Intervals

There are several relevant intervals:
  • Reporting interval, at which data analysis is performed and alerts are generated
  • Stage-1 (preprocessing) interval, at which the system environment is reassessed
  • "Average" interval, the time window used for "moving window" analysis
By default, data analysis is done every 60 seconds. You can increase this interval if you do not need near-real-time alert messages, or reduce it if you need a faster response.
Note: A new buffer is used for each reporting interval, so the reporting interval ties in with the buffer considerations explained in the next section.

The preprocessing subtask (also known as stage-1) obtains current information about the system environment and user attributes. By default, this task runs hourly. If you require more current information, you must process the security database and the CKFREEZE file more frequently. Processing the security database is relatively quick, but obtaining a new I/O configuration image is a costly process. zSecure Collect is typically scheduled to run once a day at a particular time to refresh the full CKFREEZE file. However, zSecure Alert can also dispatch this task when you issue the operator command MODIFY C2POLICE,COLLECT. At the preprocessing interval, zSecure Alert can also create a small CKFREEZE snapshot of a subset of the system environment. This small snapshot is taken and processed only if extended monitoring is active; it is not intended for any other process.

As part of SMF processing, the CKRCARLA program retains certain SMF data in order to complete other SMF records that lack this data. An example is the user ID for SMF record type 15. By default, refreshing the environment information involves stopping and restarting the CKRCARLA subtask. As a result, the retained information is lost and must be re-established, which often causes the affected fields to be reported as missing. You can retain the information for a longer period by specifying the REFRESHMODE(INTERNAL) option (see RefreshMode). With this option, the necessary SMF information is kept until the C2POLICE started task is stopped or restarted.

Some averaging alerts with thresholds might use a time window that is larger than the reporting interval. For these alerts, SMF records are kept in history buffers for a longer period, for example five times the reporting interval. This long-term analysis interval can also be adjusted to suit your reporting needs.
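The following Python model is an added illustration of the two mechanisms described above (one buffer per reporting interval, plus a bounded history of earlier buffers for averaging alerts); it is not zSecure Alert code and does not reproduce its configuration syntax. The event layout, the `LOGON_FAILURE` kind label, the user IDs and the timestamps are all constructed sample data, and the assumption that the five-interval window includes the interval currently being filled is mine.

```python
from collections import Counter, deque
from dataclasses import dataclass

REPORTING_INTERVAL = 60   # seconds; the default reporting interval named on the page
HISTORY_INTERVALS = 5     # "five times the reporting interval" (assumed to include the current one)


@dataclass(frozen=True)
class Event:
    """A minimal stand-in for an SMF-derived event (constructed, not a real SMF layout)."""
    timestamp: int   # seconds since monitor start
    user: str
    kind: str        # hypothetical event kind label, e.g. "LOGON_FAILURE"


class IntervalMonitor:
    """One buffer per reporting interval; closed buffers are retained for a bounded history."""

    def __init__(self, interval=REPORTING_INTERVAL, history=HISTORY_INTERVALS):
        self.interval = interval
        self.current_index = 0
        self.current = []                            # buffer for the interval being filled now
        self.history = deque(maxlen=history - 1)     # closed buffers; the oldest drops off automatically

    def ingest(self, event):
        idx = event.timestamp // self.interval
        while idx > self.current_index:              # roll over any intervals that passed, even empty ones
            self.close_interval()
        self.current.append(event)                   # late-arriving events simply land in the current buffer

    def close_interval(self):
        """Called at the reporting interval boundary: retire the buffer and start a fresh one."""
        self.history.append(self.current)
        self.current = []
        self.current_index += 1

    def _counts(self, buffers, kind):
        return Counter(e.user for buf in buffers for e in buf if e.kind == kind)

    def interval_alert(self, kind, threshold):
        """Per-interval alert: users whose count in the current buffer alone meets the threshold."""
        counts = self._counts([self.current], kind)
        return sorted(u for u, n in counts.items() if n >= threshold)

    def window_alert(self, kind, threshold):
        """Averaging alert: users whose count over the retained history plus the current buffer meets it."""
        counts = self._counts(list(self.history) + [self.current], kind)
        return sorted(u for u, n in counts.items() if n >= threshold)


# Constructed sample: USER01 fails three times per minute for five minutes (15 events total),
# which never trips a per-interval threshold of 5 but does exceed a five-minute threshold of 10.
SAMPLE_EVENTS = [Event(t, "USER01", "LOGON_FAILURE") for t in range(0, 300, 20)]


def run_sample():
    mon = IntervalMonitor()
    for ev in SAMPLE_EVENTS:
        mon.ingest(ev)
    steady = (mon.interval_alert("LOGON_FAILURE", 5), mon.window_alert("LOGON_FAILURE", 10))

    # A burst: USER02 fails five times within ten seconds inside the current interval.
    for t in range(290, 300, 2):
        mon.ingest(Event(t, "USER02", "LOGON_FAILURE"))
    burst = (mon.interval_alert("LOGON_FAILURE", 5), mon.window_alert("LOGON_FAILURE", 10))

    # Ten minutes later an unrelated event arrives; every buffer holding the failures has aged out.
    mon.ingest(Event(600, "USER03", "LOGON_SUCCESS"))
    aged = (mon.interval_alert("LOGON_FAILURE", 5), mon.window_alert("LOGON_FAILURE", 10))
    return steady, burst, aged


if __name__ == "__main__":
    for label, result in zip(("steady", "burst", "aged"), run_sample()):
        print(label, result)
```

The slow, spread-out failures are invisible to the per-interval check and only surface in the window check, while the burst is caught by the per-interval check alone; once enough reporting intervals pass, the history deque discards the old buffers and the window alert clears. Lengthening the history window trades memory (more retained buffers) for the ability to see slower patterns, which is the adjustment the page refers to.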