Description:
The new AUDIT component of CA SYSVIEW is automatically started at STC initialization and will create Audit Event records for the predefined system-altering actions available in the product.
SYSVIEW 16.0 & 17.0 - Common Services 15.0 - z/OS supported releases
Solution:
The CA SYSVIEW Audit Event component lets you record events or actions occurring within CA SYSVIEW that change resources.
The Audit Event component can be used to view and control historical audit activity.
The AUDIT configuration information, which can be dynamically modified via the AUDITDEF command, is saved to the Persistent Data Store when the AUDIT task is terminated, or it can be saved manually using the SAVE subcommand of the AUDITDEF command.
From the AUDITDEF command, the options for each Audit Event can be changed so that any or all of the following are done when the event occurs:
Write a record to SMF recording the event.
Write a record to the logstream recording the event.
Notify CA OPS/MVS of the event.
Issue a WTO message recording the event.
For example, if a user issues the ADD subcommand of the APFLIST primary command to add a dataset to the APFLIST, and AUDIT is active for this action (by default it is), an entry for that add should be seen on the AUDITLOG.
Additional information contained in the log record is:
JobId      The job ID from where the event record was created.
ASID       The ASID of the job from where the event record was created.
Terminal   The terminal name from where the event record was created.
Interface  The interface name from where the event record was created.
Profile    The profile name of the user that created the event record.
SecGroup   The security group of the user that created the event record.
UserName   The user name that created the event record.
Type       The record type.
Length     The record length.
To turn off auditing, use the AUDITDEF command to set entries ACTIVE or INACTIVE as desired.
To make all entries inactive, enter the following commands from the AUDITDEF display:
FILL ACTIVE INACTIVE 1-9999
SAVE