Specifying the alert ID and data source
The administrator creates an alert (copied or new) by selecting and specifying the details that are described here.
Procedure
Follow these steps to create an alert:
- To create an alert, go to the option SE.A.A and select the alert configuration you want to work with.
- In the Alert Category panel, select any category; for example, System alerts.
The category to which the new alert belongs is determined by its second digit, and not by which category you use to create it.
Figure 1. Setup Alert panel: Alert category overview

   Menu  Options  Info  Commands  Setup
   -------------------------------------------------------------------------------
                         zSecure Suite - Setup - Alert              Row 1 to 15 of 15
   Command ===> ________________________________________________  Scroll ===> CSR

   System alerts
   Select the alert you want to work with. The following line commands are available:
   A(Preview), C(opy), D(elete), E(dit), I(nsert), W(Who/Where), S(elect), U(nselect), B(rowse)
   ------------------------------------------------------------------------------
      Alert                                             Id   Sel gECSWUA CA EM
      SMF data loss started                             1601 No  gECSWUA N
      SMF logging resumed after failure                 1602 No  gECSWUA N
      SVC definition changed                            1603 No  gECSWUA Y
      IBM Health Checker found low severity problem     1604 No  gECSWUA N
      IBM Health Checker found medium severity proble   1605 No  gECSWUA N
      IBM Health Checker found high severity problem    1606 No  gECSWUA N
      SMF record flood detected                         1607 No  gECSWUA N
      SMF record flood starts dropping records          1608 No  gECSWUA N
      IP attacks blocked by filter no longer logged     1609 No  gECSWUA Y
      IP attacks blocked by default filter no longer    1610 No  gECSWUA Y
      IP SMF 119 subtype no longer written              1611 No  gECSWUA Y
      IP filtering and IPsec tunnel support deactivat   1612 No  gECSWUA Y
      IP ports below 1024 no longer reserved            1613 No  gECSWUA Y
      IP interface security class changed               1614 No  gECSWUA Y
      IP filter rules changed                           1615 No  gECSWUA Y
   ******************************* Bottom of data ********************************

- You can create an alert by issuing the C(Copy) or I(Insert) line command. The Copy command copies all fields except the Alert ID.
The following panel is displayed after issuing the I line command:
Figure 2. Setup Alert panel: Adding an Alert

   Menu  Options  Info  Commands  Setup
   -------------------------------------------------------------------------------
                         zSecure Suite - Setup - Alert
   Command ===> ________________________________________________  Scroll ===> CSR

   Description . . . .
   Member prefix . . .
   Alert id . . . . . .
   Severity . . . . . .       (D, I, W, E or S)
   Data source . . . .  SMF   (SMF/WTO/other newlist type)
   Extended Monitoring  N     (Y/N)
   Parameters . . . . .
   Panel name . . . . .       (Panel for additional customization)

   Allowable destination types
     E-mail    Cellphone    SNMP    WTO    QRadar Unix syslog    ArcSight    Action command

   Optional actions
     Change data source filter: SMF type
     Customize alert selection/white list
     Specify action command
     View/edit alert skeleton

The following fields are displayed:
- Description
- A description of the alert.
- Member prefix
- A three-character prefix for the skeleton member. The generated name of the skeleton member is: <Member prefix>S<Alert id>. The three-character prefix must start with a letter or "@", "#", or "$", and not with a numeric digit. Prefix C2P is reserved for IBM® Security zSecure use.
- Alert id
- A numeric ID for the alert. IBM alert IDs use ranges 1000-1999 (RACF),
2000-2999 (ACF2), and 3000-3999 (TSS). The ranges 4000-4999 (RACF), 5000-5999 (ACF2), and 6000-6999
(TSS) are reserved for installation defined alerts. The second digit determines the Alert
category. The ID is used to generate the skeleton member name.
When WTO is selected as a destination type, the value is also used to populate the <Alert id> field in the message ID: C2P<Alert id><Severity>.
- Severity
- A severity for the alert. When WTO is selected as a Destination type, this value is used to
populate the <Severity> field in the message ID:
C2P<Alert id><Severity>
The following list shows the valid severities:
- D
- Debug. Action is not required.
- I
- Information. Action is not required.
- W
- Attention. Action might be required.
- E
- Error. Action is required.
- S
- Severe error. Action is required urgently.
For alerts with destination type QRadar Unix syslog, these severities are translated to syslog priorities as shown in the following table:

   Severity   Priority
   D          119
   I          117
   W          116
   E          115
   S          114
- Data source
- The CARLa newlist type that is used as input for the alert, for example, SMF or WTO.
- Extended Monitoring
- This field specifies whether the alert is an Extended Monitoring alert. Specify Y if it is an Extended Monitoring alert that compares the current and previous CKFREEZE snapshot data sets. Specify N if it is an Event-based alert. Ensure that the Data Source field specifies the correct value to match the Extended Monitoring setting. For event-based alerts, the Data Source field must have the value SMF or WTO. For Extended Monitoring alerts, the Data Source field can have the value of any supported CKFREEZE-based NEWLIST type. See Alert activation guidelines for more information about Extended Monitoring alerts.
- Parameters
- This field is intended to pass additional parameters to the generated NEWLIST statement.
- Panel name
- If you want your new alert to be customizable, specify the name of the customizing panel in this field. The panel you specify must exist and be accessible, either as a standard zSecure panel if there is one that fits your requirements, or as a panel that you created yourself. This panel is shown as the next transaction during creation of the new alert. It can also be used for future configuration of this alert.
- Allowable destination types
- Select the Destination Types for which reports can be generated by this alert. The alert skeleton must have a section for each Destination Type selected.
- Change data source filter
- For SMF and WTO-based alerts, this shows the collection parameters that are currently defined
for the alert. For SMF, the types and optional subtypes are listed. For WTO, the message prefixes
are listed. Enter a / in the check box to modify the collection parameters.
Although the panel allows specifying message prefixes starting with C2P, most of the C2P messages cannot be used to trigger alerts. Only messages C2P0100, C2P0335, and the range C2P0900 to C2P0999 can be used to trigger alerts.
Note that the alert skeleton must select the SMF records and WTOs that are relevant for the alert. So even when collection parameters are set, the alert skeleton must still contain a SELECT TYPE=numbers or SELECT MSGID=wtoid statement.
- Customize alert selection/whitelist
- If a panel name is specified for additional customization, this check box displays the panel to prompt for selection or exclusion of users, groups, jobnames, or classes.
- Specify action command
- This line shows whether the alert currently generates action commands by displaying active after the prompt.
Select the check box to switch execution of action commands on or off when an alert condition triggers and to specify the command. See Alert definition - specify action.
- ISPF Skeleton
- Type a forward slash (/) in this field to edit the ISPF
skeleton for this alert. The skeleton contains the CARLa code to specify the Alert Condition, the
alert contents, and the alert layout.
When you add an alert using the Copy command, the skeleton of the source alert is copied; otherwise a model skeleton is used. If the skeleton exists, it is not changed.
For Extended Monitoring alerts, the COMPAREOPT must be added to the ISPF skeleton together with all the other sections.
For example, to define an alert that is triggered when the APF list is updated by the SETPROG command:

Figure 3. Setup Alert panel: Defining an Alert

   Menu  Options  Info  Commands  Setup
   -------------------------------------------------------------------------------
                         zSecure Suite - Setup - Alert
   Command ===>

   Description . . . .  APF List changed using SETPROG command
   Member prefix . . .  ABJ
   Alert id . . . . . . 4000
   Severity . . . . . . W     (D, I, W, E or S)
   Data source . . . .  WTO
   Extended Monitoring  N     (Y/N)
   Parameters . . . . .
   Panel name . . . . .       (Panel for additional customization)

   Allowable destination types
     E-mail    Cellphone    SNMP    WTO    QRadar Unix syslog    ArcSight    Action command

   Optional actions
     Change data source filter: SMF type
     Customize alert selection/white list
     Specify action command
     View/edit alert skeleton

- When you press Enter, a panel prompts for the WTO message prefixes that are to be used to trigger the alert. Here, you specify CSV410I:

Figure 4. Setup Alert panel: Specify CSV410I

   Menu  Options  Info  Commands  Setup
   -------------------------------------------------------------------------------
                              Data source filters
   Enter required field

   Data source filters for alert 4000:

   SMF records to be collected for this alert
     Type  Sub    Type  Sub    Type  Sub    Type  Sub    Type  Sub

   WTO message ids and filters for this alert
     Prefix     Prefix     Prefix     Prefix     Prefix
     CSV410I    ________   ________   ________   ________

- Type
- If the data source is SMF: the SMF record type that must be collected for this alert. To collect ACF2 records, you can specify the pseudo-type ACF2. The zSecure Alert program looks up the correct record type from the ACF2 control blocks.
- Sub
- Specifies the SMF-record subtype that must be collected. The subtype is only used for SMF-record types 30, 80, 92, and ACF2 records. For all other SMF-record types, the subtype is ignored. The subtype is interpreted as follows:
   Rectype 30: The subtype is the standard SMF-record subtype.
   Rectype 80: The subtype is the RACF event code. For a complete list of RACF event codes, see the RACF Auditor's Guide.
   Rectype 92: The subtype is the standard SMF-record subtype. Although SMF record type 92 currently only has defined subtypes 1-17, the range accepted by zSecure Alert is 1-255.
   Rectype ACF2: The subtype is the ACF2 record type. For a complete list of ACF2 subtypes, see the SELECT/LIST Fields chapter in the CARLa Command Reference (the ACF2_SUBTYPE field in NEWLIST TYPE=SMF).
- Prefix
- If the data source is WTO: specifies which message prefixes must be collected. Although the panel allows specifying message prefixes starting with C2P, most of the C2P messages cannot be used to trigger alerts. Only messages C2P0100, C2P0335, and the range C2P0900 to C2P0999 can be used to trigger alerts.
When you press Enter to save the data source filters, the check box on the alert specification panel changes as follows:
Change data source filter: WTO msg CSV410I
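Putting the naming and range rules described on this page together, as an added example that is not part of zSecure (Python rather than CARLa, so it runs outside ISPF): it validates the Member prefix, Alert id and Severity of a definition such as alert 4000 above and derives the skeleton member name, WTO message ID and QRadar Unix syslog priority. The class and method names are the example's own; the range and priority tables are those stated in the field descriptions.

```python
from dataclasses import dataclass

# Alert ID ranges per security product, as listed for the Alert id field above.
IBM_RANGES = {"RACF": range(1000, 2000), "ACF2": range(2000, 3000), "TSS": range(3000, 4000)}
SITE_RANGES = {"RACF": range(4000, 5000), "ACF2": range(5000, 6000), "TSS": range(6000, 7000)}
SEVERITIES = ("D", "I", "W", "E", "S")
# Severity to QRadar Unix syslog priority, from the translation table above.
SYSLOG_PRIORITY = {"D": 119, "I": 117, "W": 116, "E": 115, "S": 114}
RESERVED_PREFIX = "C2P"  # reserved for IBM Security zSecure use


@dataclass(frozen=True)
class AlertDef:
    prefix: str      # Member prefix field
    alert_id: int    # Alert id field
    severity: str    # Severity field

    def validate(self):
        """Return the rule violations found (an empty list means the definition is acceptable)."""
        problems = []
        # Three characters, the first a letter or @, #, $ (so never a numeric digit).
        if len(self.prefix) != 3 or not (self.prefix[0].isalpha() or self.prefix[0] in "@#$"):
            problems.append("member prefix must be 3 characters and start with a letter, @, # or $")
        if self.prefix.upper() == RESERVED_PREFIX:
            problems.append("member prefix C2P is reserved for IBM Security zSecure")
        if self.owner() is None:
            problems.append(f"alert id {self.alert_id} is outside every IBM or installation range")
        if self.severity not in SEVERITIES:
            problems.append("severity must be one of D, I, W, E or S")
        return problems

    def owner(self):
        """(product, 'IBM' or 'installation') for the ID range, or None if the ID fits none."""
        for label, ranges in (("IBM", IBM_RANGES), ("installation", SITE_RANGES)):
            for product, rng in ranges.items():
                if self.alert_id in rng:
                    return product, label
        return None

    def category_digit(self):
        return int(str(self.alert_id)[1])  # second digit selects the Alert category

    def skeleton_member(self):
        return f"{self.prefix.upper()}S{self.alert_id}"  # <Member prefix>S<Alert id>

    def wto_message_id(self):
        return f"C2P{self.alert_id}{self.severity}"  # WTO destination: C2P<Alert id><Severity>

    def syslog_priority(self):
        return SYSLOG_PRIORITY[self.severity]  # QRadar Unix syslog destination
```

For the alert in Figure 3, `AlertDef("ABJ", 4000, "W")` validates cleanly and yields skeleton member ABJS4000 and WTO message ID C2P4000W.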