SMF record type overview
System Management Facilities (SMF) is at the root of many critical mainframe-monitoring functions. Mainframe administrators can control how much or how little SMF data is collected on the system. Each SMF record has a specific record type and message data format. For more information about SMF, see the IBM documentation.
SMF records are classified by a record type number between 0 and 255. The SMF record types processed by BMC AMI Defender are as follows:
SMF record type | Description |
|---|---|
Record Type 7 | Data Lost A Data Lost record is written if all SMF buffers become full (either a result of no available output data sets for SMF to write to or the system generating records at a rate faster than SMF can physically write them). When this condition occurs, record type 7 tracks the number of lost records. |
Record Type 14 | INPUT or RDBACK Data Set Activity A Type 14 record is written each time that a non-VSAM direct access, VIO or tape data set that is defined by a DD statement or dynamic allocation and opened for INPUT or RDBACK is closed or processed by end-of-volume (EOV). |
Record Type 15 | OUTPUT, UPDAT, INOUT, or OUTIN Data Set Activity A Type 15 record is written each time that a non-VSAM direct access, VIO or tape data set that is defined by a DD statement or dynamic allocation and opened for OUTPUT, UPDAT, INOUT, or OUTIN is closed or processed by end-of-volume (EOV). |
Record Type 17 | Scratch Data set Status A Type 17 record is written when a DASD data set (temporary or not) is scratched. |
Record Type 18 | Rename Non-VSAM Data Set A Type 18 record is written each time that a non-VSAM data set defined by a DD statement (either explicitly or implicitly) is renamed. |
Record Type 30 | Common Address Space Work A Type 30 record is written at the start and end of every z/OS work unit such as a TSO session or batch job. |
Record Type 42 | DFSMS PDS member add, delete, rename, or replace A Type 42 record is written by DFSMS when a caller uses the STOW or DESERV macro to add, delete, rename, or replace a member. |
Record Type 60 | VSAM Volume Data Set Updated A Type 60 record is written when a VSAM Volume Record (VVR) or a Non-VSAM Volume Record (NVR) is inserted, updated, or deleted from a VSAM Volume Data Set (VVDS); for example, when a VSAM cluster is defined, closed, or deleted. One type 60 record is written for each VVR or NVR written or deleted. |
Record Type 61 | Integrated Catalog Facility Define Activity A. One type 61 record is written for each record inserted or updated in a catalog. |
Record Type 62 | VSAM Component or Cluster Opened A Type 62 record is written at the successful or unsuccessful opening of a VSAM component or cluster. |
Record Type 64 | VSAM Component or Cluster Close A Type 64 record is written each time that a VSAM component or cluster (including catalogs) is closed, or VSAM attempts to switch to another volume for processing. |
Record Type 65 | Integrated Catalog Facility Delete Activity A Type 65 record is written for any DELETE request to Catalog Management Services. One type 65 record is written for each record updated or deleted from a catalog. |
Record Type 66 | Integrated Catalog Facility Alter Activity A Type 66 record is written for every ALTER request to Catalog Management Services. One type 66 record is written for each record written or deleted from a catalog. |
Record Type 70 | RMF CPU activity This periodically generated SMF record contains CPU, PR/SM and Address space statistics |
Record Type 71 | RMF Storage activity This periodically generated SMF record contains Paging, Central Storage and Expanded Storage statistics. |
Record Type 73 | RMF Channel Path activity This SMF record contains channel path information for all channels defined to the system. |
Record Type 74 | RMF Hardware activity This periodically generated SMF record contains various hardware performance and statistics information. |
Record Type 75 | RMF Page Data Set activity This periodically generated SMF record contains performance and statistics information for each page data set. |
Record Type 76 | RMF Trace data This periodically generated SMF record contains selected trace information. |
Record Type 77 | RMF Enqueue activity This periodically generated SMF record contains enqueue contention during the interval. |
Record Type 78 | RMF I/O and Storage Queuing activity This periodically generated SMF record contains virtual storage and I/O queuing statistics. |
Record Type 79 | RMF Monitor II This SMF record is generated when RMF Monitor II SMF data be produced. It contains data produced for the RMF Monitor II report. |
Record Type 80 | RACF or CA Top Secret (TSS) processing A Type 80 record is written by RACF or TSS for security events such as the entry of an invalid password or an attempt by an unauthorized user to access a data set (mainframe file). Type 80 records are also written for other security-related events such as password changes and changes to the access rights for a data set. For TSS, only legacy MVS events are recorded as SMF 80 records; UNIX Systems Services events are recorded as a variable record type, typically 231. |
Record type 90 | System Status A Type 90 record is written during initialization processing and whenever certain operator commands are issued. This record is created for operator tracking and reporting of reliability data. It allows the installation to establish availability statistics. |
Record Type 92 | File System Activity A Type 92 record is written to record activity (open, close, etc.) for mounted file systems and files (zFS and HFS). |
Record Types 100, 101 and 102 | DB2 Statistics Accounting, Audit and Performance records. DB2 might be configured to write SMF records at various times and in response to various events. The DB2 support might be used for Db2 Database Activity Monitoring (DAM). |
Record Type 109 | USS System Messages (syslogd) TCP/IP server applications and components use syslogd to write log messages and trace messages. |
Record Type 110 | CICS Monitoring You might configure CICS and BMC AMI Defender to monitor CICS transactions that you consider sensitive. |
Record Type 115 | MQ System Status This record is periodically generated (at a specified time interval) and provides performance statistics for various MQ internal components. |
Record Type 116 | MQ Accounting This record contains accounting and statistics data for individual MQ tasks and threads. |
Record Type 119 | TCP/IP Statistics Correlating Type 119 records with TSO security events enables the BMC Defender Server to more accurately pinpoint the source of Internet security threats. |
Variable record type, but typically 202 | BMC Defender SMF records, by default SMF record type 202, might be written by the BMC AMI IND$defender product. For more information, see IND-defender. |
Variable record type, but typically 205 | Compuware Abend-AID has the option to write out SMF records containing information for each ABEND at the time of dump capture These records can then be transmitted with BMC AMI Defender and used with analytics products to build dashboards for reporting on abend activity, alerting, and reporting. The SMF Record Type 205 is enabled through an Abend-AID configuration parameter, where the number used can also be changed. |
Variable record type, but typically 220 | Compuware Application Audit is used to monitor VTAM 3270 network traffic, looking for criteria matching that was specified by a user, typically an auditor. Application Audit has the option to write out SMF records containing the data that it collected. The data can then be transmitted using BMC AMI Defender to an analytics engine, or SIEM, where it can be used for general auditing of who performed what function, and saw what specific data, analytics, user behavior analytics, dashboarding and alerting. The choice to use SMF vs XML, as well as the SMF record number to use, is configured through the Application Audit configuration. |
Variable record type, but typically 230 | An SMF record is written by ACF2 for most security events such as the entry of an invalid password or an attempt by an unauthorized user to access a data set (mainframe file). |
Variable record type, but typically 231 | An SMF record is written by CA Top Secret (TSS) for UNIX System Services events such as an attempt by an unauthorized user to access a file. |