


First off, it's good you started auditing; it makes forensic investigations
so much easier (and possible). Once you're in a "normal" security
environment you are going to want to set the size of the journal
receiver so you keep a specific unit of time in it, a day, or a week before
it changes. Most of my customers prefer it daily. We have a job that runs
near midnight each night to change the journal so a new receiver is
started, and in the text it states what day the receiver is for.

As to clean up, what we do is have a special save that only gets the audit
receivers and appends to the tape, so you'll get many days (or months) on a
tape. Since Evault is doing your backup it's not a real tape, so much the
better. Then we only keep two weeks of receivers on the system since we
can get to history quite easily.

For reference the source members Greg refers to are located in
QMGTOOLS/QMGDBSQL source file. In DLTJRNRCV1 my only concern is the delete
option is set to *IGNINQMSG. That means you might remove receivers that
are not backed up. There is code there to check the save date if it's not
blank, but I prefer a bit more of a safety net on that. Not my first
choice unless you really intend for that to happen.

The second program appears to be an exit program that should be put on the
delete journal receiver command and all it does is force 5 days to elapse
before it allows the removal. Nice example for an exit but really does not
do that much.

--
Jim Oberholtzer
Chief Technical Architect
Agile Technology Architects


On Thu, Apr 28, 2022 at 9:18 AM Greg Wilburn <gwilburn@xxxxxxxxxxxxxxxxxxxxxxx> wrote:

So I have just recently enabled journaling (a week ago), and I already
have 33 journal receivers. There's an authority issue with Web Query that
is the main culprit.

In any case, I wanted to automate the cleanup of these files before they
get out of hand. I've located some CL source in QMGTOOLS for DLTJRNRCV1
and DLJRNRCV2. I was going to give one of those a try.
Our current saves (Evault) have daily, weekly and monthly retentions...
pretty sure we would have those saved for some time.

Any advice would be appreciated...

Greg
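
The safety net discussed in the reply above (remove a receiver only when it is detached, has a full save, and is older than the two-week on-system window), sketched as an added Python example that is not part of the thread or of QMGTOOLS. The record fields, receiver names and dates are constructed for illustration; on a real system they would come from each receiver's attach, detach and save timestamps.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Receiver:
    """Hypothetical record of one journal receiver's state."""
    name: str
    attached: bool                   # currently attached to the journal
    detached_at: Optional[datetime]  # None while still attached
    saved_at: Optional[datetime]     # None if never saved


def deletion_decision(rcv, now, keep_days=14):
    """Return (ok_to_delete, reason) for one receiver."""
    if rcv.attached or rcv.detached_at is None:
        return (False, "still attached")
    if rcv.saved_at is None:
        return (False, "never saved")
    # A save taken before the detach captured only part of the receiver.
    if rcv.saved_at < rcv.detached_at:
        return (False, "saved only while attached (partial save)")
    if now - rcv.detached_at < timedelta(days=keep_days):
        return (False, "inside retention window")
    return (True, "fully saved and past retention")


def plan_cleanup(receivers, now, keep_days=14):
    """Map receiver name -> (ok_to_delete, reason)."""
    return {r.name: deletion_decision(r, now, keep_days) for r in receivers}


# Constructed sample: daily receivers changed near midnight.
NOW = datetime(2022, 4, 28, 23, 50)
SAMPLE = [
    Receiver("AUDRCV0001", False, datetime(2022, 4, 1, 23, 55), datetime(2022, 4, 2, 1, 0)),
    Receiver("AUDRCV0002", False, datetime(2022, 4, 2, 23, 55), None),
    Receiver("AUDRCV0003", False, datetime(2022, 4, 3, 23, 55), datetime(2022, 4, 3, 1, 0)),
    Receiver("AUDRCV0027", False, datetime(2022, 4, 27, 23, 55), datetime(2022, 4, 28, 1, 0)),
    Receiver("AUDRCV0028", True, None, None),
]

if __name__ == "__main__":
    for name, (ok, reason) in plan_cleanup(SAMPLE, NOW).items():
        print(f"{name}: {'DELETE' if ok else 'KEEP'} - {reason}")
```

Only the first sample receiver qualifies for removal; the others are held back for the reason printed next to each name.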




This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
