IBM Mainframe syslog



Post anything related to mainframes (IBM & UNISYS) if not fit in any of the above categories

IBM Mainframe syslog

Postby hazwan » Wed Sep 30, 2015 12:31 pm

Hi All,

Pardon me if post wrong topic here since I'm very newbie in IBM Mainframe and its programming language used. I have query about IBM Mainframe syslog. I have a sample of syslog for IBM Mainframe and how do I read it according to its column. I have seen others type of syslog but IBM Mainframe totally difference. Actually I need to do parser for IBM Mainframe to integrate with SIEM. From there SIEM will pull Mainframe syslog and analyze it. I'm very newbie and can say not even know anything about IBM Mainframe, I need help on this. Please help me. :cry: :cry:

Sample of logs :

1 SDSF SYSLOG PRINT STC32183 DATA SET 117 SYSID IBMainframe DATE 08/22/2015 2015.234 LINE 85,980 PAGE 1
0M 4000000 IBMainframe 15234 07:00:01.44 STC32260 00000090 BPXF024I (OMVSKERN) Aug 22 07:00:01 CDRM51 syslogd: FSUM1230 Log file
S 437
E 437 00000090 /OPER/syslogd/08/22/local0 was created
M 4000000 IBMainframe 15234 07:00:01.44 STC32260 00000090 BPXF024I (OMVSKERN) Aug 22 07:00:01 CDRM51 syslogd: FSUM1230 Log file
S 438
E 438 00000090 /OPER/syslogd/08/22/local4 was created
M 4000000 IBMainframe 15234 07:00:01.44 STC32260 00000090 BPXF024I (OMVSKERN) Aug 22 07:00:01 CDRM51 syslogd: FSUM1230 Log file
S 439
E 439 00000090 /OPER/syslogd/08/22/log was created
M 4000000 IBMainframe 15234 07:00:01.44 STC32260 00000090 BPXF024I (OMVSKERN) Aug 22 07:00:01 CDRM51 syslogd: FSUM1230 Log file
S 440
E 440 00000090 /OPER/syslogd/08/22/Q5D1BRK was created
M 4000000 IBMainframe 15234 07:00:01.45 STC32260 00000090 BPXF024I (OMVSKERN) Aug 22 07:00:01 CDRM51 syslogd: FSUM1230 Log file
S 441
E 441 00000090 /OPER/syslogd/08/22/IKED was created
N 0140000 IBMainframe 15234 07:00:01.45 STC32260 00000090 FSUM1252 SYSLOGD RECONFIGURATION COMPLETE
N 0200000 IBMainframe 15234 07:00:01.46 JOB77202 00000281 $HASP100 OPERLVTC ON INTRDR FROM STC32191
S OPC1
N 0000000 IBMainframe 15234 07:00:01.47 JOB77202 00000290 IRR010I USERID OPCC IS ASSIGNED TO THIS JOB.
M 4000000 IBMainframe 15234 07:00:01.56 STC32219 00000281 EQQE037I JOB LOGDLY1 ( ), OPERATION(0010), IN APPLICATION 445
E 445 00000281 SYSLOG#DAILY , IS LATE, WORK STATION = CPU1, IA = 1508212350
N 0200000 IBMainframe 15234 07:00:01.57 JOB77203 00000281 $HASP100 SMFDLY1I ON INTRDR FROM STC32191
S OPC1
N 0000000 IBMainframe 15234 07:00:01.57 JOB77203 00000290 IRR010I USERID OPCC IS ASSIGNED TO THIS JOB.
N 0200000 IBMainframe 15234 07:00:01.67 JOB77204 00000281 $HASP100 SMFDLY2I ON INTRDR

I'm notice have paging count in the syslog. :?: :?:

S ----PAGING COUNTS---
N 0004000 IBMainframe 15234 07:00:02.58 JOB77203 00000290 -JOBNAME STEPNAME PROCSTEP RC EXCP CPU SRB CLOCK SERV PG
S PAGE SWAP VIO SWAPS STEPNO
N 0004000 IBMainframe 15234 07:00:02.58 JOB77203 00000290 -SMFDLY1I SWITCH 00 10 .00 .00 .00 303 0
1 SDSF SYSLOG PRINT STC32183 DATA SET 117 SYSID IBMainframe DATE 08/22/2015 2015.234 LINE 86,033 PAGE 2
0S 0 0 0 0 1
N 0200000 IBMainframe 15234 07:00:02.62 JOB77211 00000281 $HASP100 DPEBKBFM ON INTRDR DPEBKBFM FROM STC32191
S OPC1
N 0000000 IBMainframe 15234 07:00:02.62 JOB77211 00000290 IRR010I USERID OPCC IS ASSIGNED TO THIS JOB.
N 0200000 IBMainframe 15234 07:00:02.73 JOB77212 00000281 $HASP100 MALNNJ01 ON INTRDR MALNNJ01 FROM STC32191
S OPC1
N 4000000 IBMainframe 15234 07:00:02.99 JOB77206 00000090 $HASP373 HSMRECYC STARTED - INIT 4 - CLASS A - SYS IBMainframe
N 0020000 IBMainframe 15234 07:00:03.04 JOB77207 00000090 ICH70001I OPCC LAST ACCESS AT 07:00:02 ON SATURDAY, AUGUST 22, 2015
N 0020000 IBMainframe 15234 07:00:03.04 JOB77208 00000090 ICH70001I OPCC LAST ACCESS AT 07:00:03 ON SATURDAY, AUGUST 22, 2015
N 4000000 IBMainframe 15234 07:00:03.09 JOB77207 00000090 $HASP373 BKEBKRPT STARTED - INIT 5 - CLASS A - SYS IBMainframe
N 4000000 IBMainframe 15234 07:00:03.09 JOB77208 00000090 $HASP373 DA$DCOLL STARTED - INIT 6 - CLASS A - SYS IBMainframe
N 0004000 IBMainframe 15234 07:00:03.15 JOB77206 00000290 - --TIMINGS (MINS.)--
S ----PAGING COUNTS---
N 0004000 IBMainframe 15234 07:00:03.15 JOB77206 00000290 -JOBNAME STEPNAME PROCSTEP RC EXCP CPU SRB CLOCK SERV PG
S PAGE SWAP VIO SWAPS STEPNO
N 0004000 IBMainframe 15234 07:00:03.15 JOB77206 00000290 -HSMRECYC DISPLAY 00 20 .00 .00 .00 374 0
S 0 0 0 0 1
NC0000000 IBMainframe 15234 07:00:03.18 INTERNAL 00000290 START DUMPXY,DSNAME=SYS1.IBMainframe.MAN1
N C020000 IBMainframe 15234 07:00:03.18 00000090 IEFU29 HAS ISSUED 'START DUMPXY,DSNAME=SYS1.IBMainframe.MAN1
S '
N 0000000 IBMainframe 15234 07:00:03.18 00000290 IEF196I IEFU29 HAS ISSUED 'START DUMPXY,DSNAME=SYS1.IBMainframe.MAN1
N 0000000 IBMainframe 15234 07:00:03.18 00000290 IEF196I '
M 4000000 IBMainframe 15234 07:00:03.18 00000090 IEE388I SMF NOW RECORDING ON VOLSER OIBMainframe1, DSN=SYS1.IBMainframe.MAN2 TIME= 489
E 489 00000090 07.00.03
N 0200000 IBMainframe 15234 07:00:03.32 STC77213 00000281 $HASP100 DUMPXY ON STCINRDR
N 0004000 IBMainframe 15234 07:00:03.33 JOB77202 00000290 -
hazwan
 
Posts: 3
Joined: Tue Sep 29, 2015 10:01 pm
Has thanked: 0 time
Been thanked: 0 time

Re: IBM Mainframe syslog

 

Re: IBM Mainframe syslog

Postby enrico-sorichetti » Wed Sep 30, 2015 12:57 pm

when posting code and sysout snippets use the code tags
they keep things aligned for better readability
with

**********
1234567890
.........          1234567890
**********

without
**********
1234567890
......... 1234567890
**********

depending on the customisation
the syslog/console hardcopy
might contain the end_of_step/eind_of_job statistics
cheers
enrico
When I tell somebody to RTFM or STFW I usually have the page open in another tab/window of my browser,
so that I am sure that the information requested can be reached with a very small effort
enrico-sorichetti
Global moderator
 
Posts: 2644
Joined: Fri Apr 18, 2008 11:25 pm
Has thanked: 0 time
Been thanked: 130 times

Re: IBM Mainframe syslog

Postby hazwan » Wed Sep 30, 2015 1:18 pm

Sorry, here is the aligned logs

1     SDSF  SYSLOG  PRINT  STC32183  DATA SET     117  SYSID IBMainframe     DATE 08/22/2015 2015.234  LINE  85,980  PAGE       1           
0M 4000000 IBMainframe     15234 07:00:01.44 STC32260 00000090  BPXF024I (OMVSKERN) Aug 22 07:00:01 CDRM51 syslogd: FSUM1230 Log file       
 S                                                       437                                                                         
 E                                         437 00000090  /OPER/syslogd/08/22/local0 was created                                     
 M 4000000 IBMainframe     15234 07:00:01.44 STC32260 00000090  BPXF024I (OMVSKERN) Aug 22 07:00:01 CDRM51 syslogd: FSUM1230 Log file       
 S                                                       438                                                                         
 E                                         438 00000090  /OPER/syslogd/08/22/local4 was created                                     
 M 4000000 IBMainframe     15234 07:00:01.44 STC32260 00000090  BPXF024I (OMVSKERN) Aug 22 07:00:01 CDRM51 syslogd: FSUM1230 Log file       
 S                                                       439                                                                         
 E                                         439 00000090  /OPER/syslogd/08/22/log was created                                         
 M 4000000 IBMainframe     15234 07:00:01.44 STC32260 00000090  BPXF024I (OMVSKERN) Aug 22 07:00:01 CDRM51 syslogd: FSUM1230 Log file       
 S                                                       440                                                                         
 E                                         440 00000090  /OPER/syslogd/08/22/Q5D1BRK was created                                     
 M 4000000 IBMainframe     15234 07:00:01.45 STC32260 00000090  BPXF024I (OMVSKERN) Aug 22 07:00:01 CDRM51 syslogd: FSUM1230 Log file       
 S                                                       441                                                                         
 E                                         441 00000090  /OPER/syslogd/08/22/IKED was created                                       
 N 0140000 IBMainframe     15234 07:00:01.45 STC32260 00000090  FSUM1252 SYSLOGD  RECONFIGURATION COMPLETE                                 
 N 0200000 IBMainframe     15234 07:00:01.46 JOB77202 00000281  $HASP100 OPERLVTC ON INTRDR                            FROM STC32191       
 S                                                       OPC1                                                                       
 N 0000000 IBMainframe     15234 07:00:01.47 JOB77202 00000290  IRR010I  USERID OPCC     IS ASSIGNED TO THIS JOB.                           
 M 4000000 IBMainframe     15234 07:00:01.56 STC32219 00000281  EQQE037I JOB LOGDLY1 (        ), OPERATION(0010), IN APPLICATION 445       
 E                                         445 00000281    SYSLOG#DAILY    , IS LATE, WORK STATION = CPU1, IA = 1508212350           
 N 0200000 IBMainframe     15234 07:00:01.57 JOB77203 00000281  $HASP100 SMFDLY1I ON INTRDR                            FROM STC32191       
 S                                                       OPC1                                                                       
 N 0000000 IBMainframe     15234 07:00:01.57 JOB77203 00000290  IRR010I  USERID OPCC     IS ASSIGNED TO THIS JOB.                           
 N 0200000 IBMainframe     15234 07:00:01.67 JOB77204 00000281  $HASP100 SMFDLY2I ON INTRDR                            FROM STC32191       
 S                                                       OPC1                                                                       
 N 0000000 IBMainframe     15234 07:00:01.67 JOB77204 00000290  IRR010I  USERID OPCC     IS ASSIGNED TO THIS JOB.                           
 N 0200000 IBMainframe     15234 07:00:01.79 JOB77206 00000281  $HASP100 HSMRECYC ON INTRDR                            FROM STC32191       
 S                                                       OPC1                                                                       
 N 0000000 IBMainframe     15234 07:00:01.79 JOB77206 00000290  IRR010I  USERID OPCC     IS ASSIGNED TO THIS JOB.                           
 N 0200000 IBMainframe     15234 07:00:01.90 JOB77207 00000281  $HASP100 BKEBKRPT ON INTRDR      BACK UP               FROM STC32191       
 S                                                       OPC1                                                                       
 N 0020000 IBMainframe     15234 07:00:01.90 JOB77203 00000090  ICH70001I OPCC     LAST ACCESS AT 06:59:12 ON SATURDAY, AUGUST 22, 2015     
 N 0000000 IBMainframe     15234 07:00:01.91 JOB77207 00000290  IRR010I  USERID OPCC     IS ASSIGNED TO THIS JOB.                           
 N 0020000 IBMainframe     15234 07:00:01.92 JOB77202 00000090  ICH70001I OPCC     LAST ACCESS AT 06:59:12 ON SATURDAY, AUGUST 22, 2015     
 N 0200000 IBMainframe     15234 07:00:02.01 JOB77208 00000281  $HASP100 DA$DCOLL ON INTRDR                            FROM STC32191       
 S                                                       OPC1                                                                       
 N 0000000 IBMainframe     15234 07:00:02.02 JOB77208 00000290  IRR010I  USERID OPCC     IS ASSIGNED TO THIS JOB.                           
 N 4000000 IBMainframe     15234 07:00:02.08 JOB77202 00000090  $HASP373 OPERLVTC STARTED - INIT 1    - CLASS A - SYS IBMainframe                 
 N 4000000 IBMainframe     15234 07:00:02.08 JOB77203 00000090  $HASP373 SMFDLY1I STARTED - INIT 3    - CLASS A - SYS IBMainframe                 
 N 0300000 IBMainframe     15234 07:00:02.24 JOB77203 00000281  $HASP120 INTRDR $VS,'IBMainframe I SMF' FROM JOB77203 SMFDLY1I                     
 NC0000000 IBMainframe     15234 07:00:02.25 INTERNAL 00000290  I SMF                                                                       
 N 0200000 IBMainframe     15234 07:00:02.40 JOB77209 00000281  $HASP100 MAACN033 ON INTRDR      PBB ACT GEN           FROM STC32191       
 S                                                       OPC1                                                                       
 N 0020000 IBMainframe     15234 07:00:02.51 JOB77206 00000090  ICH70001I OPCC     LAST ACCESS AT 07:00:01 ON SATURDAY, AUGUST 22, 2015     
 N 0200000 IBMainframe     15234 07:00:02.51 JOB77210 00000281  $HASP100 DPEBKFMT ON INTRDR      DPEBKFMT              FROM STC32191       
 S                                                       OPC1                                                                       
 N 0000000 IBMainframe     15234 07:00:02.52 JOB77210 00000290  IRR010I  USERID OPCC     IS ASSIGNED TO THIS JOB.                           
 N 0004000 IBMainframe     15234 07:00:02.58 JOB77203 00000290  -                                         --TIMINGS (MINS.)--     


And the noticed paging count in the syslog
S                                                        ----PAGING COUNTS---                                                       
 N 0004000 IBMainframe     15234 07:00:02.58 JOB77203 00000290  -JOBNAME  STEPNAME PROCSTEP    RC   EXCP    CPU    SRB  CLOCK   SERV  PG   
 S                                                          PAGE   SWAP    VIO SWAPS STEPNO                                         
 N 0004000 IBMainframe     15234 07:00:02.58 JOB77203 00000290  -SMFDLY1I          SWITCH      00     10    .00    .00    .00    303   0   
1     SDSF  SYSLOG  PRINT  STC32183  DATA SET     117  SYSID IBMainframe     DATE 08/22/2015 2015.234  LINE  86,033  PAGE       2           
0S                                                             0      0      0     0     1                                           
 N 0200000 IBMainframe     15234 07:00:02.62 JOB77211 00000281  $HASP100 DPEBKBFM ON INTRDR      DPEBKBFM              FROM STC32191       
 S                                                       OPC1                                                                       
 N 0000000 IBMainframe     15234 07:00:02.62 JOB77211 00000290  IRR010I  USERID OPCC     IS ASSIGNED TO THIS JOB.                           
 N 0200000 IBMainframe     15234 07:00:02.73 JOB77212 00000281  $HASP100 MALNNJ01 ON INTRDR      MALNNJ01              FROM STC32191       
 S                                                       OPC1                                                                       
 N 4000000 IBMainframe     15234 07:00:02.99 JOB77206 00000090  $HASP373 HSMRECYC STARTED - INIT 4    - CLASS A - SYS IBMainframe                 
 N 0020000 IBMainframe     15234 07:00:03.04 JOB77207 00000090  ICH70001I OPCC     LAST ACCESS AT 07:00:02 ON SATURDAY, AUGUST 22, 2015     
 N 0020000 IBMainframe     15234 07:00:03.04 JOB77208 00000090  ICH70001I OPCC     LAST ACCESS AT 07:00:03 ON SATURDAY, AUGUST 22, 2015     
 N 4000000 IBMainframe     15234 07:00:03.09 JOB77207 00000090  $HASP373 BKEBKRPT STARTED - INIT 5    - CLASS A - SYS IBMainframe                 
 N 4000000 IBMainframe     15234 07:00:03.09 JOB77208 00000090  $HASP373 DA$DCOLL STARTED - INIT 6    - CLASS A - SYS IBMainframe                 
 N 0004000 IBMainframe     15234 07:00:03.15 JOB77206 00000290  -                                         --TIMINGS (MINS.)--   


Your kinds help very appreciate.
hazwan
 
Posts: 3
Joined: Tue Sep 29, 2015 10:01 pm
Has thanked: 0 time
Been thanked: 0 time

Re: IBM Mainframe syslog

Postby enrico-sorichetti » Wed Sep 30, 2015 1:34 pm

Actually I need to do parser for IBM Mainframe to integrate with SIEM.

Nice to know, :mrgreen:

without proper guidance is not a task for a beginner
but a forum is to ask specific questions,
not to ask for guidance to the extent You need for this task
speak to the powers of Your organisation to get proper support

what happened when You googled with ibm z/OS syslog layout
cheers
enrico
When I tell somebody to RTFM or STFW I usually have the page open in another tab/window of my browser,
so that I am sure that the information requested can be reached with a very small effort
enrico-sorichetti
Global moderator
 
Posts: 2644
Joined: Fri Apr 18, 2008 11:25 pm
Has thanked: 0 time
Been thanked: 130 times

Re: IBM Mainframe syslog

Postby hazwan » Wed Sep 30, 2015 5:52 pm

Thanks for your advice. Honestly I'm jump to conclusion because I really dont know about IBM Mainframe. Perhaps you can guide me which website suit to learn about IBM Mainframe Syslog. May I know what model the IBM Mainframe syslog that i posted. Maybe from there I can googling from the keyword. Is it ibm z/Os syslog layout as you suggested? I'm not go for the 'rich things' to solve my issue, at least I got some input how to start solve what I want. Actually customer dont know about their IBM mainframe because it supported by vendor and I'm a SIEM vendor need to learn the product which I have 0 knowledge. That is how I start begin search for my solution into this forum.
hazwan
 
Posts: 3
Joined: Tue Sep 29, 2015 10:01 pm
Has thanked: 0 time
Been thanked: 0 time

Re: IBM Mainframe syslog

Postby steve-myers » Thu Oct 01, 2015 5:20 am

About the only message in z/OS SYSLOG, and only in the systems that use the RACF security system, useful for SIEM is the ICH408I message. For example -
ICH408I USER(MXXXX1  ) GROUP(GGGGG02 ) NAME(MMMM XXXX           )
  CATALOG.CCCCC8.UCAT CL(DATASET ) VOL(VVVVVV)
  INSUFFICIENT ACCESS AUTHORITY
  FROM CATALOG.** (G)
  ACCESS INTENT(ALTER  )  ACCESS ALLOWED(UPDATE )
An analyst extracting SIEM data from this must be aware -
  • Sometimes the severity implied by the message is incorrect for no obvious reason. In this case, every time we have been able to trace what the "perp" was actually trying to create this message, the "perp" was trying to do something that most people would consider innocent, but is not allowed because the resource contains security data, as indicated in this case by
    IEC161I 040(056,006,IGG0CLFT)-002,MXXXX1,SYSUSER SYSUSER,SYS00033,,,
    IEC161I CATALOG.CCCCCC8.UCAT
  • There are many forms of the ICH408I message. For example -
    ICH408I USER(JEEVASH ) GROUP(USERG02 ) NAME(JEEVA S             )
      LOGON/JOB INITIATION - REVOKED USER ACCESS ATTEMPT
  • The SIEM analyst must understand z/OS security issues very thoroughly.
steve-myers
Global moderator
 
Posts: 1886
Joined: Thu Jun 03, 2010 6:21 pm
Has thanked: 4 times
Been thanked: 197 times


Return to All other Mainframe Topics

 


  • Related topics
    Replies
    Views
    Last post