SMF TSS80 statement


SMF type TSS80 records are written by CA Top Secret (TSS) for legacy MVS security events, such as a user attempting to log on with an invalid password or TSS granting a particular user access to a particular resource. For Unix System Services events, see SMF TSS231 statement.

Important: Your installation might have customized TSS to suppress writing records for certain events. Events that TSS does not record cannot be forwarded.

You can monitor type 80 records to keep track of security events. If you use an SMF TSS80 statement, all TSS SMF type 80 records are forwarded to your BMC Defender Server or syslog console with a facility of Security (4) and a severity of Informational. The exceptions are records in which TSS sets bit 0 (violation) or bit 3 (warning) in the field SMF80DES; these records are forwarded with a severity of Error or Warning, respectively.

If you enter more than one SMF TSS80 statement, the subsequent statement replaces the previous ones.

The statement described in this topic is for CA Top Secret (TSS). For RACF SMF Type 80 formatting, see The SMF 80 Statement.

Syntax diagrams

The following diagrams describe the valid syntax for the SMF TSS80 statement (the diagram images are not reproduced in this text):

  • Syntax diagram for the SMF TSS80 statement: the command syntax and parameters.
  • Syntax diagram for Events: the available event formats.

For information about filterSpecification, see FILTER and MATCH parameters.

The SMF TSS80 statement parameters are as follows:

EVENTs

Lists one or more SMF record type 80 event codes and the syslog severity assigned to them.

You can specify EVENT more than once; a later specification for an event code overrides an earlier one. Each event code must be written in one of the following formats:

eventCode

Specifies a single event code.

Example: EVENT(1 SEV(ERR)) specifies that event code 1 records are forwarded with a severity of Error.

eventCode:eventCode

Specifies a range of event codes.

Example: EVENT(55:59 SEV(NOTICE)) specifies that all event code 55, 56, 57, 58, and 59 records are forwarded with a severity of Notice.

You can specify eventCode as an integer or as a single character in quotes. An integer eventCode must be in the range 1 to 255 (any quoted character satisfies this requirement). If you specify a range of quoted characters, each character must be quoted, for example, 'S':'T'.

FACILITY(facilityName)

Specifies the originating RFC 3164 facility of the syslog records that correspond to SMF TSS80 records.

To use a different facility, enter one of the RFC 3164 facility names listed in Syslog facilities and severities.

If you omit this parameter, the default, SECURITY4 (RFC 3164 facility 4, Security), is used.

FIELDs(fieldName…)

Specifies the names of the SMF TSS80 record fields that BMC AMI Datastream forwards to the BMC Defender Server or other syslog console.

Fields appear in the message in the order in which you list them.

Specify one or more of the fields described in Supported record field names.

filterSpecification

Filters the fields

For information about filtering fields, see FILTER and MATCH parameters.

INHibit

Inhibits writing the SMF TSS80 record to the SMF data sets or log stream.

BMC AMI Datastream processes the record, but SMF then inhibits further processing. Because an inhibited record is never written to SMF, the forwarded syslog message becomes its only copy; consider this before inhibiting records that your audit policy requires in SMF.

LOG | LOG(HEX)

Logs SMF records on CZAPRINT and dumps them in character format (LOG) or hexadecimal format (LOG(HEX)).

This parameter is intended primarily for diagnostic purposes.

Important: Specifying LOG(HEX) might generate a large volume of print records, especially if BMC AMI Datastream is left running for several hours.

PROCess('processTag')

Specifies the tag that appears at the start of SMF syslog messages.

The tag follows the priority, time stamp, and host name, and precedes the formatted fields.

Enter the exact process tag that you want to include in syslog messages, including any spaces and punctuation. A process tag can be any length from the null string ('') to 32 characters.

If you omit this parameter, the default TSS is used, followed by the leading delimiter from OPTIONS DELIM. For more information, see OPTIONS statement.

SEVERITY(severity)

Specifies the syslog severity for the event code. For more information about severities, see Syslog facilities and severities.

The following SEVERITY operands are not RFC 3164 severities:

  • SUPPRESS indicates that the specified event records are not forwarded to the syslog server.
  • DEFAULT restores the default severity processing based on the SMF80DES bit flags.

Example: EVENT(50:59 SEV(NOTICE)) EVENT(52 SEV(DEFAULT))

The statement indicates that event code 50 through 59 records have a severity of Notice, except for code 52, which has the default severity.

If you enter TRACE(PARM) in the OPTIONS statement, message CZA0242I displays the specified severity for each event and qualifier for which an event map entry exists.
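The default severity rule in the introduction (Informational unless SMF80DES bit 0 or bit 3 is set) and the EVENT/SEVERITY overrides above combine into one small decision procedure. The following Python is an added example, not BMC AMI Datastream code: it models the documented rules so that a SIEM engineer can predict the syslog PRI of each forwarded TSS record before it arrives. Assumptions that the page does not state: SMF80DES is treated as a two-byte field with IBM bit numbering (bit 0 is the high-order bit), a quoted single-character event code is its EBCDIC (cp037) value, a record with both the violation and warning bits set is classed as a violation, and the default facility is RFC 3164 facility 4 (PRI = facility * 8 + severity). The EVENT operand string, the sample records and their flags are constructed for the example.

```python
"""Model of the SMF TSS80 severity rules (added example, not BMC code)."""
import codecs
import re
from typing import Dict, List, Optional, Tuple

# RFC 3164 severity names and numbers; the two extra operands come from the page.
SEVERITIES = {
    "EMERG": 0, "EMERGENCY": 0, "ALERT": 1, "CRIT": 2, "CRITICAL": 2,
    "ERR": 3, "ERROR": 3, "WARNING": 4, "WARN": 4, "NOTICE": 5,
    "INFO": 6, "INFORMATIONAL": 6, "DEBUG": 7,
}
SUPPRESS, DEFAULT = "SUPPRESS", "DEFAULT"
SECURITY_FACILITY = 4  # page: default facility is Security (4)

# Assumption: SMF80DES modelled as a 2-byte field, IBM bit numbering (bit 0 = MSB).
DES_VIOLATION = 0x8000  # bit 0 (violation)  -> Error by default
DES_WARNING = 0x1000    # bit 3 (warning)    -> Warning by default

# EVENT(code SEV(x)) or EVENT(lo:hi SEV(x)); SEV may be spelled SEVERITY.
_EVENT_RE = re.compile(
    r"EVENT\(\s*(?P<lo>'.'|\d+)(?::(?P<hi>'.'|\d+))?\s+SEV(?:ERITY)?\((?P<sev>\w+)\)\s*\)",
    re.IGNORECASE,
)


def event_code(token: str) -> int:
    """Integer event code; a quoted character is taken as its EBCDIC value
    (assumption: the page only says 'a single character in quotes')."""
    if token.startswith("'"):
        return codecs.encode(token[1], "cp037")[0]
    code = int(token)
    if not 1 <= code <= 255:
        raise ValueError(f"event code {code} outside 1..255")
    return code


def build_event_map(statement: str) -> Dict[int, str]:
    """Expand every EVENT operand into a code -> severity-name map.
    A later EVENT for the same code overrides an earlier one, as in the
    page's EVENT(50:59 SEV(NOTICE)) EVENT(52 SEV(DEFAULT)) example."""
    event_map: Dict[int, str] = {}
    for m in _EVENT_RE.finditer(statement):
        lo = event_code(m.group("lo"))
        hi = event_code(m.group("hi")) if m.group("hi") else lo
        sev = m.group("sev").upper()
        if sev not in SEVERITIES and sev not in (SUPPRESS, DEFAULT):
            raise ValueError(f"unknown severity {sev}")
        for code in range(lo, hi + 1):
            event_map[code] = sev
    return event_map


def default_severity(smf80des: int) -> int:
    """Page rule: violation -> Error, warning -> Warning, else Informational.
    Assumption: violation wins when both bits are set."""
    if smf80des & DES_VIOLATION:
        return SEVERITIES["ERR"]
    if smf80des & DES_WARNING:
        return SEVERITIES["WARNING"]
    return SEVERITIES["INFO"]


def resolve_severity(event_map: Dict[int, str], code: int, smf80des: int) -> Optional[int]:
    """Severity for one record, or None when SEV(SUPPRESS) applies."""
    sev = event_map.get(code, DEFAULT)
    if sev == SUPPRESS:
        return None
    if sev == DEFAULT:
        return default_severity(smf80des)
    return SEVERITIES[sev]


def syslog_pri(severity: int, facility: int = SECURITY_FACILITY) -> int:
    """RFC 3164 PRI value."""
    return facility * 8 + severity


def forward(statement: str, records: List[Tuple[int, int]]) -> List[Tuple[int, Optional[int]]]:
    """Return (event code, PRI or None if suppressed) for each record."""
    event_map = build_event_map(statement)
    out = []
    for code, des in records:
        sev = resolve_severity(event_map, code, des)
        out.append((code, None if sev is None else syslog_pri(sev)))
    return out


# Constructed statement operands and sample (event code, SMF80DES) records; not real TSS data.
STATEMENT = "EVENT(1 SEV(ERR)) EVENT(50:59 SEV(NOTICE)) EVENT(52 SEV(DEFAULT)) EVENT(60 SEV(SUPPRESS))"
SAMPLE_RECORDS = [
    (1, 0x0000),   # explicit Error, flags irrelevant
    (55, 0x8000),  # in 50:59 -> Notice even though the violation bit is set
    (52, 0x8000),  # DEFAULT restored -> violation -> Error
    (52, 0x1000),  # DEFAULT -> warning -> Warning
    (60, 0x8000),  # suppressed, never forwarded
    (2, 0x0000),   # unmapped -> Informational
]

if __name__ == "__main__":
    for code, pri in forward(STATEMENT, SAMPLE_RECORDS):
        print(f"event {code:3d}: " + ("suppressed" if pri is None else f"<{pri}>"))
```

Run against the constructed records, the model yields PRI 35 (facility 4, Error) for event 1, 37 (Notice) for event 55, 35 and 36 for the two event 52 records, no message for event 60, and 38 (Informational) for the unmapped event 2; compare these with what your syslog collector actually receives to confirm that the EVENT map was parsed the way you intended.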

 


BMC AMI Datastream for z/OS 7.1