User session details on the zSessions tab
In BMC AMI Command Center for Security, from the zSessions tab, an administrator or security analyst can see the activity of any z/OS user from the time they log on to a session to the time they end a session.
Examining active user sessions
The zSessions tab presents the following session information, sorted with the most recent activity at the top.
Column | Description |
|---|---|
Z-Terminal ID | Session ID that is automatically generated by the mainframe for the session Click to see choices under the session ID:
(SPE2101) If the session duration exceeds the expected session time, a flag is displayed next to the Z-Terminal ID. Hover over the flag to see the time that was exceeded. To set the time, see Expected zSession Interval later in this topic. |
Remote IP and Remote Port | IP address and port number of the remote device Click Remote IP or Remort Port to see all the associated messages, if available. |
User ID | ID of the session user Click User ID to open the Messages > Search > User Information tab, where you can see user information and perform some edits, such as flagging a user. |
User Name | Full user name for whom the session belongs |
Privileges | User authorization group Hover over the value to see the ACEEFLG1 value. For example, hover over the Known Privileged privilege so see the ACEEFLG1 value, such as {Defined, AUDITOR, OPERATIONS, SPECIAL}. |
Services | Protocol used to connect to the mainframe systems network architecture (SNA) |
Connect and Disconnect | Date and time the session started and ended |
LPAR IP | IP address for the target LPAR Click LPAR IP to open the zSessions > Device Information tab, where you can see and edit device information, such as flagging a device. |
Inactive Time | Time since the last message was received from a session that has not yet been terminated If the session exceeds the expected inactive time, a flag is displayed next to the time in this column. Hover over the flag to see the time that was exceeded. To set the time, see Expected zSession Inactive Time later in this topic. |
Session Duration | Time from the first message received for the session to the current time (for an open session), or time from the first message received for the session to the last message received (for a closed session) |
Today Count | All active records associated with the user and inactive records that are not yet dropped Inactive records are dropped according to the value of Advanced > Drop Inactive Items After. |
User History | Total count of user ID messages received since the startup of BMC AMI Command Center for Security |
You can filter information through a bank of filters at the top of the tab.
(SPE2101) Click the Download Full zSessions Data as CSV link at the bottom of the page to generate and download a CSV file with a snapshot of all the active zSessions data.
Adjusting history-control options
Click the Advanced button to see and edit the following history-control options:
Option | Description |
|---|---|
Drop Inactive Items After | Number of days before dropping inactive items Select an option from 1 to 500 days. The default value is 30 days. |
Make Item Text Labels Uppercase | Item text labels are changed to all uppercase letters The default value is False. |
Track Unique IP Addresses | Whether unique IP addresses are tracked The default value is False. |
Max Tracked Items | Maximum number of tracked items Set a value from 1,000 to 500,000. The default value is 10,000. |
Maximum Session Init Match Delay | For a specific terminal ID, the number of seconds between a user opening the 3270 terminal emulator and logging into the system Set a value from 0 to 300 seconds. If you set a value of zero, or if a user logs in after the set time, user sessions are not matched with the initial Telnet SNA init session. The default value is 60 seconds. |
Refresh Rate (seconds) | Frequency in seconds that the values on the tab are refreshed If you enter 999,999, the page never refreshes automatically. Click the tab to manually refresh the page. The default value is 60 seconds. |
Expected zSession Interval (hours) | Number of hours expected for a session, after which the session is flagged If a session is not terminated within the defined period, the Z-Terminal ID value is flagged so that you can investigate any issues with the user or the session. The default value is 24 hours. |
Expected zSession Inactive Time (hours) | Number of hours expected for a session to be inactive, after which the session is flagged If a session is inactive longer than the defined period, the Inactive Time value is flagged so that you can investigate any issues with the user or the session. The default value is 24 hours. |
Drop Oldest Items When Max Items Reached | Whether to drop the oldest items when the Max Tracked Items limit is breached If set to False and the limit is breached, then 50% of the oldest items are automatically dropped to make room for new items. If set to True and the limit is breached, then old items are dropped as new items are collected. The default value is True. |
Delete Items By List | Specified item data catalogs to delete Click Edit and select one of the following options:
New items are added when messages are received from the item. All item catalog information is deleted, but existing logged data, available through the Search and Query windows are not affected. |
Examining historical user sessions
On the zSessions > History sessions table, you can see only records of sessions that received termination records.
Some records might also be displayed on the Active tab, which shows inactive records according to the value of Advanced > Drop Inactive Items After.
Where to go from here
Based on the information on the zSessions tab, you might want to set up correlation threads and correlation alerts, or other triggers and alerts to monitor user or device activity.
Related topics