Configuring exits for SMF and system monitoring
SMF exits
You can use SMF exits to customize the SMF records that you capture. To enable BMC AMI Datastream to receive the required record types from SMF, ensure that the following configurations are applied:
- SMF invokes the EXITS parameters.
- SMF collects and writes the appropriate record types according to the TYPE parameters.
- TN3270 writes the appropriate records according to the TN3270 parameter.
SMF configuration is controlled by the SMFPRMxx member of SYS1.PARMLIB.
BMC AMI Datastream diagnoses most mismatches between the BMC AMI Datastream configuration and the SMF configuration and issues the following messages:
CZA0286W SUBSYS(TSO,EXITS(IEFU85)) not specified in SYS1.PARMLIB(SMFPRMxx). Some events will be missing from syslog
CZA0287W SUBSYS(OMVS,EXITS or [NO]TYPE coded in SYS1.PARMLIB(SMFPRMxx) but OPTIONS SUBSYS(SYSOMVS) not specified in CZAPARMS. Some events will be missing from syslog
In the SMFPRMxx member, you can perform the following tasks:
- Specify parameters for z/OS as a whole using the SYS(EXITS/NOEXITS and SYS(TYPE/NOTYPE statements.
- Override these parameters for individual subsystems using SUBSYS(xxx,EXITS/NOEXITS and SUBSYS(xxx,TYPE/NOTYPE statements.
The following table describes the EXITS and TYPES parameters:
Event type to be forwarded | SUBSYS statement | Record type |
---|---|---|
| Any, but corresponding to the type of work. | 30 |
DFSMS PDS(E) changes | Any | 42 |
Security events | Any | 80 (RACF and TSS), 230, or other as specified in ACF2 |
Db2 events | Any | 100, 101, and 102 |
CICS events | STC | 110 |
TCP/IP and FTP events | Any, but typically OMVS, TSO, or STC | 119 |
- Appropriately edit your SMFPRMxx member in SYS1.PARMLIB.
- Issue the console command SET SMF=xx (or /SET SMF=xx from SDSF). The xx variable represents the last two characters of the appropriate SMFPRMxx member name.
If the SMFPRMxx member contains any SUBSYS statements, see SUBSYS option.
EXITS parameters
You must enable the following exits for all events that you want to monitor:
- IEFU83
- IEFU84
- IEFU85
- IEFU86
You can enable these exits for z/OS as a whole or for individual subsystems.
Issue the console command D SMF,O (or /D SMF,O from SDSF). Check the D SMF,O output to ensure that at least one of the following statements is true:
- Neither SYS(EXITS nor SYS(NOEXITS is specified.
- (Recommended) SYS(EXITS(IEFU83,IEFU84,IEFU85,IEFU86)) is specified, and there are no SUBSYS(xxx,EXITS or NOEXITS statements for any of the subsystems that you want to monitor.
- SUBSYS(xxx,EXITS(IEFU83,IEFU84,IEFU85,IEFU86)) is specified for all of the subsystems that you want to monitor.
TYPE parameters
You must enable the writing of the appropriate SMF record types for the events that you want to monitor. You can enable them for z/OS as a whole or for individual subsystems.
- Issue the console command D SMF,O (or /D SMF,O from SDSF).
- Check the D SMF,O output. Make sure that one statement for SYS( and one statement for SUBSYS( are true:
  - For SYS(:
    - SYS(TYPE and SYS(NOTYPE are both omitted.
    - (Recommended) SYS(TYPE is specified and the specification includes all the record types that you want to monitor.
    - SYS(NOTYPE is specified and the specification does not include any of the record types that you want to monitor.
  - For SUBSYS(:
    - (Recommended) Neither SUBSYS(xxx,TYPE nor NOTYPE statements for any of the subsystems that you want to monitor is specified.
    - SUBSYS(xxx,TYPE is specified for each of the subsystem and record type combinations that you want to monitor and SUBSYS(xxx,NOTYPE is not coded specifying any of the subsystem and record type combinations that you want to monitor.
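The EXITS and TYPE checks described above can be run against the text of an SMFPRMxx member before it is activated. The following is an added example, not BMC or IBM code: the function names and the sample member are constructed for illustration. It assumes that a SUBSYS-level EXITS or NOEXITS overrides the SYS level, and it ignores subtype selections.

```python
import re

REQUIRED_EXITS = {"IEFU83", "IEFU84", "IEFU85", "IEFU86"}  # exits this page requires
SAMPLE = """ACTIVE  /* constructed SMFPRMxx sample, not from a real system */
SYS(TYPE(30,42,80,100:102,110,119),EXITS(IEFU83,IEFU84,IEFU85,IEFU86))
SUBSYS(STC,EXITS(IEFU29,IEFU83,IEFU84),TYPE(0:255))
SUBSYS(TSO,NOTYPE(119))"""

def split_top(s):  # split on commas outside parentheses (input has no whitespace)
    depth, out = 0, []
    for ch in s:
        depth += (ch == "(") - (ch == ")")
        out.append("\n" if ch == "," and depth == 0 else ch)
    return "".join(out).split("\n")

def expand_types(arg):  # "80,100:102" -> {80,100,101,102}; subtypes like 30(1:5) dropped
    out = set()
    for item in filter(None, split_top(arg)):
        lo, _, hi = re.sub(r"\(.*\)", "", item).partition(":")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def parse_smfprm(text):  # -> {scope: {option: argument}}, scope = "SYS" or subsystem
    text = re.sub(r"/\*.*?\*/", "", text.upper(), flags=re.S)
    cfg = {"SYS": {}}
    for m in re.finditer(r"\b(SYS|SUBSYS)\(", text):
        depth, end = 1, m.end()
        while depth and end < len(text):  # walk to the matching close parenthesis
            depth += (text[end] == "(") - (text[end] == ")")
            end += 1
        opts = split_top(re.sub(r"\s+", "", text[m.end():end - 1]))
        scope = "SYS" if m.group(1) == "SYS" else opts.pop(0)
        for opt in opts:
            name, _, arg = opt.partition("(")
            cfg.setdefault(scope, {})[name] = arg[:-1]
    return cfg

def missing_exits(cfg, subsys):  # a SUBSYS-level EXITS/NOEXITS overrides the SYS level
    for opts in (cfg.get(subsys, {}), cfg["SYS"]):
        if "EXITS" in opts or "NOEXITS" in opts:
            return REQUIRED_EXITS - set(opts.get("EXITS", "").split(","))
    return set()  # neither coded at either level, which the page accepts

def missing_types(cfg, subsys, wanted):  # SYS and SUBSYS conditions must both hold
    bad = set()
    for opts in (cfg["SYS"], cfg.get(subsys, {})):
        bad |= set(wanted) - expand_types(opts.get("TYPE", "0:255"))
        bad |= set(wanted) & expand_types(opts.get("NOTYPE", ""))
    return bad
```

With the constructed sample, `missing_exits(parse_smfprm(SAMPLE), "STC")` reports IEFU85 and IEFU86, because the STC override omits them, and `missing_types(..., "TSO", {80, 119})` reports 119, because the TSO override excludes it.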
TCP/IP parameter
The //PROFILE DD statement references the TCP/IP profile data set in the cataloged procedure used to start TCP/IP.
To configure the TCP/IP profile data set for type 119 records, ensure that it contains the following (or a similar) SMFCONFIG statement:
For most record types, the default value is NO.
If the TCP/IP profile data set does not contain such a statement:
- Insert this statement in your TCP/IP profile data set.
- Save the data set.
- Stop and restart TCP/IP.
To receive FTP server events, such as server login failures, the FTP server profile must be configured for type 119 records.
To configure the FTP server profile for type 119 records, ensure that the following statement appears in the data set referenced by the SYSFTPD DD statement in your FTP server cataloged procedure (commonly referred to as FTP.DATA):
TN3270 parameter
The //PROFILE DD statement references the TN3270 profile data set in the cataloged procedure used to start TN3270. Type 119 records are essential to enable you to correlate security violations by TSO users back to the TCP/IP address from which they connected.
To write type 119 records for the start and end of TN3270 sessions, ensure that the TN3270 profile data set contains the following statements:
SMFTERM TYPE119
If the TN3270 profile data set does not contain these statements:
- Insert these statements in your TN3270 profile data set.
- Save the data set.
- Stop and restart TN3270.
Additional subsystem parameters to write SMF records
To write the appropriate SMF records, you must configure the following subsystems:
- ACF2
- CICS
- Db2
- MQ
- RACF
- Top Secret
For Db2 only, you can configure BMC AMI Datastream to have Db2 start the required traces (SMF record types) automatically. For more information, see the discussion of the STArt parameter in the SMF DB2 statement topic and in the IBM Knowledge Center.
Language environment options
BMC AMI Datastream and its associated programs run with z/OS Language Environment (LE). The BMC AMI Datastream programs operate correctly with the IBM-supplied default LE options.
The supplied JCL for BMC AMI Datastream and CZASEND includes CEEOPTS DD statements to facilitate overriding LE options. For more information about LE, see the IBM Knowledge Center.
Authorizing the runtime load library
The data sets must be Authorized Program Facility (APF) authorized. For more information, see Installing the BMC AMI Datastream product files.
System monitoring exits
You can use the exits described in this section to support the system PROCLIB and PARMLIB monitoring feature and the System Integrity Violation (SIV) scanner, and to intercept most RACF commands.
EXITS parameters
You must enable the following exits in z/OS for all events that you want to monitor:
- IFG_OPEN_START
- IFG_CLOSE_START
- IGG_STOW_START
- CSVDYNEX
- IRREVX01
System PROCLIB and PARMLIB monitoring exits
The following exits are used with SRCCOMP events and are called when a PDS member is opened for file processing, closed for file processing, and saved:
- IFG_OPEN_START
- IFG_CLOSE_START
- IGG_STOW_START
IEFU8x exit monitoring exit
The CSVDYNEX exit monitors the IEFU8x exits and detects whether one has been replaced or removed. When used together with the KEEPEXITFirst or VERIFYExit parameter of the OPTIONS statement, BMC AMI Datastream reloads the IEFU8x exit with the proper exit module.
RACF Command Intercept exit
You can use the IRREVX01 exit to intercept and capture most RACF commands. For information about which RACF commands it intercepts, see the IBM documentation.