Discussion:
How to find what performed an OMVS unmount?
Add Reply
Peter Ten Eyck
2017-12-20 00:08:53 UTC
Reply
Permalink
Raw Message
I have an OMVS dataset that was mounted via a batch job on a z/OS 2.2 LPAR:

//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD *
PROF MSGID WTPMSG
MOUNT FILESYSTEM('CICSTS53.CICS.ESA1.HFS.FF') +
MODE(RDWR) TYPE(ZFS) NOAUTOMOVE +
MOUNTPOINT('/usr/lpp/cicsts53')

This job was run after the CICS region was already up and is used for CICS TS 5.3 web services. The web services were dynamically installed from this successfully mounted dataset and worked fine.

Sometime over night the dataset (file) became un-mounted. How can I determine what un-mounted the file? I do not see anything in the syslog or the CICS log. Can I use SMF to determine this, what record type would be used?

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
Lizette Koehler
2017-12-20 00:16:00 UTC
Reply
Permalink
Raw Message
Perhaps this will help

https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.1.0/com.ibm.zos.v2r1.bpxb200/smfdel.htm

SMF record type 92 provides reports of activities related to the z/OS® UNIX file system.

The File System I/O counts displayed in the ISHELL mount table is available if type 92 subtype 5 (unmount) is active at the time the file system was mounted. To avoid the overhead associated with recording type 92 subtype 10, 11, and 14 (open, close, delete or rename), adjust the parameters in SMPFPRMxx using the TYPE or NOTYPE operands to exclude the subtype 10, 11, and 14 records.

Lizette
-----Original Message-----
Behalf Of Peter Ten Eyck
Sent: Tuesday, December 19, 2017 5:10 PM
Subject: How to find what performed an OMVS unmount?
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD *
PROF MSGID WTPMSG
MOUNT FILESYSTEM('CICSTS53.CICS.ESA1.HFS.FF') +
MODE(RDWR) TYPE(ZFS) NOAUTOMOVE +
MOUNTPOINT('/usr/lpp/cicsts53')
This job was run after the CICS region was already up and is used for CICS TS
5.3 web services. The web services were dynamically installed from this
successfully mounted dataset and worked fine.
Sometime over night the dataset (file) became un-mounted. How can I determine
what un-mounted the file? I do not see anything in the syslog or the CICS
log. Can I use SMF to determine this, what record type would be used?
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
Peter Ten Eyck
2017-12-20 18:21:59 UTC
Reply
Permalink
Raw Message
Thanks. I am researching what software I have available to work with those records. I am wondering if I can use MXG to go against those type 92 records and find what performed the un-mount.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
Barry Merrill
2017-12-20 18:28:28 UTC
Reply
Permalink
Raw Message
Yes, MXG supports the all subtypes of the SMF type 92 records;
you'll may want the current MXG Version as IBM made recent changes
in those records, but primarily for z/OS 2.3.

Barry


Merrilly yours,

Herbert W. Barry Merrill, PhD
President-Programmer
Merrill Consultants
MXG Software
10717 Cromwell Drive technical questions: ***@mxg.com
Dallas, TX 75229
http://www.mxg.com admin questions: ***@mxg.com
tel: 214 351 1966
fax: 214 350 3694





-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-***@LISTSERV.UA.EDU] On Behalf Of Peter Ten Eyck
Sent: Wednesday, December 20, 2017 12:23 PM
To: IBM-***@LISTSERV.UA.EDU
Subject: Re: How to find what performed an OMVS unmount?

Thanks. I am researching what software I have available to work with those records. I am wondering if I can use MXG to go against those type 92 records and find what performed the un-mount.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
Steve Beaver
2017-12-20 19:06:56 UTC
Reply
Permalink
Raw Message
Barry - Are you still going to technical disclosure at IBM in NY?

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-***@LISTSERV.UA.EDU] On Behalf Of Barry Merrill
Sent: Wednesday, December 20, 2017 12:30 PM
To: IBM-***@LISTSERV.UA.EDU
Subject: Re: How to find what performed an OMVS unmount?

Yes, MXG supports the all subtypes of the SMF type 92 records; you'll may want the current MXG Version as IBM made recent changes in those records, but primarily for z/OS 2.3.

Barry


Merrilly yours,

Herbert W. Barry Merrill, PhD
President-Programmer
Merrill Consultants
MXG Software
10717 Cromwell Drive technical questions: ***@mxg.com
Dallas, TX 75229
http://www.mxg.com admin questions: ***@mxg.com
tel: 214 351 1966
fax: 214 350 3694





-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-***@LISTSERV.UA.EDU] On Behalf Of Peter Ten Eyck
Sent: Wednesday, December 20, 2017 12:23 PM
To: IBM-***@LISTSERV.UA.EDU
Subject: Re: How to find what performed an OMVS unmount?

Thanks. I am researching what software I have available to work with those records. I am wondering if I can use MXG to go against those type 92 records and find what performed the un-mount.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
Robert S. Hansel , RSH
2017-12-22 11:14:26 UTC
Reply
Permalink
Raw Message
Peter, (Resending with a proper Subject)

If this is a RACF protected system and depending on what audit settings were in effect, you might see an SMF 80 record for the unmount. The event code is 55. If you have SMF unload records available, look for event UMNTFSYS.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc. *** Celebrating our 25th Year ***
617-969-8211
www.linkedin.com/in/roberthansel
http://twitter.com/RSH_RACF
www.rshconsulting.com

-----Original Message-----
Date: Tue, 19 Dec 2017 18:10:10 -0600
From: Peter Ten Eyck <***@AMERICANNATIONAL.COM>
Subject: How to find what performed an OMVS unmount?

I have an OMVS dataset that was mounted via a batch job on a z/OS 2.2 LPAR:

//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD *
PROF MSGID WTPMSG
MOUNT FILESYSTEM('CICSTS53.CICS.ESA1.HFS.FF') +
MODE(RDWR) TYPE(ZFS) NOAUTOMOVE +
MOUNTPOINT('/usr/lpp/cicsts53')

This job was run after the CICS region was already up and is used for CICS TS 5.3 web services. The web services were dynamically installed from this successfully mounted dataset and worked fine.

Sometime over night the dataset (file) became un-mounted. How can I determine what un-mounted the file? I do not see anything in the syslog or the CICS log. Can I use SMF to determine this, what record type would be used?

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
Peter Ten Eyck
2017-12-22 15:52:34 UTC
Reply
Permalink
Raw Message
Yes, I tried using the zSecure product going against the SMF data for the time period, looking for activity against the mount point or the USS dataset name and did not find any RACF type records for the event.

That is what makes me think if there is an answer to be found, it may be in the type 92 records. The only tool I think I have to do this in MXG. I am not very proficient with that tool; it’s going to take me awhile to figure out how to generate a report of all the mount and un-mounts in USS for a specific period of time.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
Leonardo Vaz
2017-12-22 16:34:41 UTC
Reply
Permalink
Raw Message
You can use rexx to read the 92-5 records, here is what I would do:

//CREATREX EXEC PGM=IEBGENER
//SYSPRINT DD SYSOUT=*
//SYSIN DD DUMMY
//SYSUT2 DD DSN=&&PDS(REXX),UNIT=SYSALLDA,SPACE=(TRK,(1,1,1)),
// DISP=(NEW,PASS,DELETE),DCB=(LRECL=80,BLKSIZE=3120,RECFM=FB,DSORG=PO)
//SYSUT1 DD DATA,DLM=##
/* rexx */
DO i = 1 to 2000000
ADDRESS TSO "EXECIO 1 DISKR INDD (STEM record."
if rc <> 0 then leave
record.1 = '123'record.1 /* move right by three bytes to correct offset */
type = c2d(substr(record.1,5,1))
if type <> 92 then iterate
subtype = c2d(substr(record.1,22,2))
if subtype <> 5 then iterate
time = c2d(substr(record.1,6,4))
date = c2x(substr(record.1,10,4))
date = substr(date,3,5)
hour = right(time % 360000,2,'0')
time = time // 360000
minute = right(time % 6000,2,'0')
time = time // 6000
second = right(time % 100,2,'0')
time = hour':'minute':'second
out.1 = time date record.1
ADDRESS TSO "EXECIO 1 DISKW OUTDD (STEM OUT. FINIS"
END
exit
##
//EXECREXX EXEC PGM=IKJEFT01,PARM='REXX',REGION=0M
//SYSTSIN DD DUMMY
//SYSTSPRT DD SYSOUT=*
//SYSEXEC DD DSN=&&PDS,DISP=(OLD,DELETE,DELETE)
//INDD DD DISP=SHR,DSN=smf_dataset
//OUTDD DD SYSOUT=*,RECFM=VB,LRECL=32760

Regards,
Leo
Post by Peter Ten Eyck
Yes, I tried using the zSecure product going against the SMF data for the time period, looking for activity against the mount point or the USS dataset name and did not find any RACF type records for the event.
That is what makes me think if there is an answer to be found, it may be in the type 92 records. The only tool I think I have to do this in MXG. I am not very proficient with that tool; it’s going to take me awhile to figure out how to generate a report of all the mount and un-mounts in USS for a specific period of time.
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
Clark Morris
2017-12-22 18:52:09 UTC
Reply
Permalink
Raw Message
[Default] On 22 Dec 2017 07:52:34 -0800, in bit.listserv.ibm-main
Post by Peter Ten Eyck
Yes, I tried using the zSecure product going against the SMF data for the time period, looking for activity against the mount point or the USS dataset name and did not find any RACF type records for the event.
Would the unmount show up in SYSLOG or OPERLOG?

Clark Morris
Post by Peter Ten Eyck
That is what makes me think if there is an answer to be found, it may be in the type 92 records. The only tool I think I have to do this in MXG. I am not very proficient with that tool; it’s going to take me awhile to figure out how to generate a report of all the mount and un-mounts in USS for a specific period of time.
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
Andrew Rowley
2017-12-23 06:36:29 UTC
Reply
Permalink
Raw Message
Post by Peter Ten Eyck
That is what makes me think if there is an answer to be found, it may be in the type 92 records. The only tool I think I have to do this in MXG. I am not very proficient with that tool; it’s going to take me awhile to figure out how to generate a report of all the mount and un-mounts in USS for a specific period of time.
You are welcome to download a 30 day trial of EasySMF. The z/OS Unix
Filesystem Activity report probably has what you are looking for.

https://www.blackhillsoftware.com/easysmf/

Andrew Rowley
--
Andrew Rowley
Black Hill Software
***@blackhillsoftware.com

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
Barry Merrill
2017-12-23 16:46:48 UTC
Reply
Permalink
Raw Message
The site's MXG job found the SMF 92 records were not enabled, and there were
no RACF UNMOUNT 55 records found.

Barry


Merrilly yours,

Herbert W. Barry Merrill, PhD
President-Programmer
Merrill Consultants
MXG Software
10717 Cromwell Drive technical questions: ***@mxg.com
Dallas, TX 75229
http://www.mxg.com admin questions: ***@mxg.com
tel: 214 351 1966
fax: 214 350 3694



-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-***@LISTSERV.UA.EDU] On Behalf Of Andrew Rowley
Sent: Saturday, December 23, 2017 12:38 AM
To: IBM-***@LISTSERV.UA.EDU
Subject: Re: How to find what performed an OMVS unmount?
Post by Peter Ten Eyck
That is what makes me think if there is an answer to be found, it may be in the type 92 records. The only tool I think I have to do this in MXG. I am not very proficient with that tool; it’s going to take me awhile to figure out how to generate a report of all the mount and un-mounts in USS for a specific period of time.
You are welcome to download a 30 day trial of EasySMF. The z/OS Unix Filesystem Activity report probably has what you are looking for.

https://www.blackhillsoftware.com/easysmf/

Andrew Rowley

--
Andrew Rowley
Black Hill Software
***@blackhillsoftware.com

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
Jesse 1 Robinson
2017-12-22 19:02:09 UTC
Reply
Permalink
Raw Message
Somewhere I got the impression that a mounted file system could get unmounted by OMVS if it went long enough without being 'used'. If that happened, I don't know that any associated record would be cut. If I'm wrong, then never mind.

.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-543-6132 Office ⇐=== NEW
***@sce.com

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-***@LISTSERV.UA.EDU] On Behalf Of Clark Morris
Sent: Friday, December 22, 2017 10:53 AM
To: IBM-***@LISTSERV.UA.EDU
Subject: (External):Re: How to find what performed an OMVS unmount?
Post by Peter Ten Eyck
Yes, I tried using the zSecure product going against the SMF data for the time period, looking for activity against the mount point or the USS dataset name and did not find any RACF type records for the event.
Would the unmount show up in SYSLOG or OPERLOG?

Clark Morris
Post by Peter Ten Eyck
That is what makes me think if there is an answer to be found, it may be in the type 92 records. The only tool I think I have to do this in MXG. I am not very proficient with that tool; it’s going to take me awhile to figure out how to generate a report of all the mount and un-mounts in USS for a specific period of time.
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
Peter Hunkeler
2017-12-23 18:29:13 UTC
Reply
Permalink
Raw Message
Post by Jesse 1 Robinson
Somewhere I got the impression that a mounted file system could get unmounted by OMVS if it went long enough without being 'used'. If that happened, I don't know that any associated record would be cut. If I'm wrong, then never mind.
When the a directory is managed by automount, then file systems will be auto-mounted at first access. The automount policy offers an auto-unmount option.


Explicitly mounted file systems are not automagically unmounted ever.


--
Peter Hunkeler



----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
Jesse 1 Robinson
2017-12-23 19:07:44 UTC
Reply
Permalink
Raw Message
My reply to Jamie's note went directly to her for some reason...

So I’m sort of right but probably not germane here. We have this in /etc/auto.master :

/u /share/etc/auto.map.u
/home1 /share/etc/auto.map.home1

No mention here of UNMOUNT or DURATION. From experience I'm guessing that we get unmounted after some default duration.

.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-543-6132 Office ⇐=== NEW
***@sce.com


-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-***@LISTSERV.UA.EDU] On Behalf Of Peter Hunkeler
Sent: Saturday, December 23, 2017 10:30 AM
To: IBM-***@LISTSERV.UA.EDU
Subject: (External):AW: Re: How to find what performed an OMVS unmount?
Post by Jesse 1 Robinson
Somewhere I got the impression that a mounted file system could get unmounted by OMVS if it went long enough without being 'used'. If that happened, I don't know that any associated record would be cut. If I'm wrong, then never mind.
When the a directory is managed by automount, then file systems will be auto-mounted at first access. The automount policy offers an auto-unmount option.


Explicitly mounted file systems are not automagically unmounted ever.


--
Peter Hunkeler


----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
AlanWatthey , GMAIL
2017-12-25 06:27:11 UTC
Reply
Permalink
Raw Message
Jesse,

/etc/auto.master only contains pointers to other files.

Your parameters should all be in the two files you mention (in /share/etc). Of course there are defaults for certain parameters there.

Regards,
Alan Watthey

-----Original Message-----
From: Jesse 1 Robinson [mailto:***@SCE.COM]
Sent: 23 December 2017 10:09 pm
Subject: Re: How to find what performed an OMVS unmount?

My reply to Jamie's note went directly to her for some reason...

So I’m sort of right but probably not germane here. We have this in /etc/auto.master :

/u /share/etc/auto.map.u
/home1 /share/etc/auto.map.home1

No mention here of UNMOUNT or DURATION. From experience I'm guessing that we get unmounted after some default duration.

.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-543-6132 Office ⇐=== NEW
***@sce.com


-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-***@LISTSERV.UA.EDU] On Behalf Of Peter Hunkeler
Sent: Saturday, December 23, 2017 10:30 AM
To: IBM-***@LISTSERV.UA.EDU
Subject: (External):AW: Re: How to find what performed an OMVS unmount?
Post by Jesse 1 Robinson
Somewhere I got the impression that a mounted file system could get unmounted by OMVS if it went long enough without being 'used'. If that happened, I don't know that any associated record would be cut. If I'm wrong, then never mind.
When the a directory is managed by automount, then file systems will be auto-mounted at first access. The automount policy offers an auto-unmount option.


Explicitly mounted file systems are not automagically unmounted ever.


--
Peter Hunkeler


----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
Peter Ten Eyck
2017-12-27 19:02:25 UTC
Reply
Permalink
Raw Message
Thanks for the suggestion on this topic. I have discovered that the LPAR that this un-mount occurred on does not cut type 92 (USS) records so I will be unable to use them to figure what un-mounted my file.

Setting: SYS(NOTYPE(16:19,62:69,92)

With the help of MXG staff, I was able to run a MXG report looking for type 80 (RACF) sub type 55 records, I did not find any. To me this means that either there were no un-mounts during the time period of the input or no sub type 55 records are cut. Is the above setting what controls the sub type records cut? Type 80 is not excluded so it’s being cut, is the default all 80 sub types?

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
Andrew Rowley
2017-12-27 22:27:15 UTC
Reply
Permalink
Raw Message
Post by Peter Ten Eyck
Thanks for the suggestion on this topic. I have discovered that the LPAR that this un-mount occurred on does not cut type 92 (USS) records so I will be unable to use them to figure what un-mounted my file.
I also see type 42 records for the ZFS data component. If knowing when
the un-mount occured is helpful, the type 42 close statistics record
might tell you.
(EasySMF Dataset Activity report).

You can use Java to scan all SMF records for a string and print some
basic info:

import java.io.IOException;
import com.blackhillsoftware.smf.SmfRecordReader;

public class SmfSearch
{
    public static void main(String[] args) throws IOException
{
        try (SmfRecordReader reader = SmfRecordReader.fromDD("INPUT"))
{
reader.stream()
                // exclude types some we obviously don't want
                .filter(record -> record.recordType() != 100)
                .filter(record -> record.recordType() != 101)
                .filter(record -> record.recordType() != 102)
                .filter(record -> record.recordType() != 110)
                .filter(record ->
record.toString().contains("CICSTS53.CICS.ESA1.HFS.FF"))
.limit(1000)
                .forEach(record ->
                    System.out.format("%-24s %s %3d %3s%n",
record.smfDateTime(),
record.system(),
record.recordType(),
                        record.hasSubtypes() ?
                            Integer.toString(record.subType()) :
""));
}
System.out.println("Done");
}
}

On my system I saw only type 92 and 42 records for a ZFS.

Andrew Rowley
--
Andrew Rowley
***@blackhillsoftware.com

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
Robert S. Hansel , RSH
2017-12-28 12:10:27 UTC
Reply
Permalink
Raw Message
Peter,

The type 80 record doesn't have subtypes. 55 is an event code, and event code is a field in the 80 record. I do not know if MXG is aware of and can select records based on type 80 event codes. If your RACF team converts SMF 80 records to text format using RACF's SMF unload utility, you can try searching the unload file for UMNTFSYS events - the text equivalent of event code 55.

Various RACF auditing options determine whether such an event would be logged, and such options may not have been in effect when the event occurred, hence no record.

Since the NOTYPE ranges do not exclude 80 records, you are correct that they are being collected. Also look for SUBSYS settings that might be excluding them for certain subsystems.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc. *** Celebrating our 25th Year ***
617-969-8211
www.linkedin.com/in/roberthansel
http://twitter.com/RSH_RACF
www.rshconsulting.com

-----Original Message-----
Date: Wed, 27 Dec 2017 13:03:41 -0600
From: Peter Ten Eyck <***@AMERICANNATIONAL.COM>
Subject: Re: How to find what performed an OMVS unmount?

Thanks for the suggestion on this topic. I have discovered that the LPAR that this un-mount occurred on does not cut type 92 (USS) records so I will be unable to use them to figure what un-mounted my file.

Setting: SYS(NOTYPE(16:19,62:69,92)

With the help of MXG staff, I was able to run a MXG report looking for type 80 (RACF) sub type 55 records, I did not find any. To me this means that either there were no un-mounts during the time period of the input or no sub type 55 records are cut. Is the above setting what controls the sub type records cut? Type 80 is not excluded so it’s being cut, is the default all 80 sub types?

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
Barry Merrill
2017-12-28 17:54:38 UTC
Reply
Permalink
Raw Message
MXG creates a SUBTYPE for the many SMF records that contain a logical subtype
that is not contained in the standard SMF Header, including fields like the
SMF 80 RACF EVENT Code and the SMF 100-102 DB2 IFCID value.

Barry


Merrilly yours,

Herbert W. Barry Merrill, PhD
President-Programmer
Merrill Consultants
MXG Software
10717 Cromwell Drive technical questions: ***@mxg.com
Dallas, TX 75229
http://www.mxg.com admin questions: ***@mxg.com
tel: 214 351 1966
fax: 214 350 3694



-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-***@LISTSERV.UA.EDU] On Behalf Of Robert S. Hansel (RSH)
Sent: Thursday, December 28, 2017 6:12 AM
To: IBM-***@LISTSERV.UA.EDU
Subject: Re: How to find what performed an OMVS unmount?

Peter,

The type 80 record doesn't have subtypes. 55 is an event code, and event code is a field in the 80 record. I do not know if MXG is aware of and can select records based on type 80 event codes. If your RACF team converts SMF 80 records to text format using RACF's SMF unload utility, you can try searching the unload file for UMNTFSYS events - the text equivalent of event code 55.

Various RACF auditing options determine whether such an event would be logged, and such options may not have been in effect when the event occurred, hence no record.

Since the NOTYPE ranges do not exclude 80 records, you are correct that they are being collected. Also look for SUBSYS settings that might be excluding them for certain subsystems.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc. *** Celebrating our 25th Year ***
617-969-8211
www.linkedin.com/in/roberthansel
http://twitter.com/RSH_RACF
www.rshconsulting.com

-----Original Message-----
Date: Wed, 27 Dec 2017 13:03:41 -0600
From: Peter Ten Eyck <***@AMERICANNATIONAL.COM>
Subject: Re: How to find what performed an OMVS unmount?

Thanks for the suggestion on this topic. I have discovered that the LPAR that this un-mount occurred on does not cut type 92 (USS) records so I will be unable to use them to figure what un-mounted my file.

Setting: SYS(NOTYPE(16:19,62:69,92)

With the help of MXG staff, I was able to run a MXG report looking for type 80 (RACF) sub type 55 records, I did not find any. To me this means that either there were no un-mounts during the time period of the input or no sub type 55 records are cut. Is the above setting what controls the sub type records cut? Type 80 is not excluded so it’s being cut, is the default all 80 sub types?

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
Peter Ten Eyck
2017-12-28 15:28:43 UTC
Reply
Permalink
Raw Message
Thanks, that is an interesting SMF product using Java. We do not currently have that product, we have MXG. I went to you website and browsed a bit, the product looks powerful. Because we are licensed for MXG, I am really in a situation where I need to utilize it to the fullest to maximize our investment. Thanks for the information and recommendation.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
Peter Ten Eyck
2017-12-28 15:35:59 UTC
Reply
Permalink
Raw Message
Thanks for setting me straight on the difference between sub type and event code in the context of RACF. I will look into if there is a RACF unload for that time period and perhaps check with MXG about the handling of event codes as opposed to sub types.

You mentioned RACF auditing options that would control which RACF event codes are cut? Where is that controlled?

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
K***@WSDOT.WA.GOV
2017-12-28 17:54:57 UTC
Reply
Permalink
Raw Message
--------------------------------
Thank You for your E-mail

--------------------------------

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
Robert S. Hansel , RSH
2017-12-29 13:24:20 UTC
Reply
Permalink
Raw Message
Peter,

There are multiple RACF audit options that might come into play as discussed in our presentation on this topic. See (beware the line wrap):

http://www.rshconsulting.com/RSHpres/RSH_Consulting__RACF_Monitoring_&_Reporting__August_2017.pdf

Event Code 55 (UMNTFSYS) comes under Unix audit class FSOBJ.

Use caution in auditing Unix events because of the potential high volume of SMF records.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc. *** Celebrating our 25th Year ***
617-969-8211
www.linkedin.com/in/roberthansel
http://twitter.com/RSH_RACF
www.rshconsulting.com

-----Original Message-----
Date: Thu, 28 Dec 2017 09:37:17 -0600
From: Peter Ten Eyck <***@AMERICANNATIONAL.COM>
Subject: Re: How to find what performed an OMVS unmount?

Thanks for setting me straight on the difference between sub type and event code in the context of RACF. I will look into if there is a RACF unload for that time period and perhaps check with MXG about the handling of event codes as opposed to sub types.

You mentioned RACF auditing options that would control which RACF event codes are cut? Where is that controlled?

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
Loading...