Selective Auditing Capability

For any event or system action to be reportable, it must first be logged in the system log.

Events and system actions that are retrieved from the system log (SYSTEM/SUMLOG) and reported by a utility such as LOGANALYZER are a subset of all the events and system actions that are logged in the system log.

The values in the MCP array LOG_OPTIONS determine which activities are recorded in the SYSTEM/SUMLOG and in job files. Users can set and interrogate the values in this array with the LOGGING (Logging Options) system command.

Two factors determine which events are recorded in SYSTEM/SUMLOG:

  • The system wide logging specifications, which are designated by the LOGGING system command

  • The usercode-specific logging specifications, which are designated by the value of the LOGSELECT usercode attribute in the USERDATAFILE

The LOGSELECT attribute can specify logging of all successful actions, all failed actions, all security-relevant actions, and all security violations for processes running under the usercode.

The events designated by the value of LOGSELECT are logged in addition to those events designated with the LOGGING system command, which are logged for all users and activities.

The LOGSELECT usercode attribute enables you to conserve system resources by designating logging of actions only for the specific users you want to audit, either because of the sensitivity of a user's position or because you suspect a user of system misuse. This approach is more efficient than logging the same information for all users.

For more information about LOGSELECT, see the System Software Utilities Operations Reference Manual.

LG (Log for Mix Number) System Command

The LG (Log for Mix Number) system command causes logging of all events and actions associated with one or more mix numbers.

Note: The LG command is available only as part of either the Secure Access Control Module security-enhancement software or the Secure Accountability Facility security feature package.

Use the MIX option in LOGANALYZER to retrieve all these records from the SUMLOG, or use other LOGANALYZER options to retrieve some of these records. The features of the LG command are available from the M and SM selections on the Menu-Assisted Resource Control (MARC) LOG screen.

The LG command is of the following form:

Syntax

──<mix number list>── LG ─┬──────────┬─────────────────────────────────┤
                          └─<action>─┘

<action>

──<integer>────────────────────────────────────────────────────────────┤

In place of <mix number list>, enter a mix number or a series of mix numbers separated by commas (,).

In place of <action>, you can enter one of the following integer values:

  • To force the actions logged, enter a value between 1 and 14.

    Value

    Activities Logged

    1

    Successful actions

    2

    Failed actions

    4

    Security-relevant actions

    8

    Security violations

    To log a combination of these actions for a mix number or list of mix numbers, enter the sum of the values of the actions to be logged. Entering <mix number> LG 15 has the same effect as entering <mix number> LG.

    For example, to log security-relevant actions and security violations for mix number 4763, add 4 (security-relevant actions) and 8 (security violations) and use the sum, 12, in the LG command as follows:

    4763 LG 12

  • To return logging for a mix number or mix numbers to the system standard procedure, enter 0 for the <action> value. For example, to return logging for mix number 4763 to the system standard, enter the following command:

    4763 LG 0

LOGGING (Logging Options) System Command

The LOGGING command enables you to designate or interrogate the events and system actions that are included in the SYSTEM/SUMLOG and the job file.

The features of the LOGGING command can be accessed from the LOG screen in MARC. When you select CMM (for logging of individual minor types) or CM (for major types), you are presented with a series of screens.

Note: The LOGGING command can be used to inquire and make changes to the logging configuration. Security Center also provides this functionality as part of the System Policy definition, which is the preferred way to make changes to the logging configuration.

Syntax

── LOGGING ─┬────────────────────────────────────────────────────┬─────┤
            │ ┌◄────────────────────── ; ──────────────────────┐ │
            ├─┴─<major>─┬──────────────┬─┬───────────────────┬─┴─┤
            │           └─ , ──<minor>─┘ └─<log option list>─┘   │
            ├─┬─ DEFAULT ─┬──────────────────────────────────────┤
            │ └─ * ───────┘                                      │
            ├─ MINIMAL ──────────────────────────────────────────┤
            └─ ALL ──────────────────────────────────────────────┘

<major>

──<integer>────────────────────────────────────────────────────────────┤

<minor>

──<integer>────────────────────────────────────────────────────────────┤

<log option list>

  ┌◄─────────── , ───────────┐
──┴─┬───────────┬─┬─ ALL ──┬─┴─────────────────────────────────────────┤
    ├─ SUMLOG ──┤ └─ NONE ─┘
    ├─ SUM ─────┤
    ├─ JOBFILE ─┤
    └─ JOB ─────┘

Explanation

You can use the LOGGING command to

  • Designate major and minor types of SUMLOG entries to be logged.

  • Interrogate whether specific major and minor types are currently being logged.

The LOGGING command can designate or interrogate logging for the SUMLOG and the job file.

Major and Minor Types

You can use the

  • <major> syntax to designate the major log type

  • <minor> syntax to designate the minor log type

When you designate only <major>, the command applies to all the minor log types under that major type.

When logging has been designated for the entire major type, interrogating the setting of a particular minor type of the major type returns the logging for the major type. For example, if LOGGING 5 ALL was designated previously, the response to LOGGING 5,7 is as follows:

No Minor Type 5,7. Logging 5 All

If logging was previously specified for a major type and you then designate logging for a particular minor type of that major type, doing so causes the logging of all the greater minor types of the major type to become unspecified.

When a minor type is unspecified, it is logged in both the SUMLOG and the job file. For example, the first of the following commands logs all of major type 11 in the SUMLOG only; the second then reverses that for minor type 14, which is logged in the job file only:

LOGGING 11 SUMLOG ALL, JOBFILE NONE
LOGGING 11, 14 SUMLOG NONE, JOBFILE ALL

When this occurs, logging for major type 11 minor types 15, 16, 17, and so on becomes unspecified. Minor types 15, 16, 17, and so on are therefore logged in both the SUMLOG and the job file, even though the first command had excluded major type 11 from the job file.
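The precedence rules above are easy to misread, and the side effect on greater minor types matters when the intent was to suppress job-file logging. The following is an added example, not MCP or Unisys code: a small model of the documented behaviour that lets an administrator predict the result of a sequence of LOGGING commands before transmitting them at the ODT. It assumes the minor types under each major type are numbered 1..n with n supplied by the caller (a constructed parameter, not a value from the page), and it assumes that a log option list naming only one destination leaves the other unchanged, which the page does not state.

```python
import re

# An "unspecified" minor type is logged in both the SUMLOG and the job file.
UNSPECIFIED = ("All", "All")


def _merge(current, opts):
    """Apply a parsed <log option list> to a (sumlog, jobfile) pair. A destination
    the option list did not name is left unchanged (an assumption of this model)."""
    return (opts[0] or current[0], opts[1] or current[1])


def parse_options(text):
    """Parse '<log option list>': comma-separated items, each
    [SUMLOG|SUM|JOBFILE|JOB] ALL|NONE; a bare ALL or NONE names both destinations.
    Returns (sumlog, jobfile), with None for a destination that was not named."""
    sumlog = jobfile = None
    for item in text.split(","):
        m = re.fullmatch(r"\s*(SUMLOG|SUM|JOBFILE|JOB)?\s*(ALL|NONE)\s*", item.upper())
        if not m:
            raise ValueError("bad log option: %r" % item)
        target, value = m.group(1), m.group(2).capitalize()   # "All" / "None"
        if target is None:
            sumlog = jobfile = value
        elif target.startswith("SUM"):
            sumlog = value
        else:
            jobfile = value
    return sumlog, jobfile


def render(setting):
    """Format a (sumlog, jobfile) pair the way the ODT response does."""
    sumlog, jobfile = setting
    return sumlog if sumlog == jobfile else "Sumlog %s, Jobfile %s" % (sumlog, jobfile)


class LoggingModel:
    """Per major type, either one setting for the whole major type
    ('major', (sumlog, jobfile)) or a per-minor table ('minor', {n: setting or None});
    None in the table marks an unspecified minor type."""

    def __init__(self, minors_per_major):
        self.minors = minors_per_major   # constructed: number of minor types per major type
        self.majors = {}

    def _current(self, major, minor):
        kind, data = self.majors.get(major, ("minor", {}))
        return data if kind == "major" else (data.get(minor) or UNSPECIFIED)

    def designate(self, major, minor, opts):
        if minor is None:
            # Whole major type: replaces any per-minor table.
            kind, data = self.majors.get(major, ("minor", {}))
            base = data if kind == "major" else UNSPECIFIED
            self.majors[major] = ("major", _merge(base, opts))
            return
        # One minor type: lesser minors keep their present setting, this minor
        # takes the new one, and every greater minor becomes unspecified.
        table = {n: self._current(major, n) for n in range(1, minor)}
        table[minor] = _merge(self._current(major, minor), opts)
        for n in range(minor + 1, self.minors[major] + 1):
            table[n] = None
        self.majors[major] = ("minor", table)

    def interrogate(self, major, minor):
        kind, data = self.majors.get(major, ("minor", {}))
        if minor is not None:
            if kind == "major":   # the page's "No Minor Type 5,7. Logging 5 All"
                return "No Minor Type %d,%d. Logging %d %s" % (major, minor, major, render(data))
            return "Logging %d,%d %s" % (major, minor, render(data.get(minor) or UNSPECIFIED))
        if kind == "major":
            return "Logging %d %s" % (major, render(data))
        return "Logging " + ";".join(
            "%d,%d %s" % (major, n, render(data.get(n) or UNSPECIFIED))
            for n in range(1, self.minors[major] + 1))

    def command(self, line):
        """Apply or interrogate one LOGGING <major>[,<minor>] [<log option list>]
        command; returns the response text ('' for a designation)."""
        m = re.fullmatch(r"\s*LOGGING\s+(\d+)(?:\s*,\s*(\d+))?(?:\s+(.*\S))?\s*", line, re.I)
        if not m:
            raise ValueError("unsupported command: %r" % line)
        major = int(m.group(1))
        minor = int(m.group(2)) if m.group(2) else None
        if m.group(3) is None:
            return self.interrogate(major, minor)
        self.designate(major, minor, parse_options(m.group(3)))
        return ""


if __name__ == "__main__":
    model = LoggingModel({5: 10, 11: 17})        # constructed minor-type counts
    model.command("LOGGING 5 ALL")
    print(model.command("LOGGING 5,7"))          # No Minor Type 5,7. Logging 5 All
    model.command("LOGGING 11 SUMLOG ALL, JOBFILE NONE")
    model.command("LOGGING 11,14 SUMLOG NONE, JOBFILE ALL")
    print(model.command("LOGGING 11"))           # 11,15 and above come back "All"
```

Running the two major type 11 commands from the text through the model shows minor types 1 through 13 still at "Sumlog All, Jobfile None", minor type 14 at "Sumlog None, Jobfile All", and 15 through 17 at "All", which is the job-file leak the text warns about.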

Log Option List

When you enter LOGGING without <log option list>, the command returns the following:

  • Pairs of integers, indicating specific major and minor types

  • Information about whether the pairs are currently logged in the SYSTEM/SUMLOG and the job file.

If logging for a minor type is the same for both the SUMLOG and the job file, the LOGGING command returns a single “All” or “None” for that minor type.

If logging for the SUMLOG differs from that for the job file, the LOGGING command returns “All” or “None” separately for each destination, for example “Sumlog None, Jobfile All.”

Examples

  • The following command returns all the minor types, organized by major type, specifying for each minor type whether it is logged in the SUMLOG and whether it is logged in the job file:

    LOGGING
  • The following command returns all the minor types for major type 4 (MCS entry), specifying for each minor type whether it is logged in the SUMLOG and whether it is logged in the job file:

    LOGGING 4

    The response might resemble the following:

    Logging  4,1 All;4,2 All;
             4,3 None;4,4 Sumlog None, Jobfile All;
             4,5 None;4,6 All;4,7 All;4,8 None;
             4,9 Sumlog All, Jobfile None;4,10 None;
             4,11 All
  • The following command returns, for major type 4 (MCS entry) minor type 1 (log-on entry), whether it is logged in the SUMLOG and whether it is logged in the job file:

    LOGGING 4,1
  • The following command specifies that minor type 4 (security violation) under major type 6 (miscellaneous entry) is to be logged in the SUMLOG and in the job file:

    LOGGING 6,4 SUM ALL,JOB ALL

    When you designate logging for a particular minor type of a major type, all greater minor types of that major type become unspecified and are therefore logged in both the SUMLOG and the job file.

  • The following command resets the current logging options specification to the system default value:

    LOGGING *

    To see what the system defaults are, transmit LOGGING *, which puts the system logging defaults into effect, and then transmit LOGGING, which returns the current logging specifications. Because LOGGING * discards your previous settings, you must then re-specify any logging options you want to be other than the system defaults.

  • The following command resets the current logging options specification to the system minimal default value:

    LOGGING MINIMAL

    To see what the minimal defaults are, transmit LOGGING MINIMAL, which puts the minimal logging defaults into effect, and then transmit LOGGING, which returns all the current logging specifications. Because LOGGING MINIMAL discards your previous settings, you must then re-specify any logging options you want to be other than the minimal defaults.

  • The following command specifies that all the minor types of all the major types are to be logged in both the SUMLOG and the job file:

    LOGGING ALL

    LOGGING queries entered by a SYSTEMUSER or SYSADMIN user from the Action line of a MARC screen produce a response that differs from the response returned at an ODT. The MARC response indicates activities logged for the type. A plus sign (+) indicates an activity is logged, and a minus sign (–) indicates an activity is not logged.

    For example, the MARC response to LOGGING 4 looks like the following:

    Response returned at 01:35 PM:
    
                                              Success  Failure  Relevant  Violation
    MCS Entries (4)
       Session log-ons (4,1)....         Sum:    +        +        +          +
                                         Job:    +        +        +          +
       Session log-offs (4,2)...         Sum:    +        +        +          +
                                         Job:    +        +        +          +
       MCS Messages (4,4).....           Sum:    +        +        +          +
                                         Job:    +        +        +          +
       MCS Time Accrual (4,5)...         Sum:    +        +        +          +
                                         Job:    +        +        +          +
       MCS Security Violations (4,6)     Sum:    +        +        +          +
                                         Job:    -        -        -          -
       MCS Station Application (4,7)     Sum:    +        +        +          +
                                         Job:    -        -        -          -
       Remote Window Open/Close (4,8)    Sum:    -        -        -          -
                                         Job:    -        -        -          -
       Window Open/Close (4,9)...        Sum:    -        -        -          -
                                         Job:    -        -        -          -
       Direct Window Open/Close (4,10)   Sum:    +        +        +          +
                                         Job:    -        -        -          -
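The ODT and MARC responses above are what an auditor actually has to read to confirm that the events they depend on are reaching the SUMLOG. The following is an added example, not MCP or Unisys code: a parser for each response layout and a check that a chosen set of minor types is logged in the SUMLOG. Both sample responses are constructed in the page's layouts; the MARC values are made up so that the check finds something, and the set of required minor types is an assumed audit policy, not one the page states.

```python
import re

# Constructed sample of an ODT-form response to LOGGING 4, in the page's layout.
ODT_RESPONSE = """Logging  4,1 All;4,2 All;
         4,3 None;4,4 Sumlog None, Jobfile All;
         4,5 None;4,6 All;4,7 All;4,8 None;
         4,9 Sumlog All, Jobfile None;4,10 None;
         4,11 All"""

# Constructed sample of a MARC-form response, in the page's layout; values are made up.
MARC_RESPONSE = """Response returned at 01:35 PM:

                                          Success  Failure  Relevant  Violation
MCS Entries (4)
   Session log-ons (4,1)....         Sum:    +        +        +          +
                                     Job:    +        +        +          +
   MCS Security Violations (4,6)     Sum:    +        +        +          -
                                     Job:    -        -        -          -
   Window Open/Close (4,9)...        Sum:    -        -        -          -
                                     Job:    -        -        -          -"""

COLUMNS = ("Success", "Failure", "Relevant", "Violation")

# Assumed audit policy: minor types that must be in the SUMLOG (names from the page's sample).
REQUIRED_IN_SUMLOG = {(4, 1): "Session log-ons", (4, 2): "Session log-offs",
                      (4, 6): "MCS Security Violations"}


def parse_odt(text):
    """ODT form: 'm,n All' | 'm,n None' | 'm,n Sumlog X, Jobfile Y', separated by ';'.
    Returns {(major, minor): {"Sumlog": bool, "Jobfile": bool}}."""
    body = re.sub(r"^\s*Logging\s+", "", text.strip(), flags=re.I)
    result = {}
    for entry in filter(None, (e.strip() for e in body.split(";"))):
        m = re.fullmatch(r"(\d+),(\d+)\s+(.*)", entry)
        if not m:
            raise ValueError("unparseable entry: %r" % entry)
        key, state = (int(m.group(1)), int(m.group(2))), m.group(3)
        pair = re.fullmatch(r"Sumlog\s+(All|None),\s*Jobfile\s+(All|None)", state)
        if pair:
            result[key] = {"Sumlog": pair.group(1) == "All", "Jobfile": pair.group(2) == "All"}
        elif state in ("All", "None"):
            result[key] = {"Sumlog": state == "All", "Jobfile": state == "All"}
        else:
            raise ValueError("unknown state %r for %s" % (state, key))
    return result


def parse_marc(text):
    """MARC form: a '(m,n)' label line carrying the Sum: row, then a Job: row;
    '+' means logged. Returns {(major, minor): {"Sum": {col: bool}, "Job": {col: bool}}}."""
    result, key = {}, None
    for line in text.splitlines():
        label = re.search(r"\((\d+),(\d+)\)", line)
        if label:
            key = (int(label.group(1)), int(label.group(2)))
            result[key] = {}
        row = re.search(r"\b(Sum|Job):\s*((?:[+-]\s*){4})$", line.rstrip())
        if row and key is not None:
            flags = re.findall(r"[+-]", row.group(2))
            result[key][row.group(1)] = dict(zip(COLUMNS, (f == "+" for f in flags)))
    return result


def audit_odt(parsed):
    """Required minor types that an ODT response shows as not logged in the SUMLOG."""
    return sorted(k for k in REQUIRED_IN_SUMLOG if not parsed.get(k, {}).get("Sumlog", False))


def audit_marc(parsed):
    """(minor type, column) pairs where a required type's Sum: row shows '-',
    or (minor type, 'missing') when the response did not list it at all."""
    gaps = []
    for key in sorted(REQUIRED_IN_SUMLOG):
        sum_row = parsed.get(key, {}).get("Sum")
        if sum_row is None:
            gaps.append((key, "missing"))
            continue
        gaps.extend((key, col) for col in COLUMNS if not sum_row[col])
    return gaps


if __name__ == "__main__":
    print("ODT gaps: ", audit_odt(parse_odt(ODT_RESPONSE)))
    print("MARC gaps:", audit_marc(parse_marc(MARC_RESPONSE)))
```

The MARC form is the more useful one to check, because it exposes the per-activity columns: in the constructed sample, MCS Security Violations (4,6) reaches the SUMLOG for successes, failures and security-relevant actions but not for the Violation column, which a plain "All"/"None" reading of the ODT form would not reveal.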

Selective SUMLOG Access

You can use the System Data Access (SDA) support library to limit a nonprivileged user's SUMLOG access to the following log records:

  • All log records produced by actions the user took on the system except for actions that were security violations, such as an attempt to log on with an incorrect usercode/password combination

  • Maintenance records, except for those records containing file names

  • Halt/load records

The effect of the SDA support library is to grant the nonprivileged user access to log records relating to his or her legitimate work on the system, and access to certain other records that are not considered sensitive.