ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzamv_5.4.0.1/rzamvpreventlossauditinfo.htm

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
  PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Prevent loss of auditing information" />
<meta name="abstract" content="This article describes which information to look for to prevent loss of auditing information." />
<meta name="description" content="This article describes which information to look for to prevent loss of auditing information." />
<meta name="DC.Relation" scheme="URI" content="rzamvmonitorsec.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="preventlossauditinfo" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Prevent loss of auditing information</title>
</head>
<body id="preventlossauditinfo"><a name="preventlossauditinfo"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Prevent loss of auditing information</h1>
<div><p>This article describes which information to look for to prevent
loss of auditing information.</p>
<p>Two system values control what the system does when error conditions may
cause the loss of audit journal entries. </p>
<p><strong>Audit Force Level:</strong> The QAUDFRCLVL system value determines how often
the system writes audit journal entries from memory to auxiliary storage.
The QAUDFRCLVL system value works like the force level for database files.
You should follow similar guidelines in determining the correct force level
for your installation. </p>
<p>If you allow the system to determine when to write entries to auxiliary
storage, it balances the performance impact against the potential loss of
information in a power outage. *SYS is the default and the recommended choice. </p>
<p>If you set the force level to a low number, you minimize the possibility
of losing audit records, but you may notice a negative performance impact.
If your installation requires that no audit records be lost in a power failure,
you must set the QAUDFRCLVL to <kbd class="userinput">1</kbd>. </p>
<div class="p"><strong>Audit End Action:</strong> The QAUDENDACN system value determines what the
system does if it is unable to write an entry to the audit journal. The default
value is *NOTIFY. The system does the following if it is unable to write audit
journal entries and QAUDENDACN is *NOTIFY: <ol><li>The QAUDCTL system value is set to *NONE to prevent additional attempts
to write entries.</li>
<li>Message CPI2283 is sent to the QSYSOPR message queue and the QSYSMSG message
queue (if it exists) every hour until auditing is successfully restarted.</li>
<li>Normal processing continues.</li>
<li>If an IPL is performed on the system, message CPI2284 is sent to the QSYSOPR
and QSYSMSG message queues during the IPL.</li>
</ol>
 </div>
<div class="note"><span class="notetitle">Note:</span> In most cases, performing an IPL resolves the problem that
caused auditing to fail. After you have restarted your system, set the QAUDCTL
system value to the correct value. The system attempts to write an audit journal
record whenever this system value is changed.</div>
<div class="p">You can set the QAUDENDACN to power down your system if auditing fails
(*PWRDWNSYS). Use this value only if your installation requires that auditing
be active for the system to run. If the system is unable to write an audit
journal entry and the QAUDENDACN system value is *PWRDWNSYS, the following
happens: <ol><li>The system powers down immediately (the equivalent of issuing the PWRDWNSYS
*IMMED command).</li>
<li>SRC code <samp class="codeph">B900 3D10</samp> is displayed.</li>
</ol>
 </div>
<div class="p">Next, you must do the following: <ol><li>Start an IPL from the system unit. Make sure that the device specified
in the system console (QCONSOLE) system value is powered on.</li>
<li>To complete the IPL, a user with *ALLOBJ and *AUDIT special authority
must sign on at the console.</li>
<li>The system starts in a restricted state with a message indicating that
an auditing error caused the system to stop.</li>
<li>The QAUDCTL system value is set to *NONE.</li>
<li>To restore the system to normal, set the QAUDCTL system value to a value
other than <kbd class="userinput">NONE</kbd>. <p>When you change the QAUDCTL system
value, the system attempts to write an audit journal entry. If it is successful,
the system returns to a normal state. If the system does not successfully
return to a normal state, use the job log to determine why auditing has failed.
Correct the problem and attempt to reset the QAUDCTL value again.</p>
</li>
</ol>
 </div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzamvmonitorsec.htm" title="This set of topics discuss various techniques for monitoring and auditing security on your system.">Monitor security</a></div>
</div>
</div>
</body>
</html>