smf 119(21) start/end time field timezone problem

View Only

Expand all | Collapse all

smf 119(21) start/end time field timezone problem

1. smf 119(21) start/end time field timezone problem

Like

Mohammed Ibrahem

Posted Sun November 12, 2023 04:54 PM

Hi All

i am working on report from smf 119(21) to get IP,Host,LU and start date/time end date/time of connection

as per smf 119(21) layout

80(X'50')	SMF119TN_NTiTime	4	Binary	Time of session initiation
84(X'54')	SMF119TN_NTiDate	4	Packed	Date of session initiation
88(X'58')	SMF119TN_NTtTime	4	Binary	Time of session termination
92(X'5C')	SMF119TN_NTtDate	4	Packed	Date of session termination

i used the below code

newlist type=SMF PL=0
def type=SMF S_Time(smftime) as smf_section(36,80,4)
def type=SMF E_Time(smftime) as smf_section(36,88,4)
def type=SMF S_Date(DATE) as smf_section(36,84,4)
def type=SMF E_Date(DATE) as smf_section(36,92,4)
s type=119(21) ,
sortlist TERMINAL SRCIP HOSTNAME(25) S_Date S_Time E_Date E_Time

it works fine but the problem is time come in wrong timezone it shows GMT only and we are GMT+3

any advise about pre defined start/end date and time or how i can fix this

Thanks

------------------------------
Mohammed Ibrahem
------------------------------

2. RE: smf 119(21) start/end time field timezone problem

Like

RENE van TIL

Posted Mon November 13, 2023 09:43 AM
Edited by RENE van TIL Mon November 13, 2023 09:44 AM

hI Mohammed ,

I think the time in SMF records is always written in UTC. (and i think all products that produce some kind of log record like DB2 and IMS do that)

I used output modifier SMFTIMESTAMPZONE instead of SMFTIME and it produces somethink like this for date and time

2023-11-13,14:18:15.7,+1:0 (my system is at UTC+1)

better (or more complete) i think but an output modifier that actually will convert it to local time would be a lot nicer. If you want to you can open an RFE for this

cheers

rene

------------------------------
RENE van TIL
------------------------------

Original Message

3. RE: smf 119(21) start/end time field timezone problem

Like

Jeroen Tiggelman

Posted Tue November 14, 2023 04:30 AM
Edited by Jeroen Tiggelman Tue November 14, 2023 04:32 AM

Hi René,

Some date and time fields in SMF are in local time according to the documentation. That includes the main event timestamp in the SMF standard header that is in all records.

The documentation for these particular fields does not specify, but indeed it appears that they use UTC.

While you can show the timezone in the way you indicate, the result you produce in that is an unambiguously wrong format in my opinion, showing the local time zone as if the time shown is the local time, while it is not.

I am not sure how we would react to an Idea for a conversion modifier. If it were naive, it might allow you to shoot yourself into the foot. So I suppose the expectation would be for zSecure to have a knowledge base which SMF fields are in local time and which in UTC. A simpler request might be to provide two CARLa fields for this specific use case.

I agree that there is currently no easy way in CARLa to achieve the requested result.

Although the method is generally invalid, it might be possible to use the event timestamp (which is in local time) as an approximation of the end time, but I can think of no circumvention for the start time.

Regards,

------------------------------
Jeroen Tiggelman
IBM - Software Development and Level 3 Support Manager IBM Security zSecure Suite
Delft
------------------------------

Original Message

Original Message:
Sent: Mon November 13, 2023 09:42 AM
From: RENE van TIL
Subject: smf 119(21) start/end time field timezone problem

hI Mohammed ,

I think the time in SMF records is always written in UTC. (and i think all products that produce some kind of log record like DB2 and IMS do that)

I used output modifier SMFTIMESTAMPZONE instead of SMFTIME and it produces somethink like this for date and time

2023-11-13,14:18:15.7,+1:0 (my system is at UTC+1)

better (or more complete) i think but an output modifier that actually will convert it to local time would be a lot nicer. If you want to you can open an RFE for this

cheers

rene

------------------------------
RENE van TIL

Original Message:
Sent: Sun November 12, 2023 04:54 PM
From: Mohammed Ibrahem
Subject: smf 119(21) start/end time field timezone problem

Hi All

i am working on report from smf 119(21) to get IP,Host,LU and start date/time end date/time of connection

as per smf 119(21) layout

80(X'50')	SMF119TN_NTiTime	4	Binary	Time of session initiation
84(X'54')	SMF119TN_NTiDate	4	Packed	Date of session initiation
88(X'58')	SMF119TN_NTtTime	4	Binary	Time of session termination
92(X'5C')	SMF119TN_NTtDate	4	Packed	Date of session termination

i used the below code

newlist type=SMF PL=0
def type=SMF S_Time(smftime) as smf_section(36,80,4)
def type=SMF E_Time(smftime) as smf_section(36,88,4)
def type=SMF S_Date(DATE) as smf_section(36,84,4)
def type=SMF E_Date(DATE) as smf_section(36,92,4)
s type=119(21) ,
sortlist TERMINAL SRCIP HOSTNAME(25) S_Date S_Time E_Date E_Time

it works fine but the problem is time come in wrong timezone it shows GMT only and we are GMT+3

any advise about pre defined start/end date and time or how i can fix this

Thanks

------------------------------
Mohammed Ibrahem
------------------------------

4. RE: smf 119(21) start/end time field timezone problem

Like

Jeroen Tiggelman

Posted Tue November 14, 2023 09:34 AM
Edited by Jeroen Tiggelman Tue November 14, 2023 09:57 AM

Hi Mohammed,

I note that you are separately picking up the date and time fields.

You could alternatively pick up the combination as a timestamp.

For example

def type=SMF E_Stamp(smftimestamp 17) as smf_section(36,88,8)

The standard event timestamp would analogously be

def type=SMF Stamp(smftimestamp 17) as smf_field(6,8)

The built-in DATETIME field, on the other hand, is a DATETIME. (That is, the first four bytes contain the date, and the second four bytes the time.)
Note that this can be relevant for sorting (you want to first sort on date, and then on time.)

It is possible to convert between those formats using DEFINE.... CONVERT. See https://www.ibm.com/docs/en/szs/3.1.0?topic=define-field-value-manipulation

And here is a bit of CARLa I played around with FWIW:

n type=system;  sortlist timezone                                   
n type=smf pl=0 outlim=1                                            
def type=SMF   Stamp(smftimestamp 17) as smf_field(6,8)             
def type=SMF S_Stamp(smftimestamp 17) as smf_section(36,80,8)       
def type=SMF E_Stamp(smftimestamp 17) as smf_section(36,88,8)       
 s  type=119(21)                                                    
 sortlist TERMINAL SRCIP E_Stamp E_Stamp(smftimestampzone 25),      
   S_Stamp S_Stamp(smftimestampzone 25) /, ' '(24) E_Stamp(hex 16) /,
   stamp(hex 16 p 'eventstamp hex') /,                              
   datetime(hex 16 p 'datetime hex/default') datetime /,            
   datetime(p 'datetime datetimezone' datetimezone 30) /,           
   datetime(p 'datetime cef_dtz' cef_dtz 30) /,                     
   datetime(p 'datetime xsd_datetime' xsd_datetime 30) /,           
   record(dump)

Regards,

------------------------------
Jeroen Tiggelman
IBM - Software Development and Level 3 Support Manager IBM Security zSecure Suite
Delft
------------------------------

Original Message

5. RE: smf 119(21) start/end time field timezone problem

Like

Mohammed Ibrahem

Posted Wed November 15, 2023 02:32 AM

Thank you all for your help and support

------------------------------
Mohammed Ibrahem
------------------------------

Original Message

IBM Security

Join our 16,000+ members as we work together to
overcome the toughest challenges of cybersecurity.

IBM Security Z Security