SMF 80 statement
SMF Type 80 records are written for security events. Security events include both problems such as a user attempting to log on with an invalid password as well as non-problem events such as RACF’s granting access to a particular resource to a particular user.
The statement described here is for RACF. For CA Top Secret SMF Type 80 formatting, see The SMF TSS80 Statement.
You might want to monitor. Type 80 records to keep track of security events. The SMF 80 statement indicates that Type 80 records are to be collected and forwarded to your syslog console. If you code an SMF 80 statement, then by default all SMF Type 80 records are forwarded to your BMC Defender Server or syslog console with a facility of Security (4) and a severity of informational, except for those records where RACF sets bit 0 (the event is a violation) or bit 3 (the event is a warning) in the field SMF80DES. Those records are forwarded by default with a severity of error or warning respectively.
While these events have non-zero qualifier codes (that usually indicate an error or violation), these events are in fact generally routine and benign (as the description successful would indicate). You might want to suppress these events by coding EVENTS(1.12 1.13 SEV(SUP)) on your SMF 80 statement.
If you code more than one SMF 80 statement, then a subsequent SMF 80 statement replaces any SMF 80 statement(s) that came before.
SMF 80 | Must be specified as shown. |
DESCription | The description parameter is depreciated and is accepted only for compatibility purposes. |
EVENTs | Specifies one or more SMF record Type 80 event codes and the syslog severity to be assigned to them. Specify the event code or codes in one or more of the following formats. |
eventcode | Specifies a single event code. |
.qualifier | Specifies a single qualifier for all events. The primary intent of the .qualifier syntax is to allow you to suppress or push down the severity of dot zero events (these all indicate some sort of successful access) but qualifier might be used with any valid qualifier number. |
eventcode.qualifier | Specifies a single event code and qualifier. |
eventcode.qualifier:qualifier | Specifies a range of qualifiers of a single event code. |
eventcode:eventcode | Specifies a range of event codes. For all of the formats, eventcode must be in the range 1 to 255 and qualifier must be in the range 0 to 63. EVENT(8 10.2 6:2:3 12:14 SEV(WARN)) specifies that event codes 8, 12, 13, and 14, and event code/qualifiers 10.2, 6.2, and 6.3 are to be forwarded with a severity of Warning. |
INHibit | Specifies that the writing of the SMF record type 80 to the SMF data sets or logstream is to be inhibited by BMC AMI Defender. SMF record type 80 is processed by BMC AMI Defender, but then inhibited from further processing by SMF. |
SEVERITY(severity) | Specifies the syslog severity for the specified event codes. See Syslog-facilities-and-severities. There are two possible operands of SEVERITY that are not RFC 3164 severities, SUPPRESS and DEFAULT. SUPPRESS indicates that the specified event records are not to be forwarded to the syslog server at all. DEFAULT restores the default severity processing based on the SMF80DES bit flags as described. If TRACE(PARM) is specified on the options statement, then the specified severity for each event and qualifier where there is an event map entry and displays in message CZA0242I. |
FACILITY(facility-name) | Specifies the RFC 3164 facility that is to be indicated as the origin of the syslog records corresponding to SMF Type 80 records. If you omit this parameter, it defaults to SECURITY4. If you would like a different facility indicated, code one of the RFC 3164 facility names as listed in Syslog-facilities-and-severities. |
FIELDs(fieldname…) | Specifies the names of the SMF Type 80 record fields that are to be transmitted to the BMC Defender Server or other syslog console, and the order where they are to appear in the message. Specify one or more of the fields as described in FIELDS-parameter. |
filter-specification | |
LOG | |
LOG(HEX) | Specifies that the selected SMF records are to be logged on CZAPRINT and optionally dumped in hexadecimal and character format. This parameter is intended primarily for diagnostic purposes. Use care in specifying LOG(HEX) as it might generate a large volume of print records, especially if BMC AMI Defender is left running for several hours or more. |
PROCess(‘process-tag’) | Specifies the tag that appears at the start of SMF 80 syslog messages, following the priority, timestamp and hostname, and preceding the formatted fields. Specify the exact process tag that you want to include in syslog messages including any spaces and punctuation. Process-tag might be any length from the null string (‘’) to 32 characters. If SMF 80 PROCess is omitted, it defaults to RACF followed by the leading delimiter from OPTIONS DELIM. |