Audit data

The following actions are logged:

• System access (connect, disconnect)
• JES spool access (submit, display, hold, release, cancel, purge, change CLASS, change MSGCLASS)
• Data set access (read, write, create, delete, rename, compress, migration, recall)
• File access (read, write, create, delete, rename)
• Execution of TSO and z/OS® UNIX commands

Each logged action is stored (with a date/timestamp) using the CSV (Comma Separated Value) format, which can be read by an automation or data analysis tool. For example:

yyyy/mm/dd hh:mm:ss.sss,userid,action,dataset_name[,returncode]
  [,additional_information]]

Data set and member statistics are also logged when the file is opened. They are appended to the line documenting completion of the READ action, and the fields are delimited with %n. For example:

yyyy/mm/dd hh:mm:ss.sss,userid,action,dataset_name,returncode,create%nmodify%n…

The following attributes are logged, in the listed order:

• Creation date and time (mm/dd/yyyy hh:mm)
• Last modify date and time (mm/dd/yyyy hh:mm:ss)
• Last access date and time (mm/dd/yyyy hh:mm:ss)
• Record format (RECFM)
• SCLM revision indicator (N = revision number is set, D = revision number is not set)
• SCLM revision number
• ”Bad Hex” characters included (Y = yes, N = no)
  Note: “Bad Hex” characters require z/OS Explorer mapping services because they do not survive a trip to the client and back due to code page mismatches.
• Logical record length (LRECL)
• File size
• Reserved for future use
• Reserved for future use
• User ID
• Lock (enqueue) owner for this data set or member
• CR (carriage return), LF (line feed) and NL (new line) host code points and their substitution characters.