Supported API event types, SMF types, and associated process tags
BMC AMI Defender supports the following API event types and SMF record types. The tables also list the default process tag for each type and, where applicable, links to reference information about FIELDS parameters.
API event types
BMC AMI Defender receives information from the following event types through the API or log stream. The default process tag is displayed at the start of the syslog message for the indicated type (following the priority, time stamp, and host name).
Event type | Short description | Default process tag | FIELDS parameter reference |
|---|---|---|---|
ChangeMan | Message data sent from the Micro Focus (formerly Serena) ChangeMan product through the BMC AMI Defender API. For configuration details, see the ChangeMan product technical documentation. | ChangeMan | |
Console | z/OS console message processing. For more information, see the Defining-CONSOLE-SETs topic. | Console | |
CorreLog | See SMF record type 202 (later in this topic). | CorreLog | |
DIAG | Diagnostic formatting of indicated SMF number | Diag | |
| Used for generic records, not specific records | Generic | |
| IMS logtype 1 | IMS_1_3 | |
| IMS logtype 3 | IMS_1_3 | |
| IMS logtype 10 | IMS_10 | |
| IMS logtype 16 | IMS_16 | |
| IMS logtype 22 | IMS_22 | |
| IMS logtype 24 | IMS_24 | |
| IMS logtype 50 | IMS_50 | |
| IMS logtype F8 | IMS_F8 | |
IND$FILE | Monitors all IND$FILE download and upload activities. Requires the installation of the IND$defender component. For more information, see the IND-defender and Customizing-BMC-AMI-IND-defender-to-report-IND-FILE-activity topics. See also SMF record type 202 (later in this topic). | IND$FILE | |
JOBLOG | JES job log processing captures JES2 and JES3 output. | JOBLOG | |
Log4j | Log4j events for Java log-format messages; can also be configured as SMF record type 109 (later in this topic) | Log4j | |
LSPACE | DASD free space. Monitors DASD usage of the Db2 STC so that an alert is raised before space runs out. For more information, see the EVENT-LSPACE-fields topic. | LSPACE | |
OPERINS | Streams Db2 activity data to the BMC AMI Defender for Operational Insight product | Oper_Insight | |
SMF record types
BMC AMI Defender receives information from the following system management facilities (SMF) types.
Some of the entries in the SMF type column have hyperlinks to additional information that is specific to BMC AMI Defender. Some are marked as variable, meaning that the record type shown is only the default and you can substitute any available value (see the 128 through 255 range later in this table). For more information about SMF record types, see the SMF records section of the IBM publication z/OS MVS System Management Facilities (SMF).
The Short description column displays the hexadecimal value of the record type in parentheses.
The Default process tag column presents what is displayed at the start of the syslog message for the indicated type (following the priority, time stamp, and host name).
SMF type | Short description | Default process tag | FIELDS parameter reference |
|---|---|---|---|
0 | Record type 0 (00), IPL | IPLHeader | |
7 | Record type 7 (07), Data lost | Data_Lost | |
8 | Record type 8 (08), I/O configuration | DeviceInfo | |
9 | Record type 9 (09), VARY device ONLINE. Use case: A system programmer receives immediate notification when a new device is brought online outside the schedule. | DeviceInfo | |
11 | Record type 11 (0B), VARY device OFFLINE | DeviceInfo | |
14 | Record type 14 (0E), INPUT or RDBACK data set activity | DS_Input | |
15 | Record type 15 (0F); OUTPUT, UPDAT, INOUT, or OUTIN data set activity | DS_Output | |
17 | Record type 17 (11), Scratch data set status | DS_Scratch | |
18 | Record type 18 (12), Rename non-VSAM data set status | Rename | |
22 | Record type 22 (16), Configuration. Use case: A system programmer can use BMC AMI Defender to capture and track configuration changes and thereby demonstrate compliance to an auditor. | CONFIG | |
26 | Record type 26 (1A), JES2/JES3 job purge. Use case: Similar to SMF record types 55 through 58, this type is written for network job entry (NJE) activity. | JES_Network | |
30 | Record type 30 (1E), Common address space work | NA | |
32 | Record type 32 (20), TSO/E user work accounting. Use case: A security analyst can track anomalous behavior to identify a threat actor enumerating a logical partition (LPAR) for valuable information. | TSOUserWrkAcct | |
42 | Record type 42 (2A), DFSMS statistics and configuration | DFSMS | |
43 | Record type 43 (2B), JES2/JES3 start. Use case: A machine learning algorithm notices a job starting at an unusual time and alerts the system programmer that something atypical is happening on the system. | JES | |
55 | Record type 55 (37), JES2 network SIGNON. Use case: A security analyst notices two signon attempts in quick succession, which can indicate a man-in-the-middle (MITM) attack. | JES_Network | |
56 | Record type 56 (38), JES2 network integrity. Use case: A security analyst receives a real-time alert about an attempt to break into a mainframe using NJE. | JES_Network | |
57 | Record type 57 (39), JES2 network SYSOUT transmission and JES3 networking transmission. Use case: A security analyst sees all the NJE activity that an attacker exploited and responds to the threat effectively. | JES_Network | |
58 | Record type 58 (3A), JES2 network SIGNOFF. Use case: A security analyst uses the session records to quickly identify all NJE actions during an analysis of anomalous activity. | JES_Network | |
60 | Record type 60 (3C), VSAM volume data set updated | VSAM_Volume | |
61 | Record type 61 (3D), Integrated catalog facility define activity | ICF_Define | |
62 | Record type 62 (3E), VSAM component or cluster opened | VSAM_Open | |
64 | Record type 64 (40), VSAM component or cluster status | VSAM_Status | |
65 | Record type 65 (41), Integrated catalog facility delete activity | ICF_Delete | |
66 | Record type 66 (42), Integrated catalog facility alter activity | ICF_Alter | |
70 | Record type 70 (46), RMF processor activity | RMF_CPU | |
71 | Record type 71 (47), RMF paging activity | RMF_Paging | |
72 | Record type 72 (48), Workload activity, storage data, and serialization delay | RMF_Workload | |
73 | Record type 73 (49), RMF channel path activity | RMF_Channel | |
74 | Record type 74 (4A), RMF activity of several resources | RMF_Resources | |
75 | Record type 75 (4B), RMF page data set activity | RMF_PageDataset | |
76 | Record type 76 (4C), RMF trace activity | RMF_Trace | |
77 | Record type 77 (4D), RMF enqueue activity | RMF_Enqueue | |
78 | Record type 78 (4E), RMF virtual storage and I/O queuing activity | RMF78_VS_IO | |
79 | Record type 79 (4F), RMF monitor II activity | RMF_Monitor_II | |
80 | Record type 80 (50), Security product processing. Use case: A security analyst receives an alert that a single host tried to log in to 1,000 accounts with the same password and failed (password spraying). | NA | |
| Record type TSS80, CA Top Secret (TSS) processing | TSS80 | |
81 | Record type 81 (51), RACF initialization. Use case: A security administrator can use the additional RACF information to see numerous initializations, which indicate that a user is making more modifications than historically normal. | NA | |
82 | Record type 82 (52), ICSF record | ICSF | |
83 | Record type 83 (53), RACF audit record for data sets. Use case: A security administrator can use the additional RACF information to see that a user is making more modifications than historically normal. | NA | |
89 | Record type 89 (59), Usage data | Usage_Data | |
90 | Record type 90 (5A), System status | System_Status | |
92 | Record type 92 (5C), File system activity | zFS | |
100 | Record type 100 (64), Db2 statistics | DB2 | |
101 | Record type 101 (65), Db2 accounting | DB2 | |
102 | Record type 102 (66), Db2 performance | DB2 | |
109 | Record type 109 (6D), TCP/IP statistics. See also Log4j (earlier in this topic). Use case: A mainframe administrator monitoring Log4j messages immediately identifies a mainframe application behaving abnormally under a denial-of-service (DoS) attack and can take remediating action. | Syslogd | |
110 | Record type 110 (6E), CICS TS for z/OS statistics. Use case: A system programmer receives notification about a dramatic spike in CICS transactions, which can indicate an automated attack. | CICS | |
113 | Record type 113 (71), Hardware capacity, reporting, and statistics | Hardware_Capacity | |
115 | Record type 115 (73), MQSeries statistics | MQ_Stats | |
116 | Record type 116 (74), MQ accounting | MQ_Accounting | |
119 | Record type 119 (77), TCP/IP statistics. Use case: A security analyst can see connections to the mainframe on atypical ports, indicating a possible malicious command-and-control channel. | TCP/IP | |
120 | Record type 120 (78), WebSphere Application Server for z/OS performance statistics. Use case: A security administrator can see WebSphere Application Server actions occurring under a privileged account far outside normal working hours and can investigate whether the user behavior is legitimate. | Websphere | |
128 – 255 | User-definable range; when a default type marked variable conflicts with another product, any available number in this range can be substituted | Not applicable | |
202 (variable) | BMC AMI IND$defender records. Monitors all IND$FILE download and upload activities. Requires the installation of the IND$defender component. See also IND$FILE and CorreLog (earlier in this topic). | CorreLog | |
205 (variable) | Compuware Abend-AID audit | Abend-AID | |
220 (variable) | Compuware Application Audit SMF | App_Audit | |
230 (variable) | ACF2 processing. For more information, see the SMF-ACF2-statement topic. | ACF2 | |
231 (variable) | CA Top Secret TSS for Unix System Services security events | TSS231 | |
249 (variable) | Action Software International | eventAction | |
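Because the process tag is the first token after the host name, it is the natural key for routing the Defender syslog stream in a SIEM and for building the detections the use cases above describe. The following Python is an added example written for this page; it is not BMC code and does not use the product API. It parses lines in the order the page gives (priority, time stamp, host name, process tag), maps the tag back to the record type using entries from the tables above, and implements the SMF 55 use case of flagging repeated NJE signons on one host within a short window. The RFC 3164 framing (`<PRI>Mon dd hh:mm:ss host TAG message`), the year supplied for the year-less time stamp, the window and threshold values, and the sample lines with their message bodies are all assumptions constructed for the example.

```python
"""Parse process-tagged syslog lines and flag NJE signon bursts.

Added example; the line layout and sample data are assumptions, not the
documented BMC AMI Defender message format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Subset of default process tags from the tables on this page and the
# record type each one is the default for (illustrative, not exhaustive).
TAG_TO_TYPE = {
    "IPLHeader": "SMF 0 (IPL)",
    "JES_Network": "SMF 26/55/56/57/58 (NJE)",
    "TSOUserWrkAcct": "SMF 32 (TSO/E user work accounting)",
    "ICSF": "SMF 82 (ICSF)",
    "TCP/IP": "SMF 119 (TCP/IP statistics)",
    "IND$FILE": "IND$FILE API event",
    "ACF2": "SMF 230 (ACF2, variable)",
}

# Assumed RFC 3164 framing: <PRI>, time stamp, host name, process tag, message.
# The page fixes only the order; the byte layout is this example's assumption.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>\S+)"          # tags such as IND$FILE and TCP/IP contain symbols
    r"(?: (?P<msg>.*))?$"
)


def parse_line(line, year=2024):
    """Return a dict for a well-formed line, or None for anything else."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:                      # RFC 3164: facility 0-23, severity 0-7
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    tag = m.group("tag")
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "timestamp": ts,
        "host": m.group("host"),
        "tag": tag,
        "type": TAG_TO_TYPE.get(tag, "unknown tag"),
        "msg": m.group("msg") or "",
    }


def find_bursts(events, tag, window, threshold):
    """Sliding window per host: return (host, first_ts, count) whenever at
    least `threshold` events carrying `tag` fall within `window` seconds."""
    hits = []
    per_host = defaultdict(deque)
    tagged = sorted((e for e in events if e["tag"] == tag),
                    key=lambda e: e["timestamp"])
    for ev in tagged:
        q = per_host[ev["host"]]
        q.append(ev["timestamp"])
        while q and ev["timestamp"] - q[0] > timedelta(seconds=window):
            q.popleft()
        if len(q) >= threshold:
            hits.append((ev["host"], q[0], len(q)))
            q.clear()                  # report each burst once
    return hits


# Constructed sample lines (assumed bodies; MVSA/MVSB are invented host names).
SAMPLE_LINES = [
    "<14>Mar 10 09:00:01 MVSA IPLHeader IPL complete",
    "<14>Mar 10 09:12:05 MVSA JES_Network SIGNON node=NODEB user=NJEUSR1",
    "<14>Mar 10 09:12:07 MVSA JES_Network SIGNON node=NODEB user=NJEUSR1",
    "<14>Mar 10 09:12:09 MVSB JES_Network SIGNON node=NODEA user=NJEUSR2",
    "<12>Mar 10 09:30:44 MVSA TCP/IP connection port=4444 remote=198.51.100.7",
    "<14>Mar 10 09:31:00 MVSA IND$FILE UPLOAD user=TSOUSR1 dsn=PROD.PAYROLL",
    "garbage line without syslog framing",
]


def analyse(lines):
    """Parse, count events per process tag, and run the SMF 55 burst check."""
    events = [e for e in map(parse_line, lines) if e is not None]
    by_tag = defaultdict(int)
    for e in events:
        by_tag[e["tag"]] += 1
    bursts = find_bursts(events, "JES_Network", window=5, threshold=2)
    return events, dict(by_tag), bursts


if __name__ == "__main__":
    evs, counts, bursts = analyse(SAMPLE_LINES)
    for e in evs:
        print(f"{e['timestamp']} {e['host']:5} {e['tag']:15} -> {e['type']}")
    print("events per tag:", counts)
    for host, first, n in bursts:
        print(f"ALERT {host}: {n} NJE signons within 5s starting {first}")
```

Routing on the tag rather than on message text matters because the tag is configurable per type (the "Default process tag" column); if a site changes a tag, the `TAG_TO_TYPE` map is the only place the detection needs updating. Lines that fail the frame check are dropped rather than guessed at, so malformed input cannot masquerade as a security event.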