AUTOALERT statement


Z/OS ONLY

The AUTOALERT statement enables you to automatically run a custom REXX exec whenever the BMC AMI Datastream agent receives a specified action code. The AUTOALERT statement is in the $$$AUTO member.

Important

You can modify the $$$AUTO member in the amihlq.PARM data set.

$$$AUTO is included in CZAPARMS if the AUTOMATE switch setting in $$$CONFG is on.

Using AUTOALERT

You can define from 1 through 255 AUTOALERT statements.

[Figure: Syntax diagram for the AUTOALERT statement]

Sample from $$$AUTO

AUTOALERT +
  ACTIONCODE(ARR001) +
  EXECNAME(AMICUSER) +
  WTOONLY +                   ; Only issue WTO
  DESCRIPTION('Cancel TSO Userid')   

Statement parameters

AUTOALERT uses the following parameters:

Parameter

Description

ACTIONCODE(CCActionCode)

Unique identifier for the alert

The action code defined in BMC AMI Command Center for Security.

If two AUTOALERT statements have the same action code, the later AUTOALERT statement overwrites the earlier AUTOALERT statement.

EXECNAME(REXXExec)

Name of the REXX exec

Specify the REXX exec that you want BMC AMI Datastream to run after receiving the action code.

WTOONLY

Command to issue a write-to-operator (WTO) message

Use WTOONLY to override the execution of the REXX exec specified in EXECNAME and issue a WTO (message CZA1100A) on the local system instead.

Important

  • WTOONLY is on by default. If you want to run REXX execs, you must either delete the parameter from the AUTOALERT statement or add a semicolon (;) in front of it to comment it out.
  • While WTOONLY overrides EXECNAME, the parameter must still contain a value. If you choose to use WTOONLY, do not modify or delete the EXECNAME default value provided in the AUTOALERT statement.

DESCRIPTION('actionCodeDesc')

1- to 40-character string

You must enclose the string in single quotation marks ('). It can be any meaningful description of the action code.

Modifying AUTOALERT

To change the EXECNAME and DESCRIPTION of a previously defined AUTOALERT statement, simply define a new statement for the same action code, update the values for EXECNAME and DESCRIPTION, and refresh the agent parameters.

To disable an active alert, change the EXECNAME to AMIDUMMY and refresh the agent parameters; no action is taken by the alert.

To disable an AUTOALERT statement, add a semicolon (;) before AUTOALERT and each of its parameters to comment them out.
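
A lint pass over a $$$AUTO member that applies the rules stated on this page: WTOONLY suppressing the exec, a later statement overwriting an earlier one for the same action code, AMIDUMMY disabling an alert, the 1- to 40-character description, and the 255-statement limit. This is an added example, not BMC code; the `+` continuation and `;` comment handling are inferred from the sample above, and the member content and the exec name MYREVOKE are constructed.

```python
import re

# Constructed $$$AUTO content (not from a real system); MYREVOKE is a hypothetical exec.
SAMPLE = """\
AUTOALERT +
  ACTIONCODE(ARR001) +
  EXECNAME(AMICUSER) +
  WTOONLY +                   ; Only issue WTO
  DESCRIPTION('Cancel TSO Userid')
AUTOALERT +
  ACTIONCODE(ARR002) +
  EXECNAME(MYREVOKE) +
; WTOONLY +
  DESCRIPTION('Revoke user ID')
AUTOALERT +
  ACTIONCODE(ARR001) +
  EXECNAME(AMIDUMMY) +
  DESCRIPTION('Cancel TSO Userid - disabled for change window')
"""

def statements(text):
    # Assumed syntax: ';' outside quotes starts a comment, a trailing '+' continues a statement.
    strip = lambda ln: re.sub(r"('[^']*')|;.*", lambda m: m.group(1) or "", ln).strip()
    kept = [s for s in map(strip, text.splitlines()) if s]  # drop blank/comment-only lines
    return re.sub(r"\s*\+\n", " ", "\n".join(kept)).splitlines()

def lint(text):
    """Return (statement_no, action_code, rule) for each rule on this page that applies."""
    out, seen, stmts = [], {}, statements(text)
    if len(stmts) > 255:
        out.append((0, None, "more-than-255-statements"))
    for n, s in enumerate(stmts, 1):
        bare = re.sub(r"'[^']*'", "", s)  # drop quoted text so keywords in it are ignored
        get = lambda kw: (re.search(kw + r"\(\s*([^)\s]+)\s*\)", bare, re.I) or [None, None])[1]
        code, exe = get("ACTIONCODE"), get("EXECNAME")
        desc = re.search(r"DESCRIPTION\(\s*'([^']*)'\s*\)", s, re.I)
        wto = bool(re.search(r"\bWTOONLY\b", bare, re.I))
        checks = [
            (not code, "actioncode-missing"),
            (code and code in seen, f"overwrites-statement-{seen.get(code)}"),
            (not exe, "execname-missing"),  # EXECNAME needs a value even with WTOONLY
            (wto, "wtoonly-exec-not-run"),
            (not wto and (exe or "").upper() == "AMIDUMMY", "disabled-via-amidummy"),
            (not desc or not 1 <= len(desc[1]) <= 40, "description-not-1-to-40-chars"),
        ]
        out += [(n, code, rule) for hit, rule in checks if hit]
        seen[code] = n
    return out
```

Run `lint()` against a copy of the member before refreshing the agent parameters; a `wtoonly-exec-not-run` finding on an alert you expect to act is the default configuration at work, not a failure of the exec.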

Reserved action codes

The following action codes are reserved by BMC. Although you can edit the descriptions and parameter lists, the changes might not be saved with future updates.

Every smfid parameter represents the target SMFID.

Action code

Description

Parameters

ARR000

WTO message for Auto Ops products

  • smfid
  • message

ARR001

Cancel TSO user ID

  • smfid
  • userid

ARR002

Revoke user ID

(SPE2404) Submits a batch job by using the Internal Reader DD, CZAIJCL, in the CZAGENT started task, to issue the ALTUSER REVOKE command to revoke the user ID. For more information about the CZAGENT started task, see Sample CZAGENT JCL for running BMC AMI Datastream as a started task.

  • smfid
  • userid

ARR003

Set UAUDIT to monitor everything that a user does

  • smfid
  • userid

ARR004

Disconnect IP address

  • smfid
  • ipaddress

ARR005

Shut down IP port number

  • smfid
  • port

ARR006

Stop STC

  • smfid
  • stcname

ARR007

Start trace of Security Session Monitor (3270) user

Create a VTAM 3270 Security Session Monitor archive request and start monitoring activity for the specified user ID.

This action code runs REXX exec AMISMUSR.

  • smfid
  • userid—User ID to start the trace

ARR008

Start trace of Security Session Monitor (3270) application ID

Create a VTAM 3270 Security Session Monitor archive request and start monitoring activity for the specified application ID.

This action code runs REXX exec AMISMAPP.

  • smfid
  • applid—Application ID to start the trace

ARR009

Start trace of Security Session Monitor (TCP)

Create a TCP/IP Security Session Monitor archive request and start monitoring activity for the specified IP address and port number.

This action code runs REXX exec AMISMTCP.

  • smfid
  • ipaddress—Client IP address to start the trace

ARR010

Start trace of Security Session Monitor (MQ)

Create an MQ Security Session Monitor archive request and start monitoring activity for the specified queue manager.

This action code runs REXX exec AMISMMQ.

  • smfid
  • qmgr
  • object-name

ARR012

Start dynamic trace of Security Session Monitor (3270) user

Create a VTAM 3270 Security Session Monitor archive request and start monitoring activity for the specified user ID for the indicated duration.

After the trace starts, user activity information is sent to the BMC Defender Server every minute.

This action code runs REXX exec AMISMUSR.

  • smfid
  • userid—User ID to start the trace
  • duration


ARR013

(SPE2404)

Scan a newly mounted file system for any APF-authorized programs

Submits a batch job by using the Internal Reader DD, CZAIJCL, in the CZAGENT started task to scan the file system. For more information about the CZAGENT started task, see Sample CZAGENT JCL for running BMC AMI Datastream as a started task.

File systems mounted with the NOSETUID option are not scanned.

  • smfid
  • pathname—Path of the mounted file system
  • userid—User who issued the mount

 
