Troubleshooting

This topic provides information and workarounds for problems that you might encounter. If you cannot resolves a problem yourself, contact BMC Support.

Problem	Resolution
BMC AMI Defender fails to start.	The problem is probably caused by a JCL error in the cataloged procedure. Check the syslog console or server log and SDSF for the error.
BMC AMI Defender fails with abend U4093 and reason code 90.	Check the CZAPRINT data set for errors. In the Messages Library, look for messages with identifiers that end in E, S or C (for example, CZA0207S). Also see Customizing-the-z-OS-communications-server-TCP-IP-and-OMVS.
BMC AMI Defender fails with message CZA0045C	Check the CZAPRINT data set for errors. In the Messages Library, look for messages with numbers that end in E, S or C (for example, CZA0207S) .
BMC AMI Defender fails with message CZA0276C and reason code 4.	Check the CZAPRINT data set for errors. In the Messages Library, look for messages with numbers that end in E, S or C (for example, CZA0207S).
BMC AMI Defender runs but IBM Security Information and Event Management (SIEM) receives no messages.	Check message CZA0274I in CZAPRINT to ensure that BMC AMI Defender for Db2 is using the intended parameter file. If not, try to resolve any configuration issues.
BMC AMI Defender runs but SIEM receives message CZA0028E in CZAPRINT.	One of the following issues exists: SIEM is not running. SIEM is not configured to receive TCP/IP messages on the specified or default port. SIEM is unreachable due to firewall or similar issues.
BMC AMI Defender runs, SIEM receives no messages, and the SERVER statement in the parameter file specifies TRANSport(Udp) or has no TRANSPort parameter.	The problem is probably caused by an incorrect IP address or port, or a firewall is blocking connectivity. If the IP address is incorrect or unreachable, no error appears on the LPAR.
BMC AMI Defender runs, SIEM receives no messages, the SERVER statement specifies TRANSport(TCP, SSL or TLS), and there are no CZA0028E messages in CZAPRINT	Syslog messages are probably reaching some destination. Ensure that: You have specified the correct address for the SIEM console. SIEM is not filtering or otherwise not displaying received messages. If you are using BMC Defender SyslogDefender, that the messages are being correctly forwarded.
SIEM receives some messages, but other expected messages are missing.	Stop BMC AMI Defender and look at the CZAPRINT listing. If message CZA0217W appears mentioning IEFU83 driven, IEFU84 driven or IEFU85_driven? If so, it probably indicates that the specified exit is not enabled in SYS1.PARMLIB. Refer to EXIT parameters under Checking the Configuration of SMF. Consider the effect of SELECT statements. See Customizing-required-events-with-SELECT.
SIEM receives some messages, but other expected messages are missing. One of the following messages appears in CZAPRINT: CZA0277W CZA0278W CZA0286W CZA0287W	The specified SMF record types are not being produced. For more information, see TYPE parameters.
SIEM receives some messages, but other expected messages are missing. In CZAPRINT, message CZA0217W appears referring to IEFU83-, IEFU84-, or IEFU85-driven.	The specified exit is probably not enabled in SYS1.PARMLIB. For more information, see EXIT parameters. Also consider the effect of SELECT statements. For more information, see Customizing-required-events-with-SELECT.
BMC AMI Defender is sending too much data to the SIEM	See SELECT-and-DESELECT-statements and the EVENTs, IFCID or SUBTypes parameter of the various SMF statements in Parameter-file-statements. To determine the events, IFCIDs, or subtypes are contributing to the problem, see the documentation for CZA0323I and related messages in CorreLog zDefender for z/OS Messages and Codes. See Filtering-in-and-filtering-out-events.
You receive unexpected timestamps (for example, GMT instead of the local time)	See Time-settings.

Troubleshooting

On this page