Steps for diagnosing the cause for missing ZERT audit records
Determine the cause for missing ZERT audit records.
When a connection maps to a zERT rule whose action is audit, zERT policy-based enforcement writes a zERT connection detail record (SMF type 119, subtype 11) with the 'zERT Enforcement' event type (SMF119SC_SAEvent_Type is 0x07) to SMF, to the NMI, or to both, depending on the TCP/IP configuration.
Procedure
Perform the following steps:
- If no TCP connections are mapping to ZERT rules in the stack, ensure that the zERT discovery function is enabled in the stack.
  - Message EZZ8564I is issued when ZERT policy is installed in the TCP/IP stack and the zERT discovery function is not enabled in the stack. See EZZ8564I in z/OS Communications Server: IP Messages Volume 4 (EZZ, SNM) for more information.

    EZZ8564I NO ZERT POLICY WILL BE ENFORCED FOR tcpname BECAUSE ZERT FUNCTION IS NOT ENABLED

  - Use the Netstat CONFIG/-f command to determine the current setting of ZERT.
  - If zERT discovery is not enabled, specify ZERT on the GLOBALCONFIG statement in the TCP/IP profile data set to enable the zERT discovery function. For more information, see GLOBALCONFIG statement in z/OS Communications Server: IP Configuration Reference.
- Ensure that a destination is selected for the zERT connection detail SMF records that zERT policy-based enforcement writes.
  - Message EZZ8565I is issued during a policy update when neither ZERTDETAILBYPOLICY nor ZERTSERVICEBYPOLICY is enabled in the stack. See EZZ8565I in z/OS Communications Server: IP Messages Volume 4 (EZZ, SNM) for more information.

    EZZ8565I NO AUDIT RECORD WILL BE WRITTEN BY ZERT POLICY ENFORCEMENT FOR tcpname - ZERTDETAILBYPOLICY AND ZERTSERVICEBYPOLICY NOT ENABLED

  - If you want the policy-driven zERT connection detail records (SMF 119 subtype 11, event type 7) to be written to the z/OS® System Management Facility, specify the SMFCONFIG TYPE119 ZERTDETAILBYPOLICY parameter in the TCP/IP profile data set.
    Note: You must also have the recording of SMF 119 records specified in your SMF parmlib member.
  - If you use a network management application that consumes policy-driven zERT connection detail SMF records through the real-time zERT Detail NMI service (SYSTCPER), specify the NETMONITOR ZERTSERVICEBYPOLICY parameter in the TCP/IP profile data set.
    Note: The SYSTCPER service also provides zERT connection detail SMF records that describe the cryptographic protection attributes at TCP and Enterprise Extender (EE) connection initiation or termination, or whenever the cryptographic protection attributes change during the lifetime of the connection. This data is enabled with the NETMONITOR ZERTSERVICE parameter in the TCP/IP profile data set.
    See Selecting a destination for zERT discovery SMF records in z/OS Communications Server: IP Configuration Guide. See SMFCONFIG statement and NETMONITOR statement in z/OS Communications Server: IP Configuration Reference for more information.
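The procedure above reduces to two conditions on the TCP/IP profile: zERT discovery must be on (GLOBALCONFIG ZERT) and at least one destination for the policy-driven records must be selected (SMFCONFIG TYPE119 ZERTDETAILBYPOLICY and/or NETMONITOR ZERTSERVICEBYPOLICY). The following Python script is an added example, not part of this IBM documentation, that applies those two checks to the text of a profile data set before you look for the EZZ8564I / EZZ8565I messages. It assumes that ';' begins a comment, that a later GLOBALCONFIG NOZERT overrides an earlier ZERT, and that the small, hand-picked set of statement names in STATEMENTS is enough to delimit the statements being inspected; the three sample profiles are constructed for the example.

```python
"""Check a TCP/IP profile for the prerequisites of policy-driven zERT
connection detail records (SMF 119 subtype 11, event type 7).

Added example; assumptions are noted inline."""

# Statement names that start a new profile statement.  A non-exhaustive,
# hand-picked set (assumption): enough to delimit the statements inspected.
STATEMENTS = {
    "GLOBALCONFIG", "SMFCONFIG", "NETMONITOR", "IPCONFIG", "IPCONFIG6",
    "TCPCONFIG", "UDPCONFIG", "PORT", "DEVICE", "LINK", "INTERFACE",
    "HOME", "START", "AUTOLOG", "ENDAUTOLOG", "SACONFIG",
}


def tokenize(profile_text):
    """Strip ';' comments and return upper-cased tokens in profile order."""
    tokens = []
    for line in profile_text.splitlines():
        line = line.split(";", 1)[0]   # ';' starts a comment in a TCP/IP profile
        tokens.extend(t.upper() for t in line.split())
    return tokens


def statements(tokens):
    """Group tokens into (statement_name, [parameters]) pairs."""
    result = []
    current = None
    for t in tokens:
        if t in STATEMENTS:
            current = (t, [])
            result.append(current)
        elif current is not None:
            current[1].append(t)
    return result


def check_zert_enforcement_prereqs(profile_text):
    """Return whether the stack can write 'zERT Enforcement' audit records.

    Later GLOBALCONFIG statements override earlier ones, so the last
    ZERT / NOZERT setting wins.  Either destination parameter suffices.
    """
    zert_discovery = smf_dest = nmi_dest = False
    for name, params in statements(tokenize(profile_text)):
        if name == "GLOBALCONFIG":
            for p in params:
                if p == "ZERT":
                    zert_discovery = True
                elif p == "NOZERT":
                    zert_discovery = False
        elif name == "SMFCONFIG":
            # ZERTDETAILBYPOLICY is a TYPE119 sub-parameter: require it after TYPE119
            if "TYPE119" in params and \
                    "ZERTDETAILBYPOLICY" in params[params.index("TYPE119"):]:
                smf_dest = True
        elif name == "NETMONITOR" and "ZERTSERVICEBYPOLICY" in params:
            nmi_dest = True

    findings = []
    if not zert_discovery:
        findings.append("zERT discovery not enabled: add GLOBALCONFIG ZERT "
                        "(EZZ8564I is expected when the policy is installed)")
    if not (smf_dest or nmi_dest):
        findings.append("no destination for policy-driven records: add SMFCONFIG "
                        "TYPE119 ZERTDETAILBYPOLICY and/or NETMONITOR "
                        "ZERTSERVICEBYPOLICY (EZZ8565I is expected at policy update)")
    return {"zert_discovery": zert_discovery, "smf_destination": smf_dest,
            "nmi_destination": nmi_dest, "findings": findings}


# Constructed sample profiles (not taken from any real system).
PROFILE_MISSING_DEST = """
GLOBALCONFIG ZERT            ; discovery on, but no audit destination selected
SMFCONFIG TYPE119 TCPINIT TCPTERM
NETMONITOR SMFSERVICE
"""
PROFILE_OK = """
GLOBALCONFIG ZERT AGGREGATION
SMFCONFIG TYPE119 ZERTDETAILBYPOLICY
NETMONITOR ZERTSERVICEBYPOLICY
"""
PROFILE_NOZERT = """
GLOBALCONFIG ZERT
GLOBALCONFIG NOZERT          ; later statement overrides the earlier one
SMFCONFIG TYPE119 ZERTDETAILBYPOLICY
"""

if __name__ == "__main__":
    for label, text in [("missing destination", PROFILE_MISSING_DEST),
                        ("ok", PROFILE_OK), ("nozert", PROFILE_NOZERT)]:
        print(label, "->", check_zert_enforcement_prereqs(text)["findings"])
```

The script only covers the TCP/IP profile side of the checklist; the SMF parmlib requirement (recording of type 119 records) and the Netstat CONFIG/-f view of the active stack still have to be verified on the system itself.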