IBM Security Z Security

Security for Z

  • 1.  Sending zAlerts to a Dataset

    Posted Fri May 30, 2025 08:41 AM


    Hello,

     

    We need to send some of our zAlerts to a dataset.  I checked the zAlert reference manual but could not find anything.  Can someone let me know how to configure a zAlert to go to a dataset?

    Thanks in advance,

    Willie Crosby

    Asst. Vice President

    Cybersecurity Senior Engineer

    303 Peachtree Center Ave. NE 4th Floor | Atlanta, GA. 30303

    Mail Code GA-ATL-0201

    Office: 404.575.2963

    willie.crosby@truist.com


  • 2.  RE: Sending zAlerts to a Dataset

    Posted Sun June 01, 2025 10:54 AM
    Edited by Rob van Hoboken Sun June 01, 2025 11:17 AM

    Hi Willie

    Your requirements are something of a conflict.  If you want to save your alerts to a z/OS data set, you need DISP=MOD on the data set, otherwise they would be overwritten at the end of the (hourly) reporting cycle.  DISP=MOD means no other address space can read the data set.  The only time you could retrieve the alert messages, if any, would be when C2POLICE cycles, at the end of the environment interval.  In fact, you could read from the data set in the environment processing stage (the Stage 1 phase) and copy the alerts from the DISP=MOD data set to some other place.

    Alternatively, you could write to a GDG generation with DISP=(NEW,CATLG) and ensure there is a CARLa ALLOC command that allocates a work file to a new generation (+1) of the same GDG.  The old generation can be processed once C2POLICE starts writing to the new one.

    In both cases, you would have to allocate the output data set to a DD name, say ALERTDS, and in the alert skeleton hand-build the NEWLIST command with a DD=ALERTDS, instead of the standard alert destinations.

    You could also consider writing to a z/OS UNIX file, instead of the z/OS data sets.  The fun thing about z/OS UNIX is that you can append to the file, while others can read the same file.  Long ago (in a different galaxy...) I got C2POLICE to write into UNIX files, and used a Rexx to send the alerts from the file to a Splunk server.  They needed TCP-based syslog and all zSecure could offer was UDP, so.... got there using UNIX and Rexx.  See here for the documentation and here for the alert skeleton, including the mechanism to execute an ALLOC at the beginning of each environment cycle.

    Finally, if you only need to save the alerts in a data set on z/OS, there are 2 more options:

    • use the Write to data set option in the alert definition, this writes the alert text to a SYSOUT data set.
    • start SYSLOGD on z/OS UNIX, configure it to accept connections via the network.  Add 127.0.0.1 as UDP Syslog destination for the alerts.

    ------------------------------
    Rob van Hoboken
    ------------------------------
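
The z/OS UNIX file approach from the post above, as an added example (not Rob van Hoboken's Rexx and not zSecure code): it reads only newly appended, complete alert lines from the file and sends each as an RFC 5424 message with RFC 6587 octet-counted framing over a stream socket. The host name, PRI value, UTF-8 file encoding and the sample alert text are assumptions.

```python
"""Forward alert lines appended to a z/OS UNIX file as TCP syslog (added example)."""
import os
import socket
import tempfile
from datetime import datetime, timezone

PRI = 4 * 8 + 5   # assumed priority: facility auth (4), severity notice (5)


def read_new_alerts(path, offset):
    """Return (complete_lines, new_offset) for data appended after offset."""
    if os.path.getsize(path) < offset:        # file was replaced or truncated
        offset = 0
    with open(path, "rb") as f:
        f.seek(offset)
        data = f.read()
    end = data.rfind(b"\n") + 1               # a half-written last line stays unread
    lines = [raw.decode("utf-8", "replace").rstrip("\r")   # assumes a UTF-8 file
             for raw in data[:end].split(b"\n") if raw.strip()]
    return lines, offset + end


def frame(msg, host, app="C2POLICE", now=None):
    """Build one RFC 5424 message with an RFC 6587 octet-count prefix."""
    ts = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%SZ")
    body = f"<{PRI}>1 {ts} {host} {app} - - - {msg}".encode("utf-8")
    return str(len(body)).encode("ascii") + b" " + body


def forward(path, offset, sock, host):
    """Send every new alert line; return (count_sent, new_offset).

    The caller stores new_offset only after this returns, so a send failure
    causes a resend on the next run (at-least-once) instead of a lost alert.
    """
    lines, new_offset = read_new_alerts(path, offset)
    for line in lines:
        sock.sendall(frame(line, host))
    return len(lines), new_offset


if __name__ == "__main__":
    # socketpair() stands in for socket.create_connection((receiver, port)).
    sender, receiver = socket.socketpair()
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"constructed alert one\nconstructed al")   # constructed sample
    print(forward(f.name, 0, sender, "ZOS1"), receiver.recv(4096))
    os.unlink(f.name)
```

Persist the returned offset between runs (for example in a small state file) so that each run picks up where the previous one stopped.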



  • 3.  RE: Sending zAlerts to a Dataset

    Posted 30 days ago

    Another option is to route the zAlert output to a SYSOUT class that is collected by an external writer, such as IBM Tivoli Output Manager. This provides access to many people and the ability to store historical data about alerts. You can also use SPIN parameters to get the output collected in a more timely manner.
    Regards
    Lennie Dymoke-Bradshaw



    ------------------------------
    Lennie Dymoke-Bradshaw
    Director
    Reverse Sweep Consulting Limited
    07504304158
    ------------------------------



  • 4.  RE: Sending zAlerts to a Dataset

    Posted 24 days ago

    Hello, 

    I was reading thru the 'zSecure Alert User Reference Manual' (https://www.ibm.com/docs/en/szs/3.1.0?topic=alert-pdf) and saw this section right after I read your post:

    "During the implementation phase, consider writing specific alerts to a file instead of sending them. This
    practice decreases the number of alert messages that are being generated and reduces the chance that
    the recipient might decide to ignore all of the messages. For more information about writing alerts to a
    file, see "Alert configuration: manage alert configurations (SE.A.A)" on page 9."

    Have not tried it but thought I'd post this real quick if it helps.  The zSecure team will post here too I'm sure.  :-)



    ------------------------------
    Lynn Gilson
    ------------------------------



  • 5.  RE: Sending zAlerts to a Dataset

    Posted 24 days ago

    The "Alerts to data set" options in the alert destination panel will direct alert messages to the SYSOUT data set allocated to the C2POLICE address space.  This is the option Lennie mentioned last week.

    Note that zSecure uses extensive buffering, so when you watch these SYSOUT data sets using SDSF, you will notice a delay of possibly minutes before the message for an alerted action appears, so exercise your patience...



    ------------------------------
    Rob van Hoboken
    ------------------------------