IBM Support

OA49585: INTENT NOT SHOWN FOR SMF TYPE 42 SUBTYPE 21, 24, 25

A fix is available

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • The INTENT field is to be added for SMF 42(21,24,25) as well as
    SMF type 119.
    

Local fix

  • not applicable
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED: Users of zSecure Audit exploiting SMF        *
    *                 reports, users of zSecure Audit exploiting   *
    *                 the software to prepare data for QRadar      *
    *                 SIEM.                                        *
    ****************************************************************
    * PROBLEM DESCRIPTION: zSecure Audit generates SMF reports     *
    *                      where the INTENT field for SMF records  *
    *                      type 42, subtypes 21,24, and 25 is      *
    *                      empty. QRadar LEEF files generated by   *
    *                      zSecure Audit are missing INTENT field  *
    *                      for some SMF types 42, 118, and 119     *
    *                      preventing to combine these types       *
    *                      together with RACF events (SMF type 80) *
    *                      into one QRadar report.                 *
    ****************************************************************
    * RECOMMENDATION: Apply the PTF provided.                      *
    ****************************************************************
    When zSecure Audit generates SMF report, the INTENT field for
    SMF types 42 (subtypes 21, 24, and 25) are always empty. QRadar
    LEEF files generated by zSecure Audit are missing INTENT field
    for SMF events 42 (subtypes 21, 24, and 24), 118 (subtypes 3,
    70, 71, 72, 73, 74, and 75), and 119 (subtypes 3, 4, 24, 70, 71,
    72, 96 and 97) preventing the combination of these SMF types
    with RACF generated SMF events (type 80) into one QRadar report.
    

Problem conclusion

  • zSecure Audit has been modified so that:
    
     - SMF reports have INTENT field filled in with the value
       'UPDATE' for SMF records type 42 (subtypes 21, 24, and 25);
    
     - QRadar LEEF files generated by zSecure Audit have now the
       INTENT field filled in for the following SMF events:
    
      o type 42 (subtypes 21, 24, 25, and 26);
      o type 118 (subtypes 3, 70, 71, 72, 73, 74, and 75);
      o type 119 (subtypes 4, 4, 24, 70, 71, 72, 96, and 97);
    210Y
    211Y
    220Y
    CKASINT
    CKQLEEF
    C2ELEEF
    

Temporary fix

Comments

APAR Information

  • APAR number

    OA49585

  • Reported component name

    ZSEC BASE,ADMIN

  • Reported component ID

    5655T0100

  • Reported release

    211

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2015-12-15

  • Closed date

    2016-02-17

  • Last modified date

    2016-03-03

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UA80718 UA80719 UA80720

Modules/Macros

  •    CKASINT  CKQLEEF  C2ELEEF
    

Fix information

  • Fixed component name

    ZSEC BASE,ADMIN

  • Fixed component ID

    5655T0100

Applicable component levels

  • R210 PSY UA80718

       UP16/02/18 P F602

  • R211 PSY UA80719

       UP16/02/18 P F602

  • R220 PSY UA80720

       UP16/02/18 P F602

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.

[{"Business Unit":{"code":"BU048","label":"IBM Software"}, "Product":{"code":"SSCE68R","label":"zSecure Admin"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"211","Edition":""}]

Document Information

Modified date:
03 March 2016