SMF DB2 statement
The SMF DB2 statement controls the DB2 monitoring feature of BMC AMI Defender. If properly configured, DB2 writes statistics, performance, accounting, and audit records as SMF Type 100, 101, and 102 records. You might monitor DB2 SMF records to maintain an audit trail of which individuals accessed certain sensitive DB2 tables. If you code an SMF DB2 statement with the IFCID parameter, then all SMF Type 100, 101 and 102 records for the specified IFCIDs are forwarded to your BMC Defender Server or syslog console with a facility of logaudit (13). By using the STArt parameter, you can configure BMC AMI Defender to start the appropriate DB2 traces itself. BMC AMI Defender supports compressed DB2 SMF records: the support is automatic; there is no specific option that must be enabled in BMC AMI Defender.
For information about filterSpecification, see FILTER-and-MATCH-parameters.
For information about ifcidDefaultServices, see IFCID default severities later in this topic.
If you code more than one SMF DB2 statement, then a subsequent SMF DB2 statement replaces any SMF DB2 statement(s) that came before.
Parameter | Description |
---|---|
SMF DB2 | Must be specified as shown. |
DESCription | The DESCription parameter is deprecated and is accepted only for compatibility purposes. |
FACILITY(facilityName) | Specifies the RFC 3164 facility that is to be indicated as the origin of the syslog records corresponding to SMF DB2 records. If you omit this parameter, it defaults to LOGAUDIT. If you would like a different facility indicated, code one of the RFC 3164 facility names as listed in Syslog-facilities-and-severities. |
FIELDs(fieldName…) | Specifies the names of the DB2 SMF record fields that are to be transmitted to the BMC Defender Server or other syslog console, and the order in which they are to appear in the message. Specify one or more of the fields as described in FIELDS-parameter. |
filterSpecification | For information about filterSpecification, see FILTER-and-MATCH-parameters. |
IFCIDs | Specifies one or more DB2 IFCID types to be formatted by BMC AMI Defender, and optionally, if the STArt parameter is coded, the IFCID traces that DB2 is to be configured to generate. You must modify the $$$IFDB2 member to use this parameter. Specify the IFCID or IFCIDs in one or more of the following formats. Do not specify more than 156 IFCIDs (neither explicitly such as 1 2 3 … nor with a range such as 1:157) if you want BMC AMI Defender to start traces automatically (the START parameter). |
INHibit | Specifies one or more DB2 IFCIDs whose writing to the SMF data sets is to be inhibited by BMC AMI Defender (for the specified subsystems only). You must modify the $$$IFDB2 member to use this parameter. For example, if you specified SSID(DB2A) INHIBIT(58) then BMC AMI Defender suppresses the writing of IFCID 58 records from DB2A to the SMF data sets. This message might be ignored: no trace data has been lost, its writing has simply been inhibited as requested. Specify the IFCID or IFCIDs in one or more of the following formats. |
ifcid | Specifies a single IFCID |
ifcid:ifcid | Specifies a range of IFCIDs |
-ifcid -ifcid:ifcid | You can prefix either of the formats with a minus sign ( - ) to indicate negation. The specifications are processed left to right. Negation can be especially useful with the INHIBIT parameter, where For all of the formats, ifcid must be in the range 1 to 599. If you omit IFCID, it defaults to the IFCIDs listed under IFCID Default Severities. If you do not want BMC AMI Defender to monitor a default IFCID or IFCIDs, you should code IFCID(ifcids SEV(SUPPRESS)) where ifcids is one or more of the IFCID specification formats documented. |
SEVerity(severity) | Specifies the syslog severity for the specified IFCIDs. See Syslog-facilities-and-severities. You might also code DEFAULT or SUPPRESS. DEFAULT indicates that the severity is to default to the defined severity; SUPPRESS indicates that the specified event records are not to be forwarded to the syslog server at all. If you omit SEVerity, it defaults to the value of the SEVerity parameter described. |
LOG LOG(HEX) | Specifies that the selected SMF records are to be logged on CZAPRINT and optionally dumped in hexadecimal and character format. Compressed records are dumped both before and after decompression. This parameter is intended primarily for diagnostic purposes. Use care in specifying LOG(HEX) as it might generate a large volume of print records, especially if BMC AMI Defender is left running for several hours or more. |
PROCess('process-tag') | Specifies the tag that appears at the start of SMF DB2 syslog messages, following the priority, timestamp, and hostname, and preceding the formatted fields. Specify the exact process tag that you want to include in syslog messages including any spaces and punctuation. Process-tag might be any length from the null string ('') to 32 characters. If SMF DB2 PROCess is omitted, it defaults to DB2 followed by the leading delimiter from OPTIONS DELIM. |
SEVerity(severity) | Specifies the default syslog severity. See Syslog-facilities-and-severities. You might also code SUPPRESS. SUPPRESS indicates that the default is that records are not to be formatted and forwarded to the syslog server at all. If you omit SEVerity, it defaults as described in IFCID Default Severities. |
SSIDs(subsystemname …) | Specifies that only SMF records for the specified DB2 subsystem names are to be formatted and forwarded to the syslog console. You must modify the $$$IFDB2 member to use this parameter. SSIDs also specify the DB2 subsystems where STArt, if specified, is to start the indicated IFCID traces. Specify the names of one to sixteen DB2 subsystem IDs separated by one or more blanks. Subsystem names are always one to four uppercase alphanumeric or national characters, but you might specify the names in upper or lower case: PROD, Prod, and pRoD are all equivalent. The order in which you specify the names is not significant. If you omit SSIDs, then records from all DB2 subsystems (that satisfy any IFCID parameter) are formatted and forwarded. You must specify SSIDs if you also specify the STArt parameter. Specifying the names of DB2 subsystems that do not actually exist or are not actually started on the LPAR causes errors only if the STArt parameter is also coded. If the START-command parameter SET='SSID(ssid)' is specified when starting BMC AMI Defender, then you can specify &SSID as a subsystem name and the value of ssid is substituted. |
STArt | Specifies that BMC AMI Defender is to interface with DB2 to start the DB2 IFCID traces indicated in IFCIDs(). You must modify the $$$IFDB2 member to use this parameter. The indicated traces are started only for the DB2 subsystems in the SSIDs parameter. BMC AMI Defender starts the indicated traces for each specified DB2 subsystem whenever it becomes active. You can specify STArt without any subparameters; doing so is equivalent to coding START( CLASS(32) CON() REC('-') ). STArt requires one of the following privileges or authorities:
You must modify the BMC AMI Defender process to add the DB2 SDSNLOAD library to the STEPLIB concatenation. For more information, see Configuring-the-CZAGENT-procedure-for-Db2. |
CLAss | Specifies the DB2 trace class to use. You should specify an Audit trace class that is not otherwise in use. For more information, see the IBM Manual DB2 10 for z/OS Command Reference. Specify 30, 31 or 32. If you omit CLAss, it defaults to 32. |
CONstraint | Specifies one or more optional constraints or filters for the trace such as PLAN() or PKGLOC(). For more information, see Starting-the-Db2-traces. Specifying one or more constraints or filters might reduce the amount of trace data collected and hence, the overhead of the trace. You must enclose the operand in quotation marks if it includes spaces or special characters. You might code the CONstraint parameter multiple times: each operand is appended to those that came before with no embedded blank. So, for instance, you could specify STA(CON('PLAN(MYPLAN1,MYPLAN2,') + CON('MYPLAN3,MYPLAN4) PKGLOC(LOCATN1)') + CON(' AUTHID(PROD1)') ) and the effective START TRACE constraint block would be: PLAN(MYPLAN1,MYPLAN2,MYPLAN3,MYPLAN4) PKGLOC(LOCATN1) AUTHID(PROD1). If you omit CONstraint, it defaults to the null constraint block; that is, the constraint block is omitted from the START TRACE commands. |
NOTReady | The NOTReady parameter is deprecated. It is checked for syntactic validity, but not otherwise processed. |
RECognition | Specifies the DB2 subsystem command recognition character. The command recognition character is the single character, typically a hyphen or minus sign, that you specified when you configured DB2. The command recognition character plus the DB2 subsystem name forms the command prefix when you enter a DB2 command from the z/OS system console. Specify a single non-alphanumeric character. If RECognition is omitted, it defaults to - (a minus sign or hyphen). |
1. DB2 SMF trace record types are identified by IFCID number. IFCID stands for instrumentation facility component identifier, which is another way of saying trace record type. There are about 400 record types or IFCIDs, numbered between 1 and 511. Each IFCID type record has a specific layout and describes a specific event.
IFCID default severities
If you omit SEVerity, it defaults as follows:
- IFCIDs 23, 62 and 197 default to INFOrmational.
- IFCIDs 24, 25, 90, 91, 97, 141, 142, 145, 258 and 319 default to NOTICE.
- IFCID 140 defaults to ERROR.
- IFCID 361 defaults to WARNing.
- All other IFCIDs default to SUPPRESS.
Example of the $$$IFDB2 member
Modify the $$$IFDB2 member for parameters indicated in the previous table.
Because the SMF DB2 command includes this member, do not add parameters or alter any continuation characters ( + ).
;**********************************************************************;
; $$$IFDB2: User agent parameter member for BMC AMI Defender ;
; This is a copy of CZAIFDB2 and made available for ;
; user modification. It will be included in CZAFIELD ;
; SIEMTYPE-independent ;
; Copyright 2014-2018, 2019-2020 BMC Software, Inc. ;
;**********************************************************************;
;**********************************************************************;
IFCID(3 23 24 25 62 90 91 97 140:145 197 239 258 319 361) +
+ ; Read manual on START, INHIBIT and SSIDs before uncommenting
/* START */ +
/* SSIDS() */ +
/* INHIBIT() */ +
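
The IFCID specification formats, the 156-IFCID limit for STArt, and the default severities described in this topic can be checked before a member is deployed. The following Python sketch is an added example, not BMC code: it resolves an IFCID specification and reports which IFCIDs fall to SUPPRESS under the documented defaults, so a gap in audit forwarding is visible up front. It assumes that no SEVerity is coded anywhere and that a negated token removes IFCIDs selected by earlier tokens; the names resolve_ifcids and review are the example's own.

```python
import re

# Default severities as listed under "IFCID default severities" on this page.
DEFAULT_SEVERITY = {
    **dict.fromkeys((23, 62, 197), "INFORMATIONAL"),
    **dict.fromkeys((24, 25, 90, 91, 97, 141, 142, 145, 258, 319), "NOTICE"),
    140: "ERROR",
    361: "WARNING",
}
MAX_IFCID = 599          # page: ifcid must be in the range 1 to 599
MAX_START_IFCIDS = 156   # page: limit when STArt is to start the traces

_TOKEN = re.compile(r"^(-?)(\d+)(?::(\d+))?$")


def resolve_ifcids(spec):
    """Resolve 'n', 'n:m', '-n', '-n:m' tokens left to right into a sorted list.

    Assumption: a negated token removes IFCIDs selected by earlier tokens.
    """
    selected = set()
    for token in spec.split():
        m = _TOKEN.match(token)
        if not m:
            raise ValueError(f"unrecognized IFCID specification: {token!r}")
        low = int(m.group(2))
        high = int(m.group(3)) if m.group(3) else low
        if not 1 <= low <= high <= MAX_IFCID:
            raise ValueError(f"IFCID out of range 1..{MAX_IFCID}: {token!r}")
        ids = set(range(low, high + 1))
        selected = selected - ids if m.group(1) else selected | ids
    return sorted(selected)


def review(spec, start=False):
    """Report forwarded IFCIDs and those that default to SUPPRESS (no SEV coded)."""
    ids = resolve_ifcids(spec)
    forwarded = {i: DEFAULT_SEVERITY[i] for i in ids if i in DEFAULT_SEVERITY}
    suppressed = [i for i in ids if i not in DEFAULT_SEVERITY]
    too_many = start and len(ids) > MAX_START_IFCIDS
    return {"count": len(ids), "forwarded": forwarded,
            "suppressed_by_default": suppressed, "exceeds_start_limit": too_many}


# IFCID list copied from the $$$IFDB2 member shown on this page.
MEMBER_SPEC = "3 23 24 25 62 90 91 97 140:145 197 239 258 319 361"

if __name__ == "__main__":
    print(review(MEMBER_SPEC, start=True))
    print(review("1:157", start=True)["exceeds_start_limit"])
```

IFCIDs reported under suppressed_by_default need an explicit SEVerity if their records are meant to reach the syslog server.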