To enhance the performance of the TCIM z/OS actuator you can suppress certain types of SMF records from being processed by the actuator.
Resolving the problem
The Tivoli Compliance Insight Manager actuator for z/OS (and its successor, the Tivoli Security Information and Event Manager, or TSIEM) invokes an exit that can be used to exclude certain types of SMF records.
The library that contains the exit is specified in the C2ECUST variable of the C2R$PARM config member.
The data set that is identified by the C2ECUST parameter must exist, and it must contain members C2EI0ES, C2EI0UIS, C2EIXES, and C2EICES. By default, comment-only members (copied from the SCKRCARL library) are supplied.
To exclude an SMF record type from processing add the following line in member C2EIXES. In this example SMF record type 110 and 116 are excluded.
If you only want to exclude a subtype of an SMF record type use:
exclude type=80(5) or exclude type=(80(5),80(7))
An overview of all SMF record types processed by the actuator can be found in the CKREPORT file.
The CKREPORT file is in the actuator log directory in the props subdirectory of the ES collect.
|Security||Tivoli Security Information and Event Manager||z/OS||2.0||Enterprise|