After I configured the product to send events to Splunk using the SIEM action, I noticed that the Journal data set fills up quickly. What can I do to resolve this issue?


Article ID: 14527


Updated On:

Products

CA ACF2, CA ACF2 - DB2 Option, CA ACF2 for zVM, CA ACF2 - z/OS, CA ACF2 - MISC, CA PanApt, CA PanAudit

Issue/Introduction

After I configured the product to send events to Splunk using the SIEM action, I noticed that the Journal data set fills up quickly. What can I do to resolve this issue?

Environment

Release:
Component: ACF2MS

Resolution

With SIEM actions, the volume of successful and failed actions that are logged in the Journal data set can be high, depending on your site's environment. By default (with TR95499 or RO95499 applied), the product logs only the failed actions, which reduces the number of entries written to the Journal data set. If your site is not using the default option, the Journal data set can fill up quickly.

Do the following steps as needed:

  • If your site is not using the default option of logging only the failed actions in the Journal data set, we recommend restoring the Journal log option to the default.

    Important! Before you restore the default value, verify with your security administrator that this setting is acceptable for your site.

    To review and configure this setting, edit the CEM_JOURNAL variable in the data set member that is pointed to by the CEEVARS DD (CEMECEEV, by default):

    - To log failed actions only, enter a value of 1. (Default)
    - To log successful actions only, enter a value of 2.
    - To log successful and failed actions, enter a value of 3.

  • Allocate more space to the Journal data set to accommodate the volume of actions that are being logged. For more information about estimating the storage needs for the Journal data set, see Best Practices.
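The following script is an added example and is not part of this article or of the product. It audits a CEEVARS-style member for the CEM_JOURNAL setting described above and reports whether the site is on the default (1) or on a setting that logs a higher volume. It assumes the member uses one `NAME=VALUE` assignment per line with `*` in column 1 marking a comment; the real CEMECEEV layout may differ, so adjust `parse_ceevars()` to match your member. The sample member text is constructed.

```python
"""Audit the CEM_JOURNAL setting in a CEEVARS-style member (added example)."""
from dataclasses import dataclass
from typing import Dict, Optional

# Meaning of each CEM_JOURNAL value, as documented in the article.
JOURNAL_MODES = {
    1: "failed actions only (default)",
    2: "successful actions only",
    3: "successful and failed actions",
}
DEFAULT_JOURNAL = 1


def parse_ceevars(text: str) -> Dict[str, str]:
    """Parse NAME=VALUE lines; '*' in column 1 is a comment (assumed syntax)."""
    variables: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # Upper-case the name so CEM_JOURNAL and cem_journal compare equal.
        variables[name.strip().upper()] = value.strip()
    return variables


@dataclass
class JournalFinding:
    value: Optional[int]      # parsed CEM_JOURNAL value, None if absent/invalid
    is_default: bool          # True only when the value is the documented default
    message: str              # human-readable finding for the operator


def audit_cem_journal(member_text: str) -> JournalFinding:
    """Classify the CEM_JOURNAL setting and describe the Journal volume impact."""
    raw = parse_ceevars(member_text).get("CEM_JOURNAL")
    if raw is None:
        return JournalFinding(
            None, False,
            "CEM_JOURNAL is not set in this member; confirm which member the "
            "CEEVARS DD points to before assuming the default is in effect",
        )
    try:
        value = int(raw)
    except ValueError:
        return JournalFinding(None, False, f"CEM_JOURNAL={raw!r} is not numeric")
    if value not in JOURNAL_MODES:
        return JournalFinding(None, False, f"CEM_JOURNAL={value} is not a documented value (1, 2 or 3)")
    if value == DEFAULT_JOURNAL:
        return JournalFinding(value, True, f"CEM_JOURNAL={value}: {JOURNAL_MODES[value]}")
    # Values 2 and 3 log a larger share of SIEM actions, so the Journal data
    # set grows faster; the article recommends restoring 1 after checking
    # with the security administrator, or allocating more space.
    return JournalFinding(
        value, False,
        f"CEM_JOURNAL={value}: {JOURNAL_MODES[value]}; Journal data set may fill "
        "quickly. Restore the default (1) after review, or allocate more space.",
    )


# Constructed sample member, not a real CEMECEEV.
SAMPLE_MEMBER = """\
* Common Event Manager variables (constructed sample)
CEM_JOURNAL = 3
"""

if __name__ == "__main__":
    finding = audit_cem_journal(SAMPLE_MEMBER)
    print(finding.message)
```

Run the script against a copy of the member downloaded from the data set; an `is_default` of `False` is the signal to review the setting with the security administrator before changing it, exactly as the "Important!" note above requires.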