On 24/01/2013 2:38, sunil mirchandani wrote:
Hello Team,
Can any one help to find out who has deleted particular files/directories
under OMVS.
Do we have any command to check or any other way( Any utility/job which
takes SMF data as a input and generate some report to find the user who has
deleted).
OMVS file/directory deletes are recorded in SMF type 92 records. EasySMF
can report on the information in these records.
However, there are a couple of issues that mean some detective work may
be required:
- The type 92 records don't always include the file name, they may only
have the file serial (AKA inode?)
- The file serial can be reused after the file is deleted so is not
necessarily unique to that file.
You may need to look at other records (e.g. close) which do include the
filename to find the file serial, then look for delete records for that
file serial.
Using EasySMF:
1) Open the "Dataset Activity - z/OS Unix File Activity Report" for the
relevant time period. Enter the file name in the "Path" filter. The file
name may or may not include directory information, so it is best to use
wildcards e.g. *myfile*. If you find the delete record, you are done.
2) If the delete record is not found, look for other entries for that
file. If there are other entries, click on the "File Serial" cell and it
will filter the report by file serial and device number (filesystem).
Clear the "Path" filter so that records without a file name will be
shown, and if you changed the time range, set it back to the time you
are interested in. You should see any entry for the file deletion.
3) If there are no close etc. records that allow you to find the file
serial for the deleted file, you might have to look for the parent
directory, and apply some educated guesses to deletes with that parent
serial number. I think that if you delete a file from a directory you
are likely to also generate open/close records for the directory.
Also, if you are working by file serial, make sure the report is sorted
by time (click on the Time column header). That will show you the
sequence of events for the file serial. This will allow you to see if
the file serial was reused, when you would have to make sure that you
look at the correct file delete entry.
You can download a 30 day trial of EasySMF from:
http://www.smfreports.com
Regards
Andrew Rowley
--
[email protected]
Black Hill Software
+61 413 302 386
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
