Description:
The new AUDIT component of CA SYSVIEW r12.0 is automatically started at STC initialization and creates Audit Event records for the pre-defined system-altering actions available in the product.
Solution:
The CA SYSVIEW Audit Event component lets you record events or actions occurring within CA SYSVIEW that change resources. You can then use the Audit Event displays to view and control the historical audit activities.
The AUDIT configuration information can be modified dynamically with the AUDITDEF command. It is saved to the Persistent Data Store when the AUDIT task is terminated, or it can be saved manually using the SAVE subcommand of the AUDITDEF command.
From the AUDITDEF command, you can change the options for each Audit Event. When the event occurs, you can do any or all of the following:
Write a record to SMF recording the event.
Write a record to the logstream recording the event.
Notify CA OPS/MVS of the event.
Issue a WTO message recording the event.
For example, if a user issues the ADD subcommand of the APFLIST primary command to add a dataset to the APFLIST, and AUDIT is active for this action (by default it is), you would see an entry on the AUDITLOG for that add.
Additional information contained in the log record is:
JobId      The job ID from where the event record was created.
ASID       The ASID of the job from where the event record was created.
Terminal   The terminal name from where the event record was created.
Interface  The interface name from where the event record was created.
Profile    The profile name of the user that created the event record.
SecGroup   The security group of the user that created the event record.
UserName   The user name that created the event record.
Type       The record type.
Length     The record length.
If you wish to turn off auditing, use the AUDITDEF command to set entries ACTIVE or INACTIVE as desired.
If you wish to make all entries inactive, enter the following commands from the AUDITDEF display:
FILL ACTIVE INACTIVE 1-9999
SAVE