rahul shanmuganatan
New User
Joined: 03 Jun 2016 Posts: 2 Location: kuwait
Hello All,
I have an audit requirement where I need to find the last login of a deleted userid.
We deleted the USERID 6 months back, but we need to know what the last login date of the deleted ID was.
If there is any way, kindly share.
Thanks again.
Rahul
expat
Global Moderator
Joined: 14 Mar 2007 Posts: 8796 Location: Welsh Wales
SMF data would be my first call
Type 30 if I remember correctly.
This should get the address space name and date and time it started.
Robert Sample
Global Moderator
Joined: 06 Jun 2008 Posts: 8700 Location: Dubuque, Iowa, USA
Or use type 32 SMF records, which record TSO activity.
nevilh
Active User
Joined: 01 Sep 2006 Posts: 262
Do you have zSecure (or equivalent) installed? If yes, just ask your RACF Administrator.
If not ... good luck.
vasanthz
Global Moderator
Joined: 28 Aug 2007 Posts: 1744 Location: Tirupur, India
Hi,
Quote:
Or use type 32 SMF records, which record TSO activity.
I understand SMF would have the data, but it would require processing a really large amount of data to get TSO activity.
It might be easier to look at SYSLOG data, if it is available, for the message,
Code:
$HASP373 <USERID> STARTED
However, if the user logs onto CICS directly without TSO, then SYSLOG might not have the CICS logon. Also, Type 30 might not capture CICS logon, I am not sure.
I think the surefire way is to process SMF type 80, to catch all types of logons like direct DB2 access, CICS logon, TSO etc.
Please correct me if I am wrong.
Regards,
Vasanth.S
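The SYSLOG check suggested in the post above, as an added sketch that is not part of the original thread: it scans an exported SYSLOG extract for `$HASP373 <USERID> STARTED` and returns the most recent start for an exact userid. The sample lines, their column layout, the userids, the function name `last_start` and the use of a `TSU` job-id prefix to pick out TSO sessions are assumptions made for illustration.

```python
import re
from datetime import datetime

# Constructed sample lines. Assumed layout: record type, routing codes,
# system name, Julian date (yyddd), time, job id, flags, message text.
SAMPLE_SYSLOG = """\
N 4000000 SYS1     15340 08:15:02.11 TSU04411 00000090  $HASP373 AUDUSR1  STARTED
N 4000000 SYS1     15340 08:16:40.57 JOB04412 00000090  $HASP373 PAYROLL1 STARTED - INIT 3    - CLASS A - SYS SYS1
N 4000000 SYS1     15341 17:42:19.80 TSU04590 00000090  $HASP373 AUDUSR1  STARTED
N 4000000 SYS1     15342 09:01:33.05 TSU04702 00000090  $HASP373 AUDUSR12 STARTED
N 4000000 SYS1     15342 09:05:10.00 TSU04702 00000090  $HASP395 AUDUSR12 ENDED
"""

LINE_RE = re.compile(
    r"\b(?P<date>\d{5})\s+(?P<time>\d{2}:\d{2}:\d{2}\.\d{2})\s+"
    r"(?P<jobid>\S+)\s+\S+\s+"
    r"\$HASP373\s+(?P<name>\S+)\s+STARTED\b"
)


def last_start(syslog_text, userid, tso_only=True):
    """Return (datetime, jobid) of the latest $HASP373 start, or None.

    The name is compared exactly, so AUDUSR1 does not match AUDUSR12.
    With tso_only=True, only job ids beginning with TSU are counted
    (assumption: TSO sessions carry that prefix), so a batch job that
    happens to share the name is not mistaken for a logon.
    """
    wanted = userid.upper()
    latest = None
    for line in syslog_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("name") != wanted:
            continue
        if tso_only and not m.group("jobid").startswith("TSU"):
            continue
        stamp = f"{m.group('date')} {m.group('time')}"
        when = datetime.strptime(stamp, "%y%j %H:%M:%S.%f")
        if latest is None or when > latest[0]:
            latest = (when, m.group("jobid"))
    return latest


if __name__ == "__main__":
    print(last_start(SAMPLE_SYSLOG, "AUDUSR1"))
```

A `None` result only means the extract holds no matching start message; it says nothing about logons made outside the retained SYSLOG period or through CICS.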
Robert Sample
Global Moderator
Joined: 06 Jun 2008 Posts: 8700 Location: Dubuque, Iowa, USA
Vasanthz, your approach would only work if the site retains the SYSLOG for more than 6 months; I'm not sure there's a lot of sites that do so. Most sites retain SMF records for quite a long time, but not SYSLOG. The topic started by asking about deleted userid, which I assume rules out CICS logons -- if not, then the answer becomes more complicated since the type 30 records do NOT include CICS logons.
Quote:
I understand SMF would have the data, but it would require processing a really large amount of data to get TSO activity.
Processing the type 80 SMF records would require more -- last week we generated 343 type 32 records and 4,982 type 80 records so almost 15 times the type 80 records compared to type 32. And the type 80 records require more analysis since you have to extract the correct event / code qualifiers.
vasanthz
Global Moderator
Joined: 28 Aug 2007 Posts: 1744 Location: Tirupur, India
Quote:
your approach would only work if the site retains the SYSLOG for more than 6 months;
Yes :-) It would work only if the user is lucky to have SYSLOG for the required duration. We have it archived in SAR for 1 year, which is the first point of investigation we use before going to SMF.
Thanks for the information Robert.
Quote:
Processing the type 80 SMF records would require more -- last week we generated 343 type 32 records and 4,982 type 80 records so almost 15 times the type 80 records compared to type 32.
Ya, I agree there are a lot of type 80 records for several events.
I just extracted only SMF type 80, Event 1 for a day and there were 86K records, which is kind of a lot.
Regards,
Vasanth.S
rahul shanmuganatan
New User
Joined: 03 Jun 2016 Posts: 2 Location: kuwait
Thanks All,
We used SMF record types 80 to 83 to find the last login, and used ICETOOL to sort them properly.
Also, we have a DB2 table which contains all the CICS programs and sessions used by the user.
We were able to write some SQL and fetch the data from the DB2 table.
Thanks all ... It was really helpful!
Regards,
Rahul