Excluding SMF records from processing by the TCIM z/OS actuator.

Technote (troubleshooting)


Problem(Abstract)

To enhance the performance of the TCIM z/OS actuator you can suppress certain types of SMF records from being processed by the actuator.

Resolving the problem

The Tivoli Compliance Insight Manager actuator for z/OS (and its successor, the Tivoli Security Information and Event Manager, or TSIEM) invokes an exit that can be used to exclude certain types of SMF records.

The library that contains the exit is specified in the C2ECUST variable of the C2R$PARM config member.

The data set that is identified by the C2ECUST parameter must exist, and it must contain members C2EI0ES, C2EI0UIS, C2EIXES, and C2EICES. By default, comment-only members (copied from the SCKRCARL library) are supplied.

To exclude an SMF record type from processing add the following line in member C2EIXES. In this example SMF record type 110 and 116 are excluded.

exclude type=(110,116)

If you only want to exclude a subtype of an SMF record type use:

exclude type=80(5) or exclude type=(80(5),80(7))

An overview of all SMF record types processed by the actuator can be found in the CKREPORT file.

The CKREPORT file is in the actuator log directory in the props subdirectory of the ES collect.
Example: /u/c2eaudit/actuatr1/log/18.1.118.props/2010-06-05.06:30:17.CKREPORT


Cross reference information
Segment Product Component Platform Version Edition
Security Tivoli Security Information and Event Manager z/OS 2.0 Enterprise

Rate this page:

(0 users)Average rating

Add comments

Document information


More support for:

Tivoli Compliance Insight Manager

Software version:

8.5

Operating system(s):

z/OS

Software edition:

Enterprise

Reference #:

1437542

Modified date:

2014-03-03

Translate my page

Machine Translation

Content navigation