxxxxxxxxxxx
Subject: Re: Researching Audit journal subtype

It may help to start at "Table 152. Standard Heading Fields for Audit

Journal Entries" in the Security Reference, and page down to "Entry
Types" which are in "Table 153". When the entry type is found, search
the PDF for the type in the manner consistent with the headings in the
following table(s). For example, when searching the tables after
knowing it is a PW entry which is of interest, that is best accomplished

by searching the PDF for "PW (" to get directly to the "Table 194"
describing the layout of the additional data in the PW entry; that is
because the headings are "Table ###. %% (description) Journal Entries".

The /audit/ journal entries use the /Code/ of T; the T designates the

class of logging is /Auditing/ related. Contrast that with the J Code
which indicates the class of logging is /Journaling/ related; activity
specifically involving Journal or Journal Receiver. There are a number
of different journal /Type/ values for any T Code.

The information on page 515 was information for T-AF where the AF is
for the QAUDLVL *AUTFAIL auditing option. When a *AUTFAIL condition is
logged, it *may* be a T-AF entry designating an audited condition
associated with an /authority failure/ of some variety. However, the
T-PW are an _additional_ class of conditions activated by the *AUTFAIL.
These /authority failure/ conditions have their own distinct Type, and

that is PW, to denote the authority failure is related specifically to
Password handling; the "Table 153" suggests "Invalid password" as its
general meaning.

Note: The "Table 126. Security Auditing Journal Entries" shows where
the PW is associated with the *AUTFAIL, the Model outfile, and a short
description of the subtype\detail for 'R'.

Regards, Chuck

This thread ...


Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2019 by and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].