It appears that the Compliance Event Manager CEMALERT task constantly opens and closes /etc/hosts and /etc/resolv.conf. The CEMALERT policies are set to capture ACF2 commands and send them to a SIEM server via UDP. There is no actual problem with the process; the SIEM server is receiving the data. However, there appears to be an increase in SMF Type 92 records due to the constant opening and closing of the USS files.
Is this normal? Is there a way to prevent or reduce the number of accesses CEMALERT makes to these files?
Release : 6.0
Component : CA ACF2 for z/OS
Every time a thread is started, the /etc/hosts and /etc/resolv.conf files get re-opened.
To address the issue, Compliance Event Manager can be configured to keep these threads open, as follows.
In the CEMALERT parms file, there are settings for MAXSERVER and PERMSERVER. Sites can set PERMSERVER equal to MAXSERVER so that those threads always stay up.
The MAXSERVER and PERMSERVER parameters are defined in the CEMALERT task, for example as: CEMALERT PROC MEMBER=CEMAPRM
For example, the sample CUSTOM.PARMLIB(CEMAPRM) member:
EDIT your.CEMEV6.CUSTOM.PARMLIB(CEMAPRM) - 01.00 Columns 00001 00072
000051 COMPONENT=ALERT
000052 POLICYSET=SampleAlert
000053 *
000054 BUFFERSIZE=4096
000055 BUFFERCOUNT=16
000056 MAXSERVER=8
000057 PERMSERVER=4
****** **************************** Bottom of Data ****************************
Change to:
EDIT your.CEMEV6.CUSTOM.PARMLIB(CEMAPRM) - 01.00 Columns 00001 00072
000051 COMPONENT=ALERT
000052 POLICYSET=SampleAlert
000053 *
000054 BUFFERSIZE=4096
000055 BUFFERCOUNT=16
000056 MAXSERVER=8
000057 PERMSERVER=8
****** **************************** Bottom of Data ****************************