ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

CEMALERT excessively accessing USS /etc/hosts and /etc/resolv.conf files

book

Article ID: 227783

calendar_today

Updated On:

Products

Compliance Event Manager

Issue/Introduction

It appears that the Compliance Event Manager CEMALERT task constantly opens/closes /etc/hosts and /etc/resolv.conf. The CEMALERT policies are set to capture ACF2 commands and send them to a SIEM server via UDP. There is no actual problem with the process, the SIEM server is receiving the data. There appears to be an increase in SMF Type 92 records due to the constant opening and closing of the USS files.

Is this normal? Is there a way to prevent or reduce the number of accesses CEMALERT makes to these files?

 

Environment

Release : 6.0

Component : CA ACF2 for z/OS

Resolution

Every time a thread is started, the /etc/hosts and /etc/resolv.conf files get re-opened.

To address the issue Compliance Event Manager can be configured to keep these threads open. The following can be done.

In the CEMAELRT parms file, there are settings for MAXSERVER and PERMSERVER. Sites can change the PERMSERVER to equal the MAXSERVER, then those threads would always stay up.

The MAXSERVER and PERMSERVER parameters are defined in the CEMALERT task, for example as: CEMALERT PROC MEMBER=CEMAPRM

For example the sample CUSTOM.PARMLIB(CEMAPRM) member

EDIT       your.CEMEV6.CUSTOM.PARMLIB(CEMAPRM) - 01.00  Columns 00001 00072
000051 COMPONENT=ALERT                                                         
000052 POLICYSET=SampleAlert                                                   
000053 *                                                                       
000054 BUFFERSIZE=4096                                                         
000055 BUFFERCOUNT=16                                                          
000056 MAXSERVER=8                                                             
000057 PERMSERVER=4                                                            
****** **************************** Bottom of Data ****************************  

change to

EDIT       your.CEMEV6.CUSTOM.PARMLIB(CEMAPRM) - 01.00  Columns 00001 00072
000051 COMPONENT=ALERT                                                         
000052 POLICYSET=SampleAlert                                                   
000053 *                                                                       
000054 BUFFERSIZE=4096                                                         
000055 BUFFERCOUNT=16                                                          
000056 MAXSERVER=8                                                             
000057 PERMSERVER=8                                                            
****** **************************** Bottom of Data ****************************