Yes, I mean the DS names referenced by the user during the TSO telnet transmisión. Currently the FTP messages are handled by recording SMF 119 subtype 70, included the DS name and member. The case of IND$FILE (protected in RACF by program class) the current scope for recording events in transmissions reaches only the RACF messages audit/alert in "insufficiente access auth" message and that is the only event where the resource name appears; but, local and remote IP are missing, also the DS name in the cases of "allowed" permissions on specifics resources.
I'm trying to search for the local/remote IP in other way for IND$FILE transmissions. I've heard about correlog tool, a couple of customers who had tested in a POC, didn´t liked the installation schema. Thanks.. > Date: Mon, 9 Nov 2015 14:37:46 -0800 > From: [email protected] > Subject: Re: SMF type 119 to catch TN3270 > To: [email protected] > > TN3270 is what Comm Server calls "Telnet SNA" and is recorded in subtypes 20 > and 21. > > There are no "files and DS names" involved -- at least not that Comm Server > deems worthy of including in SMF. > > Do you mean files and DS names referenced by the user during his TSO > session? Only normal RACF audit and violation events. > > Do you mean files and DS names for FTP? Recorded in subtypes 3 and 70. > > Do you mean for TSO IND$FILE transfers? Sorry, no IBM component records any > audit information for IND$FILE (other than RACF events as above). My > employer's audit product for IND$FILE, IND$defender, is mentioned briefly > here: > https://www.correlog.com/news-and-events/news2015-SIEM-Agent-IBM-z-OS.html > > Charles > > -----Original Message----- > From: IBM Mainframe Discussion List [mailto:[email protected]] On > Behalf Of Carlos Cordero > Sent: Monday, November 09, 2015 1:05 PM > To: [email protected] > Subject: SMF type 119 to catch TN3270 > > Hi all, > > The SMF 119, subtype 20,21,22 and 23 catch events from telnet activitie; but > I didn't see wich of these subtypes and theri corresponding offsets can > provide me the information of the resource (file/DSN name) involved on the > sesión, is this aloowed trough these subtypes?. > > > ---------------------------------------------------------------------- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to [email protected] with the message: INFO IBM-MAIN ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
