Limited supportBMC provides limited support for this version of the product. As a result, BMC no longer accepts comments in this space. If you encounter problems with the product version or the space, contact BMC Support.BMC recommends upgrading to the latest version of the product. To see documentation for that version, see BMC AMI Datastream for z/OS 7.1.

SMF common fields

You can specify these fields in the FIELDS parameter of any SMF statement.

Name

(Filter)

Tag

CEF Name

Description

EventJobID

(EGNX)

EventJobID


Job ID (job number)

EventJobName

(EGNX)

JobNm

sproc

Job name

EventJobstepAuth

(Boolean)

JSauth


APF-authorization state of jobstep

EventJobstepProg

(EGNX)

Pgm

deviceProcessName

Jobstep program name

EventPOE

(EGNX)

POE


Job POE from RUTKN

EventPOEX

(Integer)

POEclass


POE Class index from RUTKN

EventPOEXD

(Mapped Integer)

POEclass


POE Class index from RUTKN expressed as text

EventPrivChangeD


PrivChgD


In the event of privilege escalation (see EventPrivilege) then this field is a textual representation of the specific escalated privileges, in the same format as EventRecACEEFLG1

Valid for RACF and TSS only.

EventPrivilege

(EGNX)

PrivStat


One of four one-character values:
‘ ‘ - Not a privileged user. Because the value is blank, it would normally suppress and not be transmitted.
‘E’ - Escalated privileges. This userid is last seen as unprivileged or with lesser privileges, but now has escalated.
‘K’ - Known privileged user. This userid has been seen before, and the last time it was seen, it has the same privileges as currently.
‘P’ - New privileged user. This is the first time this userid has been seen in the current execution of BMC AMI Defender, and the user is privileged.

For more information, see "Privilege escalation detection" in SMF-record-enrichment .

EventPrivilegeD

(Mapped Integer)

PrivStatD


The data of EventPriv converted to a more readable form: Normal user, Known Privileged, New Privileged, or Escalated privileges

EventRecACEEADSP

(Boolean)

ACEEADSP


ACEE Automatic Data Security Protection (ADSP) flag

EventRecACEEAUDT

(Boolean)

ACEEAUDT


ACEE Auditor Attribute flag

EventRecACEEFLG1


ACEEFLG1


ACEE Flag 1 in textual format

EventRecACEELOGU

(Boolean)

ACEELOGU


ACEE Have most RACF Functions Logged (UAUDIT) flag

EventRecACEEOPER

(Boolean)

ACEEOPER


ACEE Operations Attribute flag

EventRecACEEPRIV

(Boolean)

ACEEPRIV


ACEE User is a Started Procedure with the Privileged Attribute (ACEEPRIV) flag

EventRecACEERACF

(Boolean)

ACEERACF


ACEE RACF Defined User (ACEERACF) flag

EventRecACEEROA

(Boolean)

ACEEROA


ACEE Read-Only Auditor (ROAUDIT) Attribute flag

EventRecACEESPEC

(Boolean)

ACEESPEC


ACEE Special Attribute flag

EventRecTOKSUSR

(EGNX)

SurrogateFor


Submitting userid

EventSType

(Integer)

TokSType


Session type from RUTKN

EventSTypeD

(Mapped Integer)

TokSType


Session type from RUTKN expressed as text

EventTokDFLT

(Boolean)

TokDFLT


Default RUTKN

EventTokDGRP

(Boolean)

TokDGRP


Default Group assigned

EventTokDSEC

(Boolean)

TokDSec


Default SECLABEL assigned

EventTokENCR

(Boolean)

TokENCR


Token is encrypted

EventTokERR

(Boolean)

TokERR


Token in error

EventTokFlg1


TokFlg1


RUTKN Token Flag 1

EventTokFlg2


TokFlg2


RUTKN Token Flag 2

EventTokFlg3


TokFlg3


RUTKN Token Flag 3

EventTokIPV

(Boolean)

ToIPV


IP value present for SERVAUTH POE

EventTokLOGU

(Boolean)

TokLOGU


Log user indicator

EventTokNETF

(Boolean)

TokNETF


Network name specified

EventTokPRIV

(Boolean)

TokPRIV


Privileged user indicator

EventTokREMOT

(Boolean)

TokREMOT


Remote job indicator

EventTokRSPEC

(Boolean)

TokRSPEC


RACF special indicator

EventTokSUS

(Boolean)

TokSUS


Surrogate userid

EventTokTRST

(Boolean)

TokTRST


Part of trusted computer base

EventTokUDUS

(Boolean)

TokUDUS


Undefined user

EventTokUNUSR

(Boolean)

TokUNUSR


NJE unknown user

EventTokVXPRP

(Boolean)

TokVXPRP


Verifyx propagation occurred

EventTokWDWN

(Boolean)

TokWDwn


When MLS is Active, Write-Down is allowed

EventUserID

(EGNX)

EventUserID

suid

User ID

EventUserID_L

(EGNX)

usrName


User ID

This field’s formatting is conditioned on the software switch LEEF.

EventUserName

(EGNX)

Name

suser

User name from SAF

EventUserName_L

(EGNX)

accountName


User name from SAF

This field’s formatting is conditioned on the software switch LEEF.

EventWRKTYP

(EGNX)

WorkType


The type of work represented by the event record: ‘A’ ASCH/APPC transaction, ‘J’ Batch job, ‘S’ Started task, ‘T’ TSO user, ‘U’ type of work could not be determined

EventWRKTYPD

(Mapped Integer)

WorkTypeD


The type of work represented by the event record expressed as text

EventWRKTYPDX

(Mapped Integer)

WorkType


The type of work represented by the event record expressed as text, with the now-deprecated WorkType tag

SMFXXDTETME


Timestamp

rt

The SMF record timestamp formatted in accordance with the TIME statement

This field is largely redundant with the timestamp automatically generated by BMC AMI Defender and most other syslog servers. It is also redundant with the RFC 3164 timestamp generated by OPTIONS TIMESTAMP.

SMFXXDTETME_L


devTime


The SMF record timestamp formatted in accordance with the TIME statement





This field’s formatting is conditioned on the software switch LEEF.

SMFXXRTY

(Integer)

Rtype


The SMF record type

SMFXXSID

(EGNX)

SID


The SMF system ID from the SMF record

This field is possibly redundant with the RFC 3164 host name. See OPTIONS HOSTNAME.

SMFXXSTY

(Integer)

SubT


The SMF record subtype

The value of the halfword integer at displacement 22 into the base of the SMF record. Compare Event_SubType.

For more information, see SMF-ACF2-common-fields.

Related topic

Supported-SMF-field-names


 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*