
Creating TCP/IP Archive Criteria


This section describes how to create a new archive recording request.

  1. From the Archive Recording - Monitor TCP/IP Requests screen, type A (Add) in the selection column of any recording request and press Enter. The TCP/IP - Archive Criteria screen is displayed.
    TCP/IP - Archive Criteria Screen

    ------------------------- TCP/IP - Archive Criteria -------------------------
    Command ===>                                                Scroll ===> PAGE


     Type OK to continue, PF1 for help, or CANCEL to exit.


     Name . . . . . . . .
     Description. . . . .


     Repository Registry Dataset. . . ARCH.TCPIP

    Restrict collection to certain times (optional):
                   HH : MM : SS                  MM / DD / YYYY
    Start Time . . 00 : 00 : 00   Start Date . . 00 / 00 / 0000
    End Time . . . 00 : 00 : 00   End Date . . . 00 / 00 / 0000


    Send message content to SIEM tool (Enter "/" to select)


    Collect data that match these filters (use * for wildcards):
    Line commands are: (S)elect, (R)epeat, (D)elete, or (I)nsert
           ------- Client -------  ------- Server -------
    S Ftr IP Address                     Port  IP Address                     Port
    * *** ****************************** ***** ****************************** *****
    _ 001 ______________________________ _____ ______________________________ _____
    ******************************* Bottom of data ********************************
  2. Enter a Name and optional Description for your new archive criteria. You can specify up to eight characters for the name. The name can be alphanumeric but must start with a letter.
  3. Enter the Repository Registry Dataset name (up to 35 characters). This dataset holds the index for the archive recording request and is the base name for every other dataset the request creates: the repository set segments are named by appending a segment number to the registry name (for example, a registry of A.B.C produces segments A.B.C.#0000001 through A.B.C.#9999999).
    This is a required field; the registry stores the information that makes searching efficient.

    Important: If you delete your registry by mistake, run HSREGEN to recreate it.

  4. Fill in the start and end date and time at which the request activates and deactivates.
    • A start time requires a start date, and an end time requires an end date.
    • To activate the request immediately, accept the default all-zero values in both the Start Date and Start Time fields.
    • To activate or deactivate the request on a specific date, enter a two-digit month, two-digit day, and four-digit year.
    • To activate or deactivate the request at a specific time, enter a two-digit hour on a 24-hour clock, then a two-digit minute and a two-digit second (or press Tab to accept 00 for each).
    • If you supply a start date but leave the start time at all zeros, the request activates at midnight at the beginning of the start date.
    • To keep the request active until you STOP, FORCE, or CANCEL it, accept the default all-zero values in both the End Date and End Time fields.
    • If you supply an end date but leave the end time at all zeros, the request deactivates at midnight at the beginning of the end date. To include records up to and including a specific day, enter the following day as the end date.
  5. Create at least one filter to capture activity by Client IP Address, Client Port, Server IP Address, and/or Server Port. Within a filter, every field must match (a wildcard matches anything); a session is recorded when it matches any one of the filters.
    • IPv4 Client IP Address or Server IP Address: four decimal segments separated by periods, each in the range 0-255; leading zeros are not required. Enter a wildcard (*) for any or all segments to specify a range of addresses. For example, 172.22.*.* captures activity on every address beginning with 172.22, and 172.*.173.165 captures every address beginning with 172 and ending with 173.165.
    • IPv6 Client IP Address or Server IP Address: an IPv6 address is 16 bytes long and is written as eight two-byte segments separated by colons, each segment as up to four hexadecimal digits (0-9, A-F). Enter a wildcard (*) for any or all segments to specify a range of addresses. Because many segments are often zero, a double colon (::) may stand for one or more consecutive zero segments, so FE80:0:0:0:0:0:0:A0A can be written as FE80::A0A. The double colon may appear only once in an address.
    • Client Port or Server Port: a numeric value in the range 0-65535; leading zeros are not required. Enter a port number, or an asterisk (*) to capture all ports for the specified IP addresses.
  6. Select Send message content to SIEM tool (type / in the field) to forward the captured TCP/IP message data to your SIEM tool. Session Monitor must already be configured to write data to your SIEM tool; see Configure-SIEM-Data-Delivery in Customizing-after-installation for information on configuring SIEM support.
  7. Type OK on the command line. If the information is incomplete, a message will appear telling you what needs to be added. If the information is complete, the Archive Criteria - Delete or Terminate message screen is displayed.

    Important: The request is not added until the initial segment is allocated.

    Archive Criteria - Delete or Terminate Message Screen

    -----------------------------  3270 - Archive Criteria  ------------------------
    C +----------------------------------------------------------------+
      | -----------  Archive Criteria - Delete or Terminate ---------- |
      | Command ===>                                                   |
      |                                                                |
      | Session Monitor archive record requests create repository      |
      | segment datasets based on the registry dataset name. You must  |
      | specify what action to take if the archive recording request   |
      | encounters an existing dataset in the following range:         |
      |                                                                |
    R |   First. . USR3213.ARCH.VTAM.#0000001                          |
      |   Last . . USR3132.ARCH.VTAM.#9999999                          |
    S |                                                                |
    E | Existing dataset option: (Enter number to select)              |
      |   _  1. Delete existing datasets                               |
    C |      2. Terminate the archive request                          |
    L +----------------------------------------------------------------+
    - --- --------------- Client ------------- -------------- Server --------------
    S Ftr IP Address                     Port  IP Address                     Port
    * *** ****************************** ***** ****************************** *****
      001
    ******************************* Bottom of data ********************************

    TCP/IP archive recording requests create repository segment datasets based on the registry dataset name. You must specify what action to take if the archive recording request encounters an existing dataset in the specified range.

    Important: This screen decides what happens when the next dataset segment in the repository set already exists. Both choices have drawbacks: deleting destroys whatever the existing dataset contains, and terminating stops the recording and leaves a gap in the archive. Avoid the situation altogether: have the security administrator ensure that, once the archive recording request has been initiated, only the global recording started task holds ALTER authority to the repository set datasets (the access level that permits allocating, renaming, or deleting datasets in that name range), so that no other user ID can create a dataset that collides with a segment name.

    The First and Last fields show the dataset name of the first and last repository dataset segment that can be used. These include the registry dataset name followed by “.#0000001” and “.#9999999”.

  8. Select 1 or 2 and press Enter to continue. Your choices include:

    • 1. Delete existing datasets: Deletes the existing datasets and creates new datasets that have the same names and are allocated with the same options as the initial repository dataset segment. Specify this option if the archive recording request must remain active.
    • 2. Terminate the archive request: Terminates the archive request. The archive recording request will not start if any existing datasets match the repository dataset specification. Also, if a dataset is created later that matches the repository dataset specification, the archive request will terminate when it needs to switch to that dataset.

      Important: You must make a choice. There is no default value, and your previous choice is not remembered from session to session.

    • Use END or CANCEL to cancel the add archive request and return to the TCP/IP - Archive Criteria screen.

    After selecting 1 or 2, the Global Recording - Allocate Dataset screen is displayed allowing you to define your repository file without exiting Session Monitor. The repository is a sequential dataset with variable blocked format. The record length of this dataset is four less than the specified block size. A block size of 9004 (default) is recommended.

  9. The Management Class, Storage Class, and Data Class are defined by the storage administrator at your site. Leave blank to accept the default class.
  10. Specify the type of Space Units to be used to store the data. Valid values are: TRKS (Tracks), CYLS (Cylinders), BLKS (Blocks), BYTES, KB (kilobytes), or MB (megabytes). Space units combined with the primary and secondary quantities define the amount of space allocated for the dataset.
  11. Specify the primary and secondary quantity of space units to allocate. After Global Recording fills the primary quantity, it allocates the secondary quantity.
  12. After you have filled in this screen, press Enter. The Archive Recording - Monitor TCP/IP Requests screen is displayed showing the new request in the list.
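The schedule and filter rules above are easy to get wrong on the panel (a time without a date is rejected, an end date ends at the start of that day, filter fields are ANDed while rows are ORed, and IPv4 wildcards never match IPv6 sessions). The following script is an added example and is not Session Monitor code: it re-implements those documented rules in Python so a request can be checked offline against sample sessions before it is added. Field values are the strings typed into the panel; session ports are integers; the filter rows and sessions are constructed for illustration; treating a bare * as "any address of either family" is this example's assumption, not something the panel documents.

```python
"""Offline check of a TCP/IP archive criteria request before it is added.

Added example, not Session Monitor code: it re-implements the panel's
documented rules (schedule fields, IPv4/IPv6/port wildcards, AND within a
filter row, OR across rows). All filter rows and sessions are constructed."""
from datetime import datetime, timedelta

ZERO_DATE, ZERO_TIME = "00/00/0000", "00:00:00"
DATE_FMT, TIME_FMT = "%m/%d/%Y", "%H:%M:%S"


def schedule_window(start_date, start_time, end_date, end_time):
    """Return (start, end) datetimes. None for start means 'activate now';
    None for end means 'active until STOP, FORCE or CANCEL'. A time entered
    without its date is rejected, as the panel rejects it."""
    def bound(date, time, label):
        if date == ZERO_DATE:
            if time != ZERO_TIME:
                raise ValueError(f"{label} time requires a {label} date")
            return None
        # an all-zero time means midnight at the beginning of that date
        return datetime.strptime(f"{date} {time}", f"{DATE_FMT} {TIME_FMT}")
    return bound(start_date, start_time, "start"), bound(end_date, end_time, "end")

def end_date_including(last_day):
    """Value to enter so recording runs through the whole of last_day: the
    request deactivates at midnight at the *beginning* of the end date."""
    return (datetime.strptime(last_day, DATE_FMT) + timedelta(days=1)).strftime(DATE_FMT)

def _segment(text, base, maximum):
    if text == "*":                      # wildcard for this node only
        return "*"
    value = int(text, base)              # leading zeros are not required
    if not 0 <= value <= maximum:
        raise ValueError(f"segment {text!r} out of range 0-{maximum}")
    return value

def segments(addr):
    """Split a filter or session address into comparable segments.
    IPv4: four decimal octets. IPv6: eight hex segments, with a single '::'
    expanded to the run of zero segments it stands for."""
    if ":" not in addr:
        parts = addr.split(".")
        if len(parts) != 4:
            raise ValueError(f"bad IPv4 address {addr!r}")
        return [_segment(p, 10, 255) for p in parts]
    if addr.count("::") > 1:
        raise ValueError(f"more than one '::' in {addr!r}")
    if "::" in addr:
        left, right = addr.split("::")
        head = left.split(":") if left else []
        tail = right.split(":") if right else []
        parts = head + ["0"] * (8 - len(head) - len(tail)) + tail
    else:
        parts = addr.split(":")
    if len(parts) != 8:
        raise ValueError(f"bad IPv6 address {addr!r}")
    return [_segment(p, 16, 0xFFFF) for p in parts]

def _addr_matches(filter_addr, session_addr):
    if filter_addr == "*":               # assumption: a bare '*' means any address
        return True
    want, have = segments(filter_addr), segments(session_addr)
    # an IPv4 filter never matches an IPv6 session, and vice versa
    return len(want) == len(have) and all(w == "*" or w == h for w, h in zip(want, have))

def _port_matches(filter_port, session_port):
    return filter_port == "*" or _segment(filter_port, 10, 65535) == session_port

def is_captured(filters, session):
    """True when ANY filter row matches; a row matches only when ALL four of
    its fields match. The panel requires at least one row."""
    if not filters:
        raise ValueError("enter at least one filter")
    cip, cport, sip, sport = session
    return any(_addr_matches(fc, cip) and _port_matches(fcp, cport)
               and _addr_matches(fs, sip) and _port_matches(fsp, sport)
               for fc, fcp, fs, fsp in filters)

# Constructed filter rows: (client IP, client port, server IP, server port)
FILTERS = [
    ("172.22.*.*", "*", "*.*.*.*", "23"),     # any 172.22 client, any server, telnet
    ("FE80::*", "*", "2001:DB8::1", "992"),   # link-local clients to one TLS telnet server
]
# Constructed sessions (client IP, client port, server IP, server port), ports as integers
SESSIONS = [
    ("172.22.5.9", 40000, "10.1.2.3", 23),                        # captured by row 1
    ("172.23.5.9", 40000, "10.1.2.3", 23),                        # 172.23 is outside row 1
    ("172.22.5.9", 40000, "10.1.2.3", 22),                        # server port is not 23
    ("FE80:0:0:0:0:0:0:A0A", 5000, "2001:DB8:0:0:0:0:0:1", 992),  # captured by row 2
    ("FE80::A0A", 5000, "10.1.2.3", 992),                         # IPv6 client, IPv4 server
]

if __name__ == "__main__":
    print(schedule_window("03/01/2024", ZERO_TIME, end_date_including("03/31/2024"), ZERO_TIME))
    for s in SESSIONS:
        print(s, "captured" if is_captured(FILTERS, s) else "not captured")
```

Run it with the filter rows and a handful of sessions you expect to see (or not see) in the archive; a mismatch between what the script reports and what you intended is cheaper to find here than after the initial segment has been allocated and the request is live.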

 


BMC AMI Security Session Monitor 17.02