Implementing CIA Real-Time for CA Chorus for Security and Compliance Management › Begin the CIA Real-Time Recording › Define the CIA Real-Time Logstream

Define the CIA Real-Time Logstream

The CIA real-time feature uses a dedicated z/OS system logger logstream to record update requests made to any security product information that is replicated in the CIA repository. The CIA real-time component reads this logstream and communicates the update requests to the CIA repository.

Note: A separate and unique logstream is required for each z/OS image.

The CIALOGST job defines the logstream as DASDONLY(YES), AUTODELETE(NO), and RETPD(0). This is intended to keep the offloaded data maintained by z/OS system logger to a minimum. The z/OS system logger is prevented from deleting any event records that it has offloaded that the CIA real-time component has not marked as deleted. These values can be changed per your installations requirements.

The size required for the logstream depends on a number of factors. Under normal processing, the life of any given record in the logstream is measured in seconds or less. The record is marked deleted as soon as the CIA database update has been completed. A minimal number of active records is present in the logstream, and any offloaded data is marked deleted by the CIA real-time process. However, two situations exist where this does not occur.

• During the initial implementation, the time that elapses between when the security product begins recording update requests into the logstream and when the CIA real-time component is started. For that duration, update requests are carried in the logstream without being processed and deleted.
• When any of the components in the CIA real-time process communication path are unavailable, the update requests remain in the logstream until the process path is restored. The components in the communication path are:
  • CIA real-time component
  • TCP/IP
  • CA DSI Server
  • CIA subsystem with the CIA repository

We recommend that you evaluate your network and system stability and the effort involved to reload the CIA repository information. If the time involved in the situations described is greater than the size of the logstream allows, the logstream fills up and update requests are lost. In this case, the security information in the CIA repository for this system must be deleted and repopulated. If this occurrence is likely and the effort involved is great, increase the size of the logstream accordingly.

Each block on the logstream contains a single event record and is 4096 bytes long. The number of records which the logstream can hold has an initial value of 1000 (‘(STG_SIZE(1000)’). Increasing this number increases DASD space requirements and reduces the number of offloads performed by the z/OS system logger. Decreasing the number has the opposite effect. Because each system is different, it is important to monitor the number and frequency of offloads and balance it with the performance impact an offload can cause.

The definition of the parameters discussed and the various options and considerations for allocating and managing z/OS system logger logstreams can be found in the IBM Redbook System Programmer’s Guide to: z/OS System Logger (SG24-6898-01).

Follow these steps:

1. Edit the CIALOGST job in one of the following libraries to define the CIA real-time feature logstream:
   • CA ACF2 - CAI.CAX1JCL0
   • CA Top Secret - CAI.CAK0JCL0

   Modify the job to conform to your installation standards. Follow the instructions in the Notes and the Customization sections of the job to customize the job for your environment.

2. Submit the CIALOGST job.

   The job runs and completes.

3. Verify the output of the CIALOGST job.

   The CIA logstream is successfully defined.