List of Contributions

RENE van TIL

Contact Details

My Content

1 to 20 of 36 total
Posted By RENE van TIL Thu April 11, 2024 01:02 PM
Found In Egroup: IBM Security Z Security
\ view thread
Hi matt, you only get the upgrade panel if Alert was shipped with a new version of the table it uses to store its data. But in 2.5 and 3.1 its the same level F. So no upgrade needed. Why no alerts are triggered i cant say but i would start with having a look in C2PDEBUG in the started task to see ...
Posted By RENE van TIL Wed January 17, 2024 06:06 AM
Found In Egroup: IBM Security Z Security
\ view thread
Hi lian, Alerts are CARLa queries, so you can select on just about any field available in the newlist you are using in that specific Alert. Alert 1402 uses the SMF newlist. You can use the primary command FIELDS SMF (just type it on the command line in zSecure) and you get a list of all fields available. ...
Posted By RENE van TIL Mon December 18, 2023 11:06 AM
Found In Egroup: IBM Security Z Security
\ view thread
Sorry i misread the license line. It only show an Audit ACF2 license. My first guess would be that the Alert FMID wasn't applied. The entry in the IFAPRDxx members isnt neccesary. It can be used to disable specific products but default all installed products should work. ------------------------------ ...
Posted By RENE van TIL Mon December 18, 2023 10:59 AM
Found In Egroup: IBM Security Z Security
\ view thread
Hi matt, No you dont need the IDs for the STC's to create an Alert configuration. Its an ISPF application. Only when you get to the verify step we use CKRCARLA to check the CARLa syntax. If you just want to try to create a configuration you could also use PDSE of your own (FB 80 and library), ...
Posted By RENE van TIL Fri November 17, 2023 05:38 PM
Found In Egroup: IBM Security Z Security
\ view thread
Hi joe Command Verifier is a product on its own, with its own Program Directory and has its own set of sample jobs which you you can find in youhlq.JC4R310.F3. You can just install it in the same target/dlib zones as zSecure. You can find the Program Directory here https://www.i ...
Posted By RENE van TIL Mon November 13, 2023 09:43 AM
Found In Egroup: IBM Security Z Security
\ view thread
hI Mohammed , I think the time in SMF records is always written in UTC. (and i think all products that produce some kind of log record like DB2 and IMS do that) I used output modifier SMFTIMESTAMPZONE instead of SMFTIME and it produces somethink like this for date and time ...
Posted By RENE van TIL Wed October 25, 2023 12:07 PM
Found In Egroup: IBM Security Z Security
\ view thread
If you expected to use "ISP.CONSUL.DATA.C2POLICE.C2PCUST" just use option 1. So the problem is that we try to imbed SENSRSRC but yours uses * to indicate a comment line. However CARLa uses /* comment */ like for instance REXX. The default one we ship in SCKACUST is also using * as comment. So looks ...
Posted By RENE van TIL Wed October 25, 2023 11:16 AM
Found In Egroup: IBM Security Z Security
\ view thread
So this is controled via SE.A.S does it point to the CKACUST here ? Menu Options Info Commands Setup ------------------------------------------------------------------------------- C2PP3ZAS zSecure Suite - Alert - Sensitive Command ===> Select library for sensitive resource members ...
Posted By RENE van TIL Wed October 25, 2023 10:34 AM
Found In Egroup: IBM Security Z Security
\ view thread
So it encounters something i dont expect to see in SENSRSRC (and the CARLa engine doesnt like it). Default it looks like this. VIEW CRMBRT1.C2POLICE.C2PCUST(SENSRSRC) - 01.00 Columns 00001 00080 Command ===> Scroll ===> CSR ****** ********************************* Top of Data ********* ...
Posted By RENE van TIL Wed October 25, 2023 09:05 AM
Found In Egroup: IBM Security Z Security
\ view thread
Hi mike, with trying to copy do you mean using the C(copy) line command in front of a set or copying an entire C2PCUST ? The SYSAVO member is i guess one created by you and used in a custom alert ? i will try and reproduce this cheers rene ------------------------------ ...
Posted By RENE van TIL Fri October 13, 2023 07:55 AM
Found In Egroup: IBM Security Z Security
\ view thread
Hi joe, looks we never thought of messages longer then 8. So you cannot specify "IOEZ00551E" in the UI. Besides this the started task doesnt accept "IOEZ00551E" as a filter. i think you can open a defect. cheers rene ------------------------------ RENE van TIL ----------- ...
Posted By RENE van TIL Thu October 05, 2023 09:05 AM
Found In Egroup: IBM Security Z Security
\ view thread
Hi joseph, As an alternative you could use predefined alerts 1217/1218. They are based on SMF record 90 subtype 37 instead of the CSV message for adding/deleting APF datasets. The userid is correctly displayed by these 2. cheers rene ------------------------------ ...
Posted By RENE van TIL Wed May 17, 2023 06:10 AM
Found In Egroup: IBM Security Z Security
\ view thread
Hi stephan so support for a RACF VSAM databases on a NONSMS managed volumes was introduced with OA62267 with PTF UJ08531 for z/OS 2.5. Is that applied to your system ? If it is i think you have to open a CASE with the RACF group. cheers rene ------------------------------ RENE van TIL ...
Posted By RENE van TIL Tue May 16, 2023 09:49 AM
Found In Egroup: IBM Security Z Security
\ view thread
Hi stephan it works for me with this job //CRMBRT1A JOB MSGLEVEL=(1,1),CLASS=A,MSGCLASS=A,REGION=256M, // NOTIFY=&SYSUID //DEFINE EXEC PGM=IDCAMS //SYSPRINT DD SYSOUT=* //SYSIN DD * DELETE CRMBRT1.RACFBACK.VSAM DEFINE CLUSTER (NAME('CRMBRT1.RACFBACK.VSAM') - LINEAR - NONSPANNED ...
Posted By RENE van TIL Mon March 27, 2023 10:15 AM
Found In Egroup: IBM Security Z Security
\ view thread
Hi joe Alerts 1804/1805/1806 do something similar so i took these as a sample )SETF C2PXNAME = &STR(JOBSTART) )SETF C2PXMSG = &STR('Job' jobname(0) 'is gestart') )SETF C2PXDES = &STR('Heb hem gestart') )CM Pass one query )SEL &C2PEPASS = Y )ENDSEL )CM Alert condition )SEL &C2PEPASS ...
Posted By RENE van TIL Wed February 15, 2023 12:38 PM
Found In Egroup: IBM Security Z Security
\ view thread
Hi steve you can use the EV.D menu option for that. For dataset input/output i think you need 14 and 15 SMF records. 42's can also provide some SMS related info. As an alternative you can also use the E line command in front of the profile in RA.D. That will do a selection on all records that used ...
Posted By RENE van TIL Wed December 14, 2022 02:14 PM
Found In Egroup: IBM Security Z Security
\ view thread
Hi kien, you can use a define to this (if i understand correctly what you are trying to achieve) n type=smf define crmfcnt count where type=110(1) s type=110(1) transaction=crmf summary type crmfcnt cheers rene ------------------------------ RENE van TIL ----------------- ...
Posted By RENE van TIL Wed December 14, 2022 08:00 AM
Found In Egroup: IBM Security Z Security
\ view thread
Hi kien, just change the select to s type 110(1) and it should work and you should get a report like this S M F R E C O R D L I S T I N G 14Dec22 00:39 to 14Dec22 13:43 CICS monitor activity Date/time event User Sys Description 13Dec22 23:36:51.85 CICS54 ZS45 CICS54 CICS transaction ...
Posted By RENE van TIL Wed November 23, 2022 08:27 AM
Found In Egroup: IBM Security Z Security
\ view thread
Hi mohammed, that shed some more light on the issue. So the 2nd SMF record is caused by issuing the same command but that now fails because of password history. And i could recreate this problem. No idea where that 2nd command is coming from :( As this looks like a real defect in the visual client, ...
Posted By RENE van TIL Tue November 22, 2022 06:14 AM
Found In Egroup: IBM Security Z Security
\ view thread
Hi mohammed, i tried to recreate this but for me it works. No duplicate records. My best guess is that your input does contain those records twice. using this CARLa query n type=smf s type=(80,81,83) user=.... display recno datetime recorddesc i expect to see the same record description ...