Collecting system audit journal data is done by adding the system audit journal (QAUDJRN) to a Journal Monitor Group using the Configuration Tool. System audit journal records are sent to Hub as 'raw' unformatted records. Hub Server will process the raw records and create JSON formatted records for ingestion by the target.
Do these steps to configure audit journal configuration:
-
Launch the
Configuration Tool.
-
Select the Journal Monitors tab.
-
Choose an
existing journal monitor group if one has already been created, or create a new
group using the Create button. Choose a name for the monitor group.
-
Enter a Frequency
interval (in seconds) to select how often the journal is polled for new
entries. Use increments of 30 seconds.
-
On the Journal Monitor Group page, click Add Monitor to add the system audit journal.
-
In the configuration screen, enter QAUDJRN in the Journal Name field and QSYS in the Journal Library field.
-
Ensure Raw is checked.
-
Ensure the Field Description Config selection is left blank and is ignored when Raw is selected.
Figure 1. Add the System Audit Journal
-
To send all supported entry types:
-
Enter T for the Entry Code.
-
Do not add individual entry types.
-
To send only
selected journal entry types:
-
Leave the Entry Code empty.
-
Click the Add Type button to add an entry type.
-
To add additional entry types, continue to click the Add Type button.
Figure 2. Add Specific Journal Entry Types
-
Fill in the Assigned systems field to assign the completed Journal Monitor Group to one or more IBM i LPARs.
-
Click the Save button.
-
Click the Distribute button to send the monitor group to the Ironstream Agent for IBM i for the Assigned systems.
-
On the Systems tab, restart each System that is in the Assigned systems list of the newly created Journal Monitor Group.
Note: After creating or changing a journal monitor, you MUST restart each Source affected by the changes to ensure that Hub is using the new configuration details when processing journal entries.