Steps for diagnosing the cause for missing ZERT audit records

Determine the cause of missing zERT audit records.

When a connection maps to a ZERT rule with audit action specified, zERT policy-based enforcement writes a zERT connection detail record (SMF type 119, subtype 11) with 'zERT Enforcement' event type (where SMF119SC_SAEvent_Type is 0x07) to SMF and/or NMI depending on the TCP/IP configuration.

Procedure

Perform the following steps:
  1. If no TCP connections are mapping to ZERT rules in the stack, ensure that the zERT discovery function is enabled in the stack.
  2. Ensure a destination is selected for zERT connection detail SMF records to be recorded by zERT policy-based enforcement.
    • Message EZZ8565I is issued during a policy update when ZERTDETAILBYPOLICY and ZERTSERVICEBYPOLICY are not enabled in the stack.
      EZZ8565I NO AUDIT RECORD WILL BE WRITTEN BY ZERT POLICY ENFORCEMENT FOR tcpname - ZERTDETAILBYPOLICY AND ZERTSERVICEBYPOLICY NOT ENABLED
      See EZZ8565I in z/OS Communications Server: IP Messages Volume 4 (EZZ, SNM) for more information.
    • If you want the policy-driven zERT connection detail records (SMF 119 subtype 11, event type 7) to be written to the z/OS® System Management Facility, specify the SMFCONFIG TYPE119 ZERTDETAILBYPOLICY parameter in the TCP/IP profile data set.
      Note: You must also have the recording of SMF 119 records specified in your SMF parmlib member.
    • If you use a network management application that consumes policy-driven zERT connection detail SMF records through the real-time zERT Detail NMI service (SYSTCPER), specify the NETMONITOR ZERTSERVICEBYPOLICY parameter in the TCP/IP profile data set.
      Note: SYSTCPER service also provides zERT connection detail SMF records that describe the cryptographic protection attributes at TCP and Enterprise Extender (EE) connection initiation or termination or whenever the cryptographic protection attributes change during the lifetime of the connection. This data is enabled with the NETMONITOR ZERTSERVICE parameter in the TCP/IP profile data set.

      See Selecting a destination for zERT discovery SMF records in z/OS Communications Server: IP Configuration Guide. See SMFCONFIG statement and NETMONITOR statement in z/OS Communications Server: IP Configuration Reference for more information.
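The following checker is an added example, not IBM code and not part of this document. It reads the text of a TCP/IP profile data set and reports whether either destination for policy-driven zERT connection detail records is selected (SMFCONFIG TYPE119 ZERTDETAILBYPOLICY or NETMONITOR ZERTSERVICEBYPOLICY), so that an administrator can predict EZZ8565I before the next policy update. It assumes a simplified profile syntax (blank-delimited keywords, `;` starts a comment, only the listed statement names end a statement), assumes that NO-prefixed forms of the two parameters switch them off, and takes the SMFPRMxx record types as a separately supplied set because that information is not in the profile. The sample profiles are constructed.

```python
"""Checker for policy-driven zERT connection detail record destinations.

Added example (not IBM's code). Given the text of a TCP/IP profile data set,
report whether SMFCONFIG TYPE119 ZERTDETAILBYPOLICY and/or NETMONITOR
ZERTSERVICEBYPOLICY are in effect, and therefore whether zERT policy-based
enforcement has a destination for its audit records or would issue EZZ8565I.
"""

# Assumption: statements are free-form, blank-delimited keywords and ';' starts
# a comment to end of line. Only these statement names are treated as statement
# boundaries; a real profile contains many more statements than this.
STATEMENT_KEYWORDS = {"SMFCONFIG", "NETMONITOR", "GLOBALCONFIG", "IPCONFIG",
                      "TCPCONFIG", "PORT", "ENDPORT", "DEVICE", "LINK", "HOME"}


def _tokens(profile_text):
    """Upper-cased keyword tokens of the profile with comments removed."""
    toks = []
    for line in profile_text.splitlines():
        toks.extend(line.split(";", 1)[0].upper().split())
    return toks


def zert_audit_destinations(profile_text, smfprm_types=frozenset()):
    """Evaluate where policy-driven zERT detail records (SMF 119.11, event 7) go.

    smfprm_types: SMF record types recorded according to the SMFPRMxx member
    (supplied by the caller; the profile cannot tell us this).
    Returns a dict of findings plus a list of suggested configuration actions.
    """
    smf_by_policy = nmi_by_policy = False
    current = type_group = None
    for tok in _tokens(profile_text):
        if tok in STATEMENT_KEYWORDS:          # a new statement starts
            current, type_group = tok, None
            continue
        if current == "SMFCONFIG":
            if tok in ("TYPE118", "TYPE119"):  # SMFCONFIG groups parameters by record type
                type_group = tok
            elif type_group == "TYPE119" and tok == "ZERTDETAILBYPOLICY":
                smf_by_policy = True
            elif type_group == "TYPE119" and tok == "NOZERTDETAILBYPOLICY":  # assumed NO-form
                smf_by_policy = False
        elif current == "NETMONITOR":
            if tok == "ZERTSERVICEBYPOLICY":
                nmi_by_policy = True
            elif tok == "NOZERTSERVICEBYPOLICY":                             # assumed NO-form
                nmi_by_policy = False

    findings = {
        "smf_destination": smf_by_policy,
        "nmi_destination": nmi_by_policy,
        "ezz8565i_expected": not (smf_by_policy or nmi_by_policy),
        "smfprm_records_type119": 119 in smfprm_types,
        "actions": [],
    }
    if findings["ezz8565i_expected"]:
        findings["actions"].append(
            "No destination selected: add SMFCONFIG TYPE119 ZERTDETAILBYPOLICY "
            "and/or NETMONITOR ZERTSERVICEBYPOLICY to the TCP/IP profile.")
    if smf_by_policy and 119 not in smfprm_types:
        findings["actions"].append(
            "SMF destination selected but type 119 is not recorded by SMFPRMxx.")
    return findings


# Constructed sample: discovery is on and discovery detail records are enabled,
# but neither policy-driven destination is selected, so EZZ8565I is expected.
PROFILE_MISSING = """
GLOBALCONFIG ZERT                 ; zERT discovery enabled
SMFCONFIG TYPE119 ZERTDETAIL      ; discovery detail records only
NETMONITOR ZERTSERVICE            ; discovery records on SYSTCPER only
"""

# Constructed sample: both policy-driven destinations selected.
PROFILE_FIXED = """
GLOBALCONFIG ZERT
SMFCONFIG TYPE119 ZERTDETAIL
          ZERTDETAILBYPOLICY      ; policy-driven detail records to SMF
NETMONITOR ZERTSERVICE ZERTSERVICEBYPOLICY   ; and to SYSTCPER
"""

if __name__ == "__main__":
    for name, prof in (("missing", PROFILE_MISSING), ("fixed", PROFILE_FIXED)):
        print(name, zert_audit_destinations(prof, {119}))
```

Running the script prints the findings for both constructed profiles; the first reports `ezz8565i_expected` as true even though ZERTDETAIL and ZERTSERVICE are present, which is the distinction between discovery records and policy-driven records that the procedure above relies on.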