A bank I used to work for deemed syslog to be a 'legal document' that needed exceptional care and feeding. My current shop does not take that view (of course, I've never asked), but every shop should consider the legal/audit side of the issue when determining how long to keep a day's worth of syslog.
. . JO.Skip Robinson SCE Infrastructure Technology Services Electric Dragon Team Paddler SHARE MVS Program Co-Manager 626-302-7535 Office 323-715-0595 Mobile [email protected] From: "Jousma, David" <[email protected]> To: [email protected] Date: 06/09/2011 04:40 AM Subject: Re: SYSLOG saving Sent by: IBM Mainframe Discussion List <[email protected]> I've worked many places over the years and have seen it all(SAR, $AVRS, etc). Honestly, keeping a daily syslog offload in a disk based GDG, that gets migrated to tape after 5 days still seems the most flexible. We save something like 45 days worth of syslog. It allows: - more than one person to view/search/process at once, where tape GDG does not(have this problem with "yesterday's SMF offload") - can use off-the-shelf utilities to scan it, can't do that with SAR or $AVRS, unless you extract first back to standard dataset - can search multiple days easily by concatenating the generations, if you aren't sure exactly when some "event" started We actually offload OPERLOG, which is all systems combined using IBM provided utility. SYSLOG is only kept one day, mostly so that SDSF users can still look at individual SYSLOG via SDSF for the day. _________________________________________________________________ Dave Jousma Assistant Vice President, Mainframe Services [email protected] 1830 East Paris, Grand Rapids, MI 49546 MD RSCB2H p 616.653.8429 f 616.653.2717 -----Original Message----- From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Mark Zelden Sent: Wednesday, June 08, 2011 5:27 PM To: [email protected] Subject: Re: SYSLOG saving So more of these posts have made me think. There is no reason that some of those other shops I mentioned that had more "general" products (as opposed to some that specifically manage syslog or have components that do) couldn't have used those products to store syslog. And maybe more of those shops do today than they did over the past 20 years of history I was referring to. Some reasons they may not be doing so could be: 1) Old processes using external writers storing to a GDG worked fine and were never changed to use those output management products as they were added to the system. 2) KISS. Some of those products take special access, security etc. People already knew how to access the syslog GDGs. Easy to manage with GDG limits and / or HSM. ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
