IBM Support

OA59473: ALERT 1120 IS NOT SENT TO DESTINATION ARCSIGHT CEF VIA SYSLOG

A fix is available


APAR status

  • Closed as program error.

Error description

  • Alert 1120 is not sent to destination ArcSight CEF via syslog.
    This issue is only applicable to zSecure 2.3.0 and 2.3.1.
    

Local fix

  • Upgrade to zSecure 2.4.0. If this is not an option:
    
    1) Create your_userid.SCKRSLIB based on the allocation for the
    zSecure supplied hlq.SCKRSLIB
    
    2) Copy hlq.SCKRSLIB(C2PS1120) to your_userid.SCKRSLIB
    
    3) Edit your_userid.SCKRSLIB(C2PS1120) and find (f) 'ArcSight CEF'
    
    4) Change:
    
    )SEL &C2PERCTP = CEF
    
     recno(nd) maxdatetime(cef_dt,15),
    
    
    to
    
    
    )SEL &C2PERCTP = CEF
    
     maxdatetime(cef_dt,15),
    
    
    5) Save your_userid.SCKRSLIB(C2PS1120)
    
    6) Now start the zSecure Admin UI using your_userid prefixed
    files (in this case only SCKRSLIB): TSO CKR UPREFIX(your_userid)
    
    7) Select Alert 1120 and choose the ArcSight destination
    
    8) Verify and reFresh the alert configuration
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED: Users of zSecure Alert using predefined      *
    *                 alert 1120 with the ArcSight destination     *
    *                 selected.                                    *
    ****************************************************************
    * PROBLEM DESCRIPTION: zSecure Alert 1120 does not work for    *
    *                      destination ArcSight.                   *
    ****************************************************************
    * RECOMMENDATION: Apply the PTF provided.                      *
    ****************************************************************
    When the destination for predefined alert 1120 (Major
    administrative activity) is set to 'ArcSight CEF via syslog',
    alerts are not sent when the alert is triggered.
    

Problem conclusion

  • zSecure Alert has been modified so that predefined alert
    1120 sends an alert to ArcSight when destination ArcSight is
    selected.
    

Temporary fix

Comments

APAR Information

  • APAR number

    OA59473

  • Reported component name

    ZSEC BASE,ADMIN

  • Reported component ID

    5655T0100

  • Reported release

    230

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2020-04-24

  • Closed date

    2020-05-06

  • Last modified date

    2020-06-01

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UJ02827 UJ02828

Modules/Macros

  • C2PS1120
    

Fix information

  • Fixed component name

    ZSEC BASE,ADMIN

  • Fixed component ID

    5655T0100

Applicable component levels

  • R230 PSY UJ02827

       UP20/05/07 P F005

  • R231 PSY UJ02828

       UP20/05/07 P F005

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.

Document Information

Modified date:
02 June 2020