Configuring Endpoint Local Filters

Endpoint Local Filters (ELFs) allow you to set up filters on Endpoints themselves to eliminate unwanted or unnecessary data retrieval. This is beneficial, for example, if you would like a log file assessment request to include specific log file entry types from a specific location (e.g. *Lib, *PGM, or a specific object name), and disregard all other events. It can also be used to omit specific types of events, for example, events from a specific profile. This can greatly decrease the duration of the data retrieval process for that Endpoint, and also greatly decrease the length of the report.

NOTE: To isolate specific types of information after the data has been collected, use Report Filters.

The actions of an ELF can give results such as:

  • Pass T/ZC entries only if they are for *PGM objects.
  • Pass T/ZC entries only if they are for *PGM objects OR if they are for objects from library PAYROLL.
  • Pass T/ZC entries only if they are for *PGM objects AND if they are for objects from library PAYROLL.
  • Pass T/JS entries if they mark the start of an interactive job or the end of an interactive job.
  • Pass T/CA entries if they grant *OBJEXIST authority to any profile other than QSECOFR or PAYUSER to *FILE objects in library PAYROLL.

To create an Endpoint Local Filter that includes a single event type

  1. Run the following command:

    2. CALL PTCMT3/SETLCLFTR

    This program is used to create and maintain filters.

    For this example, we will be creating an Endpoint Local Filter for Object Changes that includes only journal entries that have Object Type of *PGM.

  2. Set FTRCODE to T.
  3. For FTRTYPE, specify the entry type. For example, the FTRTYPE for Object Changes in ZC.

    4. The entry type is listed in the Report Description as you select the report.

  4. For FTRFTRID, enter the ID number. For example, if this is the first ELF you are adding, enter 1. If it is the second, enter 2. Up to 99 filters can be defined.
  5. For FTRFTRSEQ, enter the sequence number (part) of this ELF. Each 'part' of a given filter is identified by a Filter Sequence Number, and all 'parts' will be combined with all other 'parts' for the same filter. If this is the first, enter 1.
  6. Leave FTRTESTTYPE blank.
  7. For FTRSLTOMT, select whether you want to OMIT (0) the entry type you are specifying in this filter, or include (1) it. For this example, we will enter 1 to include.
  8. For FTROFFSET, specify the offset for the entry type you are including or omitting. To find the offset, refer to the IBM i documentation. For example, if you are running IBM i 7.1, Refer to the following page:

    9. http://www-01.ibm.com/support/knowledgecenter/ssw_ibm_i_71/rzarl/rzarllayout.htm

    For this example, we need the offset for the ZC type, so we will scroll down to ZC (Change to Object).

    The information required for setting up ELFs can be found in the "Layout of Audit Journal Entries" section of the IBM i documentation for your version.

    Open the "ZC (Change to Object) journal entries" page and look under the Description column for the desired entry, in this case, 'Type of object.'

    Use the Offset under the 'J5' column for the most recent format, in this case 631.

  9. For FTRLEN, enter the number of bytes to be tested, listed under the 'Format' column in the offset number row, in this case, 8.

  10. For FTRTSTVAL, enter the Object Type you want to include in the report, in this case *PGM. The screen should look like this:

  11. Press ENTER, then F3 to view the filter.

  12. Return to Powertech Compliance Monitor for IBM i and request a '(T:ZC) Object Changes' assessment for the Endpoint with the ELF. Only events with the Object Type *PGM will be reported.
WARNING: With ELF applied and configured, an unknowing Powertech Compliance Monitor for IBM i administrator may not get the results or data they expect. They need to be aware the filter will override any assessment requests for the event type if the event type is specified in ELF.