IBM Support

OA59473: ALERT 1120 IS NOT SENT TO DESTINATION ARCSIGHT CEF VIA SYSLOG

A fix is available

Obtain the fix for this APAR.

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • Alert 1120 is not sent to destination ArcSight CEF via syslog.
This issue is only applicable to zSecure 2.3.0 and 2.3.1.

Local fix

  • Upgrade to zSecure 2.4.0. If this is not an option:

1) Create your_userid.SCKRSLIB based on the allocation for the
zSecure supplied hlq.SCKRSLIB

2) Copy hlq.SCKRSLIB(C2PS1120) to your_userid.SCKRSLIB

3) Edit your_userid.SCKRSLIB(C2PS1120) and f 'ArcSight CEF'

4) Change:

)SEL &C2PERCTP = CEF

 recno(nd) maxdatetime(cef_dt,15),


to


)SEL &C2PERCTP = CEF

 maxdatetime(cef_dt,15),


5) Save your_userid.SCKRSLIB(C2PS1120)

6) Now start the zSecure Admin UI using your_userid prefixed
files (in this case only SCKRSLIB): TSO CKR UPREFIX(your_userid)

7) Select Alert 1120 and choose the Arcsight destination

8) Verify and reFresh the alert configuration

Problem summary

  • ****************************************************************
* USERS AFFECTED: Users of zSecure Alert using predefined      *
*                 alert 1120 with the ArcSight destination     *
*                 selected.                                    *
****************************************************************
* PROBLEM DESCRIPTION: zSecure Alert 1120 does not work for    *
*                      destination ArcSight.                   *
****************************************************************
* RECOMMENDATION: Apply the PTF provided.                      *
****************************************************************
When the destination for predefined alert 1120 (Major
administrative activity) is set to 'ArcSight CEF via syslog',
alerts are not sent when the alert is triggered.

Problem conclusion

  • zSecure Alert has been modified so that predefined alert
1120 sends an alert to ArcSight when destination ArcSight is
selected.

Temporary fix

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    OA59473
    • 

  • Reported component name
    ZSEC BASE,ADMIN
    • 

  • Reported component ID
    5655T0100
    • 

  • Reported release
    230
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt / Xsystem
    • 

  • Submitted date
    2020-04-24
    • 

  • Closed date
    2020-05-06
    • 

  • Last modified date
    2020-06-01
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    
UJ02827 UJ02828
    

    • 



Modules/Macros


    

  • C2PS1120

    



Fix information


    

  • Fixed component name
    ZSEC BASE,ADMIN
    • 

  • Fixed component ID
    5655T0100
    • 



Applicable component levels


    

  • R230  PSY  UJ02827
       UP20/05/07  P  F005
    • 

  • R231  PSY  UJ02828
       UP20/05/07  P  F005
    • 



Fix is available


    

  • Select the PTF appropriate for your component level.
You will be required to sign in. Distribution on physical
media is not available in all countries.
    








      
              
                            

              

              [{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSPQTM","label":"IBM Security zSecure Admin"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Line of Business":{"code":"LOB24","label":"Security Software"}}]
              

                          

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            02 June 2020
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback