SMF 83 statement


SMF type 83 records are RACF audit records for data sets.

[Figure: SMF-83.png]

For information about filterSpecifications, see FILTER-and-MATCH-parameters.

Note: Your installation might have customized RACF to suppress the writing of records on certain events.

You might want to monitor type 83 records to keep track of audit records. The SMF 83 statement indicates that type 83 records are to be collected and forwarded to your syslog console. If you code an SMF 83 statement, then by default all SMF type 83 records are forwarded to your BMC Defender Server or syslog console with a facility of Security (4) and a severity of Informational.

If you code more than one SMF 83 statement, then a subsequent SMF 83 statement replaces any SMF 83 statements that came before.

Parameter

Description

SMF 83

Must be specified as shown.

DESCription

The DESCription parameter is deprecated and is accepted only for compatibility purposes.

EVENTs

One or more SMF record type 80 event codes and the syslog severity to be assigned to them

Specify the event code or codes in one or more of the following formats. For all of the formats, eventCode must be in the range 1 to 255 and qualifier must be in the range 0 to 63.

Format

Description

eventCode

Single event code

For example, EVENT(1 SEV(ERR)) specifies that event code 1 events (all qualifiers) are forwarded with a severity of Error.

.qualifier

Single qualifier for all events

For example, if you code EVENT( .0 SEV(SUP)), then qualifier 0 of every event code (1.0, 2.0, 3.0, and so on) is suppressed.

The primary intent of the .qualifier syntax is to let you suppress, or lower the severity of, the dot-zero events (these all indicate some sort of successful access), but .qualifier may be coded with any valid qualifier number.

eventCode.qualifier

Single event code and qualifier

For example, EVENT(7.0 SEV(INFO)) specifies that all event code 7 qualifier 0 records are forwarded with severity Informational.

eventCode.qualifier:qualifier

Specifies a range of qualifiers of a single event code

For example, EVENT(5.2:4 SEV(WARN)) specifies that qualifiers 2, 3, and 4 of event code 5 are forwarded with a severity of Warning.

eventCode:eventCode

Specifies a range of event codes

For example, EVENT(5:9 SEV(NOTICE)) specifies that all records with event codes 5, 6, 7, 8, and 9 are forwarded with a severity of Notice.


Note: The event code or codes can be specified more than once.

For example, EVENT(8 10.2 6.2:3 12:14 SEV(WARN)) specifies that event codes 8, 12, 13, and 14, and event code/qualifier combinations 10.2, 6.2, and 6.3, are to be forwarded with a severity of Warning.

SEVERITY(severity) specifies the syslog severity for the event code. See Syslog-facilities-and-severities. There are two operands of SEVERITY that are not RFC 3164 severities:

  • SUPPRESS indicates that the specified event records are not to be forwarded to the syslog server at all.
  • DEFAULT restores the default severity processing based on the SMF80DES bit flags as described.

For example, you could code EVENT(2 SEV(NOTICE)) EVENT(2.1:5 SEV(DEFAULT)) to indicate that event code 2 records are to have a severity of Notice, except for qualifiers 1 through 5, which are to have the default severity.

If TRACE(PARM) is specified on the OPTIONS statement, then the specified severity for each event and qualifier for which there is an event map entry is displayed in message CZA0242I.
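To make the EVENT resolution rules above concrete, the following Python model is an added example, not BMC AMI Defender code. It expands each documented specification form (eventCode, .qualifier, eventCode.qualifier, eventCode.qualifier:qualifier, eventCode:eventCode), applies the EVENT clauses of a statement in coding order so that SEV(SUPPRESS) and SEV(DEFAULT) behave as described, keeps only the last SMF 83 statement coded, and computes the RFC 3164 PRI value for the default SECURITY4 facility. Two things are assumptions of this model rather than documented behaviour: it accepts any unambiguous severity prefix of at least three letters (ERR, WARN, INFO, SUP, and so on), and it falls back to Informational when no event map entry applies, whereas the product's default processing depends on the SMF80DES bit flags, which this model does not read.

```python
import re

# RFC 3164 severity numbers, keyed by the full name this model canonicalizes to.
RFC3164_SEVERITY = {
    "EMERGENCY": 0, "ALERT": 1, "CRITICAL": 2, "ERROR": 3,
    "WARNING": 4, "NOTICE": 5, "INFORMATIONAL": 6, "DEBUG": 7,
}
# The two SEVERITY operands that are not RFC 3164 severities.
SUPPRESS, DEFAULT = "SUPPRESS", "DEFAULT"
FACILITY_SECURITY4 = 4               # default facility for SMF 83 records
DEFAULT_SEVERITY = "INFORMATIONAL"   # ASSUMPTION: stand-in for SMF80DES-based default processing

_EVENT_CLAUSE = re.compile(r"EVENTS?\(\s*(.*?)\s*SEV(?:ERITY)?\(\s*(\w+)\s*\)\s*\)", re.I)
_SPEC = re.compile(r"(?:(\d+)(?::(\d+))?)?(?:\.(\d+)(?::(\d+))?)?")


def canonical_severity(name):
    """Map a severity abbreviation (ERR, WARN, INFO, SUP, ...) to its full name.
    ASSUMPTION: any unambiguous prefix of at least three letters is accepted."""
    name = name.upper()
    hits = [full for full in list(RFC3164_SEVERITY) + [SUPPRESS, DEFAULT]
            if full.startswith(name)]
    if len(name) < 3 or len(hits) != 1:
        raise ValueError(f"unknown severity {name!r}")
    return hits[0]


def expand_spec(spec):
    """Expand one event specification into the (eventCode, qualifier) pairs it names.
    Enforces the documented limits: event code 1-255, qualifier 0-63."""
    m = _SPEC.fullmatch(spec)
    if not spec or m is None:
        raise ValueError(f"bad event specification {spec!r}")
    c1, c2, q1, q2 = m.groups()
    if c2 is not None and q1 is not None:
        raise ValueError(f"an event code range cannot carry a qualifier: {spec!r}")
    codes = range(int(c1), int(c1 if c2 is None else c2) + 1) if c1 is not None else range(1, 256)
    quals = range(int(q1), int(q1 if q2 is None else q2) + 1) if q1 is not None else range(0, 64)
    if not codes or not quals or codes[0] < 1 or codes[-1] > 255 or quals[-1] > 63:
        raise ValueError(f"event code must be 1-255 and qualifier 0-63: {spec!r}")
    return [(c, q) for c in codes for q in quals]


def build_event_map(statements):
    """Resolve the EVENT clauses of the SMF 83 statements given in coding order.
    Only the last statement counts, because a later SMF 83 statement replaces the
    earlier ones. Within it, clauses apply left to right; SEV(DEFAULT) removes an
    entry so those events return to default severity processing."""
    event_map = {}
    if not statements:
        return event_map
    for specs, sev_name in _EVENT_CLAUSE.findall(statements[-1]):
        sev = canonical_severity(sev_name)
        for spec in specs.split():
            for key in expand_spec(spec):
                if sev == DEFAULT:
                    event_map.pop(key, None)
                else:
                    event_map[key] = sev
    return event_map


def syslog_severity(event_map, code, qual, default=DEFAULT_SEVERITY):
    """Severity a record with this event code and qualifier is forwarded with,
    or None when the record is suppressed."""
    sev = event_map.get((code, qual), default)
    return None if sev == SUPPRESS else sev


def syslog_pri(facility, severity_name):
    """RFC 3164 PRI value: facility * 8 + severity."""
    return facility * 8 + RFC3164_SEVERITY[severity_name]


if __name__ == "__main__":
    # Constructed sample statements; the first one is replaced by the second.
    statements = [
        "SMF 83 EVENT(1 SEV(ERR))",
        "SMF 83 EVENT(.0 SEV(SUP)) EVENT(8 10.2 6.2:3 12:14 SEV(WARN)) "
        "EVENT(2 SEV(NOTICE)) EVENT(2.1:5 SEV(DEFAULT))",
    ]
    emap = build_event_map(statements)
    for code, qual in [(1, 0), (3, 0), (8, 0), (13, 7), (6, 3), (6, 4), (2, 0), (2, 3), (2, 9)]:
        sev = syslog_severity(emap, code, qual)
        if sev is None:
            print(f"{code}.{qual}: suppressed")
        else:
            print(f"{code}.{qual}: {sev} PRI={syslog_pri(FACILITY_SECURITY4, sev)}")
```

Running the sample shows the ordering rules: 1.0 and 3.0 are suppressed by the .0 clause (the earlier statement's SEV(ERR) for event 1 no longer applies), but 8.0 and 2.0 are not, because the later 8 and 2 clauses override the .0 entry; 2.3 falls back to the default severity after SEV(DEFAULT) removed its entry, while 2.9 keeps Notice.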

INHibit

Specifies that the writing of SMF record type 83 to the SMF data sets or log stream is to be inhibited by BMC AMI Defender.

SMF record type 83 is processed by BMC AMI Defender, but then inhibited from further processing by SMF.

FACILITY(facilityName)

Specifies the RFC 3164 facility that is to be indicated as the origin of the syslog records corresponding to SMF type 83 records

If you omit this parameter, it defaults to SECURITY4. If you would like a different facility indicated, code one of the RFC 3164 facility names as listed in Syslog-facilities-and-severities.

FIELDs(fieldName…)

Specifies the names of the SMF type 83 record fields that are to be transmitted to the BMC Defender Server or other syslog console, and the order where they are to appear in the message

Specify one or more of the fields as described in FIELDS-parameter.

filterSpecification

For information about filterSpecifications, see FILTER-and-MATCH-parameters.

LOG | LOG(HEX)

Specifies that the selected SMF records are to be logged on CZAPRINT and optionally dumped in hexadecimal and character format

This parameter is intended primarily for diagnostic purposes. Use care in specifying LOG(HEX) as it might generate a large volume of print records, especially if BMC AMI Defender is left running for several hours or more.

PROCess('processTag')

Specifies the tag that appears at the start of SMF 83 syslog messages, following the priority, timestamp and hostname, and preceding the formatted fields

Specify the exact process tag that you want to include in syslog messages, including any spaces and punctuation. The process tag can be any length from the null string ('') to 32 characters. If SMF 83 PROCess is omitted, it defaults to RACF followed by the leading delimiter from OPTIONS DELIM.


BMC AMI Defender for z/OS 6.0