Idea Details

Top Secret TSSUTIL Enhancement

Last activity 05-31-2019 01:53 AM
Josef Thaler's profile image
07-24-2015 01:16 AM

As a Security-Administrator I need easy, clear, handy and efficient reports or reporting-facilites of tss audit data.

 

To adress this need I use TSSUTIL, which is easy to execute.

 

But my approaches in interpreting the data contain several disadvantages:

 

(1) in "regular" TSSUTIL Output the ressource class in column "RESOURCE (TYPE & NAME)" is a single letter, and often a question mark  (meaning "NONPRINTABLE RESOURCE TYPE") which unclear and not unique, for example all DB2 ressourceclasses appear there as "?" and I have to "derive" the RESCLASS from the ressource-name. 

 

(2) using TSSUTIL with Option 'LONG' outputs a clear ressource-class and Long ressource-name, but there are usually two lines per event. Wenn I check / analyze / investigate such a report (e.g. by SDSF "SE" Action in the ISPF-Editor) I can not exclude lines, sort the output etc. in a meaningful manner - unhandy!

 

(3) using TSSUTIL with Option "LONG" and postprocessing to join the two lines to a single one is my current workaround. But output to a dataset, read, transform and write again wastes ressources - inefficient!

 

To adress the need and avoid the disadvantages I suggest to create an alternative TSSUTIL-Option to "LONG" (let's say "WIDE"), resulting in a report, which outputs all data fields (like with option 'LONG') in one - wider- line.

 

All your votes an alternative approaches to address the need described above are appreciated very much.        .       


Comments

02-24-2017 11:24 AM

Hello, what is the status of this idea?

 

Basically I agree with all enhancement requests here. Every customer has different needs for audit data. 

I´d go a step further.

I´d like to see a Report Option that produces human readable data similar TSSUTIL REPORT in  a single Line format, that is easy to process. Also Output Columns  should be selectable.  A WIDE Option for an enhanced report is good, but not flexible enough.

 

Or provide few Sort examples for postprocessing TSSUTIl SMF EXTRACT Data to create such reports.

 

Or can anybody else provide a few examples to postprocess such output   ?

08-30-2016 12:48 AM

Hello Josef,

 

completely agree. The comments show that old fashioned thinking is still present everywhere. Wasting time and energy (including CPU) for building a sort statement (or for the SMF extract) in order to get a _standard_ functionality is just outdated.

 

BTW: The long report (LONG keyword) may not consist of two lines only:

- it may have only one

- i may have 4 and more

per timestamp. Just for info...

 

Best regards!

09-04-2015 07:22 AM

Hello, I have a similar problem. TSSUTIL without LONG is limited to 26char resource. This is too short for datasets (19 char for dsn, 6 for volser)

With LONG keyword multiline the report is too ugly for simple processing.  Similar Extract Report

A TSSUTIL WIDE report is a very good idea

 

Basically we load data into db2. So output in db2-load format would be nice too.

 

I call tssutil in a rexx skript very often . An additional option EXCLSEC(xxxx) would be helpful e.g. EXCLSEC(USS) - no USS Events in Report

09-03-2015 01:26 PM

Hi Josef - As we discussed earlier, CA is taking this idea under review to see what is possible for an enhancement to the product. I've changed the status on this idea and as soon as I know more, I will update the community.

 

Many thanks for your idea and for everyone's comments! Please continue to vote and comment!!

-Kim

08-30-2015 01:35 AM

John,

In my first approach to TSSUTIL-EXTRACT and SORT I got the same impressions and thoughts as Don! Taking a closer look, now I know, that it's possible to process TSS-Audit-SMF-records by SORT, but it sounds quite challenging!

 

I think, an average audit-user and in this role an average TSO/zOS-User, needs to be an expert about the security events taking place in his installation. He should NOT have to be an expert in SORT(-Exits), SMF-Dataformats, field conversions etc.

 

Therefore and as a summary for this idea:

I do NOT need the Option "WIDE" in TSSUTIL.

What I am asking for (me and all other average Audit users) is an approach (="Report" in what form ever) to TSS-Audit-Data.

  1. which is clear (no question marks for unprintable resclass-abbreviations, all data in a reasonable character format)
  2. simple ("flat" file, one record per Event)
  3. and efficient (no intermediate steps, transformations, etc.)

 

I need this not only to look at the data, but also to further process them, for example

  • to transform the data to TSSSIM commands (context e.g. Make OK+B audit records audit-adequate )
  • to make TSS Admin commands (PER, REV, etc.) out of it
  • to transform and use them in EXCEL for a different presentation.
  • I'm sure, you have plenty of additional ideas for "post-processing" audit data.

 

I'm open for all solutions, which correspont to the above  3 criteria:

  • If the solution of CA Technologies is a new TSSUTIL-REPORT-Option "WIDE", I'll be satisfied, because this corresponds to all criteria above, beyond this, I could imagine, that this new Option only Needs a slight code-modification in TSSUTIL-REPORT-Output-coding.
  • If the solution of CA Technologies would be an TSSUTIL Option "FLAT" to produce a flat file with all the data of TSSUTIL-REPORT-LONG: brilliant, Give it to me!
  • If CA's soulution would be a sample E15-SORT-EXIT + sample JCL, which "prepares" the Audit data within SORT to a reasonable(!)  Format like in TSSUTIL-REPORT-LONG) and offers further processing by sort: superb, give it to me!
  • If CA's solution would be an EXTRACT as CSV-Data, (in the way this is already provided in CA Endevor Software Change Manager CSVUTIL): unbelievable, give it to me!
  • I'm sure CA Technologies could evaluate many other sollutions ...

 

Thank you for reading this longer post so far. This is my point of view. And I would really like to get to know CA's positioning,

Josef

08-28-2015 06:24 PM

Don,

 

The EXTRACT file consists of SMF type 80 records and its layout is mapped by the #SMF80 macro in distribution librtary CAKOMAC0.

 

It is not at all difficult to produce reports using nothing more than a TSSUTIL EXTRACT step followed by a SORT step.

 

John P. Baker

08-28-2015 05:53 PM

John -

 

     TSSUTIL EXTRACT produces an UGLY file - certainly not something that can be used w/out reformatting it.  TSSUSUTIL EXTRACT followed by TSSUTIL REPORT TERSE also creates an UGLY file, but at least CA-Earl can read it.  There are a few sample EARL reports shipped with TSS.

 

     I still like the idea of WIDE - why should I have to do the work when TSSUTIL already has (just not on one line)?

 

- Don

08-28-2015 01:16 PM

John,

thank you to bring my attention to EXTRACT command, I'll play around and will come back to it later,

Regards, Josef

08-28-2015 10:43 AM

Josef,

 

If you run TSSUTIL with the EXTRACT command, you can create an output file with one (1) record per event.

 

It is then easy to use the SORT utility to select, sort, and format the records to you heart's desire.

 

John P. Baker