IBM Support

zSecure - SMF contention using 'live' SMF data

Troubleshooting


Problem

SMF reporting using the 'live' SMF dataset as input causes contention with SMF dump job

Resolving The Problem

It is a known side effect and normal when a zSecure Audit user is running an SMF report from the live SMF data sets simultaneously with the SMF dump job that this job has to wait until the CARLa "live SMF report" finishes. However, zSecure Audit only holds the live SMF data sets during an actual EV.* or CARLa newlist type=SMF run and not continuously.

After the EV.** function or customized CARLa newlist type=SMF query ends the SMF dump job should be able to continue to run successfully. The SMF dump job should not abend or fail because of this. If all is well it is only delayed for limited amount of time!

If an SMF dump job occurs every 10 minutes this probably indicates that (for whatever reason) you have relatively small sized SYS1.MAN* data sets that quickly fill and need to switch to the next available data sets (and the full data set needs to be dumped) quite frequently.

So the more often SMF dump jobs run, the greater the chance that a zSecure Audit user is actively running an SMF report at exactly the same time. This issue can be eased by increasing the size of the live SMF data sets (if this is possible) to significantly reduce the number of daily required SMF dump jobs.
Another solution of course would be to remove the READ access of the involved employees to the live SMF data sets, that way they are obligated to only use dumped SMF information. But typically for Helpdesk employees this approach may not be desirable.

Eventually when a successful SMF dump job does not happen in time, the SMF events could be lost after all available SMF data sets fill and the SMF buffer space is exhausted. But it seems very unlikely that a CARLa job reporting on "live SMF data set" would take longer than 10 minutes, unless their user batch jobs have a very low priority.

It should be noted that SMF logstreams can take the place of active SMF data sets, thereby reducing contention.

[{"Product":{"code":"SSPN95","label":"IBM Security zSecure Audit"},"Business Unit":{"code":"BU008","label":"Security"},"Component":"--","Platform":[{"code":"PF035","label":"z\/OS"}],"Version":"Version Independent","Edition":"Enterprise","Line of Business":{"code":"LOB24","label":"Security Software"}},{"Product":{"code":"SSRQGZ","label":"IBM Security zSecure Audit for ACF2"},"Business Unit":{"code":"BU008","label":"Security"},"Component":"zAudit ACF2","Platform":[{"code":"","label":""}],"Version":"","Edition":"","Line of Business":{"code":"","label":""}},{"Product":{"code":"SUNSET","label":"PRODUCT REMOVED"},"Business Unit":{"code":"BU008","label":"Security"},"Component":"zAudit Top Secret","Platform":[{"code":"","label":""}],"Version":"","Edition":"","Line of Business":{"code":"","label":""}},{"Product":{"code":"SSRQ8D","label":"IBM Security zSecure Audit for RACF"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"zAudit RACF","Platform":[{"code":"","label":""}],"Version":"","Edition":"","Line of Business":{"code":"","label":""}}]

Document Information

Modified date:
16 June 2018

UID

swg21267695