Collecting System Audit Journal (QAUDJRN) Data

Ironstream for Splunk®/Kafka®/Elastic® for IBM i Ironstream Integration Components Administration

Product type: Software
Portfolio: Integrate
Product family: Ironstream
Product: Ironstream > Ironstream for Elastic®; Ironstream > Ironstream for Kafka®; Ironstream > Ironstream for Splunk®
Version: 7.4
Language: English
Product name: Ironstream Splunk®/Kafka®/Elastic®
Copyright: 2022
First publish date: 2007
Last updated: 2023-08-25
Published on: 2023-08-28T08:26:48.055356

Collecting system audit journal data is done by adding the system audit journal (QAUDJRN) to a Journal Monitor Group using the Configuration Tool. System audit journal records are sent to the Ironstream Proxy Server as "raw" unformatted records. Ironstream Proxy Server will process the raw records and create JSON formatted records for ingestion by the destination.

Use these steps to configure audit journal collection:

  1. Launch the Configuration Tool.

  2. Select the Journal Monitors tab.

  3. Choose an existing journal monitor group if one has already been created, or create a new group using the Create button. Choose a name for the monitor group.

  4. Enter a Frequency interval (in seconds) to select how often the journal is polled for new entries. Use increments of 30 seconds.

  5. On the Journal Monitor Group page, click Add Monitor to add the system audit journal.

  6. In the configuration screen, enter QAUDJRN in the Journal Name field and QSYS in the Journal Library field.

  7. Ensure Raw is checked.

  8. The Field Description Config selection should be left blank and is ignored when Raw is selected.

Figure 11: Add the System Audit Journal

  9. To send all supported entry types:

    • Enter T for the Entry Code.

    • Do not add individual entry types.

  10. To send only selected journal entry types:

    • Leave the Entry Code empty.

    • Click the Add Type button to add an entry type.

  11. To add additional entry types, continue clicking the Add Type button.

Figure 12: Add Specific Journal Entry Types

  12. Fill in the Assigned systems field to assign the completed Journal Monitor Group to one or more IBM i LPARs.

  13. Click the Save button.

  14. Click the Distribute button to send the monitor group to the Ironstream Agent for IBM i for the Assigned systems.

  15. On the Systems tab restart each System that is in the Assigned systems list of the newly created Journal Monitor Group.

Note: After creating or changing a journal monitor, you MUST restart each System affected by the changes to ensure that the Proxy Server is using the new configuration details when processing journal entries.
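
The following is an added example, not part of the Ironstream documentation. Before choosing between Entry Code T and individual entry types, these Db2 for i queries, run on the IBM i LPAR, show whether security auditing is active and which entry types QAUDJRN actually contains. It assumes the IBM-supplied QSYS2.SYSTEM_VALUE_INFO view and QSYS2.DISPLAY_JOURNAL table function are available at your OS level and that the user running it is authorized to read QSYS/QAUDJRN; the 24-hour window is an arbitrary choice.

```sql
-- Added example (not Ironstream code). Run on the IBM i LPAR whose audit
-- journal will be monitored, for example from a Run SQL Scripts session.

-- 1. Confirm that security auditing is switched on. If QAUDCTL is *NONE,
--    no T entries are written and the journal monitor has nothing to send.
--    QAUDLVL and QAUDLVL2 list the audited event classes, which determine
--    the entry types that can appear in the journal.
SELECT SYSTEM_VALUE_NAME,
       CURRENT_CHARACTER_VALUE
  FROM QSYS2.SYSTEM_VALUE_INFO
 WHERE SYSTEM_VALUE_NAME IN ('QAUDCTL', 'QAUDLVL', 'QAUDLVL2');

-- 2. Count audit entries (journal code T) per entry type over the last
--    24 hours. The result shows which types are produced and how many,
--    which helps decide between sending everything (Entry Code T) and
--    adding only selected types with Add Type.
SELECT J.JOURNAL_ENTRY_TYPE,
       COUNT(*)               AS ENTRY_COUNT,
       MIN(J.ENTRY_TIMESTAMP) AS FIRST_SEEN,
       MAX(J.ENTRY_TIMESTAMP) AS LAST_SEEN
  FROM TABLE(QSYS2.DISPLAY_JOURNAL(
         JOURNAL_LIBRARY        => 'QSYS',
         JOURNAL_NAME           => 'QAUDJRN',
         STARTING_RECEIVER_NAME => '*CURCHAIN',   -- span receiver changes
         STARTING_TIMESTAMP     => CURRENT TIMESTAMP - 24 HOURS,
         JOURNAL_CODES          => 'T'
       )) AS J
 GROUP BY J.JOURNAL_ENTRY_TYPE
 ORDER BY ENTRY_COUNT DESC;
```

An entry type you expect to forward but that is missing from the second result usually means the corresponding event class is not being audited on that LPAR, so adding it in the Configuration Tool alone will not produce data.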