My version of a log scanner...
ITschak
/* MugiRexx For IronSphere V1.0 */
QIFLOGS:
Signal QIFLOGS.Config:
QIFLOGS.Doc:
/* ------------------------------------------------------------ */
/* QIFLOGS */
/* */
/* */
/* Function : Scan log file(s) for error and warnings. */
/* */
/* The program will scan syslog from SDSF and */
/* creates an array of consolidated msg lines. */
/* messages listed in MsgAlert will be printed */
/* */
/* Library : SQIFSAXR */
/* Input : None. */
/* */
/* Howto : Review config section below. */
/* */
/* 1. Update LogStartCond with a julian date */
/* */
/* 2. Add/Remove msg codes from MsgAlert to get */
/* alerted on messages in the log */
/* */
/* License : Free for Non-commercial use */
/* */
/* copyright SecuriTeam Software Ltd., 1999-2025, Israel */
/* ------------------------------------------------------------ */
/*%Include QIFCPYRT*/
QIFLOGS.Config:
MsgAlert = 'IEA311I ISG313I IAR048I IXL011I IXC520I' ,
'IXC255I ICH408I '
LogStartCond = '2025.118'
/* ============================================================ */
QIFLOGS.Main:
  MsgList = '$HASP100'               /* Identify jobnum            */
  lIndx   = 0                        /* Syslog line                */
  sIndx   = 0                        /* Syslog line, merged        */
  tIndx   = 0                        /* Task name index            */
  Call CollectLog
  Call LogAlert
Return
/* ============================================================ */
CollectLog:
  MakeEnv = ISFCALLS('ON')           /* Invoke SDSF interface      */
  ISFLOGSTARTDATE = LogStartCond     /* Start date from Config     */
  Address SDSF "ISFLOG READ"
  Say 'QIF0200I (QIFLOGS) Log file size is' IsfLine.0 'lines.'
  Do iIndx = 1 to IsfLine.0
    RecType = Substr(IsfLine.iIndx,1,1)
    Select
      When (WordPos(RecType,'N W M O X') > 0) Then Do
        /* --------------------------------------------------- */
        /* N - Single-line message                             */
        /* W - Single-line message with a reply                */
        /* M - First line of a multiline message               */
        /* O - Log command input                               */
        /* X - Entry from a source other than hardcopy or log  */
        /*     command                                         */
        /* --------------------------------------------------- */
        sIndx = sIndx + 1            /* Start a new merged entry   */
        Log.sIndx = IsfLine.iIndx
        If (RecType = 'M') Then Do
          /* Drop the trailing word of the first line          */
          NumWords = Words(IsfLine.iIndx)
          Log.sIndx = SubWord(IsfLine.iIndx,1,NumWords - 1)
        End
        Call WhichTask
        Call WhichCmd
      End
      When (WordPos(RecType,'S L D E') > 0) Then Do
        /* --------------------------------------------------- */
        /* S - Continuation of previous line                   */
        /* L - Label line of a multiline message               */
        /* D - Data line of a multiline message                */
        /* E - Data/end line of a multiline message            */
        /* --------------------------------------------------- */
        /* Append the text (column 57 on) to the current entry */
        Log.sIndx = Log.sIndx Substr(IsfLine.iIndx,57)
      End
      Otherwise Do
        /* --------------------------------------------------- */
        /* ? - Unknown message source                          */
        /* --------------------------------------------------- */
        Say 'QIF0200W (QIFLOGS) UNKNOWN MESSAGE TYPE:' RecType
      End
    End
  End
Return
/* ============================================================ */
LogAlert:
  /* Print every merged entry whose message id is in MsgAlert   */
  Do Indx = 1 to sIndx
    xMsg = Substr(Log.Indx,57)
    Parse Var xMsg xMsg xTask .
    If (WordPos(xMsg,MsgAlert) > 0) Then Do
      jNum = Substr(Log.Indx,38,8)   /* Job number of this entry   */
      jNum = Strip(jNum)
      Say '--Message='xMsg'--JOB NUM='jNum'--TASK NAME='||,
          Num2Task.JNum'--'
      Say Log.Indx
      Say '---------------------------'
      Say
    End
  End
Return
/* ============================================================ */
WhichTask:
  /* Remember job number <-> task name from $HASP100 messages   */
  xMsg = Substr(IsfLine.iIndx,57)
  Parse Var xMsg xMsg xTask .
  If (WordPos(xMsg,MsgList) > 0) Then Do
    jNum = Strip(Substr(IsfLine.iIndx,38,8))
    tIndx = tIndx + 1
    Task2Num.tIndx = xTask
    Task2Num.xTask = jNum
    Num2Task.tIndx = jNum
    Num2Task.JNum = xTask
  End
Return
/* ============================================================ */
WhichCmd:
  /* Place holder to capture commands */
Return
Itschak Mugzach | Director | SecuriTeam Software | IronSphere Platform |
Information Security Continuous Monitoring for Z/OS, zLinux and IBM I
Email: [email protected] | Mob: +972 522 986404 |
Skype: ItschakMugzach | Web: www.Securiteam.co.il
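The same consolidation done off-platform in Python, as an added example that is not part of the original post and not IronSphere code. It reuses the column positions from the REXX above (record type in column 1, job id in columns 38-45, text from column 57) on constructed records, and additionally reports whether a multiline message ever reached its E record, the case raised in the quoted discussion below. Function names and sample records are assumptions.

```python
# Added example (not from the post). Column positions follow the REXX above:
# record type in column 1, job id in columns 38-45, message text from column 57.
STARTS = set("NWMOX")            # record types that begin a message
CONTS = set("SLDE")              # record types that extend the previous message
ALERTS = {"ICH408I", "IEA311I"}  # two ids from the post's MsgAlert list

def rec(rtype, jobid, text):
    """Build one constructed record in that column layout."""
    return f"{rtype:<37}{jobid:<8}{'':<11}{text}"

def consolidate(lines):
    """Merge continuation records into the message they extend."""
    msgs, unknown = [], []
    for line in lines:
        rtype, text = line[:1], line[56:].strip()
        if rtype in STARTS:
            if rtype == "M":     # drop the trailing word, as the post's code does
                text = " ".join(text.split()[:-1])
            msgs.append({"job": line[37:45].strip(), "text": text,
                         "ended": rtype != "M"})
        elif rtype in CONTS and msgs:
            msgs[-1]["text"] += " " + text
            if rtype == "E":
                msgs[-1]["ended"] = True
        else:
            unknown.append(line)  # unknown type, or continuation with no parent
    return msgs, unknown

def find_alerts(msgs):
    """Return (msgid, job, task, complete) for each message listed in ALERTS."""
    tasks, hits = {}, []
    for m in msgs:
        words = m["text"].split()
        if len(words) > 1 and words[0] == "$HASP100":
            tasks[m["job"]] = words[1]           # job id -> task name
        if words and words[0] in ALERTS:
            hits.append((words[0], m["job"], tasks.get(m["job"], "?"), m["ended"]))
    return hits

SAMPLE = [  # constructed records, not real log data
    rec("N", "JOB00042", "$HASP100 PAYROLL ON INTRDR"),
    rec("N", "JOB00042", "IEA311I CONSTRUCTED SINGLE-LINE TEXT THAT"),
    rec("S", "", "OVERFLOWED TO A SECOND RECORD"),
    rec("M", "JOB00042", "ICH408I CONSTRUCTED FIRST LINE 123"),
    rec("D", "", "CONSTRUCTED DATA LINE"),
    rec("N", "JOB00042", "IEF403I PAYROLL - STARTED"),
    rec("Z", "", "CONSTRUCTED RECORD OF UNKNOWN TYPE"),
]

if __name__ == "__main__":
    messages, unknown = consolidate(SAMPLE)
    for hit in find_alerts(messages):
        print(hit)
```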
On Wed, Jul 23, 2025 at 2:16 PM <[email protected]> wrote:
> Please send me a copy or post a download link.
>
> Thank you.
> David
>
> -----Original Message-----
> From: IBM Mainframe Discussion List <[email protected]> On Behalf
> Of Itschak Mugzach
> Sent: Wednesday, July 23, 2025 3:36 AM
> To: [email protected]
> Subject: Re: SYSLOG or OPERLOG scanning tools
>
> maybe these are single line messages which overflowed to the next line.
>
> On Wed, Jul 23, 2025 at 10:32 AM Colin Paice <
> [email protected]> wrote:
>
> > But I think there were some messages which did not specify the
> > last-message-flag of a MLWTO. (This was 20 + years ago so maybe I am
> > wrong)
> > Colin
> >
> > On Wed, 23 Jul 2025 at 08:14, Itschak Mugzach <
> > [email protected]> wrote:
> >
> > > syslog does have an indication of which line type it is at column 2
> > >
> > > Table 1. Record Type Codes
> > >
> > > > Record type  Description
> > > > N            Single-line message
> > > > W            Single-line message with a reply
> > > > M            First line of a multiline message
> > > > O            Log command input
> > > > X            Entry from a source other than hardcopy or log command
> > > > S            Continuation of previous line
> > > > L            Label line of a multiline message
> > > > D            Data line of a multiline message
> > > > E            Data/end line of a multiline message
> > >
> > >
> > > *| **Itschak Mugzach | Director | SecuriTeam Software **|**
> > > IronSphere
> > > Platform* *|* *Information Security Continuous Monitoring for Z/OS,
> > zLinux
> > > and IBM I **| *
> > >
> > > *|* *Email**: [email protected] **|* *Mob**: +972 522
> > > 986404
> > **|*
> > > *Skype**: ItschakMugzach **|* *Web**: www.Securiteam.co.il **|*
> > >
> > >
> > >
> > >
> > >
> > > On Wed, Jul 23, 2025 at 10:10 AM Colin Paice <
> > > [email protected]> wrote:
> > >
> > > > > I used to have some rexx which processed syslog/joblogs. One of the
> > > > > key bits was to work from the bottom towards the top. I think I did
> > > > > this because you do not know how many parts of multi line WTOS there
> > > > > are.
> > > > > I used to count the unique message instances and flag important
> > > > > messages
> > > > > "Although this is an ...I message... you need to look at it!
> > > >
> > > > > On Tue, 22 Jul 2025 at 17:42, Michael Oujesky
> > > > > <[email protected]> wrote:
> > > >
> > > > > Food for thought:
> > > > >
> > > > > > I have mods to SAMPLIB(IEAMDBLG) that expands the record length
> > > > > > to 255 and those basically eliminate continuation messages.
> > > > > >
> > > > > > I also have some SAS code to search the expanded record length
> > > > > > log for multiple messages. It also handles MLWTO messages that
> > > > > > have records from other SYSPLEX images interspersed within the
> > > > > > MLWTO text.
> > > > >
> > > > > Michael
> > > > >
> > > > > At 06:50 AM 7/22/2025, Lennie Bradshaw wrote:
> > > > > >Does anyone have any advice on tools to scan SYSLOG and/or
> > > > > >OPERLOG for multiple messages?
> > > > > >I am looking for something that understands continuation
> > > > > >messages, and the structure of multiline messages.
> > > > > >
> > > > > >Lennie
> > > > > >
> > > > >
> > >---------------------------------------------------------------------
> > >-
> > > > > >For IBM-MAIN subscribe / signoff / archive access instructions,
> > > > > >send email to [email protected] with the message: INFO
> > > IBM-MAIN
> > > > >
> > > > >
> > ----------------------------------------------------------------------
> > > > > For IBM-MAIN subscribe / signoff / archive access instructions,
> > > > > send email to [email protected] with the message: INFO
> > IBM-MAIN
> > > > >
> > > >
> > > > ------------------------------------------------------------------
> > > > ---- For IBM-MAIN subscribe / signoff / archive access
> > > > instructions, send email to [email protected] with the
> > > > message: INFO IBM-MAIN
> > > >
> > >
> > > --------------------------------------------------------------------
> > > -- For IBM-MAIN subscribe / signoff / archive access instructions,
> > > send email to [email protected] with the message: INFO
> > > IBM-MAIN
> > >
> >
> > ----------------------------------------------------------------------
> > For IBM-MAIN subscribe / signoff / archive access instructions, send
> > email to [email protected] with the message: INFO IBM-MAIN
> >
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions, send email
> to [email protected] with the message: INFO IBM-MAIN
>
>
> --
> This email has been checked for viruses by Avast antivirus software.
> www.avast.com
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to [email protected] with the message: INFO IBM-MAIN
>
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN