IBM Support

OA52576: FIELD TERMINAL IS NOT PRESENT IN THE LEEF OUTPUT OF SMF TYPE 119 RECORDS AND SHOULD BE INCLUDED

A fix is available

Obtain the fix for this APAR.

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • ERROR DESCRIPTION:Ø
When running the CKQCLEEF or CKQJLEEF jobs, the TERMINAL field
is not added to the output of SMF Type 119 records although it
is added for Type 118 records

Local fix

  • LOCAL FIX:Ø
N/A

Problem summary

  • ****************************************************************
* USERS AFFECTED: Users of zSecure Audit exploiting the        *
*                 software to prepare data for QRadar SIEM.    *
****************************************************************
* PROBLEM DESCRIPTION: The zSecure Audit QRadar SIEM interface *
*                      does not generate the 'terminal' field  *
*                      for SMF records type 119.               *
****************************************************************
* RECOMMENDATION: Apply the PTF provided.                      *
****************************************************************
The zSecure Audit QRadar SIEM interface does not generate the
'terminal' field for the following SMF records:
 - type 119 sub-type 2 written by TN3270E Telnet server;
 - types 118 and 119 (TCP/IP Statistics);
 - 'IP connection data of type 119 plus tunnels plus SSH logon
   fail;
 - type 118 sub-types 1 and 2 (TCP API
   initialization/termination);

Problem conclusion

  • The zSecure Audit QRadar SIEM interface has been modified so
that the 'terminal' field is written to a QRadar LEEF file for
the following SMF events:
 - type 119 sub-type 2 written by TN3270E Telnet server;
 - types 118 and 119 (TCP/IP Statistics);
 - 'IP connection data of type 119 plus tunnels plus SSH logon
   fail;
 - type 118 sub-types 1 and 2 (TCP API
   initialization/termination);

Temporary fix

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    OA52576
    • 

  • Reported component name
    ZSEC BASE,ADMIN
    • 

  • Reported component ID
    5655T0100
    • 

  • Reported release
    221
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt / Xsystem
    • 

  • Submitted date
    2017-04-18
    • 

  • Closed date
    2017-07-07
    • 

  • Last modified date
    2017-08-01
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    
UA92574
    

    • 



Modules/Macros


    

  •    CKASMF77 CKQLEEF  CKQLEEFL C2ELEEF  GKRSMF77

    



Fix information


    

  • Fixed component name
    ZSEC BASE,ADMIN
    • 

  • Fixed component ID
    5655T0100
    • 



Applicable component levels


    

  • R221  PSY  UA92574
       UP17/07/13  P  F707
    • 



Fix is available


    

  • Select the PTF appropriate for your component level.
You will be required to sign in. Distribution on physical
media is not available in all countries.
    








      
              
                            

              

              [{"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSPQTM","label":"IBM Security zSecure Admin"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"221","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]
              

                          

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            16 August 2024
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback