Auditing and tracking with z/OS Connect

Audit and track requests with z/OS® Connect, which includes an interceptor that records data to the z/OS SMF data store.

About this task

You can enable the interceptor in z/OS Connect on a single or group of z/OS Connect services. The z/OS Connect audit interceptor records request activity to the SMF data store on z/OS operating systems. SMF type 120, subtype 11 records are generated.

The SMF data in the 120-11 record contains the standard header for SMF records. Then, there are two triplets. The first triplet points to the server identification section of which there is one instance. The second triplet points to the user data section of which there can be multiple instances.

The server data section consists of the following parameters: (values in decimal)
  • Offset Length Data
  • 0 4 Version (1)
  • 4 8 System name
  • 12 8 Sysplex name
  • 20 8 Job id(jsabjbid)
  • 28 8 Job name (jsabjbnm)
  • 36 8 SToken (assbstkn)
The user data consists of the following parameters (values in decimal):
  • Offset Length Data
  • 0 4 Version (1)
  • 4 4 Type
  • 8 4 Length of data (user data sections are 2 K, this field indicates how much of that is used)
  • 12 ? Data
The user data consists of the following parameters (values in decimal):

For z/OS Connect the user data type is 102 (decimal). The data contains the following parameters:

  • Offset length Data
  • 0 4 Version (3)
  • 4 8 Arrival time (STCK format)
  • 12 8 Completion time (STCK format)
  • 20 64 Target URI (EBCDIC, right padded with blanks)
  • 84 4 Input payload length in bytes
  • 88 64 Service name (EBCDIC, right padded with blanks)
  • 152 8 Method (EBCDIC)
  • 160 4 Respond length in bytes
  • 164 64 User name (EBCDIC, right padded with blanks)
  • 228 23 Request id (bytes, right padded with zeros)
  • 251 1 Boundary padding (zero)
  • 252 64 Service grouping name (EBCDIC, right-padded with blanks)
  • 316 8 Mapped user name (EBCDIC, right-padded with blanks) Only valid on version 3 or later.

Procedure

  1. Enable the z/OS Connect-provided audit interceptor for a service or set of services.
    The z/OS Connect-supplied audit interceptor implements the com.ibm.wsspi.zos.connect.Interceptor SPI to store auditing/tracking information in the z/OS System Management Facility (SMF) data sets. The following is an example that shows how to enable the audit interceptor for a single service:
    
    <!-- Audit interceptor configuration --> 
    <auditInterceptor id="auditInterceptor" sequence="1"/> 
    
    <!-- Interceptor list configuration --> 
    <zosConnectInterceptors id="interceptorList1" interceptorRef="auditInterceptor"/> 
    
    <!-- z/OS Connect service definitions -->   
    <zosConnectService id="zcs1" serviceName="recordOpsCreate" serviceRef="wolaOpsCreateService"        
    	interceptorsRef="interceptorList1"/>   
    
  2. Retrieve live statistic data.
    Feature start time, total number of service requests and the distribution of requests are available by using this operational capability. Valid authenticated clients are able to use a HTTP GET for one of the following URIs to retrieve statistics about the z/OS Connect server:
    • Get statistics for a single service:
      https://<hostname:port>/zosConnect/services/HelloWorld?action=getStatistics
    • Get statistics for all services in the server:
      https://<hostname:port>/zosConnect/operations/getStatistics
    • Get statistics for all services under a single service provider by specifying the provider=<service provider name> query parameter. For example to retrieve statistics for all services that are associated with the provider name of WOLA-1.0 use the following URL:
      https://<hostname:port>/zosConnect/operations/getStatistics?provider=WOLA-1.0" 
    • The response data is returned in JSON object format.