Hi how can I capture this msg as wto I want to capture only the CZ1* and not others like C2P or other: =COLS> ----+----5----+----6----+----7----+----8 160458 U05335 00000090 $HASP395 CZ1SBM2 ENDED i wrote it like this but i capture them all: )IM C2PSGNEW define waitstate as substr(record,67,14), where msgid=('CZ1 ' 'ENDED') select likelist=WTOrec msgid=($HASP395,'CZ1 ' 'ENDED') select likelist=WTOrec waitstate=D0D-00 Sorry if I always bother you but i thank you in advance and i wish you a good weekend Maurizio
Original Message:
Sent: 9/13/2024 4:09:00 AM
From: Rob van Hoboken
Subject: RE: [*Newsletter*] Global Security Forum : ZALERT
Hi Maurizio
As I wrote yesterday, you can create a custom alert (installation specific alert) by copying alert 1101: use the C line command in the alert selection list. This is an SMF based alert where you can process SMF record type 30, subtype 5, to trigger on job end. By selecting only jobs with a job-id T* you select TSO logoff.
Also, it would be convenient if you subscribe to the IBM Z SECURITY group, where more zSecure discussions take place.
------------------------------
Rob van Hoboken
------------------------------
Original Message:
Sent: Fri September 13, 2024 03:33 AM
From: maurizio bonelli
Subject: [*Newsletter*] Global Security Forum : ZALERT
Hi Rob van Hoboken sorry to bother you, but thank you for the advice you give me, I ask you kindly from which alert can I create an Alert for a USR LOGOFF?? Sorry again and have a good weekend
Original Message:
Sent: 9/12/2024 3:56:00 AM
From: Rob van Hoboken
Subject: RE: [*Newsletter*] Global Security Forum : ZALERT
Hi Maurizio.
There is a forum for Z Security that is more appropriate for zSecure Alert and other z/OS topics, go to IBM Security for Z.
About your alerts for TSO (?) sessions, you could check the field JOBID to see if this starts with T, like so:
Make a copy of alert 1101, edit the skeleton, change the select command into:
select likelist=recent type=30(5) jobid=T*
Of course you also fix the alert message text. Save the skeleton.
Check the SMF record type in the alert specification panel: it should be
Change data source filter: SMF type 30(5)
------------------------------
Rob van Hoboken
Original Message:
Sent: Wed September 11, 2024 04:07 AM
From: maurizio bonelli
Subject: [*Newsletter*] Global Security Forum : ZALERT
Date and time 11Sep2024 08:58:18.38 WTO message $HASP395 LOGTODS2 ENDED - RC=0000 System ID TST2 Hi how can I create an alert for logoff users excluding job logoffs as shown in the figure: Thanks for your time and courtesy