SMF TSS231 statement


SMF Type 231 records are written by CA Top Secret (TSS) for Unix System Services security events. Security events include both problems and non-problem events, such as TSS granting a particular user access to a particular resource. For legacy MVS events, see SMF TSS80.



Note

Your installation might have customized TSS to suppress the writing of records on certain events.

You might want to monitor Type 231 records to keep track of security events. The SMF TSS231 statement indicates that Type 231 records are to be collected and forwarded to your syslog console. If you code an SMF TSS231 statement, then by default all SMF Type 231 records are forwarded to your BMC Defender Server or syslog console with a facility of Security (4) and a severity of informational, except for those records for which TSS sets bit 0 (the event is a violation) or bit 3 (the event is a warning) in the field SMF80DES. Those records are forwarded by default with a severity of error or warning, respectively.

If you code more than one SMF TSS231 statement, a later SMF TSS231 statement replaces any SMF TSS231 statements that came before it.

SMF TSS231(recordtype)

Must be specified. For recordtype, code a single numeric value between 0 and 255 (usually a value between 128 and 255) that specifies the SMF record type number that you have configured your installation of TSS to use. If (recordtype) is omitted, it defaults to 231.

EVENTs

Specifies one or more SMF record Type 231 event codes and the syslog severity to be assigned to them. Specify the event code or codes in one or more of the following formats.

eventcode

Specifies a single event code.

Example

EVENT(1 SEV(ERR)) specifies that event code 1 events are to be forwarded with a severity of error.

eventcode:eventcode

Specifies a range of event codes.

Example

EVENT(55:59 SEV(NOTICE)) specifies that all event code 55, 56, 57, 58, and 59 records are to be forwarded with a severity of notice.

For both of the preceding formats, eventcode may be specified as an integer or as a single character in quotes and must be in the range 1 to 255 (any quoted character satisfies this requirement). If you specify a range of quoted characters such as 'S':'T', then you must enclose the entire operand in quotes, for instance, 'S':'T'.

Note

The same event code or codes may be specified more than once.

Example

EVENT(52 50:54 SEV(WARN)) specifies that event codes 50, 51, 52, 53, and 54 are to be forwarded with a severity of warning.

SEVERITY(severity)

Specifies the syslog severity for the specified event codes. See Syslog-facilities-and-severities. Two possible operands of SEVERITY are not RFC 3164 severities: SUPPRESS and DEFAULT. SUPPRESS indicates that the specified event records are not to be forwarded to the syslog server at all. If TRACE(PARM) is specified on the OPTIONS statement, the severity assigned to each event for which there is an event map entry is displayed in message CZA0242I.
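The following Python is an added illustration, not BMC AMI Defender code: it models the severity rules documented on this page (the SMF80DES defaults from the introduction, EVENT(... SEV(...)) overrides including SUPPRESS and DEFAULT, and the rule that a later SMF TSS231 statement replaces earlier ones) so an administrator can predict what a statement will do before loading it. It assumes IBM bit numbering for the first byte of SMF80DES (bit 0 = 0x80, bit 3 = 0x10) and handles integer event codes and ranges only, not the quoted-character form.

```python
import re

# IBM bit numbering starts at the high-order bit, so in the first byte of
# SMF80DES bit 0 is 0x80 and bit 3 is 0x10 (assumption: only that byte is modelled).
SMF80DES_VIOLATION = 0x80  # bit 0: the event is a violation
SMF80DES_WARNING = 0x10    # bit 3: the event is a warning

# Matches each EVENT(<codes> SEV(<severity>)) operand of a statement.
# Codes are integers or integer ranges such as 50:54; quoted characters are not modelled.
EVENT_RE = re.compile(r"EVENT\(\s*([^)]*?)\s+SEV(?:ERITY)?\((\w+)\)\s*\)", re.IGNORECASE)


def parse_events(statement):
    """Return {event_code: SEVERITY} for the EVENT operands of one SMF TSS231 statement."""
    event_map = {}
    for codes, severity in EVENT_RE.findall(statement):
        for token in codes.split():
            lo, _, hi = token.partition(":")
            lo, hi = int(lo), int(hi or lo)
            if not 1 <= lo <= hi <= 255:          # documented range for eventcode
                raise ValueError(f"event code out of range: {token}")
            for code in range(lo, hi + 1):
                event_map[code] = severity.upper()  # a code may be given more than once
    return event_map


def build_event_map(statements):
    """Only the last SMF TSS231 statement counts: a later one replaces all earlier ones."""
    tss231 = [s for s in statements if re.match(r"\s*SMF\s+TSS231", s, re.IGNORECASE)]
    return parse_events(tss231[-1]) if tss231 else {}


def default_severity(smf80des):
    """Severity used when no EVENT entry covers the event, or the entry says DEFAULT."""
    if smf80des & SMF80DES_VIOLATION:
        return "ERR"
    if smf80des & SMF80DES_WARNING:
        return "WARN"
    return "INFO"


def resolve_severity(event_map, event_code, smf80des):
    """Syslog severity for one record, or None when the record is SUPPRESSed."""
    severity = event_map.get(event_code, "DEFAULT")
    if severity == "SUPPRESS":
        return None
    if severity == "DEFAULT":
        return default_severity(smf80des)
    return severity
```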

FACILITY(facility-name)

Specifies the RFC 3164 facility that is to be indicated as the origin of the syslog records corresponding to SMF Type 231 records. If you omit this parameter, it defaults to SECURITY4. If you would like a different facility indicated, code one of the RFC 3164 facility names as listed in Syslog-facilities-and-severities.

FIELDs(fieldname…)

Specifies the names of the SMF Type 231 record fields that are to be transmitted to the BMC Defender Server or other syslog console, and the order in which they are to appear in the message. Specify one or more of the fields as described in FIELDS-parameter.

filter-specification

INHibit

Specifies that the writing of the specified SMF record type to the SMF datasets and logstream is to be inhibited by BMC AMI Defender. The specified SMF record type is processed by BMC AMI Defender but then inhibited from further processing by SMF.

LOG

LOG(HEX)

Specifies that the selected SMF records are to be logged on CZAPRINT and optionally dumped in hexadecimal and character format. This parameter is intended primarily for diagnostic purposes. Use care in specifying LOG(HEX) as it might generate a large volume of print records, especially if BMC AMI Defender is left running for several hours or more.

PROCess(‘process-tag’)

Specifies the tag that appears at the start of SMF TSS231 syslog messages, following the priority, timestamp, and hostname, and preceding the formatted fields. Specify the exact process tag that you want to include in syslog messages, including any spaces and punctuation. The process tag may be any length from the null string ('') to 32 characters. If SMF TSS231 PROCess is omitted, it defaults to TSS231 followed by the leading delimiter from OPTIONS DELIM.


BMC AMI Defender for z/OS 6.0