Supported API event types, SMF types, and associated process tags
BMC AMI Datastream supports the following API event types and SMF record types. Additionally, you can see the default process tags for each type and, where applicable, hyperlinks to reference information about FIELDS parameters.
API event types
BMC AMI Datastream receives information from the following event types through the API or log stream. The default process tag is displayed at the start of the syslog message for the indicated type (following the priority, time stamp, and host name).
Event type | Short description | Default process tag | FIELDS parameter reference |
|---|---|---|---|
ChangeMan | Message data sent from the Micro Focus (formerly Serena) ChangeMan product through the BMC AMI Datastream API. For configuration details, see the ChangeMan product technical documentation. | ChangeMan | |
Console | z/OS console message processing. For more information, see the Defining CONSOLE SETs topic. | Console | |
CorreLog | (Does not apply to Datastream for Ops) See SMF record type 202 (later in this topic). | CorreLog | |
DCOLECT | Process the DCOLLECT command output records and send them to SIEM | DCOLLECT | DCOLLECT fields |
DIAG | (Does not apply to Datastream for Ops) Diagnostic formatting of indicated SMF number | Diag | |
Generic | Used for generic records, not specific records | Generic | |
IMS Connect events | |||
IMS Connect 1 | Region initialization mapping | ICON_01 | |
IMS Connect 2 | Region termination mapping | ICON_02 | |
IMS Connect 16 | Datastore becomes available mapping | ICON_16 | |
IMS Connect 17 | Datastore becomes unavailable mapping | ICON_17 | |
IMS Connect 18 | IMS TMEMBER joins XCF group mapping | ICON_18 | |
IMS Connect 19 | IMS TMEMBER leaves XCF group mapping | ICON_19 | |
IMS Connect 28 | Begin SSL open mapping | ICON_28 | |
IMS Connect 29 | End SSL open mapping | ICON_29 | |
IMS Connect 32 | Begin SSL close mapping | ICON_32 | |
IMS Connect 33 | End SSL close mapping | ICON_33 | |
IMS Connect 41 | Begin ODB registration mapping | ICON_41 | |
IMS Connect 42 | End ODB registration mapping | ICON_42 | |
IMS Connect 43 | Begin ODB deregistration mapping | ICON_43 | |
IMS Connect 44 | End ODB deregistration mapping | ICON_44 | |
IMS Connect 63 | Begin SAF SEC REQ | ICON_63 | |
IMS Connect 64 | End SAF SEC REQ | ICON_64 | |
IMS Connect 69 | OTMA timeout | ICON_69 | |
IMS Connect 71 | Session error | ICON_71 | |
IMS Connect 91 | DRDA command | ICON_91 | |
IMS Connect 92 | DRDA reply | ICON_92 | |
IMS Connect 99 | Enter security exit | ICON_99 | |
IMS Connect 100 | Return from SEC exit | ICON_100 | |
IMS Connect 255 | ICON refresh RACF UID | ICON_255 | |
IMS logtype 1 IMS logtype 3 IMS logtype 10 IMS logtype 16 IMS logtype 22 IMS logtype 24 IMS logtype 50 IMS logtype F8 IMS logtype F9 IMS logtype FA (SPE2310) | IMS log processing events | IMS_1_3 IMS_1_3 IMS_10 IMS_16 IMS_22 IMS_24 IMS_50 IMS_F8 IMS_F9 IMS_FA IMS_C0 | |
IND$FILE | (Does not apply to Datastream for Ops) For more information, see: See also SMF record type 202 (later in this topic). | IND$FILE | |
JOBLOG | (Does not apply to Datastream for Ops) | JOBLOG | |
Log4j | Log4j events for Java log format messages written to one of the following sources: | Log4j | |
LSPACE | DASD free space. Monitor DASD usage of Db2 STC to alert before running out of space. | LSPACE | |
OPERINS | Streams Db2 activity data to the BMC AMI Datastream for Operational Insight product | Oper_Insight | |
(SPE2307) | Change record and user details for system PROCLIB and PARMLIB comparisons | SIVSRC | |
(SPE2504) SPM | Support for BMC AMI Security Policy Manager | SPM | EVENT SPM fields |
(SPE2307) | Delta changes for system PROCLIB and PARMLIB comparisons | SRCCOMP | |
(SPE2304) | Capture issued commands and the console from which they are issued | SSCmd | |
(SPE2404) | Capture the entire command text of RACF commands executed from the TSO command shell and the operator console | RACFcmd | |
(SPE2501) | Capture the operator console messages | VMCONSOLE | |
(SPE2501) | Capture the RACF SMF 80 messages of the z/VM system | VMRACF | |
(SPE2504) | Capture the FTP messages | VMRACFT | |
(SPE2504) | Capture the Performance Toolkit messages | VMRACPK | |
(SPE2504) | Capture the TN3270 logon/logoff messages | VMRACTN | |
(SPE2501) | Capture the CA VM:SECURE messages | VMSECURE | |
SMF record types
BMC AMI Datastream receives information from the following system management facilities (SMF) types.
Some of the entries in the SMF type column have hyperlinks to additional information that is specific to BMC AMI Datastream. Some are marked as variable, meaning that you can use any available value as a substitute. The record type indicated is the default value. For more information about SMF record types, refer to SMF records in IBM documentation, z/OS MVS System Management Facilities (SMF).
The Short description column displays the hexadecimal value of the record type in parentheses.
The Default process tag column presents what is displayed at the start of the syslog message for the indicated type (following the priority, time stamp, and host name).
SMF type | Short description | Default process tag | FIELDS parameter reference |
|---|---|---|---|
0 | Record type 0 (00), IPL | IPLHeader | |
7 | Record type 7 (07), Data lost | Data_Lost | |
8 | Record type 8 (08), I/O configuration | DeviceInfo | |
9 | Record type 9 (09), VARY device ONLINE. Use case: A system programmer receives immediate notification when a new device is brought online but not according to schedule. | DeviceInfo | |
11 | Record type 11 (0B), VARY device OFFLINE | DeviceInfo | |
14 | Record type 14 (0E), INPUT or RDBACK data set activity | DS_Input | |
15 | Record type 15 (0F); OUTPUT, UPDAT, INOUT, or OUTIN data set activity | DS_Output | |
16 | Record type 16 (10), DFSORT usage SMF records. Use case: A system programmer monitors and analyzes the execution of data facility sort (DFSORT) tasks in batch jobs. | DFSORT | |
17 | Record type 17 (11), Scratch data set status | DS_Scratch | |
18 | Record type 18 (12), Rename non-VSAM data set status | Rename | |
22 | Record type 22 (16), z/OS system configuration changes. Use case: A system programmer can use BMC AMI Datastream to capture and track configuration changes and thereby demonstrate compliance to an auditor. | CONFIG | |
26 | Record type 26 (1A), JES2/JES3 job purge. Use case: Similar to the SMF record types 55-58, this type is written by network job entry (NJE). | JES_Network | |
26 | Record type 26 (1A), encryption and compression | JES_Network | |
| | Record type 30 (1E), Common address space work, performance data fields. Use case: A security analyst can monitor the activities of security-related address spaces and track any unusual or unauthorized activities. | SMF | |
32 | Record type 32 (20), TSO/E user work accounting. Use case: A security analyst can track anomalous behavior to identify a threat enumerating a logical partition to identify valuable information. | TSOUserWrkAcct | |
36 | Record type 36 (24), Integrated catalog facility catalog export | ICFC | |
| | Record type 41 (29), provides resource usage information regarding data-in-virtual (DIV) objects and VLF statistics | DIVObjects_VLFStats | |
42 | Record type 42 (2A), DFSMS statistics and configuration | DFSMS | |
43 | Record type 43 (2B), JES2/JES3 start. Use case: A machine learning algorithm notices a job starting at an unusual time and alerts the system programmer that something atypical is happening on the system. | JES | |
55 | Record type 55 (37), JES2 network SIGNON. Use case: A security analyst notices two signon attempts in quick succession, indicating a man-in-the-middle attack (MITM). | JES_Network | |
56 | Record type 56 (38), JES2 network integrity. Use case: A security analyst receives a real-time alert about an attempt to break onto a mainframe using NJE. | JES_Network | |
57 | Record type 57 (39), JES2 network SYSOUT transmission and JES3 networking transmission. Use case: A security analyst sees all the NJE action that a hacker exploited and responds to the threat effectively. | JES_Network | |
58 | Record type 58 (3A), JES2 network SIGNOFF. Use case: A security analyst uses the session records to quickly identify all NJE actions during an analysis of anomalous activity. | JES_Network | |
60 | Record type 60 (3C), VSAM volume data set updated | VSAM_Volume | |
61 | Record type 61 (3D), Integrated catalog facility define activity | ICF_Define | |
62 | Record type 62 (3E), VSAM component or cluster opened | VSAM_Open | |
64 | Record type 64 (40), VSAM component or cluster status | VSAM_Status | |
65 | Record type 65 (41), Integrated catalog facility delete activity | ICF_Delete | |
66 | Record type 66 (42), Integrated catalog facility alter activity | ICF_Alter | |
70 | Record type 70 (46), RMF processor activity | RMF_CPU | |
71 | Record type 71 (47), RMF paging activity | RMF_Paging | |
72 | Record type 72 (48), Workload activity, storage data, and serialization delay | RMF_Workload | |
73 | Record type 73 (49), RMF channel path activity | RMF_Channel | |
74 | Record type 74 (4A), RMF activity of several resources | RMF_Resources | |
75 | Record type 75 (4B), RMF page data set activity | RMF_PageDataset | |
76 | Record type 76 (4C), RMF trace activity | RMF_Trace | |
77 | Record type 77 (4D), RMF enqueue activity | RMF_Enqueue | |
78 | Record type 78 (4E), RMF virtual storage and I/O queuing activity | RMF78_VS_IO | |
79 | Record type 79 (4F), RMF monitor II activity | RMF_Monitor_II | |
| | Record type 80 (50), Security product processing. Use case: A security analyst receives an alert that a single computer tried to log in to 1,000 accounts with the same password and failed. | RACF | |
| | Record type TSS80, CA Top Secret (TSS) processing | TSS80 | |
| | Record type 81 (51), RACF initialization. Use case: A security administrator can use additional RACF information to see numerous initializations that indicate a user is making more modifications than historically normal. | RACF | |
82 | Record type 82 (52), ICSF record | ICSF | |
| | Record type 83 (53), RACF audit record for data sets. Use case: A security administrator can use additional RACF information to see numerous initializations that indicate a user is making more modifications than historically normal. | RACF | |
| | Record type 88 (58), reports system logger activity for one log stream or structure after every SMF global recording interval has ended | System_Logger | |
89 | Record type 89 (59), Usage data | Usage_Data | |
90 | Record type 90 (5A), System status | System_Status | |
92 | Record type 92 (5C), File system activity | zFS | |
| | Record type 98 (62), High Frequency Throughput Statistics (HFTS) data for various z/OS system components | HFTS | |
| | Record type 99 (63), this record type is written by the SRM component. The records contain: | SRM Decisions | |
| | Record type 100 (64), Db2 statistics | DB2 | |
| | Record type 101 (65), Db2 accounting | DB2 | |
| | Record type 102 (66), Db2 performance | DB2 | |
103 | Record type 103 (67), IBM HTTP Server | IBMHTTPServer | |
106 | Record type 106 (6A), BCPii activity | BCPii | |
109 | Record type 109 (6D), TCP/IP statistics. See also Log4j (earlier in this topic). Use case: A mainframe administrator monitoring Log4J messages immediately identifies a mainframe application acting inappropriately because of a denial-of-service attack (DoS) and can take remediating actions. | Syslogd | |
| | Record type 110 (6E), CICS TS for z/OS statistics. Use case: A system programmer receives notification about a dramatic spike in CICS transactions that can indicate an automated attack. | CICS | |
113 | Record type 113 (71), Hardware capacity, reporting, and statistics | Hardware_Capacity | |
115 | Record type 115 (73), MQSeries statistics | MQ_Stats | |
116 | Record type 116 (74), MQ accounting | MQ_Accounting | |
117 | Record type 117 (75), this record type is written by the IBM Integration Bus. The records contain: Message flow statistics and accounting data | MSGFLOW_ACCTNG_STAT | SMF-117-fields |
119 | Record type 119 (77), TCP/IP statistics. Use case: A security analyst can see connections to the mainframe on atypical ports, indicating a malicious command-and-control channel. | TCP/IP | |
120 | Record type 120 (78), WebSphere Application Server for z/OS Performance Statistics. Use case: A security administrator can see WebSphere Application Server actions occurring on a privileged account far outside the normal work hours. The administrator can take remediating action to determine if the user behavior is legitimate. | Websphere | |
120, type 12 | Record type 120 (78), subtype 12, WebSphere Application Server for z/OS records that are generated by the Java batch SMF logging feature | Websphere | |
123 | Record type 123 (7B) subtype 1 and 2, z/OS Connect EE, enhanced data for individual API provider and requester requests | API_Provider_Requester | |
128 – 255 | Variable configuration numbers in case of conflict | Not applicable | |
132 | Record type 132 (84), IBM Connect:Direct for z/OS | Connect_Direct | |
133 (variable) | Process Connect Direct High Water mark SMF records and send them to SIEM | SESSION_HIGHWATER_MARK | |
175 | Record type 175 (AF) subtype 20 and 21, field descriptions for PAM and SSPR | PAM, SSPR | |
201 (variable) | BMC AMI Storage IAM | IAM | |
202 (variable) | IND$Detect records. Monitors all IND$FILE download and upload activities. Requires the installation of the IND$Detect component. See also IND$FILE and CorreLog (earlier in this topic). | CorreLog | |
205 (variable) | Compuware Abend-AID audit | Abend-AID | |
220 (variable) | BMC AMI Security Session Monitor SMF | SessMon | |
227 (variable) | BMC AMI Enterprise Connector for Okta SMF record processing | EC_FOR_OKTA | |
230 (variable) | ACF2 processing. For more information, see SMF-ACF2-statement. | ACF2 | |
231 (variable) | CA Top Secret TSS for Unix System Services security events | TSS231 | |
240 (variable) | IBM CL/SuperSession for z/OS | SuperSession | |
249 (variable) | Action Software International | eventAction | |
1552 (variable) | BMC AMI Ops Monitor for IMS SMF record | OPSMIMS | |