Currently on zVM 6.4 RSU 1901+ with VMSECURE 3.2 RSU-1801+.
We've recently changed our AUDIT LOG to be RECFM V as part of the recent VMSECURE RULES Enhancement PTF.
This now lets us see IPV6 addresses in the terminal address portion of the reports which is great news.
I've noticed though in the reports, the address displayed for a specific user / session will start out as IPV6 but switch over to IPV4 at some point.
The address is the same - no real issue with that. I'm just curious as to why. Since these reports go to management and audit, I'm sure someone is going to ask me this question in the future and I'd like to be able to give them an answer on the spot.
Release : 3.2
Component : CA VM:Secure for z/VM
z/VM 6.4 and z/VM 7.1
Apply VM:Secure PTF SO10299 which changes VMXSRA/VMXSRB to output IPV4 formatted addresses when it discovers
IPV4 addresses formatted for IPV6.
The terminal address in the VMXSRB/VMXSRA audit reports can be different for audited events that are CP command or function related and those that are related to directory management functions for the same user ID during the same duration of being logged on. This only occurs for customers using a variable length audit file which supports IPV6 addresses.
Audit reports can also be misleading or confusing without closer inspection.
To resolve, apply VM:Secure PTF SO10299.