
Journaling is one of IBM i’s most incredible features. Since the Db2 for i database has always been integrated with the operating system, IBM i users can do some really amazing things with journaling. Let’s look at what IBM i journaling is, what benefits it offers, and the history of journaling.
The Benefits of IBM i Journaling
Journaling makes IBM i systems more resilient and increases backup and recovery speeds. Commitment control allows customers to roll back changes to multiple related files for a specific function (such as all the records entered for a particular order), removing corrupt or damaged records.
With IBM i security journaling (QAUDJRN), journaling is a key component in auditing and forensic analysis. Local users can use IBM i commands and customer-written software to extract and analyze journal entries. Security journaling allows organizations to export IBM i log and activity information to Security Information and Event Management (SIEM) systems for enterprise-wide security analysis.
Further reading: Integrating IBM i Data with SIEM Solutions
Remote journaling allows organizations to export journal entries to other IBM i systems where they can be used in a number of disaster recovery, high availability, and system restoration solutions offered by IBM and other vendors. IBM i journaling allows organizations to perform cloud disaster recovery, high availability, and business continuity today.
How IBM i Journaling Works
IBM i journaling provides a means where you can record the chronological activity of system objects. IBM offers two types of journals on the IBM i.
1. Database journals that track libraries, files, access paths, data areas, data queues, and Integrated File System activity. Database journals must be set up for any IBM i objects you want to track. There are no limits on the number of data objects you can track or the number of database journals you can set up.
2. The Security Audit Journal (QAUDJRN) that tracks security event information on your system. QAUDJRN is an IBM-supplied journal, but it must be set up before it starts tracking security events. QAUDJRN can generally be set up to track security events and other items that are not tracked by IBM i database journals.
IBM records system activity using two system objects: Journals and Journal Receivers. Journaled objects are associated with a particular journal. Journals receive journal entries detailing activity from their associated journal objects, and a single journal can monitor many different objects.
Journal entries contain detailed information about any changes made to the objects the journal monitors. Depending on how their associated journal is configured, the system will produce journal entries detailing what the object looked like after a change or alternatively, before and after journal entry snapshots of what the object looked like before and after it was changed.
After receipt, the journal stores its journal entries in an attached journal receiver. Journal receivers are created and attached to their parent journals, as needed, and they are swapped out for a new receiver when they reach their capacity. Each journal receiver is linked to the receivers that were created directly before and after it was created, and there can only be one active journal receiver receiving entries at a time. Old journal receivers can be managed and deleted from the system manually or automatically, according to its journal’s parameters.
Journals and journal receivers must be set up locally for their monitored objects (local journal management). You can also set up remote journal and journal receivers on remote systems (remote journal management) that are associated with local journals. Journal entries on the local system are then replicated to their associated remote journal receiver.
Further reading: IBM i Security Capabilities and Evaluation Tools
Reviewing IBM i Journal Entries
Inside IBM i, Journal entries can be reviewed in one of four ways.
1. By using the Display Journal command (DSPJRN).
2. By using the Copy Audit Journal Entries command (CPYAUDJRNE) to copy selected entries into an IBM i file and then use a custom-written program to analyze the entries.
3. Using SQL to extract audit journal entry data by using the DISPLAY_JOURNAL function.
4. By using the Security’s Audit Journal entry node in IBM Navigator for i (Figure 1).
Be warned that it is difficult to extract and analyze journal entries using these options. Several companies offer auditing products—including SEA’s iSecurity Audit—that can produce auditing reports from IBM journal entries.
For more information on setting up and configuring IBM i journaling, see the IBM i Knowledge Center entry on Journal Management.

What functions are available with IBM i journaling?
Here are the functions and features you can take advantage of with IBM i journaling.
- Creating and accessing an audit trail of QAUDJRN object activity. The audit trail allows you to perform forensic analysis for auditing security violations, program modifications, IBM i command access, and more (system auditing)
- Enabling backups to occur when objects are in use (Save While Active)
- Exporting QAUDJRN information to Security Information and Event Management (SIEM) systems for enterprise-wide auditing and forensic analysis (SIEM integration).
- Generating user-defined journal entries to record activity for items that are not journaled in the operating system (user-defined journaling)
- Providing quicker object restores when restoring objects from Save While Active media (Restoration)
- Recovering changes to data objects that have occurred since the object was last saved (Object restoration)
- Recovering objects while they are in use (Restore-While-Active)
- Reducing the IPL time to restart a system or vary on an independent disk, after an abnormal system end (System-managed-access-path-protection, SMAPP)
- Replicating journal entries to another system for use in system restores, high availability systems, and disaster recovery in wide area networks and in the cloud (remote journal management)
- Rolling back modifications to multiple-related files, using commitment control (Commitment Control)
- Tracking changes to data and non-data objects–Journaling takes before and after images of changes as they occur (database journaling and security journaling: QAUDJRN)
Find out more about IBM i Auditing and SIEM Integration
SEA offers advanced IBM i tools that provide native IBM i auditing and IBM i journal integration with Security Information and Event Management (SIEM) systems. Please Contact SEA if you’d like to learn more about these topics.