FILTER command
The filter criteria are used to limit the amount of data collected in the in-memory buffers for further processing. By using the FILTER command, it is possible to eliminate unused events early in the process, thus increasing the overall efficiency. If there are no SMF and WTO filter criteria specified, all SMF records and WTO messages are collected for further processing. To avoid this situation, the zSecure Alert User Interface will generate dummy filters that do not match any event. The FILTER command has the following syntax:
The following section describes the possible keywords and parameters.
- ADDSMF
- Specifies the additional filter criterion to be used for SMF-records. You can repeat the FILTER command to specify as many filter criteria as you need. The criterion you specify is added to the already active criteria. The SMF-record type to be selected is specified by the rectype and subtype parameters.
The available suboptions are:
- Allsubtype
- Specifies that all SMF-record subtypes are included in the record filter (default). This specification can also be interpreted as the absence of any filtering on subtype. Subtypes are used only for SMF-record types 30, 80, 92, and ACF2. For all other SMF-record types, the subtype specification is ignored.
- Rectype
- Specifies the SMF-record type that must be selected or that must no longer be selected. The rectype parameter must have a numeric value 0 - 2047, or the value ACF2 to specify records generated by ACF2.
- Subtype
- Specifies the SMF-record subtype that must be selected. The subtype is only used for SMF-record types 30, 80, 92, and ACF2. For all other SMF-record types, the subtype is ignored. The value of subtype must be numeric or a single alphabetic character. The subtype is interpreted as follows:
- Rectype 30
- The subtype is the standard SMF-record subtype. Although currently SMF-Record type 30 only has defined subtypes 1 to 5, the range accepted by zSecure Alert is 1 - 8.
- Rectype 80
- The subtype is the RACF® event code. For a complete list of RACF event codes, see RACF Auditor's guide. The range of values accepted by zSecure Alert is 1 - 255.
- Rectype 92
- The subtype is the standard SMF-record subtype. Although SMF-Record type 92 currently has defined only subtypes 1 - 17, the range accepted by zSecure Alert is 1 - 255.
- Rectype ACF2
- The subtype is the ACF2 record type. For a complete list of ACF2 subtypes, see zSecure CARLa SELECT/LIST Fields; see the ACF2_SUBTYPE field in NEWLIST TYPE=SMF.
- Nosubtype
- Specifies that the SMF-record subtype, as described previously for the Subtype keyword, must not be used as a selection criterion. Use of this keyword resets all subtypes previously specified for the indicated rectype.
- DELSMF
- Specifies that you no longer want the specified SMF-record type to be selected. The SMF-record type is identified by the rectype parameter only. It is not possible to deactivate SMF-record selection per subtype.
- ADDWTO
- Specifies the filter criteria used for the WTO-messages. You can specify up to 24 different filter criteria. Although you can specify message prefixes starting with C2P, most of the C2P messages are not captured. Only messages C2P0100, C2P0335, and the range C2P0900 to C2P0999 can be captured and used to trigger alerts.
- DELWTO
- Specifies that you no longer want WTO message selection to occur for messages starting with prefix-chars.
- Prefix
- Specifies the first characters of the WTO message identifier. If you want to include all ICH messages, simply specify ICH. If you only want to include ICH408I messages, specify the full seven (7) characters of the message identifier. The maximum length of the message prefix is eight (8) characters. The minimum length is one (1) character.
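
The limits described above can be checked before a set of filter criteria is deployed, so that a criterion that is silently ignored or that can never capture a message is caught early. The following Python sketch is an added example, not IBM code and not FILTER command syntax; the function names and the tuple and list input layout are assumptions made for illustration.

```python
# Added example: validates planned filter criteria against the limits on this page.
# The Python data layout (tuples, lists) is an assumption, not FILTER command syntax.
SUBTYPE_RANGE = {30: (1, 8), 80: (1, 255), 92: (1, 255)}  # accepted ranges per rectype
MAX_WTO_CRITERIA = 24
# Only these C2P messages can be captured: C2P0100, C2P0335, C2P0900 to C2P0999.
CAPTURABLE_C2P = {"C2P0100", "C2P0335"} | {f"C2P{n:04d}" for n in range(900, 1000)}


def check_smf(rectype, subtype=None):
    """Return problems found in one SMF criterion; an empty list means it is acceptable."""
    if rectype != "ACF2" and not (isinstance(rectype, int) and 0 <= rectype <= 2047):
        return [f"rectype {rectype!r}: must be 0 - 2047 or ACF2"]
    if subtype is None:
        return []
    text = str(subtype)
    if not (text.isdigit() or (len(text) == 1 and text.isalpha())):
        return [f"subtype {subtype!r}: must be numeric or one alphabetic character"]
    if rectype == "ACF2":
        return []  # the valid ACF2 subtypes are listed with the ACF2_SUBTYPE field
    if rectype not in SUBTYPE_RANGE:
        return [f"rectype {rectype}: subtype {subtype} is ignored for this record type"]
    low, high = SUBTYPE_RANGE[rectype]
    if not (text.isdigit() and low <= int(text) <= high):
        return [f"rectype {rectype}: subtype {subtype} is outside {low} - {high}"]
    return []


def check_wto(prefixes):
    """Return problems found in a list of WTO message prefixes."""
    problems = []
    if len(prefixes) > MAX_WTO_CRITERIA:
        problems.append(f"{len(prefixes)} WTO criteria: at most {MAX_WTO_CRITERIA} allowed")
    for prefix in prefixes:
        if not 1 <= len(prefix) <= 8:
            problems.append(f"prefix {prefix!r}: length must be 1 - 8 characters")
        # Assumption: only the first seven characters are compared, because the page
        # gives the capturable C2P identifiers as seven-character values.
        elif prefix.startswith("C2P") and not any(
            msg.startswith(prefix[:7]) for msg in CAPTURABLE_C2P
        ):
            problems.append(f"prefix {prefix!r}: matches no C2P message that can be captured")
    return problems


if __name__ == "__main__":
    # Constructed sample criteria, not taken from a real configuration.
    for rectype, subtype in [(80, 1), (30, 9), (14, 2), (4096, None), ("ACF2", "L")]:
        print(rectype, subtype, check_smf(rectype, subtype) or "ok")
    print(check_wto(["ICH", "ICH408I", "C2P09", "C2P02", "IRR012345"]))
```
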