Implementing CA Compliance Manager for CA Chorus for Security and Compliance Management › Implement the Data Mart › Define Data Mart Security Event Selection › Input Control Statement Descriptions

Input Control Statement Descriptions

LOGSTREAM(logstream)

Specifies the name of the system logstream which contains the security event records that the Logger component extracted. Do not abbreviate this required keyword. Specify only one LOGSTREAM keyword in the SYSIN control statements.

Limits: 1 to 26 characters, uppercase

SDATE(mm/dd/yyyy|TODAY|TODAY-nnnn)

Specifies a 10-character string used for two purposes:

• The starting date from which all events are searched in the logstream.
• The starting date to determine whether an event record is selected for unload. Specify the date in the format mm/dd/yyy, , where mm is the month, dd is the day, and yyyy is the year. Specify only one SDATE keyword in the SYSIN control statements. Do not abbreviate this required keyword. Do not specify both mm/dd/yyyy and TODAY or TODAY-nnnn in the SDATE keyword. (Required)

mm/dd/yyyy

Specifies a 10-character date string in the format mm/dd/yyyy. mm is the month, dd is the day, and yyyy is the year.

TODAY

Represents the current date according to the system clock, and is internally translated to a date in the format mm/dd/yyyy. Use this format if you want to run the Data Mart batch jobs automatically at periodic intervals without requiring modification to this parameter. Do not abbreviate this value.

nnnn

Specifies a one- to four-digit number from 1 to 9999, which represents a negative offset. A negative offset is a number of days in the past from TODAY (the current date). The number is internally combined and interpreted with the TODAY value and translated to a date in the format: mm/dd/yyyy. Use this format if you want to automatically run the Data Mart batch jobs at periodic intervals in the past. This does not require modification to this parameter.

Note: If you also specify the POLICYSET keyword, no selection occurs based on this field. This field is still used with the STIME to determine when to start reading event records from the logstream. The starting date (SDATE) and starting time (STIME) are interpreted internally together as one time stamp value when reading events from the logstream and selecting events based on start date and time. These values are read in local time zone format.

STIME(hh|hh:mm|hh:mm:ss|hh:mm:ss:th|00:00:00:01)

(Optional) Specifies a string that is used for two purposes:

• The starting time from which all events are searched in the logstream.
• The starting time to determine whether an event record is selected for unload.

If you specify a string of only hh or hh:mm or hh:mm:ss, by default, the minutes, seconds, tenths, and hundredths of seconds appear as zeros. Specify only one STIME keyword in the SYSIN control statements. Do not abbreviate this optional keyword.

Limits: 2, 5, 8, or 11 characters in the format hh:mm:ss:th, where hh is hours, mm is minutes, ss is seconds, and th is tenths and hundredths of a second.

Default: 00:00:00:01

Note: If you also specify the POLICYSET keyword, no selection occurs based on this field. This field is still used to determine when to start reading event records from the logstream.

The starting date (SDATE) and starting time (STIME) are interpreted internally together as one time stamp value when reading and selecting events from the logstream. This value is interpreted in local time zone format. For the purposes of internally determining when to start reading event records from the logstream, a time interval of 5 minutes is automatically subtracted from the SDATE/STIME time stamp to help ensure that all requested event records are found in the logstream.

Examples

This example represents the time - 12 hours, 1 minute, 1 second, 100th of a second:

STIME(12:01:01:01)

This example represents the time - 12 hours, 1 minute, 1 second, 0 hundredths of a second:

STIME(12:01:01) 

This example represents the time - 12 hours, 1 minute, 0 seconds, 0 hundredths of a second:

STIME(12:01)

This example represents the time - 12 hours, 0 minutes, 0 seconds, 0 hundredths of a second:

STIME(12)

EDATE(mm/dd/yyyy|TODAY|TODAY-nnnn)

Specifies a 10-character string used for two purposes:

• The ending date from which all events are searched in the logstream.
• The ending date to determine whether an event record is selected for unload.

Specify the date in the format mm/dd/yyyy, where mm is the month, dd is the day, and yyyy is the year. Specify only one EDATE keyword in the SYSIN control statements. Do not abbreviate this required keyword. Do not specify both mm/dd/yyyy and TODAY or TODAY-nnnn in the SDATE keyword. (Required)

mm/dd/yyyy

Specifies a 10-character date string in the format mm/dd/yyyy, where mm is the month, dd is the day, and yyyy is the year

TODAY

Represents the current date according to the system clock, and is internally translated to a date in the format mm/dd/yyyy. Use this format if you want to automatically run the Data Mart batch jobs at periodic intervals without requiring modification to this parameter. Do not abbreviate this value.

nnnn

Specifies a one- to four-digit number from 1 to 9999, which represents a negative offset—a number of days in the past from TODAY (the current date). The number is internally combined and interpreted with the TODAY value and translated to a date in the format: mm/dd/yyyy. Use this format if you want to automatically run the Data Mart batch jobs at periodic intervals in the past without requiring modification to this parameter.

Note: If you also specify the POLICYSET keyword, no selection occurs based on this field. This field is still used to determine when to stop reading event records from the logstream.

The ending date (EDATE) and ending time (ETIME) are interpreted internally together as one time stamp value for the purposes of reading and selecting events from the logstream. This value is interpreted in local time zone format. For the purposes of internally determining when to stop reading event records from the logstream, a time interval of 5 minutes is automatically added to the EDATE/ETIME time stamp to verify that all event records are found in the logstream.

ETIME(hh|hh:mm|hh:mm:ss|hh:mm:ss:th|23:59:59:99)

(Optional) Specifies a string that is used for two purposes:

• The ending time from which all events are searched in the logstream.
• The ending time to determine whether an event record is selected for unload.

If you specify a string of only hh or hh:mm or hh:mm:ss, by default, the minutes, seconds, tenths, and hundredths of seconds each appear as zeros. Specify only one ETIME keyword in the SYSIN control statements. Do not abbreviate this optional keyword.

Limits: 2, 5, 8 or 11 characters in the format hh:mm:ss:th, where hh is hours, mm is minutes, ss is seconds, and th is tenths and hundredths of a second

Default: 23:59:59:99

Note: If you also specify the POLICYSET keyword, no selection occurs based on this field, although it is still used to determine when to stop reading event records from the logstream.

The ending date (EDATE) and ending time (ETIME) are interpreted internally together as one time stamp value in local time zone format for the purposes of reading events from the logstream and selecting events based on date and time. For the purposes of internally determining when to stop reading event records from the logstream, a time interval of 5 minutes is automatically added to the EDATE/ETIME time stamp to help ensure that all requested event records are found in the logstream.

Examples

The following example represents the time - 23 hours, 59 minutes, 59 seconds, 99 hundredths of a second:

ETIME(23:59:59:99)

The following example represents the time - 23 hours, 59 minutes, 59 seconds, 0 hundredths of a second:

ETIME(23:59:59)

The following example represents the time - 23 hours, 59 minutes, 0 seconds, 0 hundredths of a second:

ETIME(23:59)

The following example represents the time - 23 hours, 0 minutes, 0 seconds, 0 hundredths of a second:

ETIME(23)

EVENT(event)

(Optional) Specifies that logstream event records are selected for unload based on the 1- to 32-character name of a valid CA Compliance Manager security event. Do not abbreviate this optional keyword. You can specify more than one EVENT keyword in the SYSIN control statements. If you do not specify EVENT, no selection occurs based on this field.

Note: EVENT and POLICYSET are mutually exclusive.

Options:

• EVENT(START)
• EVENT(STOP)
• EVENT(STOPVIO)
• EVENT(MODIFY)
• EVENT(MODIFYVIO)
• EVENT(SIGNON)
• EVENT(SIGNONVIO)
• EVENT(SIGNOFF)
• EVENT(OBJECTACCESS)
• EVENT(OBJECTAUDIT)
• EVENT(OBJECTVIO)
• EVENT(ACCOUNTADMIN)
• EVENT(ACCOUNTADMINVIO)
• EVENT(POLICYADMIN)
• EVENT(POLICYADMINVIO)
• EVENT(OTHERADMIN)
• EVENT(OTHERADMINVIO)
• EVENT(INITUSP)
• EVENT(DELETEUSP)
• EVENT(R_SETUID)
• EVENT(R_SETEUID)
• EVENT(R_SETGID)
• EVENT(R_SETEGID)
• EVENT(INITACEE)
• EVENT(CK_ACCESS)
• EVENT(R_CHOWN)
• EVENT(R_CHMOD)
• EVENT(R_CHAUDIT)
• EVENT(R_AUDIT)
• EVENT(R_SETFACL)

NEWSYSID(sysid)

(Optional) Specifies an overriding system ID value that is inserted as the system ID value in each event record that gets loaded into the DB2 Data Mart repository. You cannot mask the NEWSYSID value. Specify only one NEWSYSID keyword in the SYSIN control statements. Do not abbreviate this optional keyword.

Limits: 1 to 8 character

Default: the system ID of the event record

POLICYSET(policyset)

(Optional) Specifies the name of the event policy set that the Data Mart uses to select events for unload. Do not abbreviate this optional keyword. Specify only one POLICYSET keyword in the SYSIN control statements.

Limits: 1 to 16 character, case-sensitive

Note: POLICYSET is mutually exclusive with the following input control statement keywords: EVENT, USERID, SYSID, and SYSPLEX.

SYSID(sysid)

(Optional) Specifies that logstream records be selected for unload based on a system ID. You cannot mask the SYSID value. Do not specify more than one SYSID keyword in the SYSIN control statements. Do not abbreviate this optional keyword.

Limits: 1 to 4 characters

Default: No selection occurs based on this field.

Note: SYSID and SYSPLEX are mutually exclusive. SYSID and POLICYSET are also mutually exclusive.

SYSPLEX(sysplex)

(Optional) Specifies that logstream records be selected for unload based on the name of a sysplex name. You cannot mask the SYSPLEX value. Specify only one SYSPLEX keyword in the SYSIN control statements. Do not abbreviate this optional keyword.

Limits: 1 to 8 characters

Default: No selection occurs based on this field.

Note: SYSID and SYSPLEX are mutually exclusive. SYSPLEX and POLICYSET are also mutually exclusive.

USERID(userid)

(Optional) Specifies that logstream event records be selected for unload based on a user ID field in a logstream event record. Do not abbreviate this optional keyword. You can specify more than one USERID keyword in the SYSIN control statements.

Limits: 1 to 8 characters

Default: No selection occurs based on this field.

Note: USERID and POLICYSET are mutually exclusive.