SMF Common fields


You can specify these fields in the FIELDS parameter of any SMF statement.

| Name (Filter type) | Tag | CEF Name | Description |
|---|---|---|---|
| EventJobID (EGNX) | EventJobID | | Job ID (job number) |
| EventJobName (EGNX) | JobNm | sproc | Job name |
| EventJobstepAuth (Boolean) | JSauth | | APF-authorization state of the jobstep |
| EventJobstepProg (EGNX) | Pgm | deviceProcessName | Jobstep program name |
| EventPOE (EGNX) | POE | | Job POE from RUTKN |
| EventPOEX (Integer) | POEclass | | POE class index from RUTKN |
| EventPOEXD (Mapped Integer) | POEclass | | POE class index from RUTKN expressed as text |
| EventPrivChangeD | PrivChgD | | In the event of privilege escalation (see EventPrivilege), a textual representation of the specific escalated privileges, in the same format as EventRecACEEFLG1. Valid for RACF and TSS only. |
| EventPrivilege (EGNX) | PrivStat | | One of four one-character values: ‘ ’ (not a privileged user; because the value is blank, it is normally suppressed and not transmitted); ‘E’ (escalated privileges: this userid was last seen as unprivileged or with lesser privileges, but has now escalated); ‘K’ (known privileged user: this userid has been seen before, and the last time it was seen it had the same privileges as now); ‘P’ (new privileged user: this is the first time this userid has been seen in the current execution of BMC AMI Defender, and the user is privileged). For more information, see Privilege Escalation Detection. |
| EventPrivilegeD (Mapped Integer) | PrivStatD | | The data of EventPriv converted to a more readable form: Normal user, Known Privileged, New Privileged, or Escalated privileges |
| EventRecACEEADSP (Boolean) | ACEEADSP | | ACEE Automatic Data Security Protection (ADSP) flag |
| EventRecACEEAUDT (Boolean) | ACEEAUDT | | ACEE Auditor attribute flag |
| EventRecACEEFLG1 | ACEEFLG1 | | ACEE Flag 1 in textual format |
| EventRecACEELOGU (Boolean) | ACEELOGU | | ACEE Have most RACF functions logged (UAUDIT) flag |
| EventRecACEEOPER (Boolean) | ACEEOPER | | ACEE Operations attribute flag |
| EventRecACEEPRIV (Boolean) | ACEEPRIV | | ACEE User is a started procedure with the Privileged attribute (ACEEPRIV) flag |
| EventRecACEERACF (Boolean) | ACEERACF | | ACEE RACF-defined user (ACEERACF) flag |
| EventRecACEEROA (Boolean) | ACEEROA | | ACEE Read-Only Auditor (ROAUDIT) attribute flag |
| EventRecACEESPEC (Boolean) | ACEESPEC | | ACEE Special attribute flag |
| EventSType (Integer) | TokSType | | Session type from RUTKN |
| EventSTypeD (Mapped Integer) | TokSType | | Session type from RUTKN expressed as text |
| EventTokDFLT (Boolean) | TokDFLT | | Default RUTKN |
| EventTokDGRP (Boolean) | TokDGRP | | Default group assigned |
| EventTokDSEC (Boolean) | TokDSec | | Default SECLABEL assigned |
| EventTokENCR (Boolean) | TokENCR | | Token is encrypted |
| EventTokERR (Boolean) | TokERR | | Token in error |
| EventTokFlg1 | TokFlg1 | | RUTKN Token Flag 1 |
| EventTokFlg2 | TokFlg2 | | RUTKN Token Flag 2 |
| EventTokFlg3 | TokFlg3 | | RUTKN Token Flag 3 |
| EventTokIPV (Boolean) | ToIPV | | IP value present for SERVAUTH POE |
| EventTokLOGU (Boolean) | TokLOGU | | Log user indicator |
| EventTokNETF (Boolean) | TokNETF | | Network name specified |
| EventTokPRIV (Boolean) | TokPRIV | | Privileged user indicator |
| EventTokREMOT (Boolean) | TokREMOT | | Remote job indicator |
| EventTokRSPEC (Boolean) | TokRSPEC | | RACF Special indicator |
| EventTokSUS (Boolean) | TokSUS | | Surrogate userid |
| EventRecTOKSUSR (EGNX) | SurrogateFor | | Submitting userid |
| EventTokTRST (Boolean) | TokTRST | | Part of the trusted computing base |
| EventTokUDUS (Boolean) | TokUDUS | | Undefined user |
| EventTokUNUSR (Boolean) | TokUNUSR | | NJE unknown user |
| EventTokVXPRP (Boolean) | TokVXPRP | | VERIFYX propagation occurred |
| EventTokWDWN (Boolean) | TokWDwn | | When MLS is active, write-down is allowed |
| EventUserID (EGNX) | EventUserID | suid | User ID |
| EventUserID_L (EGNX) | usrName | | User ID. This field’s formatting is conditioned on the software switch LEEF. |
| EventUserName (EGNX) | Name | suser | User name from SAF |
| EventUserName_L (EGNX) | accountName | | User name from SAF. This field’s formatting is conditioned on the software switch LEEF. |
| EventWRKTYP (EGNX) | WorkType | | The type of work represented by the event record: ‘A’ ASCH/APPC transaction, ‘J’ batch job, ‘S’ started task, ‘T’ TSO user, ‘U’ type of work could not be determined |
| EventWRKTYPD (Mapped Integer) | WorkTypeD | | The type of work represented by the event record, expressed as text |
| EventWRKTYPDX (Mapped Integer) | WorkType | | The type of work represented by the event record, expressed as text, with the now-deprecated WorkType tag |
| SMFXXDTETME | Timestamp | rt | The SMF record timestamp formatted in accordance with the TIME statement. This field is largely redundant with the timestamp automatically generated by BMC Defender and most other syslog servers. It is also redundant with the RFC 3164 timestamp generated by OPTIONS TIMESTAMP. |
| SMFXXDTETME_L | devTime | | The SMF record timestamp formatted in accordance with the TIME statement. This field’s formatting is conditioned on the software switch LEEF. |
| SMFXXRTY (Integer) | Rtype | | The SMF record type |
| SMFXXSID (EGNX) | SID | | The SMF system ID from the SMF record. This field is possibly redundant with the RFC 3164 host name. See OPTIONS HOSTNAME. |
| SMFXXSTY (Integer) | SubT | | The SMF record subtype: the value of the halfword integer at displacement 22 into the base of the SMF record. Compare Event_SubType. |
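The header-level fields (SMFXXRTY, SMFXXSID, SMFXXDTETME and the SMFXXSTY halfword at displacement 22) can be read straight from a raw record. The following is an added example, not BMC's code: it assumes the standard SMF record header layout (length, segment descriptor, flag, type, time, date, system ID, subsystem ID, subtype), decodes EBCDIC with Python's cp037 codec, and parses a constructed header-only record.

```python
import struct
from datetime import date, timedelta

# Assumed standard SMF header layout (only the subtype at displacement 22 is stated on the page):
#   0 len(H)  2 seg(H)  4 flg(B)  5 rty(B)  6 tme(I)  10 dte(packed 0cyydddF)
#   14 sid(4 EBCDIC)  18 ssi(4 EBCDIC)  22 sty(H)
SMF_HEADER_LEN = 24


def _packed_date(raw: bytes) -> str:
    """Decode a 4-byte packed SMF date 0cyydddF to ISO yyyy-mm-dd (c=0 -> 19xx, c=1 -> 20xx)."""
    digits = raw.hex()
    if digits[0] != "0" or digits[7] != "f":
        raise ValueError(f"bad packed date {digits}")
    century, yy, ddd = int(digits[1]), int(digits[2:4]), int(digits[4:7])
    return (date(1900 + 100 * century + yy, 1, 1) + timedelta(days=ddd - 1)).isoformat()


def _time_of_day(hundredths: int) -> str:
    """SMF time is hundredths of a second since midnight; render as hh:mm:ss.hh."""
    secs, hh = divmod(hundredths, 100)
    h, rem = divmod(secs, 3600)
    m, s = divmod(rem, 60)
    return f"{h:02d}:{m:02d}:{s:02d}.{hh:02d}"


def parse_smf_header(rec: bytes) -> dict:
    """Return the page's header fields (Rtype, SubT, SID, Timestamp) from a raw SMF record."""
    if len(rec) < SMF_HEADER_LEN:
        raise ValueError("record shorter than an SMF header")
    length, _seg, _flg, rty, tme = struct.unpack(">HHBBI", rec[:10])
    if length > len(rec):
        raise ValueError(f"length field {length} exceeds buffer of {len(rec)} bytes")
    (sty,) = struct.unpack(">H", rec[22:24])  # halfword at displacement 22 = SMFXXSTY / SubT
    return {
        "Rtype": rty,
        "SubT": sty,
        "SID": rec[14:18].decode("cp037").rstrip(),
        "Timestamp": f"{_packed_date(rec[10:14])} {_time_of_day(tme)}",
    }


def build_sample_record() -> bytes:
    """Constructed sample: header-only type 30 subtype 5 record from SYS1 at 12:34:56.78 on 2024-04-09."""
    return (struct.pack(">HHBBI", SMF_HEADER_LEN, 0, 0x5E, 30, 4529678)
            + bytes.fromhex("0124100F")
            + "SYS1".encode("cp037") + "JES2".encode("cp037")
            + struct.pack(">H", 5))


if __name__ == "__main__":
    print(parse_smf_header(build_sample_record()))
```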

For more information, see ACF2-Specific-SMF-Common-fields.
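The EventPrivilege (PrivStat) codes in the table describe per-userid state kept for one execution of BMC AMI Defender. The following tracker is an added example, not the product's code: it assumes the SPECIAL, OPERATIONS, AUDITOR and PRIVILEGED ACEE attributes are what make a user privileged, and reports a changed set that gains no new attribute as ‘K’, since the page does not define that case.

```python
# Assumed privilege-conferring attributes, keyed by the page's ACEE tag names.
PRIV_FLAGS = ("ACEESPEC", "ACEEOPER", "ACEEAUDT", "ACEEPRIV")

# EventPrivilegeD (PrivStatD) text for each PrivStat code, as listed on the page.
PRIVSTAT_TEXT = {
    " ": "Normal user",
    "K": "Known Privileged",
    "P": "New Privileged",
    "E": "Escalated privileges",
}


class PrivilegeTracker:
    """Assigns a PrivStat code per event, remembering each userid's last-seen privileges."""

    def __init__(self):
        self._seen = {}  # userid -> frozenset of privilege flags at last observation

    def classify(self, userid: str, acee_flags: dict) -> tuple:
        """Return (PrivStat code, newly gained flags) for one event's ACEE flag values."""
        privs = frozenset(f for f in PRIV_FLAGS if acee_flags.get(f))
        last = self._seen.get(userid)
        self._seen[userid] = privs
        if not privs:
            return (" ", [])          # not privileged; blank is normally suppressed on output
        if last is None:
            return ("P", sorted(privs))  # first sighting in this execution, and privileged
        gained = sorted(privs - last)
        if gained:
            return ("E", gained)      # unprivileged or lesser before, escalated now (cf. PrivChgD)
        return ("K", [])              # seen before with the same (assumption: or reduced) privileges


def describe(code: str) -> str:
    """Map a PrivStat code to its PrivStatD text."""
    return PRIVSTAT_TEXT[code]


if __name__ == "__main__":
    # Constructed sample events, in order of arrival.
    t = PrivilegeTracker()
    for uid, flags in [("USER1", {}), ("ADMIN1", {"ACEESPEC": True}),
                       ("ADMIN1", {"ACEESPEC": True}), ("USER1", {"ACEEOPER": True})]:
        code, gained = t.classify(uid, flags)
        print(uid, repr(code), describe(code), gained)
```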
