IBM Security Z Security

Hi Ronald

Instead of using the CONVERT function, you should be able to just define a new field at the location, with the correct output format, like so:

define type=SMF CLSS_TS(smftimestamp) as smf_field(28,8),
 where type=158

Then print the new field with:

sortlist clss_ts

The first parameter of SMF_FIELD indicates the offset from the beginning of the record, so position 29 would have offset 28 (just like in the SMF record layout docs).  See here.

I looked at CLSS log records some 10 years ago and they were not easy to process.  Each record, I remember, holds many logon events for different users.
So to put these into a QRadar (or other) output stream, you should write one NEWLIST block for each event section, each NEWLIST block using a different offset in the SMF_SECTION function.
This way, when an SMF record comes along, the CKQCES exit will generate as many output records as there are events in the record.

------------------------------
Rob van Hoboken
------------------------------

Thank you.

You are correct about Supersession.  The other problem that I have found is that they create the subtypes with an incorrect packed decimal date. They use 2024dddF instead of 01dddF.  This causes the date to be displayed as the year 3924.  I cannot see anyway to correct this using Carla...

Hi Ronald

Instead of using the CONVERT function, you should be able to just define a new field at the location, with the correct output format, like so:

define type=SMF CLSS_TS(smftimestamp) as smf_field(28,8),
 where type=158

Then print the new field with:

sortlist clss_ts

The first parameter of SMF_FIELD indicates the offset from the beginning of the record, so position 29 would have offset 28 (just like in the SMF record layout docs).  See here.

I looked at CLSS log records some 10 years ago and they were not easy to process.  Each record, I remember, holds many logon events for different users.
So to put these into a QRadar (or other) output stream, you should write one NEWLIST block for each event section, each NEWLIST block using a different offset in the SMF_SECTION function.
This way, when an SMF record comes along, the CKQCES exit will generate as many output records as there are events in the record.

------------------------------
Rob van Hoboken
------------------------------

One way around the wonky julian date value is to use the DATETIME value from the SMF header.  This is the time when the SMF record was written, not the time of each of the (sub-)events, but close.

Regarding the wonky date value, check if the CLSS documentation specifies the format, open a ticket against CLSS if it doesn't.  Julian date and SMF date are well defined formats within SMF records.

If the wonky format is defined.... ask zSecure support for a specialty input format, while also asking about the CKR0467 message (I am pretty sure that your code would have worked 4 years ago).

Thank you.

You are correct about Supersession.  The other problem that I have found is that they create the subtypes with an incorrect packed decimal date. They use 2024dddF instead of 01dddF.  This causes the date to be displayed as the year 3924.  I cannot see anyway to correct this using Carla...

Hi Ronald

Instead of using the CONVERT function, you should be able to just define a new field at the location, with the correct output format, like so:

define type=SMF CLSS_TS(smftimestamp) as smf_field(28,8),
 where type=158

Then print the new field with:

sortlist clss_ts

The first parameter of SMF_FIELD indicates the offset from the beginning of the record, so position 29 would have offset 28 (just like in the SMF record layout docs).  See here.

I looked at CLSS log records some 10 years ago and they were not easy to process.  Each record, I remember, holds many logon events for different users.
So to put these into a QRadar (or other) output stream, you should write one NEWLIST block for each event section, each NEWLIST block using a different offset in the SMF_SECTION function.
This way, when an SMF record comes along, the CKQCES exit will generate as many output records as there are events in the record.

------------------------------
Rob van Hoboken
------------------------------