The CA and OW entries would not be generated with the configuration you show
When were those entries created? Places a 5 by them, then press F15 to get
more detail. It had to have been before you turned auditing off. Actually
from what you show below, auditing is still on just is a very limited way.
Consider auditing just for authority failures. Then if you're seeing a lot
of AF entries, do some research and fix the authority issues. If the number
of entries is so high, turn auditing on for just 15 minutes.
While this would not be the recommended setting, it would allow you to
identify and fix a serious issue while keeping disk usage under control.
Try these settings.
CHGSECAUD QAUDCTL(*AUDLVL *NOQTEMP)
CHGSYSVAL SYSVAL(QAUDLVL) VALUE(*AUTFAIL)
CHGSYSVAL SYSVAL(QAUDLVL2) VALUE(*NONE)
Use the following query to identify the job that is causing the AF entries.
VIOLATION_TYPE, VIOLATION_TYPE_DETAIL, USER_NAME, JOB_NAME,
JOB_USER, JOB_NUMBER, PROGRAM_LIBRARY, PROGRAM_NAME,
REMOTE_ADDRESS, OBJECT_LIBRARY, OBJECT_NAME, OBJECT_TYPE, PATH_NAME
STARTING_TIMESTAMP => CURRENT TIMESTAMP - 1 DAY))
WHERE PATH_NAME IS NOT NULL
I've seen many times where the Journal receivers created by auditing started
chewing up disk space. When that happened, there was always a job that was
in a loop, and it was frequently due to an authority issue. The problem
would have gone unnoticed if it were not for auditing.
It's also a good idea to have some system monitoring process in place to
check for available disk space and/or the number of journal receivers used
There are of course other things to consider when auditing. Saving and
deleting the Audit Receivers, what Library to save the receivers in, a
couple other System Values.
The information available by auditing is amazing, especially if you need it.
Turning auditing off is not the best solution.
date: Wed, 4 May 2022 14:46:56 +0000
from: Greg Wilburn <gwilburn@xxxxxxxxxxxxxxxxxxxxxxx>
subject: RE: QAUDJRN
As you can see... there's a bit more than just ZR & ZC entries.
Not looking for a solution here... just odd, since it shouldn't be doing
this based on what I've read.
System value . . . . . : QAUDLVL
Description . . . . . : Security auditing level
System value . . . . . : QAUDCTL
Description . . . . . : Auditing control
Journal . . . . . . : QAUDJRN Library . . . . . . : QSYS
Largest sequence number on this screen . . . . . . : 00000000000000002436
Type options, press Enter.
5=Display entire entry
Opt Sequence Code Type Object Library Job Time
2425 T CA IT01A 17:45:17
2426 T CA IT01A 17:45:17
2427 T OW IT01A 17:45:21
2428 T CA IT01A 17:45:21
2429 T CA IT01A 17:45:21
2430 T CA IT01A 17:45:21
2431 T OW IT01A 17:45:25
2432 T CA IT01A 17:45:25
2433 T CA IT01A 17:45:25
2434 T CA IT01A 17:45:25
2435 T ZC EDISR5 19:00:05
2436 T ZC EDISR5 19:00:05
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx> On Behalf Of Marc
Sent: Tuesday, May 3, 2022 4:20 PM
Subject: Re: QAUDJRN
Le 03/05/2022 ? 21:17, Greg Wilburn a ?crit?:
So I'm ready to turn this thing off... Actually, I already have.
I changed QAUDCTL to *NONE, but because my QAUDJRN was setup with
MNGRCV(*SYSTEM) it creates a new receiver each morning when we IPL.
That's the normal behavior of journal management. You should only see
entries related to journal and receivers management, such as new receiver
created and attached, previous receiver detached, journal and receivers
backed up... This cannot use a lot of disk space. If you specify
DLTRCV(*YES) for AUDJRN journal, you will have only one receiver in the
chain, even if it is not really a recommended setup for QAUDJRN journal. If
you do no longer want to use audit (well, this is not really recommended
nowadays) and do not want to manage the journal, you can delete it then
delete the receivers.
BUT, according to IBM there shouldn?t be anything in the receiver file.
There are definitely ZC entries.
Unless I am wrong, ZC/ZR entries come with QAUDCTL system value set with
*OBJAUD. So that is quite strange if they are still here when QAUDCTL is set
to *NONE. Are you sure that those ZC entries are *after* QAUDCTL was set to
I'm so frustrated right now... why would IBM give you something that has
the potential to EAT DISK SPACE at an alarming rate, yet not provide any
"cleanup" tools that aren't supplied "AS-IS". Yet we are supposed to turn
Audit journal needs to be properly managed. Normally, you may want to backup
then delete the receivers and keep the backup long enough to comply with
security rules which require the ability to analyse them in case of security
failure. If you do not want to create tools for that, I suggest you to look
at some commercial software. Security becomes more and more a key topic
FWIW, the DB2 Web Query folks came back and said to turn off auditing on
the directory (and subtree) that is generating 99.7% of the AF entries.
As far as I know, you cannot do that. There is no directory or file or
object attribute which prevents Authority Failures entries in audit journal.
As soon as QAUDLVL(2) system value includes *AUTFAIL, the system will log
*all* authority failures. This will always be a matter for security
administrator to solve them with setting up appropriate authority. My 2
Is this really worth all the effort?
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives at
Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription related
Help support midrange.com by shopping at amazon.com with our affiliate link:
As an Amazon Associate we earn from qualifying purchases.