100-second glimpse of zERT: http://ibm.biz/zerttotherescue
Learn about zERT aggregation on IBM Knowledge Center: zERT aggregation
As we discussed in a previous article, zERT discovery gives z/OS network administrators a way to effectively monitor z/OS network security status. However, workloads that consist of large numbers of frequent short-lived connections could generate huge volumes of zERT subtype 11 records. Although some measures are already taken in zERT discovery to reduce the number of records, these measures may be insufficient in environments that manage thousands of connections per hour or minute.
zERT aggregation summarizes the repetitive use of security sessions over time. Security sessions are summarized from the server’s perspective (based on server IP address, server port, and client IP address), regardless of whether z/OS is the client or the server. For Enterprise Extender traffic, they are always summarized from the local z/OS peer’s perspective. Summaries are written at the end of each SMF interval through new SMF 119 zERT summary (subtype 12) records which contain:
With aggregation, the data recorded across a large number of SMF 119 subtype 11 records can be greatly condensed into a small set of SMF 119 subtype 12 records.
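To make the server-perspective keying concrete, here is an added Python model (not IBM code, and not the real SMF 119 binary layout) that folds constructed per-connection records, each tagged with whether z/OS accepted or initiated the connection, into summary keys the way the text describes: by server IP address, server port and client IP address, plus the protection in use, counting connections per interval. Field names and the sample addresses are assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed stand-in for the fields a per-connection (subtype 11 style)
# record would carry; a simplified model, not the real SMF record layout.
@dataclass(frozen=True)
class ConnectionDetail:
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    zos_is_server: bool      # True when the z/OS stack accepted the connection
    protection: str          # e.g. "TLSv1.2/AES128", "IPsec", "none"


def summary_key(rec: ConnectionDetail) -> tuple:
    """Key from the server's perspective regardless of the z/OS role."""
    if rec.zos_is_server:
        server_ip, server_port, client_ip = rec.local_ip, rec.local_port, rec.remote_ip
    else:
        server_ip, server_port, client_ip = rec.remote_ip, rec.remote_port, rec.local_ip
    return (server_ip, server_port, client_ip, rec.protection)


def aggregate(records) -> dict:
    """Fold per-connection records into per-interval summary counts."""
    summary = defaultdict(int)
    for rec in records:
        summary[summary_key(rec)] += 1
    return dict(summary)


def unprotected_summaries(summary: dict) -> list:
    """Pick out summary keys whose traffic carried no recognised protection."""
    return sorted(k for k in summary if k[3] == "none")


# Constructed sample: four short-lived inbound TLS connections from one client,
# one inbound cleartext connection, and two outbound connections to the same
# remote service (z/OS acting as the client, using ephemeral local ports).
SAMPLE = [
    ConnectionDetail("10.1.1.5", 4443, "10.2.2.9", 51000 + i, True, "TLSv1.2/AES128")
    for i in range(4)
] + [
    ConnectionDetail("10.1.1.5", 21, "10.2.2.9", 51004, True, "none"),
    ConnectionDetail("10.1.1.5", 60001, "10.3.3.7", 443, False, "TLSv1.2/AES128"),
    ConnectionDetail("10.1.1.5", 60002, "10.3.3.7", 443, False, "TLSv1.2/AES128"),
]

if __name__ == "__main__":
    for key, count in sorted(aggregate(SAMPLE).items()):
        print(key, count)
```

Seven per-connection records collapse to three summary keys; the two outbound connections share one key because the remote host is treated as the server, and the cleartext summary is the one a reviewer would look at first.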
All parameters can be dynamically enabled or disabled and are exposed in the z/OSMF-based Configuration Assistant for Communications Server under the TCP/IP profile perspective.
The general layout of the subtype 12 record is illustrated in the graphic at the top of this blog entry.
For a detailed description of the zERT Summary (SMF 119 subtype 12) record, see z/OS Communications Server: IP Programmer’s Guide in IBM Knowledge Center.
You have options!
With zERT discovery and aggregation in place, you now have the option of collecting the lower-volume zERT Summary records on an ongoing basis to maintain a constant watch on your z/OS network protection posture. Then, when you need to do more in-depth investigation of specific traffic patterns, you can enable the recording of the per-connection zERT Connection Detail records.