Original Message:
Sent: Thu December 19, 2024 09:58 AM
From: Tom Zeehandelaar
Subject: Issue regarding z-Alert coding to generate all SMF events for a specific system ID
Hi Raju,
Yes, I can confirm that, for the purpose of generating a daily report with the RACF commands that a certain user executed, coding a batch job that reports the commands is definitely the best solution for this requirement. zSecure Alert is a (near) real-time alerting tool that is not designed to be used for daily reporting purposes.
Just code a regular batch job with the appropriate CARLa script that produces the daily RACF commands overview for your requestor's needs and hand over that job to your job scheduling product to run it on a daily basis.
------------------------------
Tom Zeehandelaar
z/OS Security Enablement Specialist - zSecure developer
IBM
Original Message:
Sent: Thu December 19, 2024 09:37 AM
From: kanakaraju seeramsetti
Subject: Issue regarding z-Alert coding to generate all SMF events for a specific system ID
Thanks Rene and Rob for responding.
I did try using likelist=recent and could see no results popped up. I'm thinking likelist=recent and ALLOC (for yesterday's data) members are mutually exclusive, so that might be the reason no results came up.
Will datetime=today-1 work here? Just want to check.
As advised by Rob, we shouldn't be using the z-Secure alert for reporting; however, I have a requirement to send a report on a daily basis and I don't want to use batch jobs. So, I thought of using zAlert to facilitate that.
I would also assume we still need to code the batch job to run on a daily basis if we use email parameters in a normal CARLa program. Please correct me if this is not right.
Thanks again for your help.
Raju
------------------------------
kanakaraju seeramsetti
Original Message:
Sent: Wed December 18, 2024 11:24 AM
From: Rob van Hoboken
Subject: Issue regarding z-Alert coding to generate all SMF events for a specific system ID
Hi Raju
Like Rene indicated, Alert is designed to collect SMF records for a number of minutes and then generate alerts for the records that were generated in the last reporting interval. Alert is not specifically designed to allow input from another SMF input data set, in other words, you are not supposed to add an ALLOC command in the zSecure Alert skeleton. Alert is also not intended to report on "yesterday" or even "all events from today."
If you are only using zSecure Alert (as opposed to zSecure Audit) because you want to distribute the report as an email, there are ways to specify the email parameters in a normal CARLa program. See for example this answer from Tom.
------------------------------
Rob van Hoboken
Original Message:
Sent: Wed December 18, 2024 06:56 AM
From: kanakaraju seeramsetti
Subject: Issue regarding z-Alert coding to generate all SMF events for a specific system ID
Hi there,
I've coded the below CARLa program in zAlert for generating a report on all the commands issued by an ID, as below.
n type=smf nopage
alloc dsn='DATASET.LIBRARY.DAILY(0)' type=smf
SELECT RACFCMD=(ADDUSER,ALTUSER,DELUSER) USER=GENERICID system=X*OS
sortlist,
USERID(ND) DATETIME(ND) SYSTEM(ND) SMFDD(ND) RECNO(ND),
DATETIME SYSTEM JOBNAME,
RACFCMD(WORDWRAP,HOR)
It does give me all the commands issued by that ID yesterday if I run just the CARLa code, but when I use the same code in z-Alert, sometimes the alert email does not generate the data for yesterday; instead it gives me data for (-1).
And sometimes it does generate an email with yesterday's data, which is correct.
I'm struggling to find the root cause for this.
Any help from anyone would be much appreciated.
------------------------------
Raju
------------------------------