Filter examples


Example 1: Filtering non-critical data sets out of the SMF 15 messages

If you use SMF 14 or 15 for file integrity monitoring, then a good portion of your SMF 14 and 15 events can be:

(1) various I/O on z/OS system temporary data sets local to a particular job.

(2) ISPF closing users’ profile data sets with names of the format userid.lpar.ISPF.ISPPROF.

(3) ISPF closing the temporary data sets it uses when submitting jobs and so forth, that are data sets with names of the format userid.lpar.SPFTEMPn.CNTL.

None of these data sets is relevant to file integrity. The first FILTER below discards events for temporary data sets (case 1); the second discards events whose data set name matches one of the two ISPF name patterns (cases 2 and 3). Each FILTER parameter is an independent reason to discard an event. You could filter these events out of your SMF 15 messages by coding

SMF 15 +
FILTER(SMF14TDS(Yes))     +  
FILTER(SMF14JFCBDSNM(IN '**.ISPPROF' '**.SPFTEMP%.CNTL')) +       
FIELDS(...

The FILTER parameters above are included on the SMF 14 and SMF 15 statements in the default parameter files distributed with the product.

Example 2: Filtering non-critical events out of the SMF 42 messages

If you use SMF 42 for file integrity monitoring, then a good portion of your SMF 42 events can be due to ISPF updating various members of user profile data sets with names of the format userid.lpar.ISPF.ISPPROF, and to various I/O on z/OS temporary data sets with names like SYS15173.T132554.RA000. These events are not relevant to file integrity. MATCH keeps only the events that satisfy its condition, so a MATCH with NI (not in) on the data set name passes every SMF 42 event except those naming an ISPPROF or temporary data set. You could filter these events out of your SMF 42 messages by coding

SMF 42 +
MATCH(SMF42XDS(NI '**.ISPPROF' 'SYS%%%%%.T%%%%%%.RA000.**')) +
FIELDS(...

This MATCH parameter is included in the default parameter files distributed with the product.

Example 3: Filtering monitor events from Db2

A user runs a Db2 monitoring product that executes Db2 DISPLAY GROUP commands every five seconds. This activity generates IFCID 90 (command entry), IFCID 91 (command exit) and IFCID 361 (audit administrative access) events at a total rate of over 2000 per hour (one command every five seconds is 720 commands an hour, each producing three records). The following FILTER statements filter out these routine events. The specified filters remove only very specific actions from certain trusted user IDs while letting all other events through. Note that the Command exit filter carries no command-text condition, so it removes every IFCID 91 record for LSCSTC, not only those produced by DISPLAY GROUP; if that user ID issues other commands, tighten the filter or accept that gap.

FILTER(QWHSIID_D(= 'Command entry') QWHCAID(= 'LSCSTC')       +
   QW0090CT(= '-DIS GROUP'))                               +
FILTER(QWHSIID_D(= 'Command exit')  QWHCAID(= 'LSCSTC'))      +
FILTER(QWHSIID_D(= 'Audit admin')   QWHCAID(= 'SYSOPR')       +
   QW0361PRD(= 'DISPLAY buff')  QW0361TX(= '-DIS GROUP'))  +
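
All three examples rest on the same two rules: a FILTER parameter discards an event when all of its conditions hold, with each FILTER an independent reason to discard, and a MATCH parameter keeps an event only when its conditions hold. The Python below is an added example, not part of this product documentation and not the product's own parser. It models those semantics and runs the conditions from Examples 1, 2 and 3 over constructed sample events so you can see which are dropped and which pass. The wildcard meanings assumed for data set name patterns (** for any number of qualifiers, * for any characters within one qualifier, % for exactly one character) follow the usual z/OS data set filtering conventions and are an assumption, as are the sample user IDs, data set names and the -STOP DB2 and -DIS DB(*) commands used as counter-examples.

```python
import re

# Assumed wildcard rules for data-set-name patterns (usual z/OS data-set
# filtering conventions; the page uses '**' and '%' without defining them):
#   '**'  zero or more whole qualifiers
#   '*'   zero or more characters within a single qualifier
#   '%'   exactly one character
def dsn_pattern_to_regex(pattern: str) -> re.Pattern:
    """Compile a data-set-name pattern into an anchored, case-insensitive regex."""
    if pattern.strip() == "**":
        return re.compile(r".+", re.IGNORECASE)
    pieces = []
    need_dot = False            # does the next qualifier need a leading '.'?
    for qual in pattern.split("."):
        if qual == "**":
            # Leading '**': qualifiers each followed by a dot.  Elsewhere:
            # dot-prefixed qualifiers, so 'A.**.B' matches 'A.B' and 'A.X.Y.B'.
            pieces.append(r"(?:\.[^.]+)*" if need_dot else r"(?:[^.]+\.)*")
            continue
        body = "".join(
            "[^.]*" if ch == "*" else "[^.]" if ch == "%" else re.escape(ch)
            for ch in qual
        )
        pieces.append((r"\." if need_dot else "") + body)
        need_dot = True
    return re.compile("".join(pieces), re.IGNORECASE)

def dsn_matches(name: str, patterns) -> bool:
    return any(dsn_pattern_to_regex(p).fullmatch(name) for p in patterns)

# A condition is (field, operator, value).  '=' is exact string equality, as in
# QWHCAID(= 'LSCSTC'); 'IN' / 'NI' test a data set name against a pattern list.
def condition_holds(event: dict, cond) -> bool:
    field, op, value = cond
    actual = event.get(field, "")
    if op == "=":
        return actual == value
    if op == "IN":
        return dsn_matches(actual, value)
    if op == "NI":
        return not dsn_matches(actual, value)
    raise ValueError(f"unknown operator {op!r}")

def keep_event(event: dict, filters=(), matches=()) -> bool:
    """Semantics as read from the page's examples (an assumption, not the
    product reference): a FILTER discards the event when ALL of its conditions
    hold, each FILTER being an independent reason to discard; a MATCH keeps
    the event only when all of its conditions hold."""
    if any(all(condition_holds(event, c) for c in conds) for conds in filters):
        return False
    return all(all(condition_holds(event, c) for c in conds) for conds in matches)

RULES = {
    # Example 1: FILTER parameters on the SMF 15 statement
    "SMF15": {"filters": [
        [("SMF14TDS", "=", "Yes")],
        [("SMF14JFCBDSNM", "IN", ["**.ISPPROF", "**.SPFTEMP%.CNTL"])],
    ]},
    # Example 2: MATCH parameter on the SMF 42 statement
    "SMF42": {"matches": [
        [("SMF42XDS", "NI", ["**.ISPPROF", "SYS%%%%%.T%%%%%%.RA000.**"])],
    ]},
    # Example 3: FILTER parameters for the Db2 IFCID 90 / 91 / 361 events
    "IFCID": {"filters": [
        [("QWHSIID_D", "=", "Command entry"), ("QWHCAID", "=", "LSCSTC"),
         ("QW0090CT", "=", "-DIS GROUP")],
        [("QWHSIID_D", "=", "Command exit"), ("QWHCAID", "=", "LSCSTC")],
        [("QWHSIID_D", "=", "Audit admin"), ("QWHCAID", "=", "SYSOPR"),
         ("QW0361PRD", "=", "DISPLAY buff"), ("QW0361TX", "=", "-DIS GROUP")],
    ]},
}

# Constructed sample events (not real SMF or IFCID records): the user IDs,
# data set names and the -STOP DB2 / -DIS DB(*) commands are illustrative.
SAMPLE_EVENTS = [
    ("SMF15", {"SMF14TDS": "Yes", "SMF14JFCBDSNM": "SYS15173.T132554.RA000"}),
    ("SMF15", {"SMF14TDS": "No",  "SMF14JFCBDSNM": "USER1.SYSA.ISPF.ISPPROF"}),
    ("SMF15", {"SMF14TDS": "No",  "SMF14JFCBDSNM": "USER1.SYSA.SPFTEMP1.CNTL"}),
    ("SMF15", {"SMF14TDS": "No",  "SMF14JFCBDSNM": "SYS1.PARMLIB"}),
    ("SMF15", {"SMF14TDS": "No",  "SMF14JFCBDSNM": "USER1.ISPPROF.BACKUP"}),
    ("SMF42", {"SMF42XDS": "USER1.SYSA.ISPF.ISPPROF"}),
    ("SMF42", {"SMF42XDS": "SYS15173.T132554.RA000"}),
    ("SMF42", {"SMF42XDS": "PROD.PAYROLL.DATA"}),
    ("SMF42", {"SMF42XDS": "SYS1.PROCLIB"}),
    ("IFCID", {"QWHSIID_D": "Command entry", "QWHCAID": "LSCSTC", "QW0090CT": "-DIS GROUP"}),
    ("IFCID", {"QWHSIID_D": "Command entry", "QWHCAID": "LSCSTC", "QW0090CT": "-STOP DB2"}),
    ("IFCID", {"QWHSIID_D": "Command entry", "QWHCAID": "ADMIN1", "QW0090CT": "-DIS GROUP"}),
    ("IFCID", {"QWHSIID_D": "Command exit",  "QWHCAID": "LSCSTC"}),
    ("IFCID", {"QWHSIID_D": "Audit admin", "QWHCAID": "SYSOPR",
               "QW0361PRD": "DISPLAY buff", "QW0361TX": "-DIS GROUP"}),
    ("IFCID", {"QWHSIID_D": "Audit admin", "QWHCAID": "SYSOPR",
               "QW0361PRD": "DISPLAY buff", "QW0361TX": "-DIS DB(*)"}),
]

def apply_rules(events):
    """Return the (type, event) pairs that survive the per-type FILTER/MATCH rules."""
    return [(t, e) for t, e in events if keep_event(e, **RULES[t])]

if __name__ == "__main__":
    for t, e in SAMPLE_EVENTS:
        print(f"{t:5} {'keep' if keep_event(e, **RULES[t]) else 'drop'}  {e}")
```

Running it drops the temporary, ISPPROF and SPFTEMPn.CNTL events from Examples 1 and 2 while keeping SYS1.PARMLIB, SYS1.PROCLIB, PROD.PAYROLL.DATA and USER1.ISPPROF.BACKUP (the last because '**.ISPPROF' only matches names whose final qualifier is ISPPROF). For Example 3, the DISPLAY GROUP records from LSCSTC and SYSOPR are dropped, but the same command from ADMIN1, a different command from LSCSTC, and a different audited command from SYSOPR all pass, which is the "only very specific actions from certain trusted user IDs" behaviour the text describes.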

 

BMC AMI Datastream for Db2 7.1