IBM i Security - QAUDJRN Entry Types

For your convenience, I have compiled a list of all of the journal entry types used in QAUDJRN auditing, along with a short description of each type. For example, the journal entry type AF indicates an Authority Failure (when a user tries to access a file without sufficient authority).

Included in this reference, you will find the journal code type T entries that make up the bulk of entries in QAUDJRN. While other journal code types are found in the journal, they are not typically related to security. For example, type J entries indicate journal and journal receiver operations, and type U entries are used for custom-generated entries or those of a third party software vendor.

This information is also available in the IBM i Security Reference 6.1, Appendix F. You can download the pdf file here.

QAUDJRN Journal Entry Types for Journal Code T

| Entry type | Description |
|---|---|
| AD | Auditing changes |
| AF | Authority failure |
| AP | Obtaining adopted authority |
| AU | Attribute changes |
| CA | Authority changes |
| CD | Command string audit |
| CO | Create object |
| CP | User profile changed, created, or restored |
| CQ | Change of *CRQD object |
| CU | Cluster Operations |
| CV | Connection verification |
| CY | Cryptographic Configuration |
| DI | Directory Server |
| DO | Delete object |
| DS | DST security password reset |
| EV | System environment variables |
| GR | Generic record |
| GS | Socket description was given to another job |
| IM | Intrusion monitor |
| IP | Interprocess Communication |
| IR | IP Rules Actions |
| IS | Internet security management |
| JD | Change to user parameter of a job description |
| JS | Actions that affect jobs |
| KF | Key ring file |
| LD | Link, unlink, or look up directory entry |
| ML | Office services mail actions |
| NA | Network attribute changed |
| ND | APPN directory search filter violation |
| NE | APPN end point filter violation |
| OM | Object move or rename |
| OR | Object restore |
| OW | Object ownership changed |
| O1 | (Optical Access) Single File or Directory |
| O2 | (Optical Access) Dual File or Directory |
| O3 | (Optical Access) Volume |
| PA | Program changed to adopt authority |
| PG | Change of an object’s primary group |
| PO | Printed output |
| PS | Profile swap |
| PW | Invalid password |
| RA | Authority change during restore |
| RJ | Restoring job description with user profile specified |
| RO | Change of object owner during restore |
| RP | Restoring adopted authority program |
| RQ | Restoring a *CRQD object |
| RU | Restoring user profile authority |
| RZ | Changing a primary group during restore |
| SD | Changes to system distribution directory |
| SE | Subsystem routing entry changed |
| SF | Actions to spooled files |
| SG | Asynchronous Signals |
| SK | Secure sockets connections |
| SM | Systems management changes |
| SO | Server security user information actions |
| ST | Use of service tools |
| SV | System value changed |
| VA | Changing an access control list |
| VC | Starting or ending a connection |
| VF | Closing server files |
| VL | Account limit exceeded |
| VN | Logging on and off the network |
| VO | Validation list actions |
| VP | Network password error |
| VR | Network resource access |
| VS | Starting or ending a server session |
| VU | Changing a network profile |
| VV | Changing service status |
| X0 | Network Authentication |
| X1 | Identify Token |
| XD | Directory server extension |
| YC | DLO object accessed (change) |
| YR | DLO object accessed (read) |
| ZC | Object accessed (change) |
| ZR | Object accessed (read) |

About the Author

Dan Riehl is the Editor of the SecureMyi Security Newsletter and President and Security Specialist for the IT Security and Compliance Group, LLC. Dan performs IBM i security assessments and provides customized security services. He also provides training in all aspects of IBM i security and other technical areas through the training company, The 400 School, Inc.