Configuring auditing on a monitoring server

Auditing captures significant events occurring in your site's monitoring environment and records them in permanent storage for later retrieval and analysis. Each audit record fully describes some event that has changed the state of your monitoring environment: authorization and authentication failures (such as those that allow or disallow the execution of Take Action commands), and major and minor state changes (though they do not reflect the minor service messages stored in the RAS logs). You can configure the Tivoli Enterprise Monitoring Server running on z/OS to write audit records to the z/OS System Management Facility (SMF). This configuration enables you to use SMF to integrate OMEGAMON events with the event data recorded by other products and components that run on your z/OS system. You can extract OMEGAMON XE audit record data from SMF data sets (or from the archives of such data sets) for analysis of performance or resource utilization, and for validation of security events (authorization and authentication).

About this task

Initially, the auditing function is turned off by default on all Tivoli Management Services nodes. In the RTE configuration profile, set the following parameters to control the audit function:

KDS_AUDIT_TRACE

This parameter is used to enable or disable auditing collection in SMF and set the level of tracing. Message trace levels (from low to high) are X (Disabled), M (Minimum), B (Basic), and D (Detail). Higher levels imply all lower levels.

KDS_AUDIT_MAX_HIST

This parameter specifies the maximum number of entries kept in the in-memory cache for direct queries. Possible values are 10–1000.

KDS_AUDIT_ITM_DOMAIN

This parameter specifies an identifier that may be used to associate audit records. Possible value is a string of up to 32 characters.

For more information on auditing, see Auditing in the Planning section.