General SMF record type statement
This statement format applies to SMF 7, 14, 15, 17, 18, 42, 60, 61, 62, 64, 65, 66, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 90, 92, 109, 115, 116, 119, BMC Defender, and DIAG statements.
(Version 5.9.02) This statement format also applies to SMF 00, 08, 09, 11, 43, 82, 113, and 119.
You can find specific IBM SMF record layouts in the IBM z/OS MVS System Management Facilities (SMF) manual. For non-IBM SMF record layouts, refer to the specific vendor documentation.
For information about filter-specification, see FILTER-and-MATCH-parameters.
For information about default subtype severity, see the statement descriptions.
Statement | Description |
---|---|
SMF 00—IPL | SMF type 00 records are written at SMF initialization, usually after IPL. The record contains the virtual and central storage settings and some SMF options at IPL time. |
SMF 07 statement | SMF type 07 records are written each time all SMF buffers become full, either as a result of no available output data sets for SMF to write to, or the system generating records faster than SMF can physically write them. Monitoring SMF 07 records helps to monitor system integrity. |
SMF 08—I/O Configuration | SMF type 08 records are written after the IPL is complete. The record contains all the online devices at IPL time. |
SMF 09—VARY Device ONLINE | SMF type 09 records are written when a VARY ONLINE command is processed. The record identifies the device being added to the system configuration. |
SMF 11—VARY Device OFFLINE | SMF type 11 records are written when a VARY OFFLINE command is processed. The record identifies the device being removed from the system configuration. |
SMF 14 statement | SMF type 14 records are written each time that a non-VSAM direct access, VIO or tape data set that is defined by a DD statement or dynamic allocation and opened for INPUT or RDBACK is closed or processed by end-of-volume (EOV). PCI DSS and other regulatory standards require that you monitor access to certain data sets. |
SMF 15 statement | SMF type 15 records are written each time that a non-VSAM direct access, VIO, or tape data set that is defined by a DD statement or dynamic allocation and opened for OUTPUT, UPDAT, INOUT, or OUTIN is closed or processed by end-of-volume (EOV). Monitoring SMF type 15 records can be an important part of file integrity monitoring, as it records the modification (or potential modification) of non-VSAM data sets. |
SMF 17 statement | SMF type 17 records are written when a DASD data set (temporary or not) is scratched. Monitoring type 17 records can play a part in file integrity monitoring. |
SMF 18 statement | SMF type 18 records are written each time that a non-VSAM data set defined by a DD statement (either explicitly or implicitly) is renamed. |
SMF 42 statement | SMF type 42 records are written each time that the DFSMS (the Data Facility Storage Management Subsystem of z/OS) macro STOW or DESERV is used to add, delete, rename, or replace a member of a PDS or PDSE, or that the STOW macro is used to initialize (delete all members of) a PDS or PDSE directory. Monitoring SMF type 42 records can be an important part of file integrity monitoring, as most z/OS system parameter files are PDS or PDSE members. Default subtype severity: |
SMF 43—JES2 and JES3 Start | SMF type 43 records are written when the S JESn command is issued. The record contains the warm start indicator and start options. |
SMF 60 statement | SMF type 60 records are written when a VSAM Volume Record (VVR) or a non-VSAM Volume Record (NVR) is inserted, updated, or deleted from a VSAM Volume Data Set (VVDS); |
SMF 61 statement | SMF type 61 records are written for any DEFINE requests to catalog management services. Monitoring type 61 records can play a part in file integrity monitoring. |
SMF 62 Statement | SMF type 62 records are written for every successful or unsuccessful opening of a VSAM component or cluster. The information in the SMF type 62 records complements the file integrity monitoring information in SMF type 64 records. |
SMF 64 statement | SMF type 64 records are written each time that a VSAM component or cluster (including catalogs) is closed, or VSAM attempts to switch to another volume for processing. Monitoring SMF type 64 records can be an important part of file integrity monitoring, as it records the modification (or potential modification) of VSAM components and clusters. |
SMF 65 statement | SMF type 65 records are written for all DELETE requests to Catalog Management Services. Monitoring type 65 records can play a part in file integrity monitoring. |
SMF 66 statement | SMF type 66 records are written for all ALTER requests to Catalog Management Services. Monitoring type 66 records can play a part in file integrity monitoring. |
SMF 70—RMF Processor Activity | Reports measurement data for general purpose, cryptographic, logical partitions and internal coupling facility processors and accelerators |
SMF 71—RMF Paging Activity | Reports paging demands and utilization of central, expanded and external storage |
SMF 72—RMF Workload, Storage and Serialization Activity | Reports workload service class statistics along with storage utilization and serialization delays |
SMF 73—RMF Channel Path Activity | Reports individual channel path activity |
SMF 74—RMF Activity of Resources | Reports individual hardware device activity. SMF limits record sizes to 32 K. A large number of devices in an environment can cause the record to exceed this size. Consequently, RMF writes multiple records for any given subtype. The multiple records can exceed the MAXMSGLEN (message) buffer size specification and result in CZA0301W messages. You can expand the message buffer size, and you can limit the number of fields passed to the SIEM by commenting unnecessary fields in the amihlq.CZAGENT.CNTL(CZPRMF) member. |
SMF 75—RMF Page Data Set Activity | Reports auxiliary storage page slot usage |
SMF 76—RMF Trace Activity | Reports field name trace minimum and maximum values |
SMF 77—RMF Enqueue Activity | Reports enqueue and dequeue contention information |
SMF 78—RMF Monitor I Activity | Reports virtual and common storage usage and I/O queuing activity |
SMF 79—RMF Monitor II Activity | Reports detailed address space monitoring information such as enqueue contention, storage and processor activity, paging activity, device and path activity, and I/O queuing activity |
SMF 82—ICSF Record | SMF type 82 records are written at the completion of an Integrated Cryptographic Service Facility (ICSF) function. The record contains specific information about the ICSF function performed and its status. |
SMF 90 statement | SMF type 90 records are written in response to certain operator commands. All of the subtypes of SMF 90 have a default severity value INFORMATIONAL. |
SMF 92 statement | SMF type 92 records are written to record activity (open and close) for mounted file systems and files (zFS and HFS). Type 92 records extend zDefender’s file integrity monitoring to UNIX file system files. Default subtype severity: |
SMF 109 Statement | SMF type 109 records are written to log USS Syslogd messages. |
SMF 113—Hardware Capacity | Provides hardware capacity, reporting, and statistics information about the central processor complex (CPC) |
SMF 115—MQ Performance Statistics | Reports usage and performance data for the message, buffer, lock, storage, coupling facility, log manager, and Db2 manager |
SMF 116—MQ Websphere Accounting Statistics | Reports message manager, message queue, and message channel accounting information |
SMF 119 Statement | If properly configured, TCP/IP writes activity records as SMF type 119 records. You can also monitor type 119 records to maintain an audit trail where individuals and processes accessed resources through TCP/IP. Default subtype severity: |
SMF ABEND-AID statement | Compuware Abend-AID SMF records, by default SMF record type 205, can be written by the Compuware Abend-AID product. See the appropriate Compuware Abend-AID documentation. |
SMF APP_AUDIT statement | Compuware Application Audit SMF records, by default SMF record type 220, can be written by the Compuware Application Audit product. See the appropriate Compuware Application Audit documentation. |
SMF CORRELOG statement | BMC Defender SMF records, by default SMF record type 202, can be written by the IND$defender product. For more information, see IND-defender. |
SMF DIAG statement | The SMF DIAG statement is intended for diagnostic purposes. The default severity value is DEBUG. |
Common parameters
Parameter | Description |
---|---|
SMF ABEND-AID(recordtype) | Must code as shown. Code a single numeric value between 128 and 255. If the record type is omitted, the default value is 205. |
SMF APP_AUDIT(recordtype) | Must code as shown. Code a single numeric value between 128 and 255. If the record type is omitted, the default value is 220. |
SMF CORRELOG(recordtype) | Must code as shown. Code a single numeric value between 128 and 255. If the record type is omitted, the default value is 202. |
SMF DIAG(recordtype) | Must specify as shown. There is no default for the SMF record type. For record type, code a single numeric value between 0 and 255 indicating the SMF record type you want to monitor. If you code more than one SMF statement for the same record type, then a subsequent SMF statement for the same record type replaces any SMF statement(s) for that record type that came before. |
FACILITY(facility-name) | Specifies the RFC 3164 facility that is to be indicated as the origin of the syslog messages corresponding to the indicated SMF records. If you omit this parameter, the default value is LOGALERT or as shown in the table. If you want a different facility indicated, code one of the RFC 3164 facility names as listed in Syslog-facilities-and-severities. |
FIELDs(fieldname…) | Specifies the names of the SMF record fields that are to be transmitted to the BMC Defender Server or other syslog console and the order they are to appear in the message. Specify one or more of the fields as described in FIELDS-parameter. You can specify fields only if they are appropriate to the SMF record type; for example, you can specify SMF18JBN for SMF 18, but not for SMF 14 or any other record type. |
Filter-specification | |
INHibit | Specifies that the writing of the specified SMF record type to the SMF data set or log stream is to be inhibited by BMC AMI Defender. The specified SMF record type is processed by BMC AMI Defender, but then inhibited from further processing by SMF. |
LOG LOG(HEX) | Specifies that the selected SMF records are to be logged on CZAPRINT and optionally dumped in hexadecimal and character format. This parameter is intended primarily for diagnostic purposes. Use care in specifying LOG(HEX) as it can generate a large volume of print records, especially if BMC AMI Defender is left running for several hours or more. |
PROCess('process-tag') | Specifies the tag that appears at the start of the syslog messages for the indicated SMF record type, following the priority, timestamp, and hostname, and preceding the formatted fields. Specify the exact process tag that you want to include in syslog messages including any spaces and punctuation. A process tag can be any length from the null string ('') to 32 characters. If PROCess is omitted, the default value is as indicated and followed by the leading delimiter from OPTIONS DELIM. |
SEVerity(severity) | Specifies the syslog severity (for record types without subtypes) or the default severity (for record types with subtypes). See Syslog-facilities-and-severities. You can also code SUPPRESS. SUPPRESS indicates that the default is that records are not to be formatted and forwarded to the syslog server at all. If you omit SEVerity, the default value is as described under each record-type description. |
SUBTypes | Specifies one or more SMF record subtypes and the syslog severity to be assigned to them. This parameter is only valid for SMF record types that include subtypes. Record types 7, 14, 15, 17, 18, 60, 61, 62, 64, 65 and 66 do not contain subtypes. BMC Defender SMF records are always written as subtype 1. The subtype default values for each record type are listed under the description of that record type. Specify the subtype or subtypes in one or more of the following formats. |
subtype | Specifies a single record subtype |
subtype:subtype | Specifies a range of record subtypes |
SEVerity(severity) | Specifies the syslog severity for the specified record subtypes. See Syslog-facilities-and-severities. You can also code DEFAULT or SUPPRESS. DEFAULT indicates that the severity default value is the defined severity; SUPPRESS indicates that the specified event records are not to be forwarded to the syslog server at all. |

If TRACE(PARM) is in effect, then the effect of any SUBTypes and SEVerity parameters is indicated by message CZA0069I, for instance:

    CZA0069I SMF_T42 Maximum Subtype 30
    CZA0069I Subtype 0 Severity DEFault
    CZA0069I Subtype 1 Severity SUPpress
    ...
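
An added example, not part of the product documentation: a Python check that parses CZA0069I lines in the three shapes quoted above and reports watched subtypes that are suppressed (never forwarded to the syslog server) or absent from the trace. The watch list, the function names and how the message text is captured are assumptions; only the line shapes come from this page.

```python
import re

# Line shapes as in the CZA0069I sample on this page; other lines are ignored.
HEADER = re.compile(r"CZA0069I\s+SMF_T(\d+)\s+Maximum Subtype\s+(\d+)")
ENTRY = re.compile(r"CZA0069I\s+Subtype\s+(\d+)\s+Severity\s+(\S+)")

# The three lines quoted on this page (its elided "..." is not filled in).
SAMPLE = """\
CZA0069I SMF_T42 Maximum Subtype 30
CZA0069I Subtype 0 Severity DEFault
CZA0069I Subtype 1 Severity SUPpress
"""

def parse_cza0069i(text):
    """Return {record_type: {"max": n, "subtypes": {subtype: SEVERITY}}}."""
    result, current = {}, None
    for line in text.splitlines():
        header = HEADER.search(line)
        if header:
            # Assumption: a repeated header for a type starts that type over.
            current = {"max": int(header.group(2)), "subtypes": {}}
            result[int(header.group(1))] = current
            continue
        entry = ENTRY.search(line)
        if entry and current is not None:
            current["subtypes"][int(entry.group(1))] = entry.group(2).upper()
    return result

def audit(parsed, watch):
    """Flag watched (type, subtype) pairs that are suppressed or not listed."""
    findings = []
    for rtype, subtypes in sorted(watch.items()):
        seen = parsed.get(rtype, {"subtypes": {}})["subtypes"]
        for sub in sorted(subtypes):
            status = seen.get(sub, "NOT LISTED")
            if status in ("SUPPRESS", "NOT LISTED"):
                findings.append((rtype, sub, status))
    return findings

if __name__ == "__main__":
    # Hypothetical watch list: subtypes the SIEM is expected to receive.
    for finding in audit(parse_cza0069i(SAMPLE), {42: [0, 1, 2]}):
        print("SMF %d subtype %d: %s" % finding)
```

Running it against a saved copy of the TRACE(PARM) output after each parameter change shows whether a subtype the SIEM depends on has been switched to SUPPRESS.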