Domain: SECURITY-ADMINISTRATION
Privileges: SECURITY-ADMINISTRATION
The /MODIFY-SAT-ALARM-CONDITIONS command can be used to modify an existing alarm definition (/ADD-SAT-ALARM-CONDITIONS).
MODIFY-SAT-ALARM-CONDITIONS
NAME = <name 1..8>
Name of the alarm.
SELECT = *PARAMETERS(...)
This specifies which of the existing conditions are to be modified.
EVENT-NAME = *UNCHANGED / *ALL / list-poss(50): <name 3..3>(...)
Type and result of the event(s) to be monitored.
EVENT-NAME = *ALL
All events which can be recorded by SAT are to be monitored for the alarm function.
EVENT-NAME = list-poss(50): <name 3..3>(...)
Explicit name of an event. The name of the event must be taken from “Table of object-related events”. If you specify POSIX events, please pay special attention to Note 6.
SELECT-SWITCH =
This specifies whether the event is to be added or removed.
SELECT-SWITCH = *ON(...)
The event and result are to be added to the alarm definition.
RESULT = *ALL / *SUCCESS / *FAILURE
This specifies the result the event is to have.
SELECT-SWITCH = *OFF
The event is to be removed from the alarm definition.
USER-IDENTIFICATION = *UNCHANGED / *ALL / list-poss(50): <name 1..8>(...)
User IDs which are to be monitored.
USER-IDENTIFICATION = *ALL
All user IDs are to be monitored.
USER-IDENTIFICATION = list-poss(50): <name 1..8>(...)
The specified user IDs are to be monitored. The user ID does not need to exist at the time when the alarm condition is defined.
SELECT-SWITCH =
User ID to be added to or deleted from the alarm definition.
SELECT-SWITCH = *ON
The user ID is to be added to the alarm definition.
SELECT-SWITCH = *OFF
The user ID is to be deleted from the alarm definition.
FIELD-NAME = *UNCHANGED / *ALL / list-poss(50): <name 3..7>(...)
This specifies which field of an event is to be monitored.
FIELD-NAME = *ALL
All fields of an event are to be monitored.
FIELD-NAME = list-poss(50): <name 3..7>(...)
Only the field(s) specified here are to be monitored. A list of the possible field names can be found in “Tables of auditable information on object-related events (1)”.
SELECT-SWITCH =
The information to be monitored is to be added to or deleted from the alarm definition if it corresponds to a value specified using the VALUE operand. The table of field names together with the output information can be found in “Tables of auditable information on object-related events (1)”. <text> depends on the logged data field.
SELECT-SWITCH = *ON(...)
The information to be monitored is to be added to the alarm definition.
VALUE = *ALL
All information is to be monitored.
VALUE = *MATCH(...)
Specifies a pattern for the information. The condition is valid when the comparison value fits into this pattern. Pattern specification is permitted only for field names whose values represent a character string (<c-string>, <filename>, <name>).
PATTERN = <text>
Pattern specification in the format c-string 1..255 where, analogously to the SDF data type <c-string with-wild (n)>, parts of the character string can be replaced by wildcards.
The available wildcard characters are as follows:
* | Stands for any desired character string, including a blank string |
/ | Stands for precisely one character |
\ | Nullifies the effect of “wildcards” (* / < > : ,) actually forming part of the character string (e.g. ab\*c denotes the actual character string “ab*c”) |
<sx:sy> | Replaces a character string where the following applies:
|
<s1,...> | Replaces all character strings to which one of the character combinations specified by s applies. s may also be a blank character string. Any character string s may also be a range specification <sx:sy> |
VALUE = *NOT-MATCH(...)
Specifies a pattern for the information. The condition is valid when the comparison value does not fit into this pattern. Pattern specification is permitted only for field names whose values represent a character string (<c-string>, <filename>, <name>).
PATTERN = <text>
Pattern specification as under VALUE=*MATCH.
VALUE = list-poss(10): <text>
The explicitly specified information for the event is to be added to the alarm definition. <text> depends on the field being logged. A list of the field names and the information output in these fields can be found in “Tables of auditable information on object-related events (1)”.
VALUE = list-poss(10): <integer 0..2147483647>(...)
The information specified explicitly for the field in the form of a numerical value is monitored. This entry is only allowed for field names whose value is of type <integer>.
UNIT = *BYTES / *KB / *MB / *GB
Specifies the units to be used in interpreting the value specified with the VALUE operand. This entry is only allowed for field names filpos, curlim2 and maxlim2.
The following thereby applies:
If UNIT=*BYTES is implicitly or explicitly defined, the value must be a multiple of 512.
The maximum value of 2^40-512 (= 1 099 511 627 264) bytes may also not be exceeded if UNIT=*KB / *MB / *GB is specified.
This results in the following maximum values, depending on the UNIT entry:
UNIT= | Maximum value for VALUE | Corresponds in bytes to |
*BYTES | 2^31-1 = 2 147 483 647 | 2^31-1 = 2 147 483 647 |
*KB | 2^30-1 = 1 073 741 823 | 2^40-2^10 = 1 099 511 626 752 |
*MB | 2^20-1 = 1 048 575 | 2^40-2^20 = 1 099 510 579 200 |
*GB | 2^10-1 = 1 023 | 2^40-2^30 = 1 098 437 885 952 |
SELECT-SWITCH = *OFF
The information to be monitored is to be deleted from the alarm definition.
VALUE = *ALL
All information is to be deleted.
VALUE = *MATCH(...)
Specifies a pattern for the information. The condition is valid when the comparison value fits into this pattern. Pattern specification is permitted only for field names whose values represent a character string (<c-string>, <filename>, <name>).
PATTERN = <text>
Pattern specification in the format c-string 1..255 where, analogously to the SDF data type <c-string with-wild (n)>, parts of the character string can be replaced by wildcards.
The available wildcard characters are as follows:
* | Stands for any desired character string, including a blank string |
/ | Stands for precisely one character |
\ | Nullifies the effect of “wildcards” (* / < > : ,) actually forming part of the character string (e.g. ab\*c denotes the actual character string “ab*c”) |
<sx:sy> | Replaces a character string where the following applies:
|
<s1,...> | Replaces all character strings to which one of the character combinations specified by s applies. s may also be a blank character string. Any character string s may also be a range specification <sx:sy> |
VALUE = *NOT-MATCH(...)
Specifies a pattern for the information. The condition is valid when the comparison value does not fit into this pattern. Pattern specification is permitted only for field names whose values represent a character string (<c-string>, <filename>, <name>).
PATTERN = <text>
Pattern specification as under VALUE=*MATCH.
VALUE = list-poss(10): <text>
The explicitly specified information for the event is to be deleted from the alarm definition. <text> depends on the field being logged. A list of the field names and the information output in these fields can be found in “Tables of auditable information on object-related events (1)”.
VALUE = list-poss(10): <integer 0..2147483647>(...)
The information specified explicitly for the field in the form of a numerical value is removed from the alarm definition. This entry is only allowed for field names whose value is of type <integer>.
UNIT = *BYTES / *KB / *MB / *GB
Specifies the units to be used in interpreting the value specified with the VALUE operand. This entry is only allowed for field names filpos, curlim2 and maxlim2.
The following thereby applies:
If UNIT=*BYTES is implicitly or explicitly defined, the value must be a multiple of 512.
The maximum value of 2^40-512 (= 1 099 511 627 264) bytes may also not be exceeded if UNIT=*KB / *MB / *GB is specified.
This results in the following maximum values, depending on the UNIT entry:
UNIT= | Maximum value for VALUE | Corresponds in bytes to |
*BYTES | 2^31-1 = 2 147 483 647 | 2^31-1 = 2 147 483 647 |
*KB | 2^30-1 = 1 073 741 823 | 2^40-2^10 = 1 099 511 626 752 |
*MB | 2^20-1 = 1 048 575 | 2^40-2^20 = 1 099 510 579 200 |
*GB | 2^10-1 = 1 023 | 2^40-2^30 = 1 098 437 885 952 |
TIME-LIMIT = *UNCHANGED / *UNDEFINED / *WITHIN(...)
The period within which x (defined with REPEAT) occurrences of an event are to trigger an alarm.
TIME-LIMIT = *UNDEFINED
The entire period of SAT logging is to be evaluated. This means that x occurrences of an event cause an alarm to be triggered. If, for example, incorrect entry of passwords is to be monitored, specifying TIME-LIMIT=*UNDEFINED will eventually cause the alarm to be triggered even if a user enters the password incorrectly (perhaps due to a typing error) only once per week. Alarms of this kind are clearly less effective; for this reason, long-time monitoring is better executed by evaluation of the SATLOG files.
TIME-LIMIT = *WITHIN(...)
The period within which the specified number of events must occur in order to trigger an alarm. Values must be specified for all three operands.
DAYS = <integer 0..365>
Specification of the period, in days.
HOURS = <integer 0..23>
Specification of the period, in hours.
MINUTES = <integer 0..59>
Specification of the period, in minutes.
REPEAT = *UNCHANGED / <integer 1..255>
The number of times the event must occur within the specified period in order to trigger an alarm.
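The difference between TIME-LIMIT=*UNDEFINED and TIME-LIMIT=*WITHIN(...) for the mistyped-password case described above, as an added Python sketch (not SAT code and not part of this manual). It assumes a sliding window that ends at the current event and a counter that restarts after each alarm, neither of which the page specifies; the function names and timestamps are constructed for illustration.

```python
from collections import deque
from datetime import datetime, timedelta


def time_limit(days, hours, minutes):
    """Build the window for TIME-LIMIT=*WITHIN(DAYS=,HOURS=,MINUTES=)."""
    if not (0 <= days <= 365 and 0 <= hours <= 23 and 0 <= minutes <= 59):
        raise ValueError("value outside the operand range")
    return timedelta(days=days, hours=hours, minutes=minutes)


def alarm_times(events, repeat, within=None):
    """Return the timestamps at which an alarm would be triggered.

    events: sorted datetimes of events that satisfy the alarm condition
    repeat: REPEAT operand (1..255)
    within: window from time_limit(), or None for TIME-LIMIT=*UNDEFINED
    """
    if not 1 <= repeat <= 255:
        raise ValueError("REPEAT must be 1..255")
    window, fired = deque(), []
    for ts in events:
        window.append(ts)
        if within is not None:
            # Assumption: drop events older than the window ending at ts.
            while ts - window[0] > within:
                window.popleft()
        if len(window) >= repeat:
            fired.append(ts)
            window.clear()  # assumption: counting restarts after an alarm
    return fired


# Constructed sample data: one typing error per week, then a rapid burst.
WEEKLY_TYPOS = [datetime(2024, 1, 1, 9, 0) + timedelta(weeks=i) for i in range(3)]
BURST = [datetime(2024, 2, 1, 3, 0) + timedelta(seconds=20 * i) for i in range(3)]

if __name__ == "__main__":
    ten_min = time_limit(0, 0, 10)
    print("*UNDEFINED:", alarm_times(WEEKLY_TYPOS, 3))
    print("*WITHIN   :", alarm_times(WEEKLY_TYPOS + BURST, 3, ten_min))
```
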
TRIGGER-ACTION = *UNCHANGED / *OPERATOR-MESSAGE(...)
The action to be executed when the alarm is triggered, and the expected response to this action. In this version, the only possible action is the output of a message (SAT2200) on the operator console.
TRIGGER-ACTION = *OPERATOR-MESSAGE(...)
Specifies the expected response to the output of the message.
WAIT-RESPONSE = *YES / *NO
Specifies whether or not the message must be acknowledged.
Command return codes
(SC2) | SC1 | Maincode | Meaning |
 | 0 | CMD0001 | Command successfully executed |
 | 32 | SAT0000 | Unrecoverable error |
 | 64 | SAT1000 | User not privileged for command |
 | 64 | SAT1020 | Event already exists in event list |
 | 64 | SAT1022 | Field already exists in field list |
 | 64 | SAT1023 | Field contains duplicate values |
 | 64 | SAT1026 | Specified time limit invalid |
 | 64 | SAT1028 | Alarm unknown |
 | 64 | SAT1029 | Event unknown |
 | 64 | SAT1030 | User already exists in user list |
 | 64 | SAT1035 | Value is not a multiple of 512 or too big |
 | 64 | SAT1050 | Command permitted only if logging function is activated |
 | 128 | SAT1010 | Another command is currently being processed |
 | 128 | SAT1080 | Exchange being prepared |
Notes
When using patterns for values of a field no check is made as to whether any overlaps occur.
Identically specified patterns for a value of a field are replaced.
Examples
Let us assume that an alarm condition is defined as follows:
/add-sat-alarm-conditions name=alarm1, ... -
/ field-name=filname(value=*match('*abc*')), ...
The command
/modify-sat-alarm-conditions name=alarm1, ... -
/ field-name=filname( -
/ select-switch=*on(value=*not-match('*abc*'))), ...
overwrites the comparison pattern. The effect is as if the condition had been defined in the following manner:
/add-sat-alarm-conditions name=alarm1, ... -
/ field-name=filname(value=*not-match('*abc*')), ...
Either specifying SELECT-SWITCH=*OFF(VALUE=*MATCH('*ABC*')) or specifying SELECT-SWITCH=*OFF(VALUE=*NOT-MATCH('*ABC*')) removes *MATCH('*ABC*') from the list of values.
The specification of a fixed value has no influence on a pattern specification.
For example, a /MODIFY-SAT-ALARM-CONDITIONS command with the specification VALUE='XABCY' has no effect on an alarm condition which was defined using VALUE=*MATCH('*ABC*'). The value 'XABCY' is already covered by the pattern specification '*ABC*' and the condition VALUE='XABCY' is therefore automatically fulfilled if VALUE=*MATCH('*ABC*') is fulfilled.
However, the specification VALUE='XABCY' does have an effect on an alarm condition defined with VALUE=*NOT-MATCH('*ABC*'). In this case, the condition applies to all the values which do not match the pattern '*ABC*' as well as to the value 'XABCY'.
SELECT-SWITCH=*OFF removes the specified objects from a list defined with SELECT-SWITCH=*ON or a corresponding /ADD-SAT-ALARM-CONDITIONS command. If *ALL is in effect, the object is included in a negative list.
The specifications for the SELECT-SWITCH operand (in all cases) are only taken into consideration if they result in the creation of conditions. If, for example, USER-ID=*ALL was defined with the /ADD-SAT-ALARM-CONDITIONS command for an alarm, then specifying USER-ID=HUGO(SELECT-SWITCH=*ON) in the /MODIFY-SAT-ALARM-CONDITIONS command has no effect. Specifying USER-ID=HUGO(SELECT-SWITCH=*OFF) causes these fields to be entered in a negative list.
If a pattern is in effect for a field value, it is not possible to extract any subset from the pattern by means of SELECT-SWITCH=*OFF(VALUE=value). If, for example, an alarm condition was defined with SELECT-SWITCH=*ON(VALUE=*MATCH('*ABC*')) or a corresponding /ADD-SAT-ALARM-CONDITIONS command, a /MODIFY-SAT-ALARM-CONDITIONS command specifying SELECT-SWITCH=*OFF(VALUE='SYSABC') has no effect.
Example
Let us assume that an alarm condition is defined as follows:
/add-sat-alarm-conditions name=alarm1, -
/ field-name=filname(value=*match('*abc*')), ...
The following command has no effect:
/modify-sat-alarm-conditions name=alarm1, ... -
/ field-name=filname( -
/ select-switch=*off(value=:cati:$tsos.sysabc))
If an alarm definition contains a product event for which the activation of SAT support can be controlled with /MODIFY-SAT-SUPPORT-PARAMETERS (in the current version, this is restricted to POSIX) then, if the event occurs, this alarm can only be issued if SAT support is activated for the product in question.
When evaluating an alarm condition with a UNIT entry, only the value resulting from multiplying the VALUE and UNIT entries together is relevant, but not how this value is reached.
Examples
The following values are considered to be equivalent since they all represent the same value of 3145728 bytes:
VALUE=3145728(UNIT=*BYTES)
VALUE=3072(UNIT=*KB)
VALUE=3(UNIT=*MB)
A MODIFY-SAT-ALARM-CONDITIONS command with the following entry
FIELD-NAME=*FILPOS(SELECT-SWITCH=*ON(
VALUE=(3072(UNIT=*KB),3(UNIT=*MB))))
is therefore rejected with the following message:
SAT1023 FIELD 'FILPOS' CONTAINS DUPLICATE VALUES. COMMAND REJECTED
An alarm condition that was set with the entry
VALUE=3145728(UNIT=*BYTES)
in an ADD-SAT-ALARM-CONDITIONS command can be removed from the alarm table with the entry
VALUE=3(UNIT=*MB)
in a MODIFY-SAT-ALARM-CONDITIONS command.
An alarm condition with the entry
FIELD-NAME=*FILPOS(SELECT-SWITCH=*ON(VALUE=3072(UNIT=*KB)))
is valid if the record to be logged contains FILPOS=6144. Reason: the entry in the record represents a multiple of 512 bytes (see “filpos” in Table of auditable information (field names)) and 6144*512 bytes = 3145728 bytes = 3072 KB.
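The UNIT rules and the three examples above, as an added Python sketch for checking VALUE lists before a command is submitted (not SAT code and not part of this manual). The class and function names are hypothetical; only the limits, the factor of 512 for filpos and the message numbers SAT1023 and SAT1035 come from the page.

```python
# Added illustration: models only the UNIT rules stated on this page.
UNIT_FACTOR = {"*BYTES": 1, "*KB": 2**10, "*MB": 2**20, "*GB": 2**30}
MAX_VALUE = 2**31 - 1      # operand range <integer 0..2147483647>
MAX_BYTES = 2**40 - 512    # upper bound in bytes for every UNIT
BLOCK = 512                # filpos is logged in units of 512 bytes


class Sat1035(ValueError):
    """Hypothetical name for: value is not a multiple of 512 or too big."""


class Sat1023(ValueError):
    """Hypothetical name for: field contains duplicate values."""


def to_bytes(value, unit="*BYTES"):
    """Normalize one VALUE(UNIT=...) entry to bytes and apply the limits."""
    if unit not in UNIT_FACTOR:
        raise ValueError(f"unknown UNIT {unit!r}")
    if not 0 <= value <= MAX_VALUE:
        raise Sat1035(f"{value} is outside 0..{MAX_VALUE}")
    size = value * UNIT_FACTOR[unit]
    if size % BLOCK or size > MAX_BYTES:
        raise Sat1035(f"{value}(UNIT={unit}) = {size} bytes")
    return size


def normalize_list(entries):
    """Normalize a VALUE list of (value, unit) pairs to a set of byte counts."""
    if len(entries) > 10:
        raise ValueError("list-poss(10) allows at most 10 values")
    seen = set()
    for value, unit in entries:
        size = to_bytes(value, unit)
        if size in seen:   # same product written with a different UNIT
            raise Sat1023(f"{value}(UNIT={unit}) repeats {size} bytes")
        seen.add(size)
    return seen


def condition_holds(record_filpos, condition_bytes):
    """Compare a logged FILPOS (count of 512-byte units) with the condition."""
    return record_filpos * BLOCK in condition_bytes
```
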
POSIX file names and Kerberos names are logged by SAT without any restriction. The following SAT fields are case-sensitive in the definition of SAT alarm conditions: AUDITID, HOMEDIR, LINKNAM, NEWPATH, PATHNAM, PRINCCL, PRINCSV, SHELL, SYMBDEV. With the exception of SYMBDEV, however, these fields can be specified with a maximum length of 255 bytes only. Events with longer field contents may be specified by using wildcards. In the specification of a single name (without wildcard) the same special characters are allowed as for POSIX file names or Kerberos names.
See also the general comments on SAT commands on "Functional overview".
Example
In the example for the /ADD-SAT-ALARM-CONDITIONS command, an alarm with the name badlogon was defined. This alarm is triggered each time there is a failed attempt to log on at terminal DSN30151 under the user ID SYSPRIV:
|
This alarm is now to be modified in such a way that any failed attempt to log on under the user ID SYSPRIV causes an alarm irrespective of the terminal at which it is performed. The alarm definition is modified as follows:
/modify-sat-alarm-conditions name=badlogon,select=*parameters( -
/ field-name=station(select-switch=*on(value=*all)))