Use Case - Alerts
E-mail alerts for critical z/OS events
Situation:
There are some security events that really spell danger – and in this case the security
officer will want to be informed immediately. For example, our security officer would like to get
an e-mail as soon as someone tries to log on to the system with an administrator ID, but is refused
access because of a wrong password.
Complications:
Provided that it's configured correctly, RACF will log this event as an SMF record. However,
finding and evaluating this record takes time. First of all, a very large log has to be downloaded,
then it has to be analyzed. With the routines supplied by the operating system, it's impossible to
get the data you need immediately, so it's just as impossible to react immediately; the security
officer can't be notified as soon as something happens.
Solution:
Real-time monitoring is the answer. A special program is needed, one that works with
predefined rules that are compared with every log record as soon as it's written. Then, when a log
record meets certain criteria, this program prepares the information in the record and immediately
escalates it to the recipient defined in the rules.
Beta 89 zSecurity Monitor can do all of this: An exit routine checks every record and
delivers all the filtered events to a central server. Here, the events are converted to a standard,
easily understandable format and sent to the specified recipient immediately, for example by e-mail
or as a text message to a mobile cell phone. You can also use dedicated consoles to know what has
happened as soon as it happens.
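The rule-based matching described above, as an added illustration rather than code from the page or from Beta 89: every incoming record is compared with predefined rules, and a match produces a formatted alert for the rule's recipient. The record layout, the administrator IDs and the recipient address are constructed assumptions, not the real SMF/RACF record format.

```python
from dataclasses import dataclass
from typing import Callable

# Constructed, simplified view of the fields an SMF exit might hand to a rule
# engine for a RACF logon event. Field names are assumptions, not IBM's layout.
@dataclass(frozen=True)
class LogonEvent:
    user: str       # RACF user ID
    result: str     # "SUCCESS", "INVALID_PASSWORD", "REVOKED", ...
    terminal: str   # originating terminal or job name

@dataclass(frozen=True)
class Rule:
    name: str
    matches: Callable[[LogonEvent], bool]
    recipient: str  # where a matching record is escalated

ADMIN_IDS = {"IBMUSER", "SECADM"}  # assumed administrator IDs for this example

# Predefined rules, compared with every record as soon as it arrives.
RULES = [
    Rule("admin-bad-password",
         lambda ev: ev.user in ADMIN_IDS and ev.result == "INVALID_PASSWORD",
         "security-officer@example.invalid"),
    Rule("admin-revoked-attempt",
         lambda ev: ev.user in ADMIN_IDS and ev.result == "REVOKED",
         "security-officer@example.invalid"),
]

def format_alert(rule: Rule, ev: LogonEvent) -> str:
    """Prepare the record in a standard, readable form for the recipient."""
    return f"[{rule.name}] logon refused for {ev.user} ({ev.result}) from {ev.terminal}"

def process(records: list[LogonEvent], rules: list[Rule] = RULES) -> list[tuple[str, str]]:
    """Check each record against every rule; return (recipient, message) pairs to send."""
    alerts = []
    for ev in records:
        for rule in rules:
            if rule.matches(ev):
                alerts.append((rule.recipient, format_alert(rule, ev)))
    return alerts

# Constructed sample record stream.
SAMPLE = [
    LogonEvent("IBMUSER", "INVALID_PASSWORD", "TCP00001"),
    LogonEvent("JSMITH", "INVALID_PASSWORD", "TCP00002"),   # not an admin: no alert
    LogonEvent("SECADM", "SUCCESS", "TCP00003"),            # admin, but logon succeeded
    LogonEvent("SECADM", "REVOKED", "TCP00004"),
]

if __name__ == "__main__":
    for recipient, message in process(SAMPLE):
        print(f"send to {recipient}: {message}")
```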