What is the new AUDIT component of CA SYSVIEW?

Document ID : KB000054600
Last Modified Date : 14/02/2018

Description:
The new AUDIT component of CA SYSVIEW r12.0 is started automatically at STC initialization and creates Audit Event records for the pre-defined system-altering actions available in the product.

Solution:
The CA SYSVIEW Audit Event component lets you record events or actions occurring within CA SYSVIEW that change resources. You can then use the Audit Event displays to view and control the historical audit activities.

The AUDIT configuration information can be modified dynamically with the AUDITDEF command. It is saved to the Persistent Data Store when the AUDIT task is terminated, or it can be saved manually using the SAVE subcommand of the AUDITDEF command.
From the AUDITDEF command, you can change the options for each Audit Event. For each event, you can do any or all of the following:
Write a record to SMF recording the event.
Write a record to the logstream recording the event.
Notify CA OPS/MVS of the event.
Issue a WTO message recording the event.

For example, if a user issues the ADD subcommand of the APFLIST primary command to add a dataset to the APFLIST, and AUDIT is active for this action (it is by default), you would see an entry on the AUDITLOG for that add.

Additional information contained in the log record is:
JobId       The job ID from where the event record was created.
ASID        The ASID of the job from where the event record was created.
Terminal    The terminal name from where the event record was created.
Interface   The interface name from where the event record was created.
Profile     The profile name of the user that created the event record.
SecGroup    The security group of the user that created the event record.
UserName    The user name that created the event record.
Type        The record type.
Length      The record length.
If you wish to turn off auditing, use the AUDITDEF command to set entries ACTIVE or INACTIVE as desired.
If you wish to make all entries inactive, enter the following commands from the AUDITDEF display:
FILL ACTIVE INACTIVE 1-9999
SAVE