IBM Security Z Security


CARLa: Reading SMF Via Offsets

  • 1.  CARLa: Reading SMF Via Offsets

    Posted Thu July 02, 2020 03:47 PM
    Edited by Adam Klinger Thu July 02, 2020 03:49 PM
    I'm working with some custom SMF records and attempting to use CARLa to parse through them. I'm able to get most of the way there but am having some trouble with using functions to handle the Triplets.

    These fields are roughly defined like such:

    Field     Length  Type     Detail
    Input     12      Triplet  Input Count (4 bytes), Input Length (4 bytes), Input Offset (4 bytes)
    Output    12      Triplet  Output Count (4 bytes), Output Length (4 bytes), Output Offset (4 bytes)
    Messages  12      Triplet  Message Count (4 bytes), Message Length (4 bytes), Message Offset (4 bytes)

    For all of the above, the "offset" is the offset in this record to a 4 byte length field followed by the text, with "Input" starting at 141 in the record.

    Is there a rough example that can be provided to handle reading and formatting these records? I've tried many variants using "smf_section" but it seems I am likely misinterpreting the manual. 

    Also it would be helpful to know if effectively 2.4.0 is required to handle this in a straightforward manner, as I do see a new "SMF_SECTION12_INDEX" function in that version.

    Thanks for any guidance.

    Adam Klinger

  • 2.  RE: CARLa: Reading SMF Via Offsets

    Posted Fri July 03, 2020 05:39 AM
    Edited by Rob van Hoboken Fri July 03, 2020 05:39 AM
    Hi Adam
    SMF_SECTION12_INDEX was designed to process "12 byte" triplets, as found in SMF types 120 and 123.
    The older SMF_SECTION field is meant for triplets where the count and length values are 2 bytes in length.
    Both fields expect to find a 12 (or 8) byte triplet containing the offset to the first section, length of each section and number of sections, in this order.

    Rob van Hoboken
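
The two triplet layouts discussed so far, as an added Python example that is not part of the original posts and is not CARLa: it decodes a 12-byte triplet in either field order from a constructed record and follows the offset with bounds checks. Big-endian integers, 0-based offsets from the start of the buffer, EBCDIC code page 037 text and the sample record contents are all assumptions.

```python
import struct

# Field order of the three big-endian 4-byte integers in a 12-byte triplet.
STANDARD = ("offset", "length", "count")  # order described in the reply above
CUSTOM = ("count", "length", "offset")    # order in the custom record of post 1

def read_triplet(record, pos, order):
    """Decode the triplet at 0-based position pos (assumed offset base)."""
    if pos < 0 or pos + 12 > len(record):
        raise ValueError("triplet lies outside the record")
    return dict(zip(order, struct.unpack_from(">III", record, pos)))

def read_sections(record, triplet):
    """Standard layout: count fixed-length sections starting at offset."""
    off, length, count = (triplet[k] for k in STANDARD)
    if off + length * count > len(record):
        raise ValueError("sections run past the end of the record")
    return [record[off + i * length:off + (i + 1) * length] for i in range(count)]

def read_prefixed_text(record, triplet, codec="cp037"):
    """Custom layout: offset points at a 4-byte length followed by the text."""
    off = triplet["offset"]
    if off + 4 > len(record):
        raise ValueError("length prefix lies outside the record")
    (size,) = struct.unpack_from(">I", record, off)
    if off + 4 + size > len(record):
        raise ValueError("text runs past the end of the record")
    return record[off + 4:off + 4 + size].decode(codec)  # EBCDIC is assumed

def build_sample():
    """Constructed record: 16 filler bytes, a custom and a standard triplet, data."""
    text = "LISTUSER IBMUSER".encode("cp037")
    blob = struct.pack(">I", len(text)) + text       # length prefix + text
    blob_off = 16 + 12 + 12                          # data follows both triplets
    custom = struct.pack(">III", 1, len(blob), blob_off)
    standard = struct.pack(">III", blob_off + len(blob), 4, 2)
    return bytes(16) + custom + standard + blob + b"AAAABBBB"

if __name__ == "__main__":
    rec = build_sample()
    print(read_prefixed_text(rec, read_triplet(rec, 16, CUSTOM)))
    print(read_sections(rec, read_triplet(rec, 28, STANDARD)))
    try:  # reading the custom triplet in the standard order yields a bad offset
        read_sections(rec, read_triplet(rec, 16, STANDARD))
    except ValueError as err:
        print("rejected:", err)
```

Reading the custom triplet in the standard field order treats the count as the offset, which is why the bounds checks matter before any slice is taken.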

  • 3.  RE: CARLa: Reading SMF Via Offsets

    Posted Thu July 09, 2020 09:29 AM
    Thanks for the clarity.

    Trying this some more I believe I can use 2-pass CARLa to parse correctly based on the offsets being different for each record, but am having some trouble I believe based on the order of the records. Is there any way I can ensure each pass is processing them the same way? Here's effectively what I have so far:

    newlist type=smf nopage nodup dd=ckr2pass
    select type=smf#
    define  type=smf $inpcnt("InpCnt",num,6)       as substr(record,113,4)
    define  type=smf $inplen("InpLen",num,6)       as substr(record,117,4)
    define  type=smf $inpoff("InpOff",num,6)       as substr(record,121,4)
     / `newlist type=smf nopage nodup dd=ckrcmd           `,
     / `select  type=smf# `,
     / `define type=SMF $ic("InputCmd",char) , `,
     / ` as substr(substr(record,30,1000),`,
       | $inpoff(0) | `,` | $inplen(0) | `)` ,
     / `sortlist datetime         $ic`

    Adam Klinger

  • 4.  RE: CARLa: Reading SMF Via Offsets

    Posted Thu July 09, 2020 09:41 AM
    Edited by Jeroen Tiggelman Thu July 09, 2020 09:46 AM
    Hi Adam,

    If you are processing one SMF file, then you can ensure the order of the records is the same in the next pass by starting the SORTLIST statement with the sort argument RECNO(ND).

    If you have multiple files, you may need to prefix with SMFDD(ND) and check if the sort order of the files is the one you want in that way.



    P.S. For those few record types that support sub-records, you might also want SUBRECNO(ND) behind RECNO(ND). "This field is supported in CICS monitoring performance records (CICS_MONITOR_CLASS = 3) and in SMF type 42 (DFSMS Statistics and Configuration) subtype 6 (Job Header (data set statistics)) records."

    Jeroen Tiggelman
    Software Development and Level 3 Support Manager IBM Security zSecure Suite