IBM i system journaling exceptions

I have recently installed Anti-Virus scanning for the Netserver (IFS) portion on my IBM i.  I am running IBM i v7r2.  The Anti-Virus scans are making the number of journal receiver entries increase exponentially. Auditing events are configured as listed: attention events, authorization failure, object creation/deletion/restore, program adoption, security tasks, service tasks, system integrity violation, system management.  I'm not auditing objects in QTEMP, & object auditing isn't active.

The AV scanner is producing a lot of entries of the following types: CA (auth change), LD (directory link/unlink/lookup), CO (create object), AD (auditing attribute change), & DO (delete operation).

My question is: can I specify exceptions to auditing/journaling?  By job name, user profile, or any other parameter that would allow me to specify that I don't want the AV scanner activity being journaled.

Thanks in advance.

Gary Patterson (VP Technology / Senior Consultant) Commented:
No way that I'm aware of to set up auditing exceptions.  You can use CHGUSRAUD to specify ADDITIONAL audits for a given user, but not to exclude audits configured in the QAUDLVL and QAUDLVL2.  Allowing specific jobs or users to bypass auditing would create a pretty big hole in the whole purpose of auditing.

My only idea:  Remove the problem audits from QAUDLVL/QAUDLVL2 and apply them at the user level using CHGUSRAUD - not crazy about this one since it creates a user profile maintenance issue.

Is this the free AV from Raz-Lee? If so, you might want to raise the issue with them directly and see if they have any suggestions.

bitxpert (Author) Commented:
Thanks for the confirmation, I figured there would not be a way to create exceptions in the system security auditing because that would be self-defeating.

The CHGUSRAUD command would be a good compromise, albeit more work, so I will keep that in mind.

You are correct, it is the free AV from Raz-Lee.  I will check with them and see if they have any good suggestions.
Gary Patterson (VP Technology / Senior Consultant) Commented:
Please post back if you learn anything interesting.  

One way to make the CHGUSRAUD approach less likely to end up with gaps due to unaudited or underaudited users would be to create a little process that runs each night, perhaps, that does a DSPUSRPRF *BASIC to an outfile, and then sweeps through the outfile verifying all audited profiles have the correct audit actions in column UPAUDL in the outfile, and issuing CHGUSRAUD to fix any profiles (new profiles for example) that aren't set up correctly.

If you wanted to get fancy, you could also create an "exclusions" file containing a list of profiles that you didn't want the process to manage.

- Gary
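
The comparison step of the nightly sweep described in the comment above, with the exclusions list, as an added example that is not code from the thread or from IBM. It assumes the DSPUSRPRF outfile has already been read into (UPUPRF, UPAUDL) pairs, that UPUPRF is the profile-name column and that UPAUDL holds whitespace-separated values; the required set, the function name and the AVSCAN profile are constructed for illustration.

```python
import re

# Constructed choice: stands in for whichever values were removed from
# QAUDLVL/QAUDLVL2 and must now be carried by every managed profile.
REQUIRED = ("*CREATE", "*DELETE", "*SECURITY")

# Reject anything that is not a plain profile name before it is placed
# inside a command string (up to 10 characters).
NAME_RE = re.compile(r"^[A-Z$#@][A-Z0-9$#@_.]{0,9}$")


def plan_fixes(rows, exclusions=(), required=REQUIRED):
    """Return (commands, skipped) for rows of (UPUPRF, UPAUDL) values."""
    excluded = {name.strip().upper() for name in exclusions}
    commands, skipped = [], []
    for profile, audl in rows:
        name = profile.strip().upper()
        if name in excluded or not NAME_RE.match(name):
            skipped.append(name)  # reported so exclusions stay reviewable
            continue
        current = [v for v in audl.upper().split() if v != "*NONE"]
        missing = [v for v in required if v not in current]
        if not missing:
            continue  # already correct, no command needed
        # AUDLVL replaces the whole list, so keep what the profile already
        # has and append only the missing values.
        wanted = " ".join(current + missing)
        commands.append(f"CHGUSRAUD USRPRF({name}) AUDLVL({wanted})")
    return commands, skipped


# Constructed sample rows; AVSCAN is a hypothetical scanner profile.
SAMPLE_ROWS = [
    ("ALICE     ", "*CREATE   *DELETE   *SECURITY "),
    ("BOB       ", "*NONE"),
    ("CAROL     ", "*CMD      *CREATE   "),
    ("AVSCAN    ", "*NONE"),
]

if __name__ == "__main__":
    cmds, not_managed = plan_fixes(SAMPLE_ROWS, exclusions=["AVSCAN"])
    print("\n".join(cmds))
    print("not managed:", ", ".join(not_managed))
```

Logging the skipped list on every run keeps the set of profiles that fall outside the moved audit values visible to whoever reviews the job.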
bitxpert (Author) Commented:
I have heard back from Raz-Lee; they didn't have a direct solution but said they would look into it.  At this point, my Journal growth has slowed so I'm thinking most of the abnormal growth may have been due to the initial scans.  

Gary, thanks for all the info on CHGUSRAUD, I will keep that in mind if this problem re-surfaces.
Gary Patterson (VP Technology / Senior Consultant) Commented:
Happy to help.  Glad to hear that the volume has decreased.