After I configured the product to send events to Splunk using the SIEM action, I noticed that the Journal data set fills up quickly. What can I do to resolve this issue?

Document ID : KB000014527
Last Modified Date : 14/02/2018
Answer:

With SIEM actions, the volume of successful and failed actions that are logged in the Journal data set can be high, depending on your site's environment. By default (with TR95499 or RO95499 applied), the product logs only the failed actions, which reduces the number of actions written to the Journal data set. If your site is not using this default option, your Journal data set can fill up quickly.

Do the following steps as needed:

  • If your site is not using the default option of logging only the failed actions in the Journal data set, we recommend restoring the Journal log option to the default.

    Important! Before you restore the default value, verify with your security administrator that this setting is acceptable for your site.

    To review and configure this setting, edit the CEM_JOURNAL variable in the data set member that is pointed to by the CEEVARS DD (CEMECEEV, by default):

    - To log failed actions only, enter a value of 1. (Default)
    - To log successful actions only, enter a value of 2.
    - To log successful and failed actions, enter a value of 3.

  • Allocate more space to the Journal data set to accommodate the volume of actions that are being logged. For more information about estimating the storage needs for the Journal data set, see Best Practices.
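The following script is an added example, not part of this KB article or the product's own tooling. It audits a copy of the CEEVARS member for the CEM_JOURNAL setting described above, reports whether the site is logging more than the default, and produces a corrected copy. It assumes the member holds one NAME=VALUE assignment per line with `*` comment lines and sequence numbers in columns 73-80; that layout is an assumption, so adapt `parse_ceevars()` to your site's member if its syntax differs.

```python
"""Audit the CEM_JOURNAL setting in a CEEVARS member (added example).

Assumes a simple card-image layout: one NAME=VALUE assignment per line,
'*' in column 1 marks a comment, columns 73-80 are ignored as sequence
numbers. The real member syntax may differ; adjust parse_ceevars() as needed.
"""
import re
from typing import Dict, Tuple

# Meaning of each CEM_JOURNAL value, as stated in the KB article.
CEM_JOURNAL_VALUES = {
    "1": "failed actions only (default)",
    "2": "successful actions only",
    "3": "successful and failed actions",
}
DEFAULT_CEM_JOURNAL = "1"

# NAME=VALUE with optional surrounding blanks (assumed member format).
ASSIGN_RE = re.compile(r"^\s*([A-Z0-9_]+)\s*=\s*(\S+)")


def parse_ceevars(text: str) -> Dict[str, str]:
    """Return NAME -> VALUE for every assignment line, ignoring '*' comments."""
    found: Dict[str, str] = {}
    for line in text.splitlines():
        line = line[:72]  # assumed: columns 73-80 hold sequence numbers
        if not line.strip() or line.lstrip().startswith("*"):
            continue
        m = ASSIGN_RE.match(line)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def check_cem_journal(text: str) -> Tuple[str, str]:
    """Return (status, message) for the CEM_JOURNAL setting in a member.

    status is 'ok' (default), 'warn' (logging more than the default,
    so the Journal data set can fill quickly) or 'unknown'.
    """
    value = parse_ceevars(text).get("CEM_JOURNAL")
    if value is None:
        return "unknown", "CEM_JOURNAL is not set in this member"
    if value not in CEM_JOURNAL_VALUES:
        return "unknown", f"CEM_JOURNAL={value} is not a recognised value (expected 1, 2 or 3)"
    desc = CEM_JOURNAL_VALUES[value]
    if value == DEFAULT_CEM_JOURNAL:
        return "ok", f"CEM_JOURNAL={value}: logs {desc}"
    return "warn", (
        f"CEM_JOURNAL={value}: logs {desc}; with SIEM actions the Journal data set "
        "can fill quickly. Restore the default of 1 after confirming with the "
        "security administrator, or allocate more space to the data set."
    )


def set_cem_journal(text: str, value: str = DEFAULT_CEM_JOURNAL) -> str:
    """Return the member text with CEM_JOURNAL set to value (appended if absent)."""
    if value not in CEM_JOURNAL_VALUES:
        raise ValueError(f"invalid CEM_JOURNAL value {value!r}")
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = ASSIGN_RE.match(line[:72])
        if m and m.group(1) == "CEM_JOURNAL":
            lines[i] = f"CEM_JOURNAL={value}"
            return "\n".join(lines) + "\n"
    lines.append(f"CEM_JOURNAL={value}")
    return "\n".join(lines) + "\n"


# Constructed sample member: a site that switched to logging every action.
SAMPLE_CEEVARS = """\
* CEEVARS member (constructed sample, not a real site file)
CEM_JOURNAL=3
"""

if __name__ == "__main__":
    status, msg = check_cem_journal(SAMPLE_CEEVARS)
    print(status, msg)
    if status == "warn":
        print("Corrected member:")
        print(set_cem_journal(SAMPLE_CEEVARS), end="")
```

Run it against a copy of the member pointed to by the CEEVARS DD (CEMECEEV by default) that has been downloaded as text; the script never writes the member back, so the change is applied through your normal change process after the security administrator has agreed to it.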