SMF DB2 statement


You can use the SMF DB2 statement to control the Db2 monitoring feature of BMC AMI Datastream. Db2 writes statistics, performance, accounting, and audit records as SMF Type 100, 101, and 102 records.

You can monitor Db2 SMF records to maintain an audit trail of individuals accessing certain sensitive Db2 tables.

If you use the SMF DB2 statement with the IFCID parameter, then all SMF Type 100, 101 and 102 records for the specified IFCIDs are forwarded to your BMC Defender Server or syslog console with a facility of Logaudit (13).

You can use the STArt parameter to configure BMC AMI Datastream to start the appropriate Db2 traces itself. BMC AMI Datastream supports compressed Db2 SMF records. The support is automatic and you do not need to enable any specific option.

If you enter more than one SMF DB2 statement, the subsequent statement replaces the previous ones.

Syntax diagrams

The following diagrams describe the valid syntax for the SMF DB2 statement.

Syntax diagram for the SMF DB2 statement provides a visual representation of the command syntax and parameters.


Syntax diagram for Severity and startOptions provides a visual representation of the available severities and start options.

For information about filterSpecification, see FILTER-and-MATCH-parameters.

For information about ifcidDefaultServices, see IFCID default severities later in this topic.

The following table describes the SMF DB2 statement parameters:

Parameter

Description

DESCription

Deprecated and accepted only for compatibility purposes

DB2AUDITEnrich(subsystemName subsystemName...)

(SPE2310)

Enriches only SMF records for the specified Db2 subsystems with schema, table names, and database names for IFCID 143 and IFCID 144 records

Specify one or more Db2 subsystem names (SSIDs), separated by a blank space and in any order. Subsystem names are always one to four alphanumeric or national characters. You can specify the names in uppercase or lowercase. For example, PROD, Prod, and pRoD are all equivalent. 

To enrich the schema and table name, you must bind one or both of the CZAUTILS and CZADB2RR plans to each specified Db2 subsystem name. If the START or IFI parameter is specified, you must bind CZADB2RR. Otherwise, bind CZAUTILS. For more information, see Example of the CZABIND member.

To use this parameter, you must configure the following option, process, and authorization:

  • Uncomment the DB2AUDITEnrich parameter in the $$$IFDB2 member. For more information, see Example of the $$$IFDB2 member.
  • Modify the BMC AMI Datastream process to add the Db2 SDSNLOAD library to the STEPLIB concatenation. For more information, see Configuring-the-CZAGENT-procedure-for-Db2.
  • Verify that the appropriate SELECT authorization has been given so that the application can read the SYSIBM.SYSTABLES Db2 tables to assemble a list of audited Db2 tables.

Important

Any audited table CREATE, ALTER, DROP statements dynamically update the in storage DBID or OBID to table name mapping. This is done asynchronously to reduce overhead. Therefore, it is possible that an immediate subsequent audit read/write (IFCID 143 or 144) might not be enriched during this update.

FACILITY(facilityName)

Specifies the originating RFC 3164 facility of the syslog records that correspond to SMF type records

To use a different facility, enter one of the RFC 3164 facility names listed in Syslog-facilities-and-severities.

If you omit this parameter, the default LOGAUDIT is used. 

FIELDs(fieldName…)

Specifies the names of the SMF type record fields that BMC AMI Datastream should forward to the BMC Defender Server or other syslog console

Fields appear in the message in the order in which you listed them.

Specify one or more of the fields as described in Supported-record-field-names.

filterSpecification

Filters the fields

For information about filtering fields, see FILTER-and-MATCH-parameters.

IFCIDs

Specifies one or more Db2 IFCID types to be formatted by BMC AMI Datastream, and if you use the STArt parameter, the IFCID traces that Db2 is configured to generate
You must modify the $$$IFDB2 member to use this parameter.

Important

  • If you do not specify at least one IFCID, then no DB2 data is formatted and forwarded by BMC AMI Datastream.
  • If you specify an IFCID number and DB2 does not produce that trace data, then no data for that IFCID is formatted or forwarded.

Do not specify more than 156 IFCIDs, either explicitly, such as 1 2 3, or with a range such as 1:157, if you want BMC AMI Datastream to start traces automatically (using the STArt parameter).

Specify IFCIDs in one or more of the following formats.

Parameter

Description

ifcid 

Specifies a single IFCID

Example

IFCID(3) specifies that IFCID 3 records are to be formatted or inhibited.

IFCID(3 239) specifies that IFCID 3 and 239 records are to be formatted or inhibited.

ifcid:ifcid

Specifies a range of IFCIDs

Example

IFCID(3:5) specifies that all IFCID 3, 4 and 5 records are to be formatted or inhibited.

-ifcid

-ifcid:ifcid

You can prefix either of the formats with a minus sign ( - ) to indicate negation. The specifications are processed left to right.

Example

140:145 -142 indicates IFCIDs 140, 141, 143, 144 and 145.

Negation can be especially useful with the INHIBIT parameter.

Example

INHIBIT(1:599 -3 -239) inhibits the writing of all IFCIDs except 3 and 239.

For all of the formats, ifcid must be in the range 1 to 599.

If you omit IFCID, it defaults to the IFCIDs listed under IFCID default severities.

If you do not want BMC AMI Datastream to monitor a default IFCID or IFCIDs, enter IFCID(ifcids SEV(SUPPRESS)) where ifcids is one or more of the IFCID specification formats documented.

SEVerity(severity)

Specifies the syslog severity for the specified IFCIDs. See Syslog-facilities-and-severities.

You can also use one of the following severities:

  • SUPPRESS indicates that the specified event records are not forwarded to the syslog server.
  • DEFAULT indicates that the severity is to default to the defined severity.

If you omit this parameter, it defaults to the value of the described SEVerity parameter.

IFI

Enables BMC AMI Datastream to use the instrumentation facility interface (IFI) to obtain instrumentation facility component identifier (IFCID) records

When Db2 generates the IFCID records, the BMC AMI Datastream agent reads the records directly without producing Db2 SMF records. You can use IFI without the INHIBIT parameter because no SMF records are produced.

To use the IFI parameter, you must ensure that the SSID parameter includes a list of the required subsystems and that the STArt parameter is used to begin the records trace.

Important

The execution priority of BMC AMI Datastream must be equal to or greater than the execution priority of the connected Db2 subsystem when you use the IFI parameter. If not, BMC AMI Datastream might not keep up with the quantity of IFCID records produced by the Db2 subsystem. This might result in records being dropped because of a buffer shortage. When this occurs, message CZA1213E is issued.

INHibit

Inhibits writing one or more Db2 IFCIDs to the SMF data sets (for the specified subsystems only)

You must modify the $$$IFDB2 member to use this parameter.

Example
SSID(DB2A) INHIBIT(58)

This statement indicates that BMC AMI Datastream will suppress the writing of IFCID 58 records from DB2A to the SMF data sets.

Important

If you use INHIBIT, then the first time that BMC AMI Datastream inhibits the writing of an SMF record, DB2 logs the console message
DSNW133I  -subsys DSNWVSMF – TRACE DATA LOST, SMF  NOT ACCESSIBLE RC=14.

This message can be ignored. No trace data is lost; its writing has simply been inhibited as requested.

Specify the IFCIDs in one or more of the following formats.

Parameter

Description

ifcid 

Specifies a single IFCID

Example

IFCID(3) specifies that IFCID 3 records are to be formatted or inhibited.

IFCID(3 239) specifies that IFCID 3 and 239 records are to be formatted or inhibited.

ifcid:ifcid

Specifies a range of IFCIDs

Example

IFCID(3:5) specifies that all IFCID 3, 4 and 5 records are to be formatted or inhibited.

LOG | LOG(HEX)

Logs SMF records on CZAPRINT and dumps them in hexadecimal or character format

This parameter is intended primarily for diagnostic purposes.

Important

Specifying LOG(HEX) might generate a large volume of print records, especially if BMC AMI Datastream is left running for several hours.

Compressed records are dumped both before and after decompression.

PROCess('process-tag')

Specifies the tag that appears at the start of SMF syslog messages

The tag follows the priority, time stamp, and host name, and precedes the formatted fields.

Enter the exact process tag that you want to include in syslog messages, including any spaces and punctuation. Process tags can be of any length from null string ('') to 32 characters.

If you omit this parameter, the default DB2 is used, followed by the leading delimiter from OPTIONS DELIM. For more information, see OPTIONS-statement.

SEVerity(severity)

Specifies the default syslog severity. For more information, see Syslog-facilities-and-severities.

You can also enter SUPPRESS. SUPPRESS indicates that the records are not forwarded to the syslog server.

If you omit this parameter, it defaults to the value as described in IFCID default severities.

SSIDs(subsystemName …)

Specifies that only SMF records for the specified Db2 subsystem names are formatted and forwarded to the syslog console

You must modify the $$$IFDB2 member to use this parameter.

SSIDs also specify the Db2 subsystems where the STArt parameter, if specified, starts the indicated IFCID traces.

Specify the names of 1 to 16 Db2 subsystem IDs, separated by one or more blanks. Subsystem names are always 1 to 4 uppercase alphanumeric or national characters, but you can specify the names in upper or lower case. For example, PROD, Prod, and pRoD are all equivalent.

The order in which you specify the names is not significant. If you omit SSIDs, then records from all Db2 subsystems that satisfy any IFCID parameter are formatted and forwarded.

You must specify SSIDs if you use the STArt parameter. Specifying the names of Db2 subsystems that do not actually exist or are not actually started on the LPAR causes errors only if the STArt parameter is also used.

If the START-command parameter SET='SSID(ssid)' is specified when starting BMC AMI Datastream, then you can specify &SSID as a subsystem name and the value of ssid is substituted.

STArt

Specifies that BMC AMI Datastream is to interface with Db2 to start the DB2 IFCID traces indicated in IFCIDs()

You must modify the $$$IFDB2 member to use this parameter.

The indicated traces start only for the Db2 subsystems in the SSIDs parameter. BMC AMI Datastream starts the indicated traces for each specified Db2 subsystem whenever it becomes active. You can specify STArt without any subparameters and doing so is equivalent to using:

START( CLASS(32) CON() REC('-') )

STArt requires one of the following privileges or authorities:

  • SECADM authority
  • SQLADM authority
  • SYSADM authority
  • SYSCTRL authority
  • SYSOPR authority
  • System DBADM authority
  • TRACE privilege

You must modify the BMC AMI Datastream process to add the Db2 SDSNLOAD library to the STEPLIB concatenation. For more information, see Configuring-the-CZAGENT-procedure-for-Db2.

Use one or more of the STArt options:

Parameter

Description

CLAss

Specifies the Db2 trace class to use

Specify 30, 31 or 32.

We recommend that you specify an Audit trace class that is not otherwise in use. For more information, refer to the IBM manual DB2 10 for z/OS Command Reference.

If you omit this parameter, the default 32 is used.

CONstraint

Specifies one or more optional constraints or filters for the trace, such as PLAN() or PKGLOC(). For more information, see Starting-the-Db2-traces.

Specifying one or more constraints or filters might reduce the amount of trace data collected and the overhead of the trace.

You must enclose the operand in quotation marks if it includes spaces or special characters. You can use the CONstraint parameter multiple times and each operand is appended to those that came before with no embedded blank. For example:

STA(CON('PLAN(MYPLAN1,MYPLAN2,')           +
   CON('MYPLAN3,MYPLAN4) PKGLOC(LOCATN1)')  +
   CON(' AUTHID(PROD1)') )

As a result, the effective START TRACE constraint block would be:

PLAN(MYPLAN1,MYPLAN2,MYPLAN3,MYPLAN4) PKGLOC(LOCATN1) AUTHID(PROD1)

If you omit this parameter, the default of the null constraint block is used. The constraint block is omitted from the START TRACE commands.

NOTReady

Deprecated and checked for syntactic validity, but not otherwise processed.

RECognition

Specifies the Db2 subsystem command recognition character

Specify a single non-alphanumeric character. The command recognition character is the single character, typically a hyphen or minus sign, which you specified when you configured Db2. The command recognition character plus the Db2 subsystem name forms the command prefix when you enter a Db2 command from the z/OS system console.

If you omit this parameter, the default - (a minus sign or hyphen) is used.

1. Db2 SMF trace record types are identified by IFCID number. IFCID stands for instrumentation facility component identifier, which is another way of saying trace record type. There are about 400 record types or IFCIDs, numbered between 1 and 511. Each IFCID type record has a specific layout and describes a specific event.

IFCID default severities

If you omit SEVerity, it defaults as follows:

  • IFCIDs 23, 62 and 197 default to INFOrmational.
  • IFCIDs 24, 25, 90, 91, 97, 141, 142, 145, 258 and 319 default to NOTICE.
  • IFCID 140 defaults to ERROR.
  • IFCID 361 defaults to WARNing.
  • All other IFCIDs default to SUPPRESS.
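
The following Python sketch is an added example, not BMC code. It expands an IFCID list using the left-to-right negation rule described for the IFCIDs parameter, checks the 1 to 599 range and the 156-IFCID limit that applies with STArt, and reports the severity each IFCID receives when SEVerity is omitted. The function names are hypothetical, and rejecting a reversed range such as 5:3 is an assumption, because this topic does not describe that case.

```python
import re

IFCID_MIN, IFCID_MAX = 1, 599   # valid IFCID range stated in this topic
START_LIMIT = 156               # maximum IFCIDs when STArt starts the traces

# Defaults from "IFCID default severities"; anything not listed is SUPPRESS.
DEFAULT_SEVERITY = {
    **dict.fromkeys((23, 62, 197), "INFORMATIONAL"),
    **dict.fromkeys((24, 25, 90, 91, 97, 141, 142, 145, 258, 319), "NOTICE"),
    140: "ERROR",
    361: "WARNING",
}

_TOKEN = re.compile(r"^(-?)(\d+)(?::(\d+))?$")  # ifcid, ifcid:ifcid, optional '-'

def expand_ifcids(spec):
    """Expand a list such as '140:145 -142' into a sorted list of IFCIDs.

    Tokens are applied left to right: a plain token adds IFCIDs and a
    token prefixed with '-' removes them.
    """
    selected = set()
    for token in spec.split():
        m = _TOKEN.match(token)
        if not m:
            raise ValueError(f"unrecognised IFCID token: {token!r}")
        low, high = int(m.group(2)), int(m.group(3) or m.group(2))
        # Assumption: a reversed range (for example 5:3) is treated as an error.
        if not (IFCID_MIN <= low <= high <= IFCID_MAX):
            raise ValueError(f"IFCID outside 1-599 or reversed range: {token!r}")
        ids = set(range(low, high + 1))
        selected = selected - ids if m.group(1) else selected | ids
    return sorted(selected)

def review(spec, uses_start=False):
    """Return (ifcids, default severities, problems) for a proposed list."""
    ifcids = expand_ifcids(spec)
    problems = []
    if not ifcids:
        problems.append("no IFCID selected: no Db2 data is formatted or forwarded")
    if uses_start and len(ifcids) > START_LIMIT:
        problems.append(f"{len(ifcids)} IFCIDs exceed the {START_LIMIT} limit for STArt")
    severities = {i: DEFAULT_SEVERITY.get(i, "SUPPRESS") for i in ifcids}
    return ifcids, severities, problems

if __name__ == "__main__":
    print(review("140:145 -142"))
    print(review("1:157", uses_start=True)[2])
```

For 140:145 -142, the result shows IFCIDs 143 and 144, the audit read/write records that DB2AUDITEnrich enriches, resolving to SUPPRESS unless a severity is specified for them.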

Example of the $$$IFDB2 member

Modify the $$$IFDB2 member for parameters indicated in the previous table.

Because the SMF DB2 command includes this member, do not add parameters or alter any continuation characters ( + ).

;**********************************************************************;
;**********************************************************************;
; $$$IFDB2: User agent parameter member for BMC AMI Datastream         ;
;           This is a copy of CZAIFDB2 and made available for          ;
;           user modification.  It will be included in CZAFIELD        ;
; SIEMTYPE-independent                                                 ;
; Copyright (c) 2014-2024 BMC Software, Inc.                           ;
;**********************************************************************;
;**********************************************************************;

;**********************************************************************;
;**                                                                  **;
;** IFCID 361 reports successful access for ALL users, regardless    **;
;** of authority level required.                                     **;
;**                                                                  **;
;** If you want to audit all successful accesses, uncomment its      **;
;** IFCID list below.  Otherwise, use the DB2 Audit Policy to limit  **;
;** monitoring of successful SYSADM and DBADM access only.           **;
;**                                                                  **;
;**********************************************************************;

  IFCID(1 2 3 23 62 106 197 SEV(INFO)) +
  IFCID(24 25 90 91 97 141:145 258 319 SEV(NOTICE)) +
; IFCID(361 SEV(WARNING)) +
  IFCID(376 SEV(WARNING)) +
  IFCID(378 379 SEV(SUP)) +
  IFCID(140 SEV(ERROR))   +
 + ; Read manual on START, INHIBIT and SSIDs before uncommenting
 /* START      */         +
 /* IFI        */         +  ; Use IFI interface instead of SMF
 /* SSIDS()    */         +
 /* DB2AUDITEnrich() */   +
 /* INHIBIT()  */         +

 
