Control-D Audit Service
Overview
Many IT customers require a method for tracking events related to their IT processes and consequently to the business information produced. These audited events include user actions performed interactively on business reports and changes performed internally by Control-D and Control-V to the business information that it maintains and processes. The auditing option enables tracking user actions and changes to reports, providing the audit information to designated users for analysis.
The audit service is used for logging events in a central storage. Logging event information can be useful for:
- tracking user actions
- tracking system actions defined by user
- tracking workflow and history reports
- making Control-D SOX compliant
Actions can be created by:
- Users of mainframe online facilities
- Administrators System facilities
- Users of Control-D/WebAccess either through the regular screens or Control-D/CITKit
- Control-D and Control-V components
At a customer site, events can be reported from several MVS images, multiple IOA and Control-D components, and multiple Control-D/WebAccess servers, but all events are stored in the same storage. Centralizing the events information allows analyzing the data from a single data source.
If the Control-D and IOA components run on different MVS images, their audit sysouts must be available for processing by one of the Control-D monitors. A common spool or Sysplex facility is required for this purpose. For more information, see Running Multiple Monitors Using Sysplex Support.
The audit reports can be delivered to the specified recipients. All parameters for the reports are defined by the administrator in the audit decollation mission. Periodically, unnecessary audit reports are deleted by the CTDDELRP utility. The audit reports can be viewed with the U-screen, Control-D/WebAccess, and KSL commands and options.
Running the auditing service
The general procedure involves the following steps:
- Prepare the auditing service by
  - configuring the AUDTPARM member so the required audit information is generated
  - creating a set of decollation and printing missions, included in the NEWDAY procedure, that will collect the audit data
  - specifying audit reports in the Housekeeping procedures
- Activate the auditing service
The following sections describe these steps in detail.
Preparing the auditing service
The following preparations are required:
- Customize the AUDTPARM member in the PARM library to configure the auditing service for your system. In the AUDTPARM member you
  - define audit SYSOUTs parameters
  - define audit events
    Each event consists of an action, such as Create or Print, an entity, and an audit level, by which you specify which event records are written to the audit SYSOUT. A user can define several levels of auditing in several EVENT blocks with different levels. However, only the level specified in the LEVEL block by LEVELA is active.
  - specify which missions collect and combine the audit information
    This specification prevents the events of the audit missions from being included in the audit report.

  For more information, see Example 2 - AUDTPARM member.
- Create a decollation mission to collect audit SYSOUTs produced during a specific period. This decollation mission processes the SYSOUTs and creates many reports (one report for each SYSOUT) and stores the intermediate reports in the Control-D repository. See Example 3 - Decollation mission for collecting audit SYSOUTs.
- Create a printing mission to create one SYSOUT. This printing mission combines the many intermediate reports stored in the Control-D repository and prints one audit SYSOUT for a specified period. See Example 4 - Audit print mission.
- Create a decollation mission to create one audit report for a specific period. This decollation mission processes the audit SYSOUT produced by the printing mission and creates an audit report for a specified period, storing it in the Control-D repository. Control-V indexes can be created with this decollation mission to provide efficient access to the audit information. See Example 5 - Decollation mission for storing audit report.
- Specify the audit reports in the Housekeeping procedures (Backup and Migrate missions, CTDDELRP, CTVCLMIG, CTDCLHST utilities).
Table 346 AUDTPARM parameters
Block | Parameter | Description |
---|---|---|
SYSOUT | PORTION | Maximum number of events in one SYSOUT |
 | INTERVLA | Maximum time interval between SYSOUTs in HHMMSS format |
 | CLASSA | Audit CLASS |
 | EXTWTR | External writer name |
 | DEST | Printing destination for the audit reports |
 | FORM | Printing FORM for the audit reports |
 | DECMIS | Specifies the audit decollation missions group. This specification prevents the events of the audit decollation mission from being included in the audit report. |
LEVEL | LEVELA | Audit level. The level can be one of the following: 0 (disables the audit service), or one of the LEVELE values used by the event definitions in the EVENT blocks |
EVENT | LEVELE | Specifies the level of the event. Events defined with the same level will be registered together for auditing. It is possible to define multiple EVENT blocks with the same LEVELE value. All of the events defined in these EVENT blocks are active if the same value that is specified for LEVELE is also specified for LEVELA. |
 | ACTION | Specifies a list of actions (operations), which will be registered for auditing if they are associated with one of the entities specified in the event definition (in the same EVENT block). The valid associations between the actions and entities appear in Event List. The valid action values are: |
 | ENTITY | Specifies a list of entities, which will be registered for auditing if they are associated with one of the actions specified in the event definition (in the same EVENT block). The valid associations between the actions and entities appear in Event List. The valid entity values are: |
Activating the auditing service
To activate the auditing service
- In the AUDTPARM member, specify the current audit level by setting the LEVELA parameter, in the LEVEL block, to the required audit level number. If LEVELA=0, no auditing will be performed.
- Restart all the Control-D and IOA online components.
Event record structure
The event record, which is automatically stored in the audit database as a result of an action, contains the following information:
- Basic event information has a common structure for all the events (see the Event List). For example, an event, event time, and user name.
- Detailed event information includes additional data fields that vary according to the event. For example, a ruler name.
Basic event information
Table 347 Basic event information
Field | Description |
---|---|
Event date and time | The event timestamp |
Event | Consists of the event action and the entity type. To know which associations between the possible actions and entities are valid, see the Event List. |
Owner type | The following two types of owners can perform audit actions: |
Owner name | The name of the event owner: either the ID of the logged-in user or the component name in the case of a system event. |
Session ID | User Login Session Event Identification |
Entity ID | Entity Identification |
Event description | Free text describing the event nature. For example, message code for unauthorized requests. |
Event status | Event return code (including unauthorized request) |
Event List
The following table, by showing the valid associations between the possible actions and entities, shows which events are possible to specify in AUDTPARM and to expect in the audit reports. In addition, the components, which are related to the entity types, are displayed. The table is divided into functional categories, such as security and housekeeping.
Table 348 Event list
Action | Entity type | Component |
---|---|---|
Security | | |
Create (Login) | Session | IOA online, IOA online monitor, Control-D Application Server |
Delete | | |
Preparation | | |
Create | Mission | R-screen, M-screen |
Update | | |
Copy | | |
Delete | | |
Order (including Force) | | |
Create | Member | R-screen, M-screen |
Update | | |
Delete | | |
Add | Default report | U-screen (Permanent) |
Update | | |
Delete | | |
Create | Tree | T-screen, CTDUPTR utility |
Update | | |
Delete | | |
Create | Element | T-screen, CTDUPTR utility |
Update | | |
Copy | | |
Delete | | |
Decollation | | |
Create | Report | Control-D monitor |
Create | Sysdata | |
Create | Index | |
Print with STORE=Y | Report | Control-D monitor |
Report Viewing | | |
Create | Ruler | U-screen |
Update | | |
Delete | | |
Create | Ruler (including Logical View) | Control-D Application Server, Control-D/WebAccess |
Update | | |
Delete | | |
View | Report | U-screen, Control-D Application Server, Control-D/WebAccess |
Report Update | | |
Copy (Give To) | Report | U-screen, Control-D Application Server, Control-D/WebAccess |
Move | Report | Control-D Application Server, Control-D/WebAccess |
Delete | Report | U-screen, Control-D Application Server, Control-D/WebAccess |
Update | | |
Update | Sysdata | U-screen |
Create | Note | U-screen, Control-D Application Server, Control-D/WebAccess |
Printing | | |
Print (Immediate) | Report | U, P-screen, Control-D Application Server, Control-D/WebAccess |
Deferred print | | |
Print (including special destinations and excluding STORE=Y) | Report | Control-D Print monitor |
Create (Print STORE=Y) | Report | Control-D Print monitor |
Create (Print STORE=Y) | Sysdata | |
Create (Print STORE=Y) | Index | |
Local print | Report | Control-D Application Server, Control-D/WebAccess |
Local save | | |
Housekeeping | | |
Restore request | Report | U-screen |
Update (No Restore) | | |
Backup | Sysdata | Backup job |
Migrate | Sysdata | Migration job |
Restore | Sysdata | Restore job |
Restore | Report | Restore job |
Backup | Report | CTDDELRP Utility |
Delete | Report | CTDDELRP Utility, CTVCLMIG Utility, CTDCLHST Utility |
Delete | Sysdata | |
Delete | Data_set | |
Detailed event information
Detailed event information consists of several data fields that are attached to the basic event information only when additional event data is required. The list of fields varies according to the event. For example, for the Report View event, the additional required fields include the Report ID, the Report Name, the Report Type, and information about report manipulation and filtering data such as Index path and Logical View. The available additional fields that are associated with each event are predefined and constant.
Audit Examples
This section contains the following examples that illustrate audit reports, the AUDTPARM member, and auditing missions:
- Audit report, Example 1a, records three events reported after the Control-D monitor decollated the BANKING REPORT.
- Audit report, Example 1b, records four events reported after the end user viewed, updated, and printed the BANKING REPORT under separate TSO sessions.
Audit report, Example 1a, records three events reported after the Control-D monitor decollated the BANKING REPORT.
- Shows the top of the report beginning with the following fields: VERSION=,COMPUTER=,SOURCE=,DATE=. The section contains data for the following fields: Event timestamp, Action, Entity, and Owner.
- Example 1a - Audit report (Continuation 1): Shows data for the following fields: Report, ODate, Category, User, Job, JID/Rul, DSN/Backup, and Time ID
- Example 1a - Audit report (Continuation 2): Shows data for the following fields: Type, Status, Loc, #cops, Missions Dest
- Example 1a - Audit report (Continuation 3): Shows data for the following fields: #pag/frp, #lin/top, Mis/Dec time, Job start time, Module, Act status
- Example 1a - Audit report (Continuation 4): Shows data for the following fields: Dscr Session ID, Entity ID
- Example 1a - Audit report (Continuation 5): Shows data for the following fields: Rel ID, Mis category, Mis ODate
- Example 1a - Audit report (Continuation 6): Shows data for the following fields: Mis RBA Key fields
VERSION='01',COMPUTER='MVS3',SOURCE='IOAR900',DATE='2009-12-03 8:20:38'
Event timestamp Action Entity Owner
_______________________________________________________________________
2009-12-03 8:20:38 Create Sysdata S DECMON4
2009-12-03 8:20:38 Create Index S DECMON4
2009-12-03 8:20:38 Create Report S DECMON4
Example 1a - Audit report (Continuation 1)
Report ODate Category User Job JID/Rul
DSN/Backup Time ID
Note name
Member Type Mission
CTD.D70.I900INR.J68988.D3371020.S94.N001B00 I900INR 368988
BANKING REPORT
BANKING REPORT 2015-12-03 DAILY MKT I900INR 368988
Example 1a - Audit report (Continuation 2)
Type Status Loc #cops Missions Dest C
#day
Page Line Column #vers
Library DSN
A BKPMIS MIGMIS T
Wait print A 0001 PRTMIS AAA T
Example 1a - Audit report (Continuation 3)
#pag/frp #lin/top Mis/Dec time Job start time Module Act status
CTDRPUF OK
CTDRPUF OK
1 525 2009-12-03 8:20:36,465 2009-12-03 8:20 CTDRPUF OK
Example 1a - Audit report (Continuation 4)
Dscr Session ID Entity ID
C52DEF32B9646684 $SYSDATAI900INR C52DEF34FF822884
C52DEF32B9646684 $INDEXI900INR C52DEF34FF8228840001
C52DEF32B9646684 MKT I900INR C52DEF35165E4C06
Example 1a - Audit report (Continuation 5)
Rel ID 1 Mis category Mis ODate
$SYSDATAI900INR C52DEF34FF822884
$SYSDATAI900INR C52DEF34FF822884
Example 1a - Audit report (Continuation 6)
Mis RBA Key fields
DS='CTV.CTV70.I900INR.C09337.T102036.M4A96'
000037
Audit report, Example 1b, records four events reported after the end user viewed, updated, and printed the BANKING REPORT under separate TSO sessions
- Shows the top of the report beginning with the following fields: VERSION=,COMPUTER=,SOURCE=,DATE=. The section contains data for the following fields: Event timestamp, Action, Entity, and Owner.
- Example 1b - Audit report (Continuation 1): Shows data for the following fields: Report, ODate, Category, User, Job, JID/Rul, DSN/Backup, and Time ID
- Example 1b - Audit report (Continuation 2): Shows data for the following fields: Type, Status, Loc, #cops, Missions Dest
- Example 1b - Audit report (Continuation 3): Shows data for the following fields: #pag/frp, #lin/top, Mis/Dec time, Job start time, Module, Act status
- Example 1b - Audit report (Continuation 4): Shows data for the following fields: Dscr Session ID, Entity ID
- Example 1b - Audit report (Continuation 5): Shows data for the following fields: Rel ID, Mis category, Mis ODate
- Example 1b - Audit report (Continuation 6): Shows data for the following fields: Mis RBA Key fields
VERSION='01',COMPUTER='MVS3',SOURCE='IOAR900',DATE='2009-12-03 9:28:46'
Event timestamp Action Entity Owner
_______________________________________________________________________
2009-12-03 9:28:46 Create Session U Q23
2009-12-03 9:28:58 View Report U Q23
2009-12-03 9:28:58 Update Report U Q23
2009-12-03 9:29:32 Print Report U Q23
2009-12-03 9:29:35 Delete Session U Q23
Example 1b - Audit report (Continuation 1)
Report ODate Category User Job JID/Rul
DSN/Backup Time ID
Note name
Member Type Mission
TSO
BANKING REPORT 2009-12-03 DAILY MKT I900INR
BANKING REPORT 2009-12-03 DAILY MKT I900INR
BANKING REPORT 2009-12-03 DAILY MKT I900INR DEFAULT
TSO
Example 1b - Audit report (Continuation 2)
Type Status Loc #cops Missions Dest C
#day
Page Line Column #vers
Library DSN
A
A
A 0001 M
Example 1b - Audit report (Continuation 3)
#pag/frp #lin/top Mis/Dec time Job start time Module Act status
IOATBMN OK
IOATOLV OK
CTDTFRM OK
1 5 CTDDPR OK
IOATBMN OK
Example 1b - Audit report (Continuation 4)
Dscr Session ID Entity ID
C52DFE6F427FA084
C52DFE6F427FA084 MKT I900INR C52DEF35165E4C06
C52DFE6F427FA084 MKT I900INR C52DEF35165E4C06
C52DFE6F427FA084 MKT I900INR C52DEF35165E4C06
C52DFE6F427FA084
Example 1b - Audit report (Continuation 5)
Rel ID 1 Mis category Mis ODate
Example 1b - Audit report (Continuation 6)
Mis RBA Key fields
Exec remark='Good',OLD_Exec remark=''
Example 2 - AUDTPARM member
The following AUDTPARM member code sample defines the following audit configuration:
- The Control-D and IOA components issue an audit SYSOUT report every hour or if the audit report contains 10,000 events.
- The audit SYSOUT has the following parameters:
  - CLASS=A
  - EXTWTR=AUDIT
  - DEST=AUDIT
  - FORM=AUDT
- Any decollation mission in which AUDIT is specified for the GROUP parameter will not be registered.
- The following three levels of audit are defined:
  - Level 1 allows report viewing, e-mailing, saving, and printing, and all note actions to be registered.
  - Level 2 allows all actions with reports, notes, missions, and members to be registered.
  - Level 3 allows all actions to be registered.
- The current audit level is 2.
*-------------------------------------
* Audit sysout
*-------------------------------------
SYSOUT PORTION=10000, Max # of events in one sysout
INTERVLA=010000, Max interval HHMMSS between sysouts
CLASSA=A, Class
EXTWTR=AUDIT, External Writer name
DEST=AUDIT, Destination
FORM=AUDT, Form
DECMIS=AUDIT Specific Decollation missions group
*-------------------------------------
* Audit level
*-------------------------------------
LEVEL LEVELA=2 Audit level or 0
*-------------------------------------
*-------------------------------------
* Audit events level 1
*-------------------------------------
EVENT LEVELE=1, Level of events
ACTION=(View,Print,Defer_print,
Local_print,Local_save,E-mail),
ENTITY=Report
EVENT LEVELE=1, Level of events
ACTION=ALL,
ENTITY=Note
*-------------------------------------
* Audit events level 2
*-------------------------------------
EVENT LEVELE=2, Level of events
ACTION=ALL,
ENTITY=(Report,Note,Mission,Member)
*-------------------------------------
* Audit events level 3
*-------------------------------------
EVENT LEVELE=3, Level of events
ACTION=ALL,
ENTITY=ALL
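The following Python sketch is an added example, not BMC code and not part of the original page. It parses an AUDTPARM member (abridged from Example 2) and reports which required events the active LEVELA does not record, matching EVENT blocks to LEVELA by equal LEVELE as described above. The REQUIRED policy list, the function names, and the parsing rules (lines starting with * are comments, text after a value is a comment) are assumptions.

```python
import re

# AUDTPARM text abridged from the page's Example 2 (banner comments dropped).
AUDTPARM = """\
SYSOUT PORTION=10000, Max # of events in one sysout
LEVEL LEVELA=2 Audit level or 0
* Audit events level 1
EVENT LEVELE=1, Level of events
ACTION=(View,Print,Defer_print,
Local_print,Local_save,E-mail),
ENTITY=Report
EVENT LEVELE=1, Level of events
ACTION=ALL,
ENTITY=Note
EVENT LEVELE=2, Level of events
ACTION=ALL,
ENTITY=(Report,Note,Mission,Member)
EVENT LEVELE=3, Level of events
ACTION=ALL,
ENTITY=ALL
"""

BLOCK_NAMES = ("SYSOUT", "LEVEL", "EVENT")
# KEY=value or KEY=(v1,v2,...); trailing free-text comments contain no "=".
PAIR = re.compile(r"(\w+)=(\([^)]*\)|[^,\s]+)")

def parse_audtparm(text):
    """Return [(block_name, {param: [values]})] in file order."""
    raw = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("*"):      # blank or comment line
            continue
        head = line.split(None, 1)[0]
        if head in BLOCK_NAMES:                     # a new block starts here
            raw.append([head, ""])
            line = line[len(head):]
        elif not raw:
            raise ValueError("parameter outside any block: " + line)
        raw[-1][1] += " " + line                    # continuation of the block
    parsed = []
    for name, body in raw:
        params = {}
        for key, val in PAIR.findall(body):
            params[key] = [v.strip() for v in val.strip("()").split(",") if v.strip()]
        parsed.append((name, params))
    return parsed

def active_rules(parsed):
    """EVENT blocks whose LEVELE equals LEVELA; levels are not cumulative."""
    level = [p["LEVELA"][0] for n, p in parsed if n == "LEVEL"][-1]
    if level == "0":                                # LEVELA=0 disables auditing
        return []
    return [({a.lower() for a in p["ACTION"]}, {e.lower() for e in p["ENTITY"]})
            for n, p in parsed if n == "EVENT" and p["LEVELE"][0] == level]

def is_audited(rules, action, entity):
    return any(("all" in acts or action.lower() in acts) and
               ("all" in ents or entity.lower() in ents) for acts, ents in rules)

def audit_gaps(text, required):
    """Required (action, entity) pairs that the active level does not record."""
    rules = active_rules(parse_audtparm(text))
    return [pair for pair in required if not is_audited(rules, *pair)]

# Hypothetical site policy; names follow the spelling in the page's event list.
REQUIRED = [("Create", "Session"), ("Delete", "Session"),
            ("View", "Report"), ("Delete", "Report"), ("Update", "Mission")]

print("LEVELA=2 does not record:", audit_gaps(AUDTPARM, REQUIRED))
```

With the sample at LEVELA=2, the session login and logout events are the unrecorded ones, because Session is not in the level 2 ENTITY list; switching to LEVELA=1 also drops Delete Report and Update Mission.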
Example 3 - Decollation mission for collecting audit SYSOUTs
The audit decollation mission code sample below collects the audit SYSOUTs that are generated by different Control-D and IOA components. Every day, this generic mission runs continuously, selecting any SYSOUT from CLASS A that has the following parameters (as they are defined in AUDTPARM):
- EXTWTR=AUDIT
- DEST=AUDIT
- FORM=AUDT
This mission creates intermediate audit reports and sets the AUDIT print mission for them.
The GROUP parameter is set to AUDIT, preventing the actions of this mission from being included in the audit report registration.
Audit decollation mission code sample for collecting audit SYSOUTs
CATEGORY AUDIT_COLLECTION JOBNAME * GENERIC Y MONITOR 1
OWNER ADMIN TASKTYPE REP GROUP AUDIT JOBID
DESC DAILY AUDIT COLLECTION
DESC
===========================================================================
DAYS ALL DCAL
AND/OR
WDAYS WCAL
MONTHS 1- Y 2- Y 3- Y 4- Y 5- Y 6- Y 7- Y 8- Y 9- Y 10- Y 11- Y 12- Y
DATES
CONFCAL SHIFT RETRO N MAXWAIT 00
MINIMUM PDS
===========================================================================
IN
WHEN IN QUEUE CLS TIME FROM UNTIL INTERVAL PRIORITY
DSN
===========================================================================
OUT
SHOUT WHEN TO URG
MSG
===========================================================================
DEF COPIES LVL USER DEST MAX COPIES
===========================================================================
ON CLASS = A EXTWTR AUDIT DEST AUDIT FORM AUDT
PRT COPIES LVL USER DEST MAX COPIES
PRINT/CDAM PARMS =
DO
WHEN LINE - COL - PRINT REF NXT CT AND/OR
STRING =
DO USER = AUDITOR LVL LINE COL -
S N T B SYNONYM = CONCAT =
DO NAME = AUDIT SINGLE REPORT
DO PRINT = AUDIT MUST =
Example 4 - Audit print mission
The code sample of an audit print mission below consolidates the intermediate audit reports into one SYSOUT. This print mission runs under the main print monitor (MONITOR set to 1) immediately after the new day procedure. The mission issues one consolidated audit SYSOUT into CLASS B based on the intermediate audit reports created during the previous day. The SYSOUT has no banners (NOBANNER) and uses existing control characters (ASIS-).
This SYSOUT has the following parameters:
- DEST=AUDIT
- EXTWTR=CONSOLID
- FORM=AUDT
The AUDIT-PRINT OUT condition is specified to start the audit decollation mission for the created SYSOUT.
Code sample of an audit print mission for consolidating the audit reports into one SYSOUT
CATEGORY ASIS-,NOBANNER,AUDIT MISSION AUDIT MONITOR 1
OWNER ADMIN TASKTYPE PRT GROUP AUDIT
BATCH N SKELETON FREE CLOSE TIMEOUT
OVERRIDE CLASS B DEST AUDIT EXTWTR CONSOLID FORM AUDT
WRITER OPTION
DESC DAILY AUDIT CONSOLIDATION
DESC
===========================================================================
INCLUDE USER
EXCLUDE USER
SORT PARAMETERS: 1-USER 2-JOB 3-REPORT NAME 4-CATEGORY 5-LEVEL 6-TREE
7-FORMS 8-CHARS 9-MODIFY T-TIME/DATE E-USER DEFINED
ENTER SORT SEQ :
===========================================================================
DAYS DCAL
AND/OR
WDAYS WCAL
MONTHS 1- Y 2- Y 3- Y 4- Y 5- Y 6- Y 7- Y 8- Y 9- Y 10- Y 11- Y 12- Y
DATES
CONFCAL SHIFT RETRO N MAXWAIT 00
MINIMUM PDS
===========================================================================
IN
TIME FROM TO NOT LATER THAN PRIORITY
ON PAGE# ON LINE# INTERVAL
===========================================================================
OUT AUDIT-PRINT ODAT +
SHOUT WHEN TO URGN
MSG
PRINTER DEST CHUNKSIZE
ON FORM
REQUEST
===========================================================================
STORE BACKUP MIGRATE
Example 5 - Decollation mission for storing audit report
The code sample of an audit decollation mission below stores the audit report in the Control-D repository. This regular mission runs immediately after the audit print mission because of the AUDIT-PRINT IN condition. The mission processes the main print monitor SYSOUT (JOBNAME=CTDPRINT) from CLASS B, which has the following parameters (as they are defined in the audit print mission):
- EXTWTR=CONSOLID
- DEST=AUDIT
- FORM=AUDT
This mission creates an audit consolidated report with record level indexes. The indexes provide efficient access to the audit information. The GROUP parameter is set to AUDIT, preventing the actions of this mission from being included in the audit report registration. The AUDIT-PRINT condition is deleted.
Code sample of an audit decollation mission for storing the audit report
CATEGORY AUDIT_REPORTING JOBNAME CTDPRINT GENERIC N MONITOR
OWNER ADMIN TASKTYPE REP GROUP AUDIT JOBID
DESC DAILY AUDIT REPORTING
DESC
===========================================================================
DAYS ALL DCAL
AND/OR
WDAYS WCAL
MONTHS 1- Y 2- Y 3- Y 4- Y 5- Y 6- Y 7- Y 8- Y 9- Y 10- Y 11- Y 12- Y
DATES
CONFCAL SHIFT RETRO N MAXWAIT 00
MINIMUM PDS
===========================================================================
IN AUDIT-PRINT ODAT
WHEN IN QUEUE CLS TIME FROM UNTIL INTERVAL PRIORITY
DSN
===========================================================================
OUT AUDIT-PRINT ODAT -
SHOUT WHEN TO URG
MSG
===========================================================================
DEF COPIES LVL USER DEST MAX COPIES
===========================================================================
ON CLASS = B EXTWTR CONSOLID DEST AUDIT FORM AUDT
PRT COPIES LVL USER DEST MAX COPIES
PRINT/CDAM PARMS =
DO
WHEN LINE - COL - PRINT REF NXT CT AND/OR
STRING =
DO USER = AUDITOR LVL LINE COL -
S N T B SYNONYM = CONCAT =
DO NAME = AUDIT CONSOLIDATED REPORT
DO INDEX = ENTITY M R G LINE +00000 COL 00034 - 00043
MASK = : RC Y LINE 00001 - 00100 COL 00015 - 00015
PRINT= TYPE
02 SUBINDX = NAME M LVL 02 LINE +00000 COL 00057 - 00076
MASK = : RC Y LINE 00001 - 00100 COL 00015 - 00015
PRINT= TYPE