IBM Security Z Security

  • 1.  acf2 using zalert

    Posted Mon May 10, 2021 10:25 AM
    We are trying to see if anyone has created a custom alert to peel ACF99913 messages from the syslog and send them to Splunk. Any assistance or advice would be greatly appreciated. Thanks.

    Kevin

    ------------------------------
    Kevin Smith
    ------------------------------


  • 2.  RE: acf2 using zalert

    IBM Champion
    Posted Tue May 11, 2021 02:06 AM
    Edited by Rob van Hoboken Tue May 11, 2021 02:07 AM
    zSecure Alert ships one sample alert for ACF9CCCD that you could use as a template.
    • Copy alert 1301,
    • Remove the environment section (&C2PEPASS = Y)
    • Change the ACF2-specific SELECT statement into
        select msgid=ACF99913
    • Use the E line command to go to the alert options, change the data source filter to select message id ACF99913
    However, alert 1301 does not print the ACF99913 message, instead it picks up the ACFSTCID and JOB fields from the message.
    To print the whole ACF99913 message to Splunk, you will be better off copying an application alert, like 1804.

    You could also use SMF reporting to process ACF2 access violations.  Alert 2201 would be an adequate starting point.
    Find the ACF2-specific SELECT command and change this into

    select acf2_subtype=D acf2_descriptor=VIO likelist=recent

    ------------------------------
    Rob van Hoboken
    ------------------------------


  • 3.  RE: acf2 using zalert

    Posted Wed May 12, 2021 02:07 PM
    Thanks a ton. We were trying to use that as a template, just pretty lost. Sure appreciate the assist.

    ------------------------------
    Kevin Smith
    ------------------------------