SMF 80 statement


You can use the SMF 80 statement to collect and forward type 80 records to your syslog console. SMF type 80 records are written for security events, such as users attempting to log on with an invalid password, and RACF granting a particular user access to a particular resource.

Important: Your installation might use customized RACF to suppress writing records for certain events.

You can monitor type 80 records to keep track of security events. If you use an SMF 80 statement, all SMF type 80 records are forwarded to your BMC Defender Server or syslog console with a facility of Security (4) and a severity of Informational. The exceptions are records in which RACF sets bit 0 (violation) or bit 3 (warning) in the SMF80DES field; these records are forwarded with a severity of Error or Warning, respectively.

Some z/OS subsystems might generate a very large volume of RACF events with the event and qualifier codes 1.12 (successful RACINIT initiation) and 1.13 (successful RACINIT delete). Although these events carry non-zero qualifier codes, they are routine and benign. You can suppress them by entering EVENTS(1.12 1.13 SEV(SUP)) in your SMF 80 statement.

If you enter more than one SMF 80 statement, each subsequent statement replaces the previous one.

The statement described in this topic is for RACF. For CA Top Secret SMF type 80 formatting, see SMF-TSS80-statement.

Syntax diagrams

The following diagrams describe the valid syntax for the SMF type 80 statement.

[Syntax diagram for the SMF 80 statement: a visual representation of the statement syntax and parameters, including the available events and severities.]


For information about filterSpecification, see FILTER-and-MATCH-parameters.

The following table describes the SMF 80 statement parameters:

Parameter

Description

DESCription

Deprecated and accepted only for compatibility purposes

EVENTs

Lists one or more SMF record type 80 event codes and the syslog severity assigned to them

You can specify event codes more than once and must use a specific format. For more information, see Event code format.

Example:

EVENT(8 10.2 6.2:3 12:14 SEV(WARN))

This statement indicates that event codes 8, 12, 13, and 14, and event code/qualifiers 10.2, 6.2, and 6.3 are forwarded with a severity of Warning.

FACILITY(facilityName)

Specifies the originating RFC 3164 facility of the syslog records that correspond to SMF type 80 records

To use a different facility, enter one of the RFC 3164 facility names listed in Syslog facilities and severities.

If you omit this parameter, the default facility, SECURITY (facility code 4), is used.

FIELDs(fieldName…)

Specifies the names of the SMF type 80 record fields that BMC AMI Datastream should forward to the BMC Defender Server or other syslog console

Fields appear in the message in the order in which you listed them.

Specify one or more of the fields as described in SMF-80-fields.

filterSpecification

Filters the fields

For information about filtering fields, see FILTER and MATCH parameters.

INHibit

Inhibits writing the SMF type 80 record to the SMF data sets or log stream

BMC AMI Datastream processes the record, but SMF then inhibits further processing of it.

LOG | LOG(HEX)

Logs SMF records on CZAPRINT, dumping them in character format (LOG) or hexadecimal format (LOG(HEX))

This parameter is intended primarily for diagnostic purposes.

Important: Specifying LOG(HEX) might generate a large volume of print records, especially if BMC AMI Datastream is left running for several hours.

PROCess('processTag')

Specifies the tag that appears at the start of SMF syslog messages

The tag follows the priority, time stamp, and host name, and precedes the formatted fields.

Enter the exact process tag that you want to include in syslog messages, including any spaces and punctuation. Process tags can be of any length from the null string ('') to 32 characters.

If you omit this parameter, the default RACF is used, followed by the leading delimiter from OPTIONS DELIM. For more information, see OPTIONS-statement.

SEVERITY(severity)

Specifies the syslog severity for the event code. For more information about severities, see Syslog-facilities-and-severities.

The following SEVERITY operands are not RFC 3164 severities:

  • SUPPRESS indicates that the specified event records are not forwarded to the syslog server.
  • DEFAULT restores the default severity processing based on the SMF80DES bit flags.
Example:

EVENT(2 SEV(NOTICE)) EVENT(2.1:5 SEV(DEFAULT))

This statement indicates that event code 2 records have a severity of Notice, except for qualifiers 1 through 5, which use the default severity processing based on the SMF80DES bit flags.

If you enter TRACE(PARM) in the OPTIONS-statement, message CZA0242I displays the specified severity for each event and qualifier for which an event map entry exists.

Event code format

Specify the event codes in one or more of the following formats. For all formats, eventCode must be an integer from 1 to 255 and qualifier must be an integer from 0 to 63.

Format

Description

eventCode

A single event code

For example, EVENT(1 SEV(ERR)) indicates that event code 1 events (and all qualifiers) are forwarded with a severity of Error.

.qualifier

A single qualifier for all events

For example, EVENT(.0 SEV(SUP)) indicates that event code and qualifier combinations 1.0, 2.0, 3.0, and so on are suppressed.

The primary intent of .qualifier is to suppress, or lower the severity of, dot-zero events (which all indicate some sort of successful access). You can use .qualifier with any valid qualifier number.

eventCode.qualifier

A single event code and qualifier

For example, EVENT(7.0 SEV(INFO)) indicates that all event code 7 qualifier 0 records are forwarded with a severity of Informational.

eventCode.qualifier:qualifier

Indicates a range of qualifiers with a single event code

For example, EVENT(5.2:4 SEV(WARN)) indicates that qualifiers 2, 3, and 4 of event code 5 are forwarded with a severity of Warning.

eventCode:eventCode

Indicates a range of event codes

For example, EVENT(5:9 SEV(NOTICE)) indicates that event codes 5, 6, 7, 8, and 9 records are forwarded with a severity of Notice.
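The event code formats in this table, together with the SEVERITY(SUPPRESS) and SEVERITY(DEFAULT) operands and the default SMF80DES-based severity described earlier, can be modelled as a small event map. The following Python is an added worked example, not BMC's code and not an API that BMC AMI Datastream exposes; it assumes that a later EVENT clause overrides an earlier one for the same event and qualifier, that IBM bit numbering applies to SMF80DES (bit 0 is the high-order bit 0x80, bit 3 is 0x10), and that ERR, WARN, and SUP are accepted abbreviations of ERROR, WARNING, and SUPPRESS. The sample statements are the ones shown on this page.

```python
"""Model of SMF 80 EVENT severity mapping (added example; not BMC code)."""
import re
from typing import Dict, Optional, Tuple

# SMF80DES descriptor flags named on the page: bit 0 = violation, bit 3 = warning.
# Assumed IBM bit numbering: bit 0 is the high-order bit of the byte.
SMF80DES_VIOLATION = 0x80
SMF80DES_WARNING = 0x10

# Assumed abbreviations; the product's own keyword list is in
# Syslog-facilities-and-severities.
SEVERITY_ALIASES = {"ERR": "ERROR", "WARN": "WARNING", "SUP": "SUPPRESS"}

EventMap = Dict[Tuple[int, int], str]   # (eventCode, qualifier) -> severity keyword


def default_severity(smf80des: int) -> str:
    """Default processing: Error for violations, Warning for warnings, else Info."""
    if smf80des & SMF80DES_VIOLATION:
        return "ERROR"
    if smf80des & SMF80DES_WARNING:
        return "WARNING"
    return "INFO"


def parse_token(tok: str) -> Tuple[int, int, int, int]:
    """Return (ev_lo, ev_hi, q_lo, q_hi) for one token in the page's five formats."""
    if tok.startswith("."):                       # .qualifier -> that qualifier, all events
        q = int(tok[1:])
        ev_lo, ev_hi, q_lo, q_hi = 1, 255, q, q
    elif "." in tok:                              # eventCode.qualifier[:qualifier]
        ev, rest = tok.split(".", 1)
        lo, _, hi = rest.partition(":")
        ev_lo = ev_hi = int(ev)
        q_lo, q_hi = int(lo), int(hi or lo)
    elif ":" in tok:                              # eventCode:eventCode -> all qualifiers
        lo, hi = tok.split(":", 1)
        ev_lo, ev_hi, q_lo, q_hi = int(lo), int(hi), 0, 63
    else:                                         # single eventCode -> all qualifiers
        ev_lo = ev_hi = int(tok)
        q_lo, q_hi = 0, 63
    # Page limits: eventCode 1..255, qualifier 0..63.
    if not (1 <= ev_lo <= ev_hi <= 255 and 0 <= q_lo <= q_hi <= 63):
        raise ValueError(f"invalid event specification {tok!r}")
    return ev_lo, ev_hi, q_lo, q_hi


# EVENT(...) or EVENTS(...) followed by the SEV(...) keyword inside the same parentheses.
_CLAUSE = re.compile(r"EVENTS?\(\s*([^()]*?)\s*SEV\((\w+)\)\s*\)", re.IGNORECASE)


def build_event_map(statement: str) -> EventMap:
    """Fold every EVENT clause into a map; later clauses override earlier ones (assumed)."""
    emap: EventMap = {}
    for codes, sev in _CLAUSE.findall(statement):
        sev = SEVERITY_ALIASES.get(sev.upper(), sev.upper())
        for tok in codes.split():
            ev_lo, ev_hi, q_lo, q_hi = parse_token(tok)
            for ev in range(ev_lo, ev_hi + 1):
                for q in range(q_lo, q_hi + 1):
                    if sev == "DEFAULT":          # restore SMF80DES-based processing
                        emap.pop((ev, q), None)
                    else:
                        emap[(ev, q)] = sev
    return emap


def resolve_severity(emap: EventMap, event: int, qualifier: int,
                     smf80des: int) -> Optional[str]:
    """Severity a record would be forwarded with, or None if it is suppressed."""
    sev = emap.get((event, qualifier))
    if sev == "SUPPRESS":
        return None
    return sev or default_severity(smf80des)


if __name__ == "__main__":
    # Constructed sample: the RACINIT suppression from this page plus a violation record.
    emap = build_event_map("EVENTS(1.12 1.13 SEV(SUP)) EVENTS(.0 SEV(SUP))")
    for ev, q, des in [(1, 12, 0), (2, 0, 0), (2, 1, 0x80), (7, 4, 0x10)]:
        print(f"event {ev}.{q} SMF80DES=0x{des:02x} -> {resolve_severity(emap, ev, q, des)}")
```

A practical check before deploying a statement is to run the constructed records you care about through `resolve_severity` and confirm that nothing with the violation bit set resolves to None: a `.0` suppression is safe only because dot-zero records are successful accesses, whereas a broad `eventCode:eventCode SEV(SUP)` range also silences the violation and warning records inside it.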


BMC AMI Datastream for Db2 7.1