SMF field descriptions N-Z

The SMF NEWLIST provides the following fields for reporting.

NAME

Full user name or programmer name. It is found in:

Job Initiation, Termination and Accounting records (SMF record types 5, 20, 30 and 32), where the name is taken from the job card.
JES Job Purge records (SMF record type 26)
RACF® processing records (SMF record types 80 and 83 subtype 1), where the name is taken from the ACEE,
(ACF2 only) ACF2 processing records (system-dependent SMF record type), but only for data set and resource use subtypes.
(Top Secret only) TSS processing records (SMF record type 80), but only for session initialization records (TSS_EVENT=1)

NRP_POLICY_RULE_NAME

This field reflects the matching zERT IPsec policy rule name, if any. The field is reported missing if there is no matching zERT IPsec policy rule name. The field is included in SMF record type 119, subtypes 2 and 11. The value is reported missing for z/OS 2.4 or earlier. The default length of the field is 48 characters.

OBJECT_TYPE

Object type. This field is found in Integrated Cryptographic Service Facility (ICSF) records (SMF record type 82, subtype 41, 42, 45, and 46). The input format and default output format of the field is ObjectType. The following table lists the possible values:

Value	Meaning
SymKey	Symmetric key
PubKey	Public key
PrivKey	Private key
Certificate	Certificate
DomainParms	Domain parameters
Data	Data object
PubPrivKeys	Public/Private key pair
P11Token	PKCS #11 token
TrustedBlk	Trusted block

OMCMD_ALLOWED

This flag field applies only to z/OS systems. It indicates whether the Omegamon command was suppressed by the security facility. (See also OMCMD_NAME.)

OMCMD_NAME

This field applies only to z/OS systems. The OMCMD_NAME field contains the name of the Omegamon major or minor command that generated the audit record.

OMCMD_TEXT

This field applies only to z/OS systems. The OMCMD_TEXT field contains the command text that was entered on the OMEGAMON II screen. Records of minor commands also reference their associated major commands. This is the command string that caused the audit record to be generated, complete with parameters.

OMCMD_TYPE

This field applies only to z/OS systems. The OMCMD_TYPE field indicates the Omegamon command type. Table 1 lists the possible types.

Table 1. Omegamon command types
Code	Description
I	Immediate
C	Major
M	Minor
G	Generalized Minor
S	Info line
P	Superceded command

For more information about the command types, see OMEGAMON® for MVS™ User's Guide in the IBM OMEGAMON for z/OS Management Suite documentation.

OUTBOUND_FILTER_BEHAVIOR

Outbound IP filtering behavior. This field is found in zERT connection detail records (SMF record type 119, subtype 11) that have an IP filter-specific section. The default output format of this field is FilterBehavior. This field and its values can also be used as input for filtering purposes. See INBOUND_FILTER_BEHAVIOR for the possible values of the OUTBOUND_FILTER_BEHAVIOR field, pertaining to outbound traffic. This field is missing if no outbound filter rule is associated with the connection.

OUTBOUND_FILTER_NAME

Outbound traffic IP filter rule name. This field is found in zERT connection detail records (SMF record type 119, subtype 11) that have an IP filter-specific section. The maximum length of the field is 40 characters. This field is missing if no outbound filter rule is associated with the connection.

OUTBOUND_FILTER_NAME_EXT

Outbound traffic IP filter rule name extension. This field is found in zERT connection detail records (SMF record type 119, subtype 11) that have an IP filter-specific section. The maximum length of the field is 8 characters. This field is missing if no outbound filter rule is associated with the connection, or if the outbound filter rule has no rule name extension.

OUTBOUND_FTP_IPV4

Flag field that indicates whether the security session represents IPv4 outbound data connections that are established by the FTP server to the FTP client. This field is found in zERT summary records (SMF record type 119, subtype 12).

OWNER

This field applies only to RACF systems. It specifies the RACF owner of the target profile (either a user id or a group id). This field is only found in RACF processing records (SMF record types 80 and 83 subtype 1).

To select the owner specified in a RACF command, use the RACFCMD_OWNER command field instead.

PACKETS_IN

This is the number of UDP datagrams or TCP segments that are transferred to the local system. It is present for SMF 119 subtypes 2 (TCP socket close), 10 (UDP socket close), 11 (zERT connection detail), and 12 (zERT summary).

Note:

With SMF record type 119, subtype 11 (zERT connection detail) records, PACKETS_IN reflects the count since the connection started.
For SMF record type 119, subtype 12 (zERT summary) records, PACKETS_IN reflects the count of packets that were transferred within the summary interval.

PACKETS_OUT

This is the number of UDP datagrams or TCP segments that are transferred from the local system. It is present for SMF 119 subtypes 2 (TCP socket close), 10 (UDP socket close), 11 (zERT connection detail), and 12 (zERT summary).

Note:

With SMF record type 119, subtype 11 (zERT connection detail) records, PACKETS_OUT reflects the count since the connection started.
For SMF record type 119, subtype 12 (zERT summary) records, PACKETS_OUT reflects the count of packets that were transferred within the summary interval.

PCI_HSM_2016_COMPL_MODE

This flag field is true if the PCI-HSM compliance mode of the cryptographic coprocessor is 2016. This field is included in SMF record type 82, subtype 18.

PCI_HSM_COMPLIANCE_MODE

This flag field is true if the PCI-HSM compliance mode of the cryptographic coprocessor is active. This field is included in SMF record type 82, subtype 18.

PCI_HSM_COMPL_MIGR_MODE

This flag field is true if the PCI-HSM compliance migration mode of the cryptographic coprocessor is active. The migration mode is a temporary sub-state of the PCI-HSM compliance mode when existing keys are transformed into compliant-tagged keys. This field is included in SMF record type 82, subtype 18.

PKCS11_TOKEN

This field applies only to RACF systems. It is found in RACF processing records (SMF record type 80) for the RACDCERT event, and corresponds with RACF_SECTION(399). It is present for the token manipulation subcommands of this event (ADDTOKEN, BIND, DELTOKEN, IMPORT, and UNBIND) and contains the name of the token that is affected by the command. This field is also found in Integrated Cryptographic Service Facility (ICSF) records (SMF record type 82) with subtypes 42 and 46, where it reflects the CKA_LABEL attribute from the object, and in Security Label Change records (SMF record type 83, subtype 1).

PRIORITY

This field is only found in z/OS® Firewall Technologies records (SMF record type 109). It indicates the priority of a record, which can range from Debug (lowest priority) to Emergency (highest priority). Its value can be Debug, Informational, Notice, Warning, Error, Critical, Alert, or Emergency.

PRIVILEGES

This field lists security attributes that are associated with the RACF or ACF2-defined user ID. The possible attributes are documented in the table below. Any applicable attributes are printed as blank-separated values, in the order of appearance in the table. If no attributes or privileges apply, the field is left blank.

Table 2. Possible values of the PRIVILEGES field
Value	For a RACF or ACF2-defined user ID	With attribute or privilege
`special`	RACF	SPECIAL
`operations`	RACF	OPERATIONS
`auditor`	RACF	AUDITOR
`grpspec`	RACF	GROUP-SPECIAL
`grpoper`	RACF	GROUP-OPERATIONS
`grpaudit`	RACF	GROUP-AUDITOR
`superuser`	RACF	UNIX UID=0 Or when the user ID has READ access to FACILITY profile BPX.SUPERUSER.
`Acc`	ACF2	ACCOUNT
`Mnt`	ACF2	MOUNT
`nCn`	ACF2	NONCNCL
`Sec`	ACF2	SECURITY
`STC`	ACF2	STC
`superuser`	ACF2	UNIX UID=0 Or when the logonid is allowed access to FACILITY resource BPX.SUPERUSER.

For Top Secret-defined user IDs, no security attributes or privileges are recognized. The PRIVILEGES field is left blank.

This field is derived using information in the security database; in the absence of an applicable source, the field is empty.

PRIV_USER_GROUPS

This repeating field returns privileged group names for the user ID. These are the connect groups for USER that are also present in a

SIMULATE
PRIV_USER_GROUPS

command. The field returns no more than 4,000 group names. If the number of privileged groups exceeds 4,000, they will be the alphabetically first 4,000 privileged groups. In principle, the field can be filled in for any SMF record type that returns a value in the field USER that exists in the security database of the system.

This field is derived using information in the security database; in the absence of an applicable source, the field is empty.

PROCNAME

JCL procedure name. This field is only found in Accounting records (SMF record type 30).

PRODUCT

This value identifies the product from which the record was obtained. Table 3 lists the supported record types and value returned for each type.

Table 3. SMF NEWLIST PRODUCT field - possible values
Record type	Value returned
IBM® WebSphere Application Server audit records (SMF record type 83, subtype 5)	WAS-zOS
IBM Security Key Lifecycle Manager audit records (SMF record type 83, subtype 6)	TKLM-zOS
IBM Db2 performance and audit records (SMF record types 100, 101, and 102)	Db2
Customer Information Control System (CICS®) performance monitoring records (SMF record type 110)	CICS
IBM z/OS Connect (SMF record type 123, subtype 1, layout version 2)	z/OS Connect

PRODUCT_FMID

This value identifies the FMID or version for the product that generated the SMF event record. The product name is returned in the PRODUCT field. This field is supported for the following record types:

Security audit event records (SMF record type 83)
Db2 performance and audit records (SMF record types 100, 101, and 102)
z/OS Connect (SMF record type 123, subtype 1, layout version 2)

PROFILE

This field applies only to RACF systems. It specifies the RACF profile name. The type of the profile is dependent on the record type described. For common address space work records, this field describes the userid that started the job. For data set and ICF catalog records, it will be the profile for the data set described in the record. For RACF records, it might be any type of profile. For RACF commands on a user or group, the profile describes the target user or group.

The PROFILE field is found in RACF processing and R_auditx records (SMF record types 80 and 83). The field is derived using information in the security database for SMF record types 14, 15, 17, 18, 30, 42, 60, 61, 62, 64, 65, 66, and 90. In the absence of an applicable source, the field is empty. To derive profile names for VSAM data set activity records (SMF record types 62 and 64), a CKFREEZE file with catalog information must be available for the system.

The field is also derived for Integrated Cryptographic Service Facility (ICSF) records (SMF record type 82 subtypes 40, 41, 42, 44, 45, and 46).

With SMF record type 42 (DFSMS Statistics and Configuration) subtype 6 (Job Header (data set statistics)) records, each subrecord contains one PROFILE field. With SMF type 42 (DFSMS Statistics and Configuration) subtype 27 (VTOC change) records, the PROFILE field is missing.

If BYPASS is true, the PROFILE field can be missing.

PROFILE is a repeated field, though most records contain only one profile.

The default output length of the PROFILE field is 44, which is sufficient for all profiles in class DATASET. General resource profiles might have a length of up to 255 characters

Warning: Unlike NEWLIST TYPE=RACF, using a generic value with the PROFILE field means that pattern match selection is used, for example, PROFILE=SYS1.** matches all profiles and resources that match the pattern SYS1.**. To select a specific generic resource, enclose the profile name in quotes, for example, PROFILE='SYS1.**'.

PROGRAM

Program name. This field is only found in the following record types:

(ACF2 only) ACF2 data set/resource use records (system-dependent SMF record type)
Step Termination (SMF record type 4)
Data set activity record types 14 and 15
Common Address Space Work (SMF record type 30)
TSO/E User Work Accounting (SMF record type 32)
TS-Step Termination (SMF record type 34)
ICF Catalog (SMF record type 36)
(Top Secret only) TSS processing records (SMF record type 80)
Security audit event records from IBM WebSphere Application Server (SMF record type 83, subtype 5) and Security Key Lifecycle Manager (SMF record 83, subtype 6)
Db2® SMF record type 102 subtype/IFCid 22, 145, 177, and 183

The default field length is 8, but the length can be up to 128 for DB2® SMF records. The default output format for this field shows the first 8 characters of the program name which can result in truncating file names. To include the full program name, use the following format specification in CARLa scripts: program(0,wrap).

QUAL

This field applies only to RACF systems. The RACF QUAL field is equal to the HLQ of the data set, or the QUAL field of a naming convention table and/or exit. It defines the default owner of a data set. RACF allows access without additional access checking.

This field is derived for RACF processing records (SMF record types 80 and 83 subtype 1), ICF catalog activity records and common address space work records (SMF record types 14, 15, 17, 18, 42, 60, 61, 62, 64, 65 and 66), and HSM function statistic records.

With SMF record type 42 (DFSMS Statistics and Configuration) subtype 6 (Job Header (data set statistics)) records, each subrecord contains one QUAL field.

Note that when you have a naming convention table you must use a CKFREEZE for correct processing. When you have a naming convention exit you must run the program on the local system.

Note that RACF processing records will contain the resource names instead of the data set names when SETROPTS NOREALDSN is in effect. Consequently, it is not generally possible to deduce the correct QUAL from the record contents. In this case, the HLQ of the resource will be returned. If you have a naming convention table or exit that may change the QUAL to a value different from the HLQ of the resource name, this may occasionally be incorrect.

R_ACCESS

The R_ACCESS field is found in IBM WebSphere Application Server security audit records (SMF record type 83, subtype 5) and is set from relocate section 119 (accPermGrant) in the record.

R_ACTION

Contains the action which caused the record to be created on the remote system. This field is found in the following records:

Remote auditing service (SMF record type 83, subtype 4). The value is taken from the RESOURCE field.
IBM WebSphere Application Server security audit records (SMF record type 83 subtype 5). The value is taken from relocate section 111 (accAction) of the record.
IBM Security Key Lifecycle Manager security audit records (SMF record type 83 subtype 6). The value is taken from the text following action= in relocate section 114 of the record.
IBM z/OS Connect request subrecords (SMF record type 123 subtype 1). The value is taken from field SMF123S1_SERVICE_NAME of the record.

R_EVENT

The R_EVENT field contains the event type that generated the log record. This field applies to audit security records associated with Security Key Lifecycle Manager events (SMF record type 83, subtype 6) as indicated by the field PRODUCT. (See PRODUCT.)

The R_EVENT field can also be found in the IBM WebSphere Application Server audit records (SMF record type 83, subtype 5), for which Table 4 lists the event information that can be displayed.

Table 4. SMF record 83, subtype 5: WebSphere Application Server events
Event and Meaning	Qualifier and Meaning
1 - Authentication	0 (Success), 1 (Info), 2 (Warning), 3 (Failure), 4 (Redirect), 5 (Denied)
2 - Authentication termination	0 (Success), 1 (Info), 2 (Warning), 3 (Failure), 4 (Redirect), 5 (Denied)
3 - Authentication mapping	0 (Success), 1 (Info), 2 (Warning), 3 (Failure), 4 (Redirect), 5 (Denied)
4 - Authorization	0 (Success), 1 (Info), 2 (Warning), 3 (Failure), 4 (Redirect), 5 (Denied)
5 - Policy modification	0 (Success), 1 (Info), 2 (Warning), 3 (Failure), 4 (Redirect), 5 (Denied)
6 - Registry modification	0 (Success), 1 (Info), 2 (Warning), 3 (Failure), 4 (Redirect), 5 (Denied)
7 - Run-time	0 (Success), 1 (Info), 2 (Warning), 3 (Failure), 4 (Redirect), 5 (Denied)
8 - Configuration management	0 (Success), 1 (Info), 2 (Warning), 3 (Failure), 4 (Redirect), 5 (Denied)
9 - Provisioning	0 (Success), 1 (Info), 2 (Warning), 3 (Failure), 4 (Redirect), 5 (Denied)
10 - Resource management	0 (Success), 1 (Info), 2 (Warning), 3 (Failure), 4 (Redirect), 5 (Denied)
11 - Key run-time	0 (Success), 1 (Info), 2 (Warning), 3 (Failure), 4 (Redirect), 5 (Denied)
12 - Key management	0 (Success), 1 (Info), 2 (Warning), 3 (Failure), 4 (Redirect), 5 (Denied)
13 - Audit configuration	0 (Success), 1 (Info), 2 (Warning), 3 (Failure), 4 (Redirect), 5 (Denied)
14 - Resource access	0 (Success), 1 (Info), 2 (Warning), 3 (Failure), 4 (Redirect), 5 (Denied)
15 - Signing	0 (Success), 1 (Info), 2 (Warning), 3 (Failure), 4 (Redirect), 5 (Denied)
16 - Encryption	0 (Success), 1 (Info), 2 (Warning), 3 (Failure), 4 (Redirect), 5 (Denied)
17 - Authentication delegation	0 (Success), 1 (Info), 2 (Warning), 3 (Failure), 4 (Redirect), 5 (Denied)
18 - Credential modification	0 (Success), 1 (Info), 2 (Warning), 3 (Failure), 4 (Redirect), 5 (Denied)

Table 5 lists the event information that can be displayed.

Table 5. SMF record 83, subtype 6: Security Key Lifecycle Manager events
Key Lifecycle Manager Security Audit Event	Description	Event Code	Event Name
-- unknown --	Unknown events	1	`KLMUNKN`
`SECURITY_AUTHN`	Authentication events	2	`KLMAUTN`
`SECURITY_AUTHN_TERMINATE`	Authentication termination events	3	`KLMAUTT`
`SECURITY_AUTHZ`	Authorization checks	4	`KLMAUTZ`
`SECURITY_DATA_SYNC`	Data synchronization events	5	`KLMSYNC`
`SECURITY_MGMT_AUDIT`	Management operations of the audit subsystem	6	`KLMAUDI`
`SECURITY_MGMT_CONFIG`	Configuration operations for a security server	7	`KLMCONF`
`SECURITY_RUNTIME_KEY`	Runtime operations for certificates/keystores	8	`KLMKEYR`
`SECURITY_MGMT_RESOURCE`	Resource management	9	`KLMRESM`
`SECURITY_RUNTIME`	Runtime starting and stopping of security servers.	10	`KLMRUNT`

R_INTENT

The R_INTENT field specifies the type of access requested when this event record was logged. This field applies to IBM WebSphere Application Server security audit records (SMF record type 83 subtype 5). In these records, the value is taken from relocate section 118 (accPermCheck) of the record.

R_LOGDATA

This repeated field returns information about a security audit event from a zLinux system (SMF record type 83, subtype 4 event records). The information is provided in a fieldname=value format with a separate entry for each value returned. The values are found in the relocate 114 field of the SMF record and depend on the type of event that was logged.

SMF record type 83, subtype 4 event records are only created for zLinux systems that have been set up for remote monitoring using either the audispd plugin or the JZOS toolkit. For additional information about these records and setting up remote auditing, see the Enterprise Multiplatform Auditing, IBM Redbook available at www.redbooks.ibm.com/abstracts/sg247472.html.

For RACF systems only, also see the RACF_LINK_AUDIT and RACF_LINK_EVENT fields.

R_LOGRECORD

The R_LOGRECORD fields contains the native Java™ log record for use by zSecure Adapters for SIEM. This field applies to security audit records (SMF record type 83 subtype 6 event records). This field has a maximum length of 1024.

R_MGMT_ATTR

The R_MGMT_ATTR field provides information about one or more secondary objects involved in the operation that generated this record. This field can be found in security audit records from IBM WebSphere Application Server (SMF record type 83, subtype 5). The value is taken from relocate section 155 (mgmtAttr) of the record.

R_MGMT_CMD

The R_MGMT_CMD field identifies the application-specific command that was being performed during the event that generated this record. This field can be found in security audit event records from IBM WebSphere Application Server (SMF record type 83, subtype 5). The value is taken from relocate section 154 (mgmtCmd).

It is present for SMF 118 (70, 71,72,73,74) and SMF 119. For both FTP server (118 (70, 71, 72, 73, 74), 119-70, 96) and client (118-3, 119(3,97)) SMF records, this field returns the 4 character RFC-compliant FTP command.

R_MGMT_TYPE

The R_MGMT_TYPE field indicates the type of management operation that was being performed during the event that generated this record. This field can be found in security audit event records from IBM WebSphere Application Server (SMF record type 83, subtype 5). The value is taken from relocate section 153 (mgmtType) of the record.

R_RESOURCE

The R_RESOURCE field contains the name of the resource in the context of the application that generated the event record. This field applies to IBM Security Key Lifecycle Manager audit records (SMF record type 83, subtype 6). The value is taken from relocate section 150 (resource=[name=) of the record.

This field can also be found in the following records:

Security audit event records from IBM WebSphere Application Server (SMF record 83, subtype 5). In these records, the value is taken from relocate section 114 (accApplName) of the record.
z/OS Connect request subrecords (SMF record 123, subtype 1). In these records, the value is taken from the System Of Record Resource name field (SMF123S1_SOR_RESOURCE).

This field has a default length of 64 and a maximum length of 128. The actual length might be longer than the default length.

R_RESULT

The R_RESULT field This field is found in security audit event records from IBM WebSphere Application Server (SMF record 83, subtype 5). The value is taken from relocate section 114 (accDecision) of the record.

R_ROLECHECK

The R_ROLECHECK field indicates the roles that were checked when the event record was generated. This field is found in security audit records from IBM WebSphere Application Server (SMF record 83, subtype 5). The value is taken from relocate section 120 (accRoleCheck) of the record.

R_ROLEGRANT

The R_ROLEGRANT field indicates the roles that were granted when the event record was generated. This field is found in security audit records from IBM WebSphere Application Server (SMF record 83, subtype 5). The value is taken from relocate section 121 (accRoleGrant) of the record.

R_USER

Contains the user ID that the product or component uses for the purpose of authenticating or authorizing the request that generated this record. This field is found in the following records:

IBM Security Key Lifecycle Manager audit records (SMF record type 83, subtype 6). The value is taken from the relocate section 150 (user=[name=name]) of the record.
IBM WebSphere Application Server (SMF record 83, subtype 5) security record. The value is taken from relocate section 113 (accApplUser) of the record.
Remote auditing service (SMF record type 83, subtype 4). The value is taken from the last relocate section 114 (uid=[r_user=userid]) of the record.
For FTP and SSH client (118-3, 119-3, 119-94, 119-97) SMF records, this field returns the remote user identification that is used to log on to the remote FTP server.
For the TCP socket close (119-2) SMF record, this field returns the AT-TLS partner user ID that is part of the partner digital certificate.
IBM Multi-Factor Authentication records (SMF record type 83, subtype 7). The value is taken from the relocate section 100 (user id) of the record.
RACF processing records (SMF record type 80). The value is taken from the relocate section 445, subfield Userid of CICS Client of the record.
SMF 123 subtype 1 for z/OS Connect request subrecords.

RACF_AUTH_INFO

This field describes the multi-factor authentication information flags found in some SMF record type 80 and 83 records pertaining to RACINIT events.

Because many flags can be set at the same time, the default output of this bitfield is in a condensed format; full output split into several lines can be requested using the EXPLODE output modifier and an overriding length of 30; for example, RACF_AUTH_INFO(EXPLODE,30). The following table lists sample RACF_AUTH_INFO bit mask values that can be used for SELECT/EXCLUDE processing, the condensed output, the exploded output, and the meaning.

Table 6. RACF_AUTH_INFO values
Select/Exclude	Condensed	Exploded	Meaning
'1.......'	V......	Authenticated from VLF	Authenticated from VLF
'.1......'	.A.....	User has active MFA factor	User has active MFA factor(s)
'..1.....'	..F....	MFA fallback allowed	MFA user allowed to fall back when no MFA decision can be made
'...1....'	...N...	No MFA decision	No MFA decision for MFA user
'....1...'	....X..	MFA requests pw-expired RC	MFA requested that RACROUTE REQUEST=VERIFY return the password-expired return code
'.....1..'	.....I.	MFA requests new-pw-invalid RC	MFA requested that RACROUTE REQUEST=VERIFY return the new-password-invalid return code
'......1.'	......P	MFA partially successful	MFA only partially succeeded

RACF_AUTH_USED

This field describes the multi-factor authentication flags that show which authenticators were used. The flags are found in some SMF record type 80 and 83 records pertaining to RACINIT events.

Because many flags can be set at the same time, the default output of this bitfield is in a condensed format; full output split into several lines can be requested using the EXPLODE output modifier and an overriding length of 21, RACF_AUTH_USED(EXPLODE,21) for example. The following table lists sample RACF_AUTH_USED bit mask values that can be used for SELECT/EXCLUDE processing, the condensed output, the exploded output, and the meaning.

Table 7. RACF_AUTH_USED values
Select/Exclude	Condensed	Exploded	Meaning
'1.......'	E.......	Password evaluated	Password evaluated
'.1......'	.S......	Password successful	Password authentication successful
'..1.....'	..E.....	Phrase evaluated	Password phrase evaluated
'...1....'	...S....	Phrase successful	Password phrase authentication successful
'....1...'	....E...	Passticket evaluated	Passticket evaluated
'.....1..'	.....S..	Passticket successful	Passticket authentication successful
'......1.'	......S.	MFA successful	Multifactor authentication successful
'.......1'	.......U	MFA unsuccessful	Multifactor authentication unsuccessful

RACFAUTH, AUTHORITY

This field applies only to RACF systems. It specifies the RACF authority used. This field is only found in RACF processing records (SMF record type 80), Security Label Change records (SMF record type 83, subtype 1), and EIM Processing records (SMF record type 83, subtype 2). It is used to select records by the RACF authority used for executing commands or accessing resources, for example, SPECIAL or OPERATIONS. When used for output, the default output is condensed; full output split into several lines can be requested using the EXPLODE output modifier and an overriding length of 10, for example RACFAUTH(EXPLODE,10). The table ¹ Table 8 shows the RACFAUTH values and their meanings.

Table 8. SMF RACFAUTH and AUTHORITY fields - values for output processing
SELECT/EXCLUDE value	Output code	Exploded output	Meaning
AUDITOR	A	Auditor	AUDITOR or ROAUDIT attribute
BYPASS BYPASSED	B	Bypass	Bypassed-user id = BYPASS
EXIT	X	Exit	Installation exit processing
FAILSOFT	F	Failsoft	Failsoft processing
NORMAL	N	Normal	Normal authority check
OPERATIONS	O	Operations	OPERATIONS attribute
SPECIAL	S	Special	SPECIAL attribute
SUPER SUPERUSER	Su	Superuser	OpenEdition MVS super-user (uid 0)
SYSTEM	Sy	System	OpenEdition MVS system function
TRUSTED	T	Trusted	Trusted/Privileged attribute

Note: For SELECT/EXCLUDE processing, only the =, <>, and ¬= relational operators can be used.

RACFCMD

This field applies only to RACF systems. It specifies the RACF logged command. This field is found in RACF processing records (SMF record types 80 and 83 subtype 1) for events dealing with RACF commands. To find all records with a RACFCMD field, select either EXISTS(RACFCMD) or EVENT=ALLCOMMAND.

To select specific RACF commands you can do a field compare on the RACFCMD field or use the EVENT field. To select the target profile (data set, general resource, user, or group), use the PROFILE field. To select the target user of a command, use the RACFCMD_USER field. To select the target group of a command, use the RACFCMD_GROUP field. To select RACF commands where specific keywords or options were used, use the RACFCMD_KEYWORDS field.

The RACFCMD field is a repeated field; the first entry prints the RACF command name; each following entry prints a logged command parameter, appended by <Ignored> for parameters ignored because of insufficient authority, and <Error> for parameters ignored because of a processing error. Passwords, which are not logged in SMF records, are indicated by the string <Password>.

The default output length of the RACFCMD field is 64 characters; the full length may be up to 32000 characters for SETROPTS commands. To print the command in one string, use the output modifier HORIZONTAL, e.g. RACFCMD(HORIZONTAL). To print long commands in a column, use the output modifiers HORIZONTAL and WRAP, e.g. RACFCMD(WRAP,HORIZONTAL,60).

Note: The RACFCMD field cannot be used for forward recovery (by reissuing the RACF commands), because the command result depends on the issuer, and with forwarded recovery the issuer is generally someone else. RACF does log some implied default parameters, but not all implied parameters (e.g. the current user as owner). The RACFCMD field may therefore not correspond exactly to the command typed, but it will be equivalent.

RACFCMD_AUTH

This field applies only to RACF systems. It contains the (new) group authority specified in a RACF logged command. This field is found in RACF processing records (SMF record types 80 and 83 subtype 1) for events dealing with RACF commands.

The RACFCMD_AUTH field is defined for ADDUSER, ALTUSER, and CONNECT commands. Possible RACFCMD_AUTH values are documented in the following table (increasing sort order).

Table 9. SMF record RACFCMD_AUTH field - possible values and descriptions
RACFCMD_AUTH value
USE
CREATE
CONNECT
JOIN

RACFCMD_CONNECT

This non-repeating field is filled for SMF 80 RACF command event types CONNECT, REMOVE, and ADDUSER from the current RACF database for the complex assigned to the SMF record based on the SYSID. This field is missing if the connect created or removed according to the SMF record (fields RACFCMD_USER and RACFCMD_GROUP) does not exist in the RACF database. The field can be used with overriding formats relating to connect type fields like CONNECTKEY and CONNECTID. It can also be used as the source of a lookup to connect attributes, for example RACFCMD_OWNER:GRPSPEC to see whether the user in field RACFCMD_USER has the group-special attribute in the group in field RACFCMD_GROUP according to the allocated RACF database.

This field is derived using information in security database; in the absence of an applicable source, the field is empty.

RACFCMD_EFFECTIVE

This field applies only to RACF systems. It contains the RACF logged command, without ignored and erroneous keywords and values. This field is found in RACF processing records (SMF record types 80 and 83 subtype 1) for events dealing with RACF commands. It can be used for output and SELECT/EXCLUDE processing.

The RACFCMD_EFFECTIVE field is a repeated field; the first entry prints the RACF command name; each following entry prints a logged command parameter. Parameters ignored because of insufficient authority, and parameters ignored because of a processing error is not shown. Passwords, which are not logged in SMF records, are indicated by the string <Password>.

RACFCMD_GROUP

This field applies only to RACF systems. It contains the target group of a RACF logged command. This field is found in RACF processing records (SMF record types 80 and 83 subtype 1) for the ADDUSER, ALTUSER, ADDGROUP, ALTGROUP, CONNECT, DELGROUP, REMOVE, and PERMIT commands.

For ADDGROUP, ALTGROUP and DELGROUP this field reports the group that is defined or altered; it is equal to the RESOURCE and PROFILE fields.

For ADDUSER, ALTUSER, CONNECT and REMOVE, this field reports the group that is used to define, alter or remove a connect. The value corresponds to the value of the DFLTGRP keyword for ADDUSER and the GROUP keyword for ALTUSER, CONNECT and REMOVE. (The RESOURCE and PROFILE fields describe the target user.)

For PERMIT this field reports all PERMIT ids known to be groups. Note that this requires access to a RACF database or unload, with the group present in the DB, because the SMF records contain the IDs specified on the PERMIT commands, without the indication whether they are users or groups.

RACFCMD_KEYWORDS

This repeated field applies only to RACF systems. The field contains the keywords used with a logged RACF command.

This field contains one repeat-group entry for each keyword used in a RACF command. The RACF command itself, and the values used with the keywords, are not included. So, for the command CONNECT XX GROUP(YY) NOSPECIAL AUTHORITY(USE), the RACFCMD field would contain the values GROUP, NOSPECIAL, and AUTHORITY.

The main use of this field is to select or exclude commands that use specific keywords that are allowed or disallowed. For instance, to select all CONNECT commands that use any parameter other than GROUP, use SELECT EVENT=CONNECT RACFCMD_KEYWORDS<>GROUP. A list of keywords, as well as substrings and generic values, may be specified as with any other character field.

RACFCMD_KEYWORDS_EFF

This repeated field applies only to RACF systems. The field contains the effective (not erroneous or ignored) keywords used with a logged RACF command. It can be used for output and SELECT/EXCLUDE processing.

This field contains one repeat-group entry for each keyword used in a RACF command. The RACF command itself, and the values used with the keywords, are not included. So, for the command CONNECT XX GROUP(YY) SPECIAL AUTHORITY(USE), the RACFCMD_KEYWORDS_EFF field would contain the values GROUP, SPECIAL, and AUTHORITY. If the issuing user did not have authority to issue the SPECIAL keyword for this connect, the field would only contain the values GROUP and AUTHORITY.

The main use of this field is to select or exclude commands that use specific keywords that are allowed or disallowed. For instance, to select all CONNECT commands that use any parameter (that actually got executed) other than GROUP, use SELECT EVENT=CONNECT RACFCMD_KEYWORDS_EFF<>GROUP. A list of keywords, as well as substrings and generic values, may be specified as with any other character field.

RACFCMD_OWNER

This field applies only to RACF systems. It contains the (new) owner specified in a RACF logged command. This field is found in RACF processing records (SMF record types 80 and 83 subtype 1) for events dealing with RACF commands.

The RACFCMD_OWNER field is defined for ADDGROUP, ADDSD, ADDUSER, ALTDSD, ALTGROUP, ALTUSER, CONNECT, RALTER, RDEFINE, and REMOVE commands.

RACFCMD_USER

This field applies only to RACF systems. It contains the target user of a RACF logged command. This field is found in RACF processing records (SMF record types 80 and 83 subtype 1) for events dealing with RACF commands.

The RACFCMD_USER field is defined for ADDUSER, ALTUSER, CONNECT, DELUSER, PASSWORD, REMOVE, RACDCERT, RACLINK and PERMIT commands.

For all events except PERMIT RACDCERT and RACLINK, it is equal to the RESOURCE and PROFILE fields.

For the PERMIT command, it reports all PERMIT ids known to be users. Note that this requires access to a RACF database or unload, with the user present in the DB, because the SMF records contain the IDs specified on the PERMIT commands, without the indication whether they are users or groups.

For the RACLINK commands the target user is reported.

For RACDCERT the userid associated with the certificate is reported.

RACF_FAILING_JOBNAME

This field applies only to RACF systems. It shows the name of the job that the user is not authorized to submit because of a restriction that is imposed by a JESJOBS profile. The value is obtained from relocate section 47 that might be present in SMF record type 80.

RACF_LINK_AUDIT

This field applies only to RACF systems. It returns a link value for connecting security audit event records related to the same event. This value applies to RACF processing and remote audit event records (SMF record type 80 and SMF record type 83). Records that have the same value for the RACF_LINK_AUDIT and RACF_LINK_EVENT fields are connected to the same event.

See also RACF_LINK_EVENT.

RACF_LINK_EVENT

This field applies only to RACF systems. It returns the event serial number for a security audit event from a zLinux system. This field applies to SMF record type 83, subtype 4 event records created through remote monitoring of a Linux® system. Records with the same RACF_LINK_EVENT value are associated with the same event. Application-specific information about the security audit event is returned in the R_LOGDATA field.

You can use the RACF_LINK_EVENT value in combination with the RACF_LINK_AUDIT value for identifying the RACF command processing that caused the security audit event to be logged. Records that have the same RACF_LINK_EVENT and RACF_LINK_AUDIT values are associated with the same event.

SMF record type 83, subtype 4 event records are only created for zLinux systems that have been set up for remote monitoring using either the audispd plug-in or the JZOS toolkit. For additional information about these records and setting up remote auditing, see the Enterprise Multiplatform Auditing, IBM Redbook available at www.redbooks.ibm.com/abstracts/sg247472.html.

RACF_SECTION

This field applies only to RACF systems. This pseudo-field can be used to create user-defined SMF fields, to select and display values not provided for by the existing, built-in fields. It can be used for values described by a RACF relocate section within the SMF record. For a full description and examples of use, see Defining fields in SMF records.

RCS_GEO

This field is present in SMF record type 82, subtype 43 records. It indicates the geography represented by a regional cryptographic server. The maximum length of this field is 15 characters.

RCS_STATUS

This field is present in SMF record type 82, subtype 43 records. It indicates the status of a regional cryptographic server. A field value of ONLINE means the regional cryptographic server was brought online. A field value of OFFLINE means the regional cryptographic server was taken offline. The maximum length of this field is 7 characters.

READER_DATETIME

This sortable field contains the date and time (in centiseconds) that the job was processed by a JES reader. This is part of the key for a job tag; see section The job tag system in the zSecure (Admin and) Audit User Reference Manual.

REASON

This field applies only to RACF systems. It specifies the RACF reason for logging. This field is only found RACF processing and R_auditx records (SMF record type 80 and 83). This field is used to select records by the RACF reason for logging, for example, SPECIAL users being audited or logging due to SETROPTS LOGOPTIONS. When used for output, the default output is condensed; full output split into several lines can be requested using the EXPLODE output modifier and an overriding length of 15, for example, REASON(EXPLODE,15).

The REASON field shows the information that RACF logged. When no REASON value has been specified by the issuer of the log record, the value is shown as blanks. You may select or exclude such records by using the value NONE. This value cannot be combined with other values in a list specification.

The following table shows the REASON values and their meanings.

Table 10. SMF record REASON field - values for output processing
SELECT/EXCLUDE	Output code	Exploded output	Meaning
ACCESS RESOURCE	Ac	Resource	Access to the resource is being audited due to the AUDIT option, a logging request from the RACHECK exit routine, or because the operator granted access during failsoft processing
APPLAUDIT	Ap	Applaudit	Entity audited due to SETROPTS APPLAUDIT. Starting with z/OS 3.1, this audit can be extended to z/OS UNIX applications by defining a discrete profile APPLAUDIT.FOR.UNIX in the OPTAUDIT class
CLASS	Cl	Class	SETROPTS AUDIT(class) - Changes to this class of profile are being audited
CMDVIOL	Vi	CmdViol	Violation detected in command and CMDVIOL is in effect
COMMAND ALWAYS	Cm	Command	RVARY or SETROPTS command issued: these commands are always audited
COMPATMODE COMPAT	Co	Compatmode	Entity audited due to SETROPTS COMPATMODE
GLOBALAUDIT GLOBAL AUDITOR	G	Global audit	Access to entity being audited due to GLOBALAUDIT option
LOGOPTIONS	O	Logoptions	Class being audited due to SETROPTS LOGOPTIONS
NONE	blank	blank	No REASON value present in SMF record
OMVS_AUTHORITY	Oa	OMVS authority	Audited because user does not have appropriate authority in OpenEdition MVS
OMVS_UNDEFINED	Ou	OMVS undefined	Audited because user not defined to OpenEdition MVS
RACINIT	R	Racinitfailure	RACINIT failure
SECLABELAUDIT SECLABEL	Sl	Seclabel	Entity audited due to SETROPTS SECLABELAUDIT
SECLEVEL SECAUDIT	L	Seclevel	Entity audited due to SETROPTS SECLEVELAUDIT
SPECIAL	Sp	Special	SPECIAL or OPERATIONS users being audited (due to SETROPTS SAUDIT or SETROPTS OPERAUDIT)
USER	U	User	User being audited (due to ALTUSER UAUDIT)
VMEVENTVMAUDIT	Vm	VM event	VMEVENT auditing

Note: For SELECT/EXCLUDE processing, only the =, <>, and ¬= relational operators can be used.

RECNO

Record number of the current record within its input file (not overall). The RECNO field applies to the number of complete logical records within a single input file, counting the first record as 1. Found in all record types. Note: For SELECT/EXCLUDE processing, only the =, <>, and ¬= relational operators can be used.

RECORD

The RECORD field contains a single full record. It is designed to be used with a DUMP format, or in the DEFINE command. For information, see DEFINE, in combination with field-value manipulation functions in Field value manipulation..

Note: This field has format ASIS by default, which has been built specifically to keep trailing spaces and nulls intact. This format is also inherited by fields defined with RECORD as base. When trailing spaces should be trimmed, the overriding format CHAR can be used.

RECORD_DECOMPRESSED

If SMF record of type 100, 101, or 102 produced by Db2, or SMF record type 110 (subtype 1) produced by CICS is compressed, then this field contains a full decompressed record. If the record is not compressed, then this field is the same as SMF field RECORD. The default output format for RECORD_DECOMPRESSED is DUMP. The default output length is 72.

RECORDDESC

A descriptive string summarizing the record. This field is found in all predefined record types and is for output only. For most record types, a stock description is printed; for some record types, notably Accounting, Data set and Catalog activity, RACF/ACF2/TSS processing, and HSM function statistics, the description prints a string summarizing the record, often including the userid or data set name. The default length of the field is 150. The maximum length is 32760.

Note:

The values printed by the RECORDDESC field are subject to change. Do not write applications that are dependent on the output of this field.
For path names to appear in the RECORDDESC fields of Unix File System activity records (SMF record type 92) with subtypes 10 (open file), 11 (close file), 16 (close socket and character special file), and 17 (number of times a file is accessed throughout the life of an open), a CKFREEZE needs to be present in the input files of your setup.

RECORDLENGTH, RECORD_LENGTH

This field describes the length of the SMF record in bytes, including the SMF record header and the RDW. The given length is the one of the logical record. It is a decimal number of up to 32767. This field is available in all record types.

REGION_USER

This is an alias of TN_REGION_USER, TN_REGION_USERID, REGION_USER.

RELOCATE

This field applies only to RACF systems. It is meant for debugging purposes. It is only found in RACF processing and R_auditx records (SMF record types 80 and 83) , and in RACF initialization records (SMF record type 81). It can be used to select records containing specific relocate section codes; when used for output, all relocate sections contained in the record are printed. This is a repeated field, with one entry for each relocate section type found.

Older RACF relocate section codes are in the range 0 to 255; relocate section codes produced by OMVS auditing and Certificate processing are in the range 256 and upwards.

Note: For SELECT/EXCLUDE processing, only the = relational operator can be used.

REQUEST_ID

Contains the request ID (simple sequence number). This field is found in SMF record type 123. The default width is 6.

REQUEST_PASSED_FIPS

Flag field which reflects whether the request passed FIPS evaluation. This field is found in Integrated Cryptographic Service Facility (ICSF) records (SMF record type 82) with subtypes 42, 46, and 47.

RESET_ENFORCED

This flag field is true if a zERT policy-based enforcement action reset the connection. This can happen only when the value of the ACTION field is TERM or COMPLETE, denoting a connection termination or a short connection termination.

The RESET_ENFORCED field is reported missing if the event type is neither a connection termination nor a short connection termination. The value is reported missing for z/OS 2.4 or earlier. The default width is 3.

RESLEVEL

This numeric field specifies the level number of the DATASET or general resource. It is found in RACF processing records (SMF record type 80) that contain a resource. The default width is 2.

RACF processing does not use this field; an organization can use this field for any purpose.

RESOURCE

This field specifies the SAF resource name. This field is found in the following record types:

RACF processing and R_auditx records (SMF record types 80 and 83)
ACF2 processing records (only subtypes for data set use, resource use, and resource change)
TSS processing records (SMF record type 80)

This field is derived using information in the CKFREEZE data set for the following records:

Data set, ICF catalog activity records, common address space work records (SMF record types 14, 15, 17, 18, 30, 42, 60, 61, 62, 64, 65 and 66). To derive resource names for VSAM data set activity records (SMF record types 62 and 64), a CKFREEZE file with catalog information must be available for the system.
ICSF records (SMF record type 82, subtypes 9, 13, 23, 40, 41, 42, 44, 45, and 46).
To derive resource names for ICSF key labels (SMF record type 82 subtypes 40, 41, 44, 45), a CKFREEZE file with ICSF settings must be available for the system.
APF list change records (SMF record type 90, subtype 37)

In the absence of an applicable CKFREEZE or a matching SIMULATE statement, the field is empty.

With SMF record type 42 (DFSMS Statistics and Configuration) subtype 6 (Job Header (data set statistics)) records, each subrecord contains one RESOURCE field. With SMF type 42 (DFSMS Statistics and Configuration) subtype 27 (VTOC change) records, the RESOURCE field is missing.

If BYPASS is true, the RESOURCE field can be missing.

This is a repeated field. However, most records contain only one resource.

The default output length of the RESOURCE field is 44, which is sufficient for all resource names in the DATASET class. General resource names can have a length of up to 255 characters.

RTOKEN

This field applies only to RACF systems. It is an output only field that contains a string describing the contents of the Resource Security Token included in some RACF processing records (SMF record types 80 and 83 subtype 1) with EVENT=ACCESS. Because the RTOKEN value contains many fields–many that need not be set, the output has the format field1: value1; field2: value2.

To select all records with an RTOKEN field, use SELECT RELOCATE=54. To select on values contained in the RTOKEN field, use the derived field RTOKEN_FLAGS.

Note: The values printed by the RTOKEN field are subject to change. Do not write applications that are dependent on the output of this field.

RTOKEN_FLAGS

This field applies only to RACF systems. It describes the flags found in the Resource Security Token, which is included in some RACF processing records (SMF record types 80 and 83 subtype 1) with EVENT=ACCESS. It can be used for SELECT/EXCLUDE processing and for output; however, in most cases the RTOKEN field is more convenient for output. See the UTOKEN_FLAGS field for a description of the values in this field.

Note: The values printed by the RTOKEN_FLAGS field are subject to change. Do not write applications that are dependent on the output of this field.

R_URI

Shows a Uniform Resource Identifier. It is returned for z/OS connect request subrecords (SMF123, subtype 1).

SA_ACTIVE_CONN_CNT_BEG

Number of active connections for the life of the security session at the beginning of the summary interval. This field is found in zERT summary records (SMF record type 119, subtype 12).

SA_ACTIVE_CONN_CNT_END

Number of active connections for the life of the security session at the end of the summary interval. This field is found in zERT summary records (SMF record type 119, subtype 12).

SA_CONNECTION_CNT_BEG

Number of connections for the life of the security session at the beginning of the summary interval. This field is found in zERT summary records (SMF record type 119, subtype 12).

SA_CONNECTION_CNT_END

Number of connections for the life of the security session at the end of the summary interval. This field is found in zERT summary records (SMF record type 119, subtype 12).

SA_EVENT_TYPE

Security Association (SA) event type. This field is found in zERT connection detail records (SMF record type 119, subtype 11) and zERT summary records (SMF record type 119, subtype 12). The default output format of this field is SAEventType. This field and its values can also be used as input for filtering purposes.

Following are the possible values of this field in case of SMF record type 119, subtype 11:

Connection_initiation
Cryptographic_attributes_change
Connection_termination
Short_connection_termination
zERT_enabled
zERT_disabled
zERT_enforcement_action

When the value is Short_connection_termination, the connection terminates within 10 seconds of being established. No associated connection initiation record is written.

Following are the possible values of this field in case of SMF record type 119, subtype 12:

Summary_interval
zERT_aggregation_enabled
zERT_aggregation_disabled

SA_PARTIAL_CONN_CNT_BEG

Number of partial connections for the life of the security session at the beginning of the summary interval. This field is found in zERT summary records (SMF record type 119, subtype 12). A connection is considered to be a partial connection if either or both of the following conditions is met:

The connection was in existence before it was associated with the security session.
The security session stopped being associated with the connection, but the connection continued to exist.

SA_PARTIAL_CONN_CNT_END

Number of partial connections for the life of the security session at the end of the summary interval. This field is found in zERT summary records (SMF record type 119, subtype 12). A connection is considered to be a "partial connection" if either or both of the following conditions is met:

The connection was in existence before it was associated with the security session.
The security session stopped being associated with the connection, but the connection continued to exist.

SA_SESSION_ID

Unique identifier of a security session based on the server and client endpoints plus the significant security attributes for the session. This field is found in zERT summary records (SMF record type 119, subtype 12). The length of the field is 42 hexadecimal digits. Note that SA_SESSION_ID is in the form p-value, where:

p represents the cryptographic protocol. The following list shows the possible values for p:
- C: Clear text
- I: IPSec
- T: TLS/SSL
- S: SSH

value is a 40-digit hexadecimal string.

SA_SHORT_CONN_CNT_BEG

Number of short connections for the life of the security session at the beginning of the summary interval. The field has a value only if IP_PROTOCOL is TCP. This field is found in zERT summary records (SMF record type 119, subtype 12). Short connections are connections that last less than 10 seconds.

SA_SHORT_CONN_CNT_END

Number of short connections for the life of the security session at the end of the summary interval. The field has a value only if IP_PROTOCOL is TCP. This field is found in zERT summary records (SMF record type 119, subtype 12). Short connections are connections that last less than 10 seconds.

SECLABEL

This field applies only to RACF systems. It contains the security label for the user. This field is found in the following record types:

RACF processing and R_auditx records (SMF record types 80 and 83) if your installation has activated the SECLABEL class through a SETROPTS CLASSACT(SECLABEL) command.
Integrated Cryptographic Service Facility (ICSF) records (SMF record type 82, subtype 40, 41, 42, 44, 45, 46, and 47).
System status records (SMF record type 90, subtypes 37 and 38)
Db2 records (SMF record type 102) with subtypes/IFCids 83, 87, 140, 142, 269, and 314 if nonblank and nonnull.
CSSMTP client records (SMF record type 119) with subtype 48 if nonblank and nonnull.
TCP/IP profile event records (SMF record type 119, subtype 4)

SECURITY_EVENT

Identifies a high-level security event. zSecure Admin and Audit supports this field for the following record types only:

(Top Secret only) CA-Top Secret processing records (SMF record type 80).
Db2 audit records (SMF record type 102) with subtype/IFCid 4, 5, 6, 7, 8, 9, 10, 22, 23, 24, 25, 33, 34, 35, 36, 37, 38, 39, 40, 41, 55, 63, 83, 87, 90, 91, 92, 97, 104, 106, 107, 114, 115, 116, 118, 119, 120, 140, 141, 142, 143, 144, 145, 169, 177, 219, 220, 258, 269, 270, 271, 314, 319, 350, 361, 362 if nonblank and nonnull.
z/OS UNIX File System Activity, security attribute audit records (SMF record type 92, subtype 15).
z/OS SSH records (SMF 119 subtypes 94, 95, 96, 97, 98).

Note: The values printed by the SECURITY_EVENT field are subject to change. Do not write applications that are dependent on the default output of this field. You can use the overriding output format dec to use this field as a programming interface.

Table 11. SMF record SECURITY_EVENT field - output formats
Default output format	"dec" format	Explanation
Logon user success	1	Successful user logon
Logon user warning	2	Warning user logon
Logon user failure	3	Failed user logon
Logoff user	4	User logoff
Session start success	5	Successful batch/started task start
Session start warning	6	Warning batch/started task start
Session start failure	7	Failed batch/started task start
Session end	8	Batch/started task end
Access success	9	Successful access attempt
Access warning	10	Warning access attempt
Access failure	11	Failed access attempt

SECURITY_PROTOCOL_IPSEC

Flag field that indicates whether IPsec is a cryptographic security protocol for the connection. This field is found in zERT connection detail records (SMF record type 119, subtype 11) and zERT summary records (SMF record type 119, subtype 12).

SECURITY_PROTOCOL_SSH

Flag field that indicates whether SSH is a cryptographic security protocol for the connection. This field is found in zERT connection detail records (SMF record type 119, subtype 11) and zERT summary records (SMF record type 119, subtype 12).

SECURITY_PROTO_TLS_SSL

Flag field that indicates whether TLS or SSL is a cryptographic security protocol for the connection. This field is found in zERT connection detail records (SMF record type 119, subtype 11) and zERT summary records (SMF record type 119, subtype 12).

SENSTYPE, SENSITIVITY

Sensitivity for the object. This field is 11 characters wide. It has a value for any record type that has a non-blank DSNAME and RESOURCE. The SENSTYPE field is a repeating field that shows an alphabetically ordered list of the following items:

The main sensitivity type as shown in the field SENSTYPE in the SENSDSN newlist, where the following values match: data set name, volume serial, SMF ID, complex, and version.
The multiple sensitivity types as shown in the field PRIV_SENSTYPE in the SENSDSN newlist type, where the following values match: data set name, volume serial, SMF ID, complex, and version.
Simulated sensitivity types based on SIMULATE SENSITIVE or SIMULATE CLASS=DATASET (but not for temporary data sets).

See Predefined sensitivity types related to newlists for a list of built-in sensitivities. For this field to be properly filled in, a CKFREEZE file with data set information must be present, like for the SENSDSN newlist.

This field is derived using information in the CKFREEZE data set; in the absence of an applicable CKFREEZE or a matching SIMULATE statement, the field is empty.

SERVAUTH_POE

This field applies only to RACF systems. It shows the contents of relocate section 386 that might be present in SMF records types 80 and 83. The field contains a SERVAUTH port of entry name or the name of the profile that protects the SERVAUTH resource if the resource name itself is unavailable.

SERVER_BEGIN_PORT

Starting value for the server port range. This field is found in zERT summary records (SMF record type 119, subtype 12).

SERVER_END_PORT

Ending value for the server port range. This field is found in zERT summary records (SMF record type 119, subtype 12). Note that, in case of a security session representing a single-server port, the SERVER_END_PORT and SERVER_BEGIN_PORT fields have the same value.

SET_MK_NO_CHANGE_MK

This flag field is true if a new master key is promoted to current master key outside of a change master key. This field is included in ICSF master key to current promotion event records (SMF record type 82 subtype 49).

SIG_DATE

Text field that specifies the date that the module was signed.

SIG_ENTITY_DN

Text field that provides the program signer (End Entity) certificate subject's distinguished name.

SIG_EXPIRATION

Text field that specifies the date when the module certificate chain expires.

SIG_PROGRAM_LOADED

Flag field that indicates whether the Signature Verification program was loaded for this event record.

SIG_ROOT_DN

Text field contains the distinguished name for the root signing certificate subject's distinguished name.

SIG_TIME

Text field that specifies the time that the module was signed.

SMF_ACTREC

This repeating field is present only in subrecords of SMF record type 90 subtypes 5, 9, 13, and 15 (initializing or configuring SMF parameters). It contains the SMF record types for which SMF recording is enabled, for the sub-system that the subrecord is about. The default width is 4. See SUBRECORD.

SMFDD

Contains the ddname of the IBM Security zSecure SMF input file. The value can be SMF or in the range SMF00-SMF99. Supported for all SMF record types.

SMF_FIELD

This pseudo-field can be used to create user-defined SMF fields, to select and display values not provided for by the existing, built-in fields. It can be used for values at a constant offset within the SMF record. For a full description and examples of use, see Defining fields in SMF records.

SMF_INACTREC

This repeating field is present only in subrecords of SMF record type 90 subtypes 5, 9, 13, and 15 (initializing or configuring SMF parameters). It contains the SMF record types for which SMF recording is disabled, for the sub-system that the subrecord is about. The default width is 4. See SUBRECORD.

SMF_SECTION

This pseudo-field can be used to create user-defined SMF fields, in order to select and display values that the existing built-in fields do not support. It can be used for values that are described by a so-called self-defining section or triple within the SMF record. For a full description and examples of use, see Defining fields in SMF records.

SMF_SECTION_INDEX

These pseudo-fields can be used for SELECT/EXCLUDE processing and in DEFINE commands. They can be used to create user-defined SMF fields, to select and display values not provided for by the existing, built-in fields. See RACF_SECTION, SMF_FIELD, or SMF_SECTION.

SMF_SECTION12_INDEX

SMFUSERID, SMFUSER

The user identification field from the SMF common exit parameter area.

In RACF and ACF2 systems, this field is found in most process record types. If your installation has an exit that writes a user ID in the common exit area, the value represents the user ID. Otherwise, the value is 0. In Top Secret systems, this field is found in all SMF processing records (SMF record type 80) and Integrated Cryptographic Service Facility (ICSF) records (SMF record type 82, subtype 40, 41, 42, 44, 45, 46, and 47). The value is always blank unless your installation has an exit that writes a user ID in the common exit area. If such an exit exists, the value can be the user ID, *, or *MISSING. For VMXEVENT audit records, when used, this field contains the alternate user ID.

SPECIALTYPE

This field is an identifier for records that cannot be uniquely recognized from their numerical TYPE alone, either because the SMF record number for a specific application is not static (field values ACF2, AIM, HSM0, HSM1, OMEG, RMMAUD, RMMSEC, SECURPASS, SUPSESS, TLMS, and TPX) or because an application reuses a number that is officially assigned to another application (field value TSS). The SMF record numbers that correspond to each SPECIALTYPE are determined based on the CKFREEZE file for a system, or based on SIMULATE SMF commands (see SIMULATE).

SRCHOST

The SRCHOST field contains the port number of the remote host for this event record. This field is found in relocate section 108 (sessRemHost) of security audit records from IBM WebSphere Application Server (SMF record 83, subtype 5). The field is also found in NFS audit statistics records (SMF record type 42 subtype 26).

SRCIP

Source IP address. This field is found in the following record types:

SMF record type 42, subtype 26 (NFS audit statistics)
SMF record type 83, subtype 5 (audit records from IBM WebSphere Application Server)
SMF record type 102, subtype/IFCid 269 and 319
SMF record type 109 (z/OS Firewall Technologies records)
SMF record type 110, subtype 1 (CICS performance monitoring record)
SMF record type 118 (IPv4)
SMF record type 119 (IPv4 or IPv6)

For other record types, or if the field value is not contained in the SMF record, the value is obtained using the LU name in the TERMINAL field. The TERMINAL field can be part of the record itself or can be extracted from the job tag. The SCRIP value might be missing if it cannot be resolved using this process. See section The job tag system in the zSecure (Admin and) Audit User Reference Manual.

Note:

For WebSphere Application Server audit records (SMF record type 83, subtype 5), the value is taken from relocate section 106 (sessRemAddr) of the record.
In case of zERT summary (SMF record type 119, subtype 12) SMF records, SRCIP and DSTIP field values depend on the field IP_PROTOCOL and flag field LOCAL_SOCKET_SERVER or LOCAL_SOCKET_CLIENT.
For TCP connections:
- If LOCAL_SOCKET_SERVER is Yes, DSTIP reflects the server IP address and SRCIP reflects the client IP address.
- If LOCAL_SOCKET_SERVER is No, DSTIP reflects the client IP address and SRCIP reflects the server IP address.
For UDP connections, DSTIP reflects the server IP address and SRCIP reflects the client IP address.
For the following SMF type 119 records, DSTIP is on the local z/OS system writing the SMF record, and SRCIP is the possible remote communication partner:
- TCP connection initiation (119-1) and termination (119-2)
- FTP client transfer completion (119-3)
- UDP socket close (119-10)
- zERT connection detail (119-11)
- TN3270 server SNA session initiation (119-20) and termination (119-21)
- FTP server transfer completion (119-70)
- FTP server login failure (119-72)
- IPsec tunnel (119-73, 119-74, 119-75, 119-76, 119-77, 119-78, 119-79, 119-80)
For TSO telnet client connection initiation (119-22) and termination (119-23) SMF records, DSTIP reflects the remote (server) IP address, and SRCIP reflects the local IP address.
In case of SSH records (SMF 119, subtypes 94, 95, 96, 97, 98) SRCIP reflects what the record calls the remote IP address.

SRCPORT

Source port number. This field is found in the following record types:

SMF record type 109 (z/OS Firewall Technologies records)
SMF record type 118 (IPv4)
SMF record type 119 (IPv4 or IPv6)
SMF record type 83 subtype 5 (audit records from IBM WebSphere Application Server)

For WebSphere Application Server audit records, the value is taken from relocate section 107 (sessRemPort) of the record.

SSH_*

For the descriptions of the ACF2_* fields, see SMF field descriptions: SSH_*.

START_TOD

Start date and time of the interval. This field is found in Integrated Cryptographic Service Facility (ICSF) records (SMF record type 82) with subtypes 31, 44, 45, 46, and 47.

STEPNAME

Step name. This field is found in the following record types:

ACF2 data set use records.
Step Termination and Accounting records (SMF record types 4, 30, 32, 33, and 34).
Data set activity record types 14 and 15.
System status records (SMF record type 90, subtypes 37 and 38)
DFSMS Statistics and Configuration records (SMF record type 42, several subtypes).
Dynamic APF records (SMF record type 90 subtype 37).
DB2 audit and performance records (SMF record type 102).
z/OS UNIX File System Activity, security attribute audit records (SMF record type 92, subtype 15).

STORCLAS

The SMS storage class for the data set. The field is potentially found in types 14, 15, 42, and 62. With SMF record type 42 (DFSMS Statistics and Configuration) subtype 6 (Job Header (data set statistics)) records, each subrecord contains one STORCLAS field.

SUBRECNO

This field returns the value of the current subrecord number within the full SMF record. This field is supported in the following records:

SMF record type 42 (DFSMS Statistics and Configuration), subtype 6 (Job Header (data set statistics) records)
SMF record type 90, subtype 5, 9, 13, 15 (initializing or configuring SMF parameters)
SMF record type 110, subtype 1, class 3 (CICS monitoring performance records)
SMF 123 subtype 1, version 2 (layout) records

See SUBRECORD.

SUBRECORD

SMF record type 42 (DFSMS Statistics and Configuration) subtype 6 (Job Header (data set statistics)) records can contain several data set header sections. These repeated sections are processed as if they are single ordinary SMF records. The SUBRECORD field contains the full data set header subrecord.

SMF record type 90 subtype 5, 9, 13, and 15 (initializing or configuring SMF parameters) can contain several subsystem record sections for each subsystem. These subsystem record sections are processed as if they are single ordinary SMF records. The SUBRECORD field contains one of the subsystem record sections.

SMF record type 110, subtype 1, class 3 (CICS monitoring performance records) contain many Performance Data sections, relating to separate CICS events. These repeated sections are processed as if they are single ordinary SMF records. This field contains the full Performance subrecord.

SMF record type 123 subtype 1 (z/OS Connect audit data) can contain several request sections in its version 2 layout. These request sections are processed as if they are single ordinary SMF records. The SUBRECORD field contains one of the request sections as defined by the request triplet.

The complete SMF record can be found in the RECORD field.

SUBSYS

This field contains the 4 character subsystem name. The SMF standard header has an architected place for a subsystem name under the control of a bit in the SMF header. If one is present, it is returned, unless it is always empty (type 41) or the flag is on by accident (type 118). In addition, some record types report a subsystem name even though the header flag says not. This applies to type 59, 99, 100, 101, and 102.

SUBSYS_TYPE

This field describes the subsystem type that generated the SMF record. It is populated only if a CKFREEZE file is used. This field recognizes only JES2 and JES3 subsystems. For other subsystems, or SMF records not created by a subsystem, this field is missing. You can select this field by using its byte-value. Table 12 shows the possible values:

Table 12. SMF record SUBSYS_TYPE field values
Subsys value	Description
X'02'	JES2
X'03'	JES3

This field is derived using information from a CKFREEZE data set. In the absence of an applicable CKFREEZE or a matching SIMULATE statement, the field is empty.

SUBTYPE

This field contains the SMF record subtype and can only be used for output; for SELECT/EXCLUDE processing, it is selected implicitly with the TYPE field. This field is found in all records that have subtypes, for example SMF record types 24, 30, 32, 33, 41, 42, 83 and 110. The SMF record header is examined to determine whether subtypes are present; as a result, subtypes are also found in record types for which only basic support is available.

The following tables show supported subtype values and their meaning:

Table 13 SMF record type 24: JES2 Spool Offload SUBTYPEs
Table 14 SMF record type 29: IMS ODBM accounting
Table 15 SMF record type 30: Common Address Space Work SUBTYPEs
Table 16 SMF record type 32: TSO/E User Work Accounting SUBTYPEs
Table 17 SMF record type 33: APPC/MVS TP Accounting SUBTYPEs
Table 18 SMF record type 41: DIV ACCESS/UNACCESS SUBTYPEs
Table 19 SMF record type 42: DFSMS Statistics and Configuration
Table 20 SMF record type 70: RMF CPU Activity SUBTYPEs
Table 21 SMF record type 72: RMF Workload Activity and Storage Data SUBTYPEs
Table 22 SMF record type 74: RMF Device and XCF Activity SUBTYPEs
Table 23 SMF record type 78: RMF Monitor I Activity SUBTYPEs
Table 24 SMF record type 79: RMF Monitor II Activity
Table 25 SMF record type 82: ICSF Integrated Cryptographic Facility SUBTYPEs
Table 26 SMF record type 83: Security events SUBTYPEs
Table 27 SMF record type 84: JES3 Monitoring Facility (JMF) Data SUBTYPEs
Table 28 SMF record type 85: OAM Object Access Method SUBTYPEs
Table 29 SMF record type 87: GRS Monitoring
Table 30 SMF record type 88: System Logger Data SUBTYPEs
Table 31 SMF record type 89: Product Usage Data SUBTYPEs
Table 32 SMF record type 90: System Status SUBTYPEs
Table 33 SMF record type 91: Batch Pipes/MVS Statistics SUBTYPEs
Table 34 SMF record type 92: Unix File System Activity SUBTYPEs
Table 35 SMF record type 94: IBM Tape Library Dataserver Statistics SUBTYPEs
Table 36 SMF record type 96: The Integrated Reasoning System TIRS statistics SUBTYPEs
Table 37 SMF record type 99: System Resource Manager decision SUBTYPEs
Table 38 SMF record type 100, 101, and 102: Db2 Performance and Audit SUBTYPEs
Table 39 SMF record type 103: IBM HTTP Server SUBTYPEs
Table 40 SMF record type 106: Base Control Program internal interface (BCPii) activity
Table 41 SMF record type 110: CICS Records SUBTYPEs
Table 42SMF record type 115: MQSeries Statistics SUBTYPEs
Table 44 SMF record type 119: Connectivity Statistics SUBTYPEs
Table 45 SMF record type 120: WebSphere AS Performance Statistics SUBTYPEs
Table 46 SMF record type 121: JZOS batch launcher Java runtime statistics

Table 13. SMF record type 24: JES2 Spool Offload SUBTYPEs
Subtype	Meaning
1	Job Transmitted
2	Job Received
3	SYSOUT Transmitted
4	SYSOUT Received

Table 14. SMF record type 29: IMS ODBM accounting
Subtype	Meaning
1	IMS ODBM accounting
2	IMS JVM CPU usage

Table 15. SMF record type 30: Common Address Space Work SUBTYPEs
Subtype	Meaning
1	Job start
2	Interval
3	Step termination
4	Step total
5	Job termination
6	System address space

Table 16. SMF record type 32: TSO/E User Work Accounting SUBTYPEs
Subtype	Meaning
1	TSO/E User Interval
2	TSO/E User Session End
3	TSO/E User Detail Interval Record
4	TSO/E User Detail Session End

Table 17. SMF record type 33: APPC/MVS TP Accounting SUBTYPEs
Subtype	Meaning
1	APPC/MVS Transaction
2	APPC/MVS Conversation

Table 18. SMF record type 41: DIV ACCESS/UNACCESS SUBTYPEs
Subtype	Meaning
1	DIV ACCESS
2	DIV UNACCESS
3	VLF Statistics

Table 19. SMF record type 42: DFSMS Statistics and Configuration SUBTYPEs
Subtype	Meaning
1	BMF Cache Summary
2	Control Unit Cache
3	SMS Configuration Changed
4	System Data Mover Session statistics
5	Storage Class VTOC and VVDS I/O statistics
6	Data Set Level I/O statistics
7	NFS File Usage statistics
8	NFS User Session statistics
9	B37/D37/E37 Abend Data
10	Volume Selection Failure
11	Extended Remote Copy (XRC) Session
14	ADSM Session Resource Usage
15	VSAM RLS CF Storage Class Response Time
16	VSAM RLS CF Data Set Response Time
17	VSAM RLS CF Lock Structure Usage
18	VSAM RLS CF Cache Partition Usage
19	VSAM RLS buffer manager LRU activity
20	STOW Initialize
21	Member Delete
22	DFSMSrmm Audit Records
23	DFSMSrmm Security Records
24	Member Add/Replace
25	Member Rename
26	NFS Create/Delete/Rename statistics
27	VTOC Change Audit Record

Table 20. SMF record type 70: RMF CPU Activity SUBTYPEs
Subtype	Meaning
1	RMF CPU, PR/SM, and ICF Activity
2	RMF Cryptographic Hardware Activity

Table 21. SMF record type 72: RMF Workload Activity and Storage Data SUBTYPEs
Subtype	Meaning
1	RMF Workload Activity (compatibility mode)
2	RMF Storage data (compatibility mode)
3	RMF Workload Activity (goal mode)
4	RMF Storage data (goal mode)
5	RMF System suspend lock and GRS data

Table 22. SMF record type 74: RMF Device and XCF Activity SUBTYPEs
Subtype	Meaning
1	RMF Device Activity
2	RMF XCF Activity
3	RMF OMVS Facility Activity
4	RMF Coupling Facility Activity
5	RMF Cache Subsystem Activity
6	RMF HFS Statistics
7	RMF FICON® Director Statistics

Table 23. SMF record type 78: RMF Monitor I Activity SUBTYPEs
Subtype	Meaning
1	RMF I/O Queuing Activity (4381)
2	RMF Virtual Storage Activity
3	RMF I/O Queuing Activity

Table 24. SMF record type 79: RMF Monitor II Activity
Subtype	Meaning
1	RMF Address Space State Data
2	RMF Address Space Resource Data
3	RMF Storage/Processor Data
4	RMF Paging Activity
5	RMF Address Space SRM Data
6	RMF Reserve Data
7	RMF Enqueue Contention Data
8	RMF Transaction Activity
9	RMF Device Activity
10	RMF Domain Activity
11	RMF Page Data Set Activity
12	RMF Channel Path Activity
13	RMF I/O Queuing Activity (4381)
14	RMF I/O Queuing Activity
15	RMF IRLM Long Lock Detection

Table 25. SMF record type 82: ICSF Integrated Cryptographic Facility SUBTYPEs
Subtype	Meaning
1	ICSF start
3	ICSF crypto processor added/removed
4	ICSF crypto failure or tampering
5	ICSF change to special security mode
6	ICSF key part entered through KEU
7	ICSF key part entered through KEU
8	ICSF in-storage CKDS copy refreshed
9	ICSF CKDS dynamically updated
10	ICSF PKA master key part entered
11	ICSF clear master key part entered
12	ICSF key loaded from TKE workstation
13	ICSF CKDS dynamically updated
14	ICSF PCI Cryptographic Coprocessor clear master key entry
15	ICSF PCI Cryptographic Coprocessor retained key create/delete
16	ICSF PCI Cryptographic Coprocessor TKE
17	ICSF PCI Cryptographic Coprocessor timing
18	ICSF PCI Cryptographic Coprocessor configuration
19	ICSF PCI X Cryptographic Coprocessor timing
20	ICSF Cryptographic Coprocessor performance
21	ICSF Sysplex group change
22	ICSF Trusted block create callable services
23	ICSF Token data set updated
24	ICSF Duplicate tokens found
25	ICSF Key store policy activated
26	ICSF Public key data set refreshed
27	ICSF PKA key management extension information
28	ICSF High performance encrypted key information
29	ICSF TKE workstation audit record
30	ICSF Use of archived key
31	ICSF cryptographic statistics data
40	ICSF CCA symmetric key lifecycle event
41	ICSF CCA asymmetric key lifecycle event
42	ICSF PKCS#11 object lifecycle event
43	ICSF Regional cryptographic server information
44	ICSF CCA symmetric key usage event
45	ICSF CCA asymmetric key usage event
46	ICSF PKCS#11 key usage event
47	ICSF PKCS#11 no key usage event
48	ICSF compliance warning event
49	ICSF new MK promoted to current

Table 26. SMF record type 83: Security events SUBTYPEs
Subtype	Meaning
1	RACF Processing Record for Auditing Data Sets: Security Label Change
2	EIM Processing
3	LDAP audit data
4	R_auditx remote auditing service
5	IBM WebSphere Application Server audit data
6	Security Key Lifecycle Manager audit data
7	IBM Multi-Factor Authentication audit data

Table 27. SMF record type 84: JES3 Monitoring Facility (JMF) Data SUBTYPEs
Subtype	Meaning
1	JES3 FCT analysis
2	JES3 FCT summary and highlight
3	JES3 Spool data management
4	JES3 Resqueue cellpool and control block utilization
5	JES3 Job analysis
6	JES3 hot spot analysis
7	JES3 internal reader DSP analysis
8	JES3 SSI response time analysis
9	JES3 SSI destination queue analysis
10	JES3 Workload Manager Analysis
21	JES2 resource usage section

Table 28. SMF record type 85: OAM Object Access Method SUBTYPEs
Subtype	Meaning
1	OAM OSREQ Access
2	OAM OSREQ Store
3	OAM OSREQ Retrieve
4	OAM OSREQ Query
5	OAM OSREQ Change
6	OAM OSREQ Delete
7	OAM OSREQ Unaccess
32	OAM Storage Group Processing
33	OAM DASD space management
34	OAM Optical Disk Recovery Utility
35	OAM MOVEVOL Utility
36	OAM Single Object Recovery Utility
37	OAM OSMC Space Management
64	OAM LCS Optical Drive Vary Online
65	OAM LCS Optical Drive Vary Offline
66	OAM LCS Optical Library Vary Online
67	OAM LCS Optical Library Vary Offline
68	OAM LCS Optical Cartridge Eject
69	OAM LCS Optical Cartridge Entry
70	OAM LCS Optical Cartridge Label
71	OAM LCS Optical Volume Audit
72	OAM LCS Optical Volume Mount
73	OAM LCS Optical Volume Demount
74	OAM LCS Optical Write request
75	OAM LCS Optical Read request
76	OAM LCS Optical Logical Delete Request
77	OAM LCS Optical Physical Delete Request
78	OAM LCS Object Tape Write Request
79	OAM LCS Object Tape Read Request
87	OAM LCS Object Tape Volume Demount
88	OAM LCS Object Tape Logical Delete
90	OAM LCS File System Write Request
91	OAM LCS File System Read Request
92	OAM LCS File System Physical Delete
93	OAM LCS File System Delete-Store Cleanup
100	OAM LCS Cloud Write Request
101	OAM LCS Cloud Read Request
102	OAM LCS Cloud Physical Delete Request
103	OAM LCS Cloud Delete-Store Cleanup

Table 29. SMF record type 87: GRS Monitoring
Subtype	Meaning
1	GRS global generic queue scan issuers info
2	GRS ENQ/DEQ/ISGENQ/RESERVE request details

Table 30. SMF record type 88: System Logger Data SUBTYPEs
Subtype	Meaning
1	System log: Stream Activity
11	System log: CF Alter Activity

Table 31. SMF record type 89: Product Usage Data SUBTYPEs
Subtype	Meaning
1	Product Usage Data
2	Product State Data

Table 32. SMF record type 90: System Status SUBTYPEs
Subtype	Meaning
1	SET TIME
2	SET DATE
3	SET DMN
4	SET IPS
5	SET SMF
6	SWITCH SMF
7	HALT EOD
8	IPL PROMPT
9	IPL SMF
10	IPL SRM
11	SET OPT
12	SET ICS
13	SETSMF
14	SET MPF
15	RESTART SMF
16	SET DAE
17	SET PFK
18	SET GRSNRL
19	SET APPC
20	SET SCHPRM
21	SET SCH
22	SET CNGRP
23	WLM Service Definition Install
24	WLM Service Policy Activation
25	Workload Management Mode Change
26	IPL LOGREC
27	ARM restarts enabled
28	ARM restarts disabled
29	SET PROG (LNKLST set activation)
30	RESET command completed
31	SET PROG (LPA Set Activation)
32	Scheduling Environment Information
33	SET AUTOR
34	Processor capacity change occurred
36	SET CON (Console Configuration)
37	Changes to APF list

Table 33. SMF record type 91: Batch Pipes/MVS Statistics
Subtype	Meaning
1	Batch pipe Subsystem Start
2	Batch pipe Subsystem Interval Expiration
3	Batch pipe Subsystem Stop
11	Batch pipe Open-Connection
12	Batch pipe Interval Expiration
13	Batch pipe Close-Connection
14	Batch pipe Creation
15	Batch pipe Deletion

Table 34. SMF record type 92: Unix File System Activity SUBTYPEs
Subtype	Meaning
1	UNIX File System mounted
2	UNIX File System suspended
4	UNIX File System resumed
5	UNIX File System unmounted
6	UNIX File System remounted
7	UNIX File System moved
10	UNIX file opened
11	UNIX file closed
12	UNIX mmap service
13	UNIX munmap service
15	UNIX security attributes (APF authorization, program control, or shared library) changed
16	UNIX socket or character special files is closed
17	Number of times a UNIX file is accessed throughout the life of an open

Table 35. SMF record type 94: IBM Tape Library Dataserver Statistics SUBTYPEs
Subtype	Meaning
1	34xx Library Statistics

Table 36. SMF record type 96: The Integrated Reasoning System TIRS statistics SUBTYPEs
Subtype	Meaning
1	The Integrated Reasoning System detail statistics
2	The Integrated Reasoning System summary statistics

Table 37. SMF record type 99: System Resource Manager decision SUBTYPEs
Subtype	Meaning
1	SRM system level data
2	SRM service class data
3	SRM service class period plot data
4	SRM device cluster data
5	SRM monitored address space data
6	SRM next interval resource settings
7	SRM PAV device data
8	SRM WLM LPAR partition data
9	SRM IOS subsystem data

The subtypes for SMF record types 100, 101, and 102: DB2 Performance and Audit represent the IFCid. Its meaning can be printed with format DB2_IFCid. Table 38 shows the subtypes, whether they use or define numeric Data Base IDs, Object IDs, or Data Set IDs (DBIDs, OBIDs, and DSIDs), and what fields are filled in with detailed information from the subtype relocate sections.

Table 38. SMF record type 100, 101, and 102: Db2 Performance and Audit SUBTYPEs
Subtype	Meaning	Specific Field Support	Trace Class or IFCID
0	Normal trace record		GLOB(3)
1	System statistics		STAT(1), MON(1), PERF(1)
2	Database statistics		STAT(1), MON(1), PERF(1)
3	Accounting		ACCT(1), PERF(2)
4	Start/modify trace	DB2_COMMAND, RECORDDESC	All
5	Stop trace	DB2_COMMAND, RECORDDESC	All
6	Read I/O start	DB2_OBJECT*, INTENT, RECORDDESC, SECURITY_EVENT	ACCT(3,8), MON(3,8), PERF(4)
7	Read I/O completion	DB2_OBJECT*, INTENT, RECORDDESC, SECURITY_EVENT	ACCT(3,8), MON(3,8), PERF(4)
8	Write I/O start	DB2_OBJECT*, INTENT, RECORDDESC, SECURITY_EVENT	ACCT(3,8), MON(3,8), PERF(4)
9	Write I/O completion	INTENT, RECORDDESC, SECURITY_EVENT	ACCT(3,8), MON(3,8), PERF(4)
10	Synchronous write I/O start	DB2_OBJECT*, INTENT, RECORDDESC, SECURITY_EVENT	PERF(4)
11	Validation exit call results		PERF(13)
12	Encode exit call results		PERF(13)
13	Hash scan input		PERF(8)
14	End of hash scan		PERF(8)
15	Index scan input		PERF(8)
16	Insert input		PERF(8)
17	Sequential scan input		PERF(8)
18	Exit from index scan, sequential scan, or insert		PERF(8) and IFCID(15) or IFCID(16) or IFCID(17)
19	Decode exit call results		PERF(13)
20	Lock summary		PERF(6)
21	Lock detail		PERF(7)
22	Optimizer mini-plan generation	DB2_OBJECT*, PROGRAM, RECORDDESC, SECURITY_EVENT	PERF(3)
23	Start utility	DB2_OBJECT*, RECORDDESC, SECURITY_EVENT	AUDIT(8), PERF(10)
24	Change utility	DB2_OBJECT*, RECORDDESC, SECURITY_EVENT	AUDIT(8), PERF(10)
25	End utility	DB2_OBJECT*, RECORDDESC, SECURITY_EVENT	AUDIT(8), PERF(10)
26	Sort work file obtained		PERF(3,9)
27	Sort new run		PERF(3,9)
28	Sort runs created		PERF(3,9)
29	EDM I/O start	SECURITY_EVENT	PERF(4)
30	EDM I/O end	SECURITY_EVENT	PERF(4)
31	EDM pool not large enough		PERF(1)
32	Start wait for log manager	INTENT	ACCT(3,8), MON(3,8), PERF(5)
33	End wait for log manager	RECORDDESC	ACCT(3,8), MON(3,8), PERF(5)
34	Log manager read I/O start	DSN, INTENT, RECORDDESC, SECURITY_EVENT	PERF(5)
35	Log manager read I/O completion	INTENT, RECORDDESC, SECURITY_EVENT	PERF(5)
36	Start wait for log manager non-I/O	RECORDDESC	PERF(5)
37	End wait for log manager non-I/O	RECORDDESC	PERF(5)
38	Log manager write active log I/O start	DSN, INTENT, RECORDDESC, SECURITY_EVENT	PERF(5), GLOB(3)
39	Log manager write active log I/O completion	DSN, INTENT, RECORDDESC, SECURITY_EVENT	PERF(5)
40	Log manager write archive log I/O start	DSN, INTENT, RECORDDESC	PERF(5)
41	Log manager write archive log I/O completion	INTENT, RECORDDESC	PERF(5)
42	Checkpoint start		PERF(1)
43	Checkpoint completion		PERF(1)
44	IRLM suspend entry		ACCT(3,8), MON(3,8), PERF(6)
45	IRLM suspend exit		ACCT(3,8), MON(3,8), PERF(6)
46	Synchronous EU switch		PERF(11), GLOB(3)
47	SRB execution unit started		PERF(11), GLOB(3)
48	SRB execution unit completed		PERF(11), GLOB(3)
49	TCB execution unit started		PERF(11), GLOB(3)
50	TCB execution unit completed		PERF(11), GLOB(3)
51	Shared latch resume		ACCT(3,8), MON(3,8), PERF(11), GLOB(3)
52	Shared latch suspend entry		ACCT(3,8), MON(3,8), PERF(11), GLOB(3)
53	End describe		PERF(3)
54	Lock contention information
55	Set current SQLid	DB2_SQLID, RECORDDESC	AUDIT(7), PERF(3)
56	Exclusive latch suspend		ACCT(3,8), MON(3,8), PERF(11), GLOB(3)
57	Exclusive latch resume		ACCT(3,8), MON(3,8), PERF(11), GLOB(3)
58	SQL call completion		PERF(3)
59	SQL fetch		PERF(3)
60	SQL select		PERF(3)
61	SQL del/insert/update	SECURITY_EVENT	PERF(3)
62	SQL auth/ddl/lock	DB2_OBJECT*, INTENT, RECORDDESC, SECURITY_EVENT	PERF(3)
63	SQL statement bind	DB2_COMMAND, RECORDDESC, SECURITY_EVENT	PERF(3)
64	SQL prepare		PERF(3)
65	SQL open cursor		PERF(3)
66	SQL close cursor		PERF(3)
67	Accounting collection beginning		PERF(14)
68	Abort entry		PERF(2), GLOB(3)
69	Abort exit		PERF(2), GLOB(3)
70	Commit entry		PERF(2), GLOB(3)
71	Commit exit		PERF(2), GLOB(3)
72	Create thread entry		PERF(2), GLOB(3)
73	Create thread exit		PERF(2), GLOB(3)
74	Terminate thread entry		PERF(2), GLOB(3)
75	Terminate thread exit		PERF(2), GLOB(3)
76	End of memory entry		PERF(1), GLOB(3)
77	End of memory exit		PERF(1), GLOB(3)
78	End of task entry		PERF(1)
79	End of task exit		PERF(1)
80	Establish exits entry		PERF(2), GLOB(3)
81	Establish exits exit		PERF(2), GLOB(3)
82	Identify entry		PERF(2), GLOB(3)
83	Identify request	DB2_SECAUTHID, DB2_SQLID, SECURITY_EVENT, USER, GROUP, RECORDDESC, SECLABEL, UTOKEN*	AUDIT(7), PERF(2), GLOB(3)
84	Prepare entry		PERF(2), GLOB(3)
85	Prepare exit		PERF(2), GLOB(3)
86	Signon entry		PERF(2), GLOB(3)
87	Signon request	DB2_SECAUTHID, DB2_SQLID, SECURITY_EVENT, USER, GROUP, RECORDDESC, SECLABEL, UTOKEN*	AUDIT(7). PERF(2), GLOB(3)
88	Sync start		PERF(2), GLOB(3)
89	Sync start		PERF(2), GLOB(3)
90	Db2 command start	DB2_COMMAND, RECORDDESC	PERF(10)
91	Db2 command completion	RECORDDESC	PERF(10)
92	AMS command start	DB2_COMMAND, RECORDDESC	PERF(3)
93	Suspend		PERF(11), GLOB(3)
94	Resume		PERF(11), GLOB(3)
95	Sort entry		PERF(3,9)
96	Sort exit		PERF(3,9)
97	AMS command completion	DB2_COMMAND, RECORDDESC	PERF(3)
98	Getmain/freemain entry		PERF(12)
99	Getmain/freemain exit		PERF(12)
100	Pool expansion/contraction entry		PERF(12)
101	Pool expansion/contraction exit		PERF(12)
102	Short on storage on		PERF(1)
103	Short on storage off		PERF(1)
104	Log data set DSID lookup info for other records	DSN, RECORDDESC	PERF(5)
105	DBID/OBID lookup info needed for other records	DB2_OBJECT*	STAT(1), PERF(1,4,6,7, 8,10,13)
106	System parameters at startup	RECORDDESC	STAT(1), ACCT(1), MON(1), PERF(1,2,3,4, 5,6,7,8,9, 10,11,12,13, 14), GLOB(1,2,3,4)
107	Open/close table space	DB2_OBJECT*, RECORDDESC, SECURITY_EVENT	PERF(1,4,6,7, 8,10,13)
108	Bind/rebind start		PERF(10)
109	Bind/rebind completion		PERF(10)
110	Free beginning		PERF(10)
111	Free end		PERF(10)
112	Successful plan allocation allied threads		PERF(3)
113	Successful allocation system agents		PERF(11)
114	Begin read I/O archive	DSN, INTENT, RECORDDESC	PERF(5), GLOB(3)
115	End read I/O archive DASD	INTENT, RECORDDESC	PERF(5), GLOB(3)
116	End read I/O archive tape	INTENT, RECORDDESC	PERF(5), GLOB(3)
117	Start archive read		INTENT
118	Archive read completion	INTENT, RECORDDESC	ACCT(3,8), MON(3,8), PERF(5), GLOB(3)
119	Start BSDS write	DSN, INTENT, RECORDDESC	PERF(5)
120	BSDS write completion	INTENT, RECORDDESC	PERF(5)
121	Thread level entry into Db2		PERF(14)
122	Thread level exit from Db2		PERF(14)
123	SRV generated records		IFCID(123)
124	SQL statement record via IFI		MON(1,9)
125	Multiple index access path selection		PERF(8)
126	Buffer log writes		PERF(30)
127	Begin wait for I/O by another agent		ACCT(3,8), MON(3,8), PERF(4)
128	End wait for I/O by another agent		ACCT(3,8), MON(3,8), PERF(4)
129	Log CI record via reads request of ifi		MON(1)
130	Index logging		GLOB(4)
131	Used by utilities		GLOB(2)
132	DBET Changes		GLOB(1)
133	EDM service		GLOB(2)
134	EDM service		GLOB(1)
135	Work file alloc/delete block		GLOB(5)
136	SQL parse		GLOB(5)
137	Path		GLOB(5)
138	EDM service		GLOB(1)
139	EDM service		GLOB(2)
140	Authorization failed	DB2_COMMAND, DB2_OBJECT, INTENT, SECURITY_EVENT, USER, GROUP, RECORDDESC, SECLABEL, UTOKEN	AUDIT(1)
141	Grant/revoke	DB2_COMMAND, DB2_OBJECT_TYPE, RECORDDESC, SECURITY_EVENT	AUDIT(2)
142	Create/drop/alter audited table	DB2_COMMAND, DB2_OBJECT, USER, GROUP, INTENT, RECORDDESC, SECLABEL, SECURITY_EVENT, UTOKEN	AUDIT(3)
143	First change (write) audited object	DB2_OBJECT*, INTENT, RECORDDESC, SECURITY_EVENT	AUDIT(4)
144	First access (read) audited object	DB2_OBJECT*, INTENT, RECORDDESC, SECURITY_EVENT	AUDIT(5)
145	DML audit log	DB2_COMMAND, DB2_OBJECT*, INTENT, PROGRAM, RECORDDESC, SECURITY_EVENT	AUDIT(6)
146	Installation audit record		AUDIT(9)
147	Active thread snapshot		MON(1)
148	Active thread detail		MON(1)
149	All lock holders of a resource		MON(1)
150	All locks for a user		MON(1)
151	Installation accounting information		ACCT(4)
152	Installation statistics		STAT(2)
153	Installation performance exception		PERF(1)
154	Installation performance		PERF(15)
155	Installation monitoring		MON(4)
156	Installation serviceability		GLOB(6)
157	DRDS requesting site data		PERF(16)
158	DRDS responding site data		PERF(16)
159	DRDS conversation mgr interactions		PERF(16)
160	DC requesting agent data		PERF(16)
161	DC responding agent data		PERF(16)
162	DTM requesting agent data		PERF(16)
163	DTM responding agent data		PERF(16)
164	VTAM® exits to DB2		GLOB(7)
165	VTAM macro calls/returns		GLOB(7)
166	Buffer sent/received		GLOB(7)
167	Conversation allocation request		PERF(16)
168	Distributed SQL statement		GLOB(8)
169	Distributed authid translation	RECORDDESC	AUDIT(7)
170	Begin wait for EU switch		ACCT(3,8), MON(3,8)
171	End wait for EU switch		ACCT(3,8), MON(3,8)
172	Deadlock data		STAT(3), PERF(6)
173	Dynamic SQL exceeds ASUTIME	RECORDDESC	PERF(3), STAT(4)
174	Begin archive log mode(quiesce) wait		ACCT(3,8), MON(3,8), PERF(2), GLOB(3)
175	End archive log mode(quiesce) wait		ACCT(3,8), MON(3,8), PERF(2), GLOB(3)
177	Successful package allocation	DB2_OBJECT*, PROGRAM, RECORDDESC, SECURITY_EVENT	PERF(3)
178	Start DSNJW117 exit routine		STAT(30,31,32), PERF(30,31,32), GLOB(30,31,32), ACCT(30,31,32), AUDIT(30,31,32), MON(30,31,32)
179	End DSNJW117 exit routine		STAT(30,31,32), PERF(30,31,32), GLOB(30,31,32), ACCT(30,31,32), AUDIT(30,31,32), MON(30,31,32)
180	DSS communication buffers		GLOB(9)
181	DDM level 6B objects		GLOB(9)
182	DDM RDS/SCC interface data		GLOB(9)
183	DRDS RDS/SCC interface data	DB2_OBJECT*, PROGRAM, RECORDDESC	PERF(16)
184	Decrypted communication buffers		GLOB(9)
185	Changed data capture		MON(6)
186	MEPL trace		IFCID(186)
187	Accounting class 5 flag		ACCT(5), MON(5)
188	CDC performance record		STAT(30,31,32), PERF(30,31,32), GLOB(30,31,32), ACCT(30,31,32), AUDIT(30,31,32), MON(30,31,32)
189	Activate 5FAC diagnostic logrec
190	Hybrid join overflows		GLOB(5)
191	DDM level		STAT(4)
192	DDM header error		STAT(4)
193	COMMIT/ROLLBACK mismatch		STAT(4)
194	Invalid SNA FMH-5 received		STAT(4)
195	DRDS exception		STAT(4)
196	Lock timeout		STAT(3), PERF(6)
198	Buffer mgr getpage/setwrite trace		IFCID(198)
199	Buffer mgr data set lstats trace		STAT(8), MON(1)
200	Accounting - nesting		None
201	Alter buffer pool command		PERF(10)
202	Dynamic zparm bufferpool information		STAT(1), MON(1)
203	Heuristic decision		STAT(4)
204	Partner cold start detected		STAT(4)
205	Incorrect logname or sync parms on warm start		STAT(4)
206	SNA Compare States protocol error		STAT(4)
207	Heuristic damage detected during SNA exchange		STAT(4)
208	SNA Synchpoint protocol error		STAT(4)
209	Synchpoint communication failure		STAT(4)
210	LOGNAME changed on WARM START		STAT(4)
211	Make/Release/Change Claim request information		PERF(17)
212	Drain/Release Claim request information		PERF(17)
213	Begin wait for a drain lock		ACCT(3,8), MON(3,8), PERF(6,17)
214	End wait for a drain lock		ACCT(3,8), MON(3,8), PERF(6,17)
215	Begin wait for claim count to go to zero		ACCT(3,8), MON(3,8), PERF(17)
216	End wait for claim count to go to zero		ACCT(3,8), MON(3,8), PERF(17)
217	Storage Pool Detail		GLOB(10)
218	Commit_LSN summary record		PERF(6)
219	Utility LISTDEF	RECORDDESC	AUDIT(8), PERF(10)
220	Utility data set close	DSN, INTENT, RECORDDESC, SECURITY_EVENT	AUDIT(8), PERF(10)
221	Degree of parallelism of a parallel group		PERF(8)
222	Number of rows processed by a parallel group		PERF(8)
223	Commit_LSN detail record		PERF(7)
224	Data Manager Select Procedure bypass trace		IFCID(224)
225	Storage Pool Summary		STAT(6)
226	Begin Wait due to page latch contention		ACCT(3,8), MON(3,8), PERF(4)
227	End Wait due to page latch contention		ACCT(3,8), MON(3,8), PERF(4)
228	Start archive tape unit deallocation wait		PERF(5), GLOB(3)
229	End archive deallocation wait		PERF(5), GLOB(3)
230	Data sharing global statistics		STAT(5), MON(1)
231	Parallel tasks detail record		PERF(8)
232	Accounting class 2 ifcid		ACCT(2,7), MON(1,7)
233	Start/end call to user routine		PERF(3)
234	Calling agent authorization id		DB startup
235	Conditional restart data loss		STAT(4)
236	XLN protocol error		STAT(4)
237	Set current degree		PERF(3)
238	Error detected during Db2 restart		STAT(4)
239	Package/dbrm accounting overflow information		ACCT(1)
240	Accounting class 7 IFCid		ACCT(7), MON(7)
241	Accounting class 8 IFCid		ACCT(8), MON(8)
242	Begin wait for a stored procedure		ACCT(3,8), MON(3,8)
243	End wait for a stored procedure		ACCT(3,8), MON(3,8)
244	Stored Procedure Parameter List		PERF(32)
245	Stored Procedure Parameter List		PERF(32)
246	Stored Procedure Cache Table		PERF(32)
247	Input host variable tracing		GLOB(5)
248	Output host variable tracing		GLOB(5)
249	EDM pool invalidate dbd		PERF(20), GLOB(5)
250	Connect/disconnect of a group buffer pool		STAT(3), PERF(20)
251	Pageset/partition P-lock(negotiation) request		PERF(20)
252	Beginning of XES request		GLOB(3)
254	Backing cache structure stats		STAT(5), MON(2)
255	Buffer refresh due to cross-invalidation		PERF(21)
256	Alter group bufferpool command		PERF(10,20)
257	IRLM notify request detail		PERF(20)
258	Extend data set	DB2_OBJECT*, DSN, INTENT, RECORDDESC, SECURITY_EVENT	STAT(3)
259	Page P-lock request(or negotiation) request		PERF(21)
260	End of XES request		GLOB(3)
261	Group buffer pool checkpoint		STAT(3), PERF(20)
262	Group buffer pool castout threshold		STAT(3), PERF(20)
263	Pageset and partition castout statistics		PERF(21)
265	SCA access request begin		GLOB(3)
266	SCA access request end		GLOB(3)
267	CF rebuild start event		STAT(4), PERF(20), GLOB(3)
268	CF rebuild end event		STAT(4), PERF(20), GLOB(3)
269	Trusted connection established/reused	GROUP, RECORDDESC, SECLABEL, SRCIP, USER, UTOKEN*	AUDIT(10)
270	Trusted context created/altered	DB2_COMMAND, RECORDDESC	AUDIT(10)
271	Row and column access control	DB2_COMMAND, DB2_OBJECT_TYPE, RECORDDESC
272	Associate locators statement info		PERF(3)
273	Allocate cursor statement info		PERF(3)
274	Input SQLDA/host variable ctrl blk		PERF(32)
275	Output SQLDA/host variable ctrl blk		PERF(32)
276	Input SQLDA/transition variable		PERF(32)
277	Routine get storage		PERF(32)
278	Routine free storage		PERF(32)
280 - 298	Error simulation
299	DRDA exception
300 - 304	Error simulation
305	Check constraint		PERF(8)
306	Log records via IFI reads		MON(2)
307 - 310	Error simulation
311	Global temporary tables		PERF(3,8)
312	DCE authorization (obsolete)		PERF(8)
313	Long running URs at checkpoint		STAT(3)
314	Authorization exit access control action	USER, GROUP, RECORDDESC, SECLABEL, SECURITY_EVENT, UTOKEN*	PERF(22)
316	Prepared statement cache stats		MON(1)
317	Prepared statement cache statement		MON(1)
318	Prepared statement cache switch		None
319	Kerberos identity	RECORDDESC, SRCIP	AUDIT(7)
320	Debug messages
321	Begin force-at-commit		PERF(2)
322	End force-at-commit		PERF(2)
323	Predictive governor serviceability
324	Function resolution trace		PERF(3)
325	End of trigger activation		PERF(3)
326	EU switch dump trigger-internal only		None
327	LE runtime diagnosis		PERF(23)
328	Built in function service trace
329	Asynch IXLCACHE/IXLFCOMP requests		ACCT(3), MON(3), PERF(21)
330	Active log shortage situation		STAT(3)
331	Locator service		PERF(32)
332	TransCSO service		PERF(32)
333	Traverse CSO		PERF(32)
334	DRDA exceptions for scrollable cursor		PERF(32)
335	System event stalled notification		STAT(3)
336	Output CCSID cntl block
337	Lock escalation occurrences		PERF(6), STAT(3)
338	Storage analysis
339	Package detail switch
340	SQLCODE trace
341	Incremental bind for special register
342	WF/TD usage per agent		PERF(32)
343	MAXTEMPS zparm limit for agent is exceeded	RECORDDESC	PERF(3), STAT(4)
344	SP/UDF function entry/exit point	RECORDDESC	GLOB(11)
345	SP/UDF function data point	RECORDDESC	GLOB(11)
346	Active package detail	RECORDDESC
347 - 349	Serviceability IFI trace
350	SQL bind full statement	DB2_COMMAND, RECORDDESC, SECURITY_EVENT	PERF(3,32)
351	Begin TCP/IP LOB materialization	RECORDDESC	ACCT(3,8)
352	End TCP/IP LOB materialization	RECORDDESC	ACCT(3,8)
357	Begin index I/O parallelism		PERF(4)
358	End index I/O parallelism		PERF(4)
359	Index page split		PERF(4)
360	Incrementally bound queries		PERF(3,10)
361	Audit administrative authorities	DB2_COMMAND, DB2_OBJECT_TYPE, INTENT, and RECORDDESC	AUDIT(11)
362	Begin audit trace with AUDITPOLICY	DSN, RECORDDESC	AUDIT(11)
363	Parallel group straw model trace		PERF(8)
364	Address space creation/termination		GLOBAL(3)
365	DDF stats record		STAT(7)
367	XML Storage Manager
368	Serviceability IFCid
369	Aggregated Accounting Statistics		STAT(9)
370	Data set open	DSN, RECORDDESC	PERF(19)
371	Data set close	DSN, RECORDDESC	PERF(19)
372	Advanced Triggers
373	DECP and ZPARM settings
374	Auth cache serviceability trace
375	Serviceability trace
376	Agent serviceability trace
377	Agent serviceability trace
380	SP detail record		PERF(24)
381	UDF detail record
384	Statistics feedback recommendation
385	Statistics feedback externalization
386	Auth ENF signal serviceability trace
387	Profile table SET statements
388	Serviceability TRACE for global vars
389	Index Manager memory management(FTB)		STAT(8)
390	Serviceability UDF caching
391	Block fetch statistics
397	RLF predictive gov for dynamic stmt
398	RLF reactive gov for dynamic stmt
399	SQLPL ASUTime track
400	Collect static stmt stats		MON(29)
401	Static stmt stats external		MON(29)
402	Profile stats		STAT(4)
403	Reserved for SAO/DWA
404	Auth serviceability trace	DB2_OBJECT, DB2_OBJECT_TYPE, RECORDDESC
405	APREUSE failure serviceability
413	Record a pipe wait suspend time		MON(3,8)
414	Resumption of pipe wait suspend time		MON(3,8)
477	Index FTB create/ free		PERF(4)
497	Non SP/UDF stmt execution detail
498	UDF stmt execution detail
499	SP stmt execution detail		PERF(4)
500	Used to control DIRTY STORAGE
501	Used to control COUNTPAGES
502	Used to control sync dumping
511	Serviceability trace

Table 39. SMF record type 103: IBM HTTP Server SUBTYPEs
Subtype	Meaning	Specified field support
1	IBM HTTP Server configuration data
2	IBM HTTP Server performance data
13	IBM HTTP Server operational statistics
14	IBM HTTP Server request and response

Table 40. SMF record type 106: Base Control Program internal interface (BCPii) activity
Subtype	Meaning
1	BCPii HWISET data
2	BCPii HWICMD data

Table 41. SMF record type 110: CICS Records SUBTYPEs
Subtype	Meaning
0	CICS Journaling data
1	CICS Monitoring data. The CICS monitoring records have four subclasses: Dictionary Performance Exception Transaction resource
2	CICS Statistics
3	CICS Shared temporary queue server
4	CICS Coupling facility data server
5	CICS Named counter sequence number

Table 42. SMF record type 115: MQSeries Statistics SUBTYPEs
Subtype	Meaning
1	MQSeries® log statistics
2	MQSeries performance information

Table 43. SMF record type 118: TCP/IP Statistics SUBTYPEs
Subtype	Meaning
1	TCP Connection Initiation
2	TCP Connection Termination
3	FTP Client Transfer Completion
4	TN3270 Client
5	TCP/IP Statistics
20	TN3270 Server SNA Session Initiation
21	TN3270 Server SNA Session Termination
70	FTP Server Appending
71	FTP Server Deleting
72	FTP Server Logon Failure
73	FTP Server Renaming
74	FTP Server Retrieving
75	FTP Server Storing

Table 44. SMF record type 119: Connectivity Statistics SUBTYPEs
Subtype	Meaning
1	TCP Connection Initiation
2	TCP Connection Termination
3	FTP Client Transfer Completion
4	TCP/IP profile event record
5	TCP/IP Statistics
6	Interface Statistics
7	Server Port Statistics
8	TCP/IP Stack Start/Stop
10	UDP Socket Close
11	zERT Connection Detail
12	zERT Summary
20	TN3270 Server SNA Session Initiation
21	TN3270 Server SNA Session Termination
22	TSO Telnet Client Connection Initiation
23	TSO Telnet Client Connection Termination
24	TN3270 Server Profile Event
48	CSSMTP Configuration
49	CSSMTP Connection
50	CSSMTP Mail
51	CSSMTP Spool
52	CSSMTP Statistics
70	FTP Server Transfer Completion
71	FTP Daemon Configuration
72	FTP Server Login Failure
73	IPsec IKE Tunnel Activation/Refresh
74	IPsec IKE Tunnel Deactivate/Expire
75	IPsec Dynamic Tunnel Activation/Refresh
76	IPsec Dynamic Tunnel Deactivation
77	IPSec Dynamic Tunnel Added
78	IPsec Dynamic Tunnel Remove
79	IPsec Manual Tunnel Activation
80	IPsec Manual Tunnel Deactivation
81	VTAM 3270 Intrusion Detection Services event record
94	SSH client connection started
95	SSH server connection started
96	SSH server transfer completion
97	SSH client transfer completion
98	SSH login failure record
100-104	Note: NMI only, not available in SMF.

Table 45. SMF record type 120: WebSphere AS Performance Statistics SUBTYPEs
Subtype	Meaning
1	WebSphere AS Server Activity
2	WebSphere AS Container Activity
3	WebSphere AS Server Interval
4	WebSphere AS Container Interval

Table 46. SMF record type 121: JZOS batch launcher Java runtime statistics
Subtype	Meaning
1	JZOS batch launcher Java runtime statistics

Table 47. SMF record type 123: z/OS Connect EE audit interceptor
Subtype	Meaning
1	z/OS Connect EE audit interceptor

Table 48. SMF record type 1153: JES2 resource limit and usage information
Subtype	Meaning
1	JES2 resource limit and usage information

Table 49. SMF record type 1154: z/OS Compliance Evidence
Subtype	Meaning
1	TCP/IP stack compliance evidence
2	FTP daemon compliance evidence
3	TN3270 compliance evidence
4	CSSMTP compliance evidence
49	ICSF compliance evidence
50	Console compliance evidence
51	DFSMSdfp compliance evidence
52	DFSMSrmm compliance evidence
53	DFSMShsm compliance evidence
54	DFSMSdss compliance evidence
78	SSH daemon compliance evidence
79	INET daemon compliance evidence
80	CICS compliance evidence
81	Db2 compliance evidence
82	MQ compliance evidence
83	RACF compliance evidence
84	zACM compliance evidence
85	IMS and OTMA compliance evidence
86	IMS OM compliance evidence
87	IMS Connect compliance evidence
96	SMF system-level compliance evidence
97	SMF subsystem compliance evidence
113	XCF CF encryption compliance evidence
114	JES2 subsystem compliance evidence
128	Processor activity compliance evidence

SUMMARY_INTERVAL

Duration of the summary interval specified in hours, minutes, and seconds. This field is found in zERT summary records (SMF record type 119, subtype 12).

SYSNAME

The name of the system that wrote the SMF record. This field is included in ICSF master key to current promotion event records (SMF record type 82 subtype 49).

SYSPLEX

The name of the sysplex the SYSTEM is a part of (if applicable). This field is derived using information from a CKFREEZE data set. In the absence of an applicable CKFREEZE or a matching SIMULATE statement, the field is empty.

SYSTEM

The name of the system (the SMF system ID, which is four characters long). Found in all record types.

SYSTYPE

Operating system type. This field is found in all record types.

Note: The output values for this field are not identical to the SELECT/EXCLUDE values; also, the default output size of this field is three characters; use an overriding length of nine to get the full output.

Table 50 lists the possible SYSTYPE values (in increasing sort order).

Table 50. SMF record SYSTYPE field - SELECT/EXCLUDE and Output values
SELECT/EXCLUDE value	Output value	Meaning
VM	VM	VM
VS2	VS2	OS/VS2
SP2 XA	SP2 (XA)	MVS/XA
SP3 ESA	SP3 (ESA)	MVS/ESA SP3
SP4 SP5	SP4 (ESA)	MVS/ESA SP4 or SP5

TERMINAL

Terminal ID of foreground user (zero if not available). This field is found in the following record types:

RACF processing and R_auditx records (SMF record types 80 and 83)
TSS (Top Secret Security) processing records (SMF record type 80)
Integrated Cryptographic Service Facility (ICSF) records (SMF record type 82, subtype 30, 40, 41, 42, 44, 45, 46, 47)
Db2 performance and audit records (SMF record types 100, 101, and 102). TERMINAL shows the (remote) location where the unit-of-work originated. The value of TERMINAL is obtained from the QWHSLUNM field.
CICS subrecords (SMF record type 110, subtype 1, class 3)
Telnet server TCP/IP records (SMF record types 118 and 119)
HSM function statistics records
OMEGAMON security audit records

The value of TERMINAL is derived using the job tag system for data set, Job Initiation and Accounting records, ICF catalog activity records, and UNIX file system activity records (SMF record types 14, 15, 17, 18, 20, 30, 32, 60, 61, 62, 64, 65, 66, and 92). Note that, for SMF record types 20, 30, and 32, the field INITIAL_TERMINAL contains the information from the SMF record.

TIME

Time of day the record was written. For detailed instructions about how to use this field in SELECT/EXCLUDE specifications, see Time fields.

TLS_*

For the descriptions of the TLS_* fields, see SMF field descriptions: TLS_*.

TN_*

For the descriptions of the TN_* fields, see SMF field descriptions: TN_*.

TOKEN_FORMAT

The format of the token. This field is found in Integrated Cryptographic Service Facility (ICSF) records (SMF record type 82, subtype 40 and 44).

The input format and default output format of the field is TokenFormat. The following table lists the possible values:

Value	Meaning
Fixed	Fixed length CCA
Var	Variable length CCA
TR-31	TR-31 key block
RKX	RKX token

TOKEN_VALIDATION_VALUE

This field contains a checksum to detect a potential corruption in the token. ICSF uses it to verify that the token is valid. This field is included in SMF record type 82, subtypes 40 and 44 as Token Identification Value. It is present only if the value of the TOKEN_FORMAT field is Fixed, meaning that the token is a fixed-length CCA token. The default length of the field is 8 characters.

TRACKING_TOKEN

A readable representation of a z/OS Connect CICS/IMS Tracking Token. The tracking token is formatted as multiple parts that are separated by a dot: the prefix (BAQ), the version ('1'), the correlator, and a list of one-character stakeholder identifiers. The correlator itself for the CICS and IMS token is formatted as the sysplex name, sysname, and request initiation time stamp (8-byte TOD clock formatted in a form that is compatible with the Java time format). The accuracy of the clock is in microseconds.

Warning: When thinking about qualifiers in the name, be aware that the fraction of seconds in the time stamp starts with a dot as well.

Example: BAQ.1.TECPLEX.TEC2.2020-10-30T16:51:46.532052

TRANSACTION

For Db2 performance and audit records (SMF record types 100, 101, and 102), the value is obtained from the QWHCEUTX field. TRANSACTION shows the transaction name at the (remote) location where the unit-of-work originated. The field contains the value of the application name from the client information that is specified for the connection in the CURRENT CLIENT_APPLNAME Db2 special register.

For CICS monitoring performance subrecords (SMF 110, subtype 1, class 3), this field shows the name of the transaction that was run. If this information is not available, this field is not reported.

For RACF processing records (SMF record type 80), the value is taken from the relocate section 445, subfield CICS Transaction ID of the record.

TRANSPORT_LAYER_CONN_ID

Transport layer connection ID. This field is found in zERT connection detail records (SMF record type 119, subtype 11). The length of the field is 8 hexadecimal digits.

TSOCMD

A string containing a TSO command name. This repeated field is only found in SMF record type 32 (TSO/E User Work Accounting), and only contains those TSO commands accounted by the installation; all other commands are collected as ***OTHER. This field can be combined with the TSOCMDCNT field.

TSOCMDCNT

A repeated field containing the number of times a given TSO command was executed. This field can only be used for output and should be combined with the TSOCMD field.

TSS_*

For the descriptions of the TLS_* fields, see SMF field descriptions: TSS_*.

TYPE

SMF numerical record type. This field is found in all record types. When used in SELECT/EXCLUDE processing, this field is used to select types and subtypes; for output, these fields are separated in TYPE and SUBTYPE.

For SELECT/EXCLUDE processing, each record type can be further specified by a list of subtypes, as shown in the following examples:

SELECT TYPE=(20, 30, 32, 80, 83)
SELECT TYPE=(20, 30(1, 3, 4, 6), 80, 83(1))
SELECT TYPE<>(20 30(5) 80)

For SELECT/EXCLUDE processing, only the =, <>, and ¬= relational operators can be used.

Starting with z/OS 2.3 SMF record types greater than 255 are supported. The default width of field TYPE is 4.

UNITTYPE

This field can be used to select or output the device type used. It is found in data set activity records (SMF record types 14, 15, 62 and 64), ICF Catalog Activity records (SMF record type 61, 65, and 66), and Accounting records (SMF record type 30). In SMF record type 30, the unit type is not available in all subtypes, and is only available for started tasks if detail recording is on. This value can be verified using the DETAIL field of NEWLIST TYPE=SMFOPT.

Table 51 lists the possible UNITTYPE values.

Table 51. SMF record UNITTYPE field - possible values
UNITTYPE value	Meaning
3350	3350 DASD Unit
3380	3380 DASD Unit
3390	3390 DASD Unit
3400	3400 Tape Unit
3480	3480 Tape Unit
3490	3490 Tape Unit
9345	9345 DASD Unit
DASD	Unknown (output) or any (SELECT) type of DASD Unit
TAPE	Unknown (output) or any (SELECT) type of Tape Unit
????	Unknown unit type (not tape or DASD) (output-only)

Note: There is a slight difference between SELECT/EXCLUDE processing and output values: TAPE and DASD match any tape or DASD unit in SELECT/EXCLUDE processing, but is only output for an unknown type of tape or DASD unit; the value '????' cannot be used for SELECT/EXCLUDE processing, but is output-only. For SELECT/EXCLUDE processing, only the =, <>, and ¬= relational operators can be used.

Note: UNITTYPE is a repeated field. In the current version of IBM Security zSecure, this repeated field can contain duplicate unit types for some record types.

UNIX_*

For the descriptions of the ACF2_* fields, see SMF field descriptions: UNIX_*.

UOWID

This field contains a unique value that fully identifies the network unit of work. It is a concatenation of the fully qualified netname and a name by which the network unit of work is known in the originating system. This name is derived from the system clock of the originating system. The netname is the name by which the remote system or terminal is known to the network. The default width is 30.

For Db2 performance and audit records (SMF record types 100, 101, and 102), the value is derived from the QWHCTOKN field.

For CICS monitoring records (SMF record type 110, subtype 1), the value is derived from the fields NETUOWPX and NETUOWSX.

The default format of this field displays the value in networkid.LUname.hex format. This field can also be displayed in hexadecimal format.

USAGE_COUNT

This repeating field is found in Integrated Cryptographic Service Facility (ICSF) records (SMF record type 82) with subtypes 31, 44, 45, 46, and 47. The field is also found in processor activity compliance evidence records (SMF record type 1154, subtype 128), where it is called SMF1154_128_CrypCtrs_Count, as indicated in the IFAS4128 macro. The default output length of the USAGE_COUNT field is 20 characters.

With SMF 82 subtypes 44, 45, 46, and 47, the field contains a single value: the number of usages accounted for in the record at hand. With SMF 82 subtype 31, the field lies in a repeat group with the USAGE_COUNT_ID, USAGE_COUNT_TYPE, and USAGE_COUNT_TYPE_ID fields, and the meaning of the USAGE_COUNT field depends on the USAGE_COUNT_TYPE and USAGE_COUNT_ID field values, as shown in the following table.

USAGE_COUNT_TYPE value	USAGE_COUNT meaning
ALG	Crypto algorithm usage count
CARD	Crypto card usage count
CPACF	CPACF usage count
RCS	Regional Cryptographic Server (RCS) usage count
SOFTW	Crypto software usage count
SRV	ICSF callable service usage count
UDX	UDX service usage count

With SMF 1154 subtype 128, the field lies in a repeat group with the USAGE_COUNT_ID, USAGE_COUNT_TYPE, and USAGE_COUNT_TYPE_ID fields. The meaning of the USAGE_COUNT field depends on the USAGE_COUNT_TYPE and USAGE_COUNT_TYPE_ID field values, as shown in the following table.

Table 52. Meaning USAGE_COUNT field
Counter number	USAGE_ COUNT_ TYPE	USAGE_COUNT_ID	Processor activity counted
1	KM	DEA	KM-DEA function ending with CC=0
2	KM	TDEA-128	KM-TDEA-128 function ending with CC=0
3	KM	TDEA-192	KM-TDEA-192 function ending with CC=0
4	KM	Enc-DEA	KM-Encrypted-DEA function ending with CC=0
5	KM	Enc-TDEA-128	KM-Encrypted-TDEA-128 function ending with CC=0
6	KM	Enc-TDEA-192	KM-Encrypted-TDEA-192 function ending with CC=0
7	KM	AES-128	KM-AES-128 function ending with CC=0
8	KM	AES-192	KM-AES-192 function ending with CC=0
9	KM	AES-256	KM-AES-256 function ending with CC=0
10	KM	Enc-AES-128	KM-Encrypted-AES-128 function ending with CC=0
11	KM	Enc-AES-192	KM-Encrypted-AES-192 function ending with CC=0
12	KM	Enc-AES-256	KM-Encrypted-AES-256 function ending with CC=0
13	KM	XTS-AES-128	KM-XTS-AES-128 function ending with CC=0
14	KM	XTS-AES-256	KM-XTS-AES-256 function ending with CC=0
15	KM	XTS-Enc-AES-128	KM-XTS-Encrypted-AES-128 function ending with CC=0
16	KM	XTS-Enc-AES-256	KM-XTS-Encrypted-AES-256 function ending with CC=0
17	KMC	DEA	KMC-DEA function ending with CC=0
18	KMC	TDEA-128	KMC-TDEA-128 function ending with CC=0
19	KMC	TDEA-192	KMC-TDEA-192 function ending with CC=0
20	KMC	Enc-DEA	KMC-Encrypted-DEA function ending with CC=0
21	KMC	Enc-TDEA-128	KMC-Encrypted-TDEA-128 function ending with CC=0
22	KMC	Enc-TDEA-192	KMC-Encrypted-TDEA-192 function ending with CC=0
23	KMC	AES-128	KMC-AES-128 function ending with CC=0
24	KMC	AES-192	KMC-AES-192 function ending with CC=0
25	KMC	AES-256	KMC-AES-256 function ending with CC=0
26	KMC	Enc-AES-128	KMC-Encrypted-AES-128 function ending with CC=0
27	KMC	Enc-AES-192	KMC-Encrypted-AES-192 function ending with CC=0
28	KMC	Enc-AES-256	KMC-Encrypted-AES-256 function ending with CC=0
29	KMC	PRNG	KMC-PRNG function ending with CC=0
30	KMA	GCM-AES-128	KMA-GCM-AES-128 function ending with CC=0
31	KMA	GCM-AES-192	KMA-GCM-AES-192 function ending with CC=0
32	KMA	GCM-AES-256	KMA-GCM-AES-256 function ending with CC=0
33	KMA	GCM-Enc-AES-128	KMA-GCM-Encrypted-AES-128 function ending with CC=0
34	KMA	GCM-Enc-AES-192	KMA-GCM-Encrypted-AES-192 function ending with CC=0
35	KMA	GCM-Enc-AES-256	KMA-GCM-Encrypted-AES-256 function ending with CC=0
36	KMF	DEA	KMF-DEA function ending with CC=0
37	KMF	TDEA-128	KMF-TDEA-128 function ending with CC=0
38	KMF	TDEA-192	KMF-TDEA-192 function ending with CC=0
39	KMF	Enc-DEA	KMF-Encrypted-DEA function ending with CC=0
40	KMF	Enc-TDEA-128	KMF-Encrypted-TDEA-128 function ending with CC=0
41	KMF	Enc-TDEA-192	KMF-Encrypted-TDEA-192 function ending with CC=0
42	KMF	AES-128	KMF-AES-128 function ending with CC=0
43	KMF	AES-192	KMF-AES-192 function ending with CC=0
44	KMF	AES-256	KMF-AES-256 function ending with CC=0
45	KMF	Enc-AES-128	KMF-Encrypted-AES-128 function ending with CC=0
46	KMF	Enc-AES-192	KMF-Encrypted-AES-192 function ending with CC=0
47	KMF	Enc-AES-256	KMF-Encrypted-AES-256 function ending with CC=0
48	KMCTR	DEA	KMCTR-DEA function ending with CC=0
49	KMCTR	TDEA-128	KMCTR-TDEA-128 function ending with CC=0
50	KMCTR	TDEA-192	KMCTR-TDEA-192 function ending with CC=0
51	KMCTR	Enc-DEA	KMCTR-Encrypted-DEA function ending with CC=0
52	KMCTR	Enc-TDEA-128	KMCTR-Encrypted-TDEA-128 function ending with CC=0
53	KMCTR	Enc-TDEA-192	KMCTR-Encrypted-TDEA-192 function ending with CC=0
54	KMCTR	AES-128	KMCTR-AES-128 function ending with CC=0
55	KMCTR	AES-192	KMCTR-AES-192 function ending with CC=0
56	KMCTR	AES-256	KMCTR-AES-256 function ending with CC=0
57	KMCTR	Enc-AES-128	KMCTR-Encrypted-AES-128 function ending with CC=0
58	KMCTR	Enc-AES-192	KMCTR-Encrypted-AES-192 function ending with CC=0
59	KMCTR	Enc-AES-256	KMCTR-Encrypted-AES-256 function ending with CC=0
60	KMO	DEA	KMO-DEA function ending with CC=0
61	KMO	TDEA-128	KMO-TDEA-128 function ending with CC=0
62	KMO	TDEA-192	KMO-TDEA-192 function ending with CC=0
63	KMO	Enc-DEA	KMO-Encrypted-DEA function ending with CC=0
64	KMO	Enc-TDEA-128	KMO-Encrypted-TDEA-128 function ending with CC=0
65	KMO	Enc-TDEA-192	KMO-Encrypted-TDEA-192 function ending with CC=0
66	KMO	AES-128	KMO-AES-128 function ending with CC=0
67	KMO	AES-192	KMO-AES-192 function ending with CC=0
68	KMO	AES-256	KMO-AES-256 function ending with CC=0
69	KMO	Enc-AES-128	KMO-Encrypted-AES-128 function ending with CC=0
70	KMO	Enc-AES-192	KMO-Encrypted-AES-192 function ending with CC=0
71	KMO	Enc-AES-256	KMO-Encrypted-AES-256 function ending with CC=0
72	KIMD	SHA-1	KIMD-SHA-1 function ending with CC=0
73	KIMD	SHA-256	KIMD-SHA-256 function ending with CC=0
74	KIMD	SHA-512	KIMD-SHA-512 function ending with CC=0
75	KIMD	SHA3-224	KIMD-SHA3-224 function ending with CC=0
76	KIMD	SHA3-256	KIMD-SHA3-256 function ending with CC=0
77	KIMD	SHA3-384	KIMD-SHA3-384 function ending with CC=0
78	KIMD	SHA3-512	KIMD-SHA3-512 function ending with CC=0
79	KIMD	SHAKE-128	KIMD-SHAKE-128 function ending with CC=0
80	KIMD	SHAKE-256	KIMD-SHAKE-256 function ending with CC=0
81	KIMD	GHASH	KIMD-GHASH function ending with CC=0
82	KLMD	SHA-1	KLMD-SHA-1 function ending with CC=0
83	KLMD	SHA-256	KLMD-SHA-256 function ending with CC=0
84	KLMD	SHA-512	KLMD-SHA-512 function ending with CC=0
85	KLMD	SHA3-224	KLMD-SHA3-224 function ending with CC=0
86	KLMD	SHA3-256	KLMD-SHA3-256 function ending with CC=0
87	KLMD	SHA3-384	KLMD-SHA3-384 function ending with CC=0
88	KLMD	SHA3-512	KLMD-SHA3-512 function ending with CC=0
89	KLMD	SHAKE-128	KLMD-SHAKE-128 function ending with CC=0
90	KLMD	SHAKE-256	KLMD-SHAKE-256 function ending with CC=0
91	KMAC	DEA	KMAC-DEA function ending with CC=0
92	KMAC	TDEA-128	KMAC-TDEA-128 function ending with CC=0
93	KMAC	TDEA-192	KMAC-TDEA-192 function ending with CC=0
94	KMAC	Enc-DEA	KMAC-Encrypted-DEA function ending with CC=0
95	KMAC	Enc-TDEA-128	KMAC-Encrypted-TDEA-128 function ending with CC=0
96	KMAC	Enc-TDEA-192	KMAC-Encrypted-TDEA-192 function ending with CC=0
97	KMAC	AES-128	KMAC-AES-128 function ending with CC=0
98	KMAC	AES-192	KMAC-AES-192 function ending with CC=0
99	KMAC	AES-256	KMAC-AES-256 function ending with CC=0
100	KMAC	Enc-AES-128	KMAC-Encrypted-AES-128 function ending with CC=0
101	KMAC	Enc-AES-192	KMAC-Encrypted-AES-192 function ending with CC=0
102	KMAC	Enc-AES-256	KMAC-Encrypted-AES-256 function ending with CC=0
103	PCC	CLB-CMAC-Using-DEA	PCC-Compute-Last-Block-CMAC-Using-DEA function ending with CC=0
104	PCC	CLB-CMAC-TDEA-128	PCC-Compute-Last-Block-CMAC-Using-TDEA-128 function ending with CC=0
105	PCC	CLB-CMAC-TDEA-192	PCC-Compute-Last-Block-CMAC-Using-TDEA-192 function ending with CC=0
106	PCC	CLB-CMAC-Enc-DEA	PCC-Compute-Last-Block-CMAC-Using-Encrypted-DEA function ending with CC=0
107	PCC	CLB-CMAC-Enc-TDEA-128	PCC-Compute-Last-Block-CMAC-Using-Encrypted-TDEA-128 function ending with CC=0
108	PCC	CLB-CMAC-Enc-TDEA-192	PCC-Compute-Last-Block-CMAC-Using-Encrypted-TDEA-192 function ending with CC=0
109	PCC	CLB-CMAC-AES-128	PCC-Compute-Last-Block-CMAC-Using-AES-128 function ending with CC=0
110	PCC	CLB-CMAC-AES-192	PCC-Compute-Last-Block-CMAC-Using-AES-192 function ending with CC=0
111	PCC	CLB-CMAC-AES-256	PCC-Compute-Last-Block-CMAC-Using-AES-256 function ending with CC=0
112	PCC	CLB-CMAC-Enc-AES-128	PCC-Compute-Last-Block-CMAC-Using-Encrypted-AES-128 function ending with CC=0
113	PCC	CLB-CMAC-Enc-AES-192	PCC-Compute-Last-Block-CMAC-Using-Encrypted-AES-192 function ending with CC=0
114	PCC	CLB-CMAC-Enc-AES-256A	PCC-Compute-Last-Block-CMAC-Using-Encrypted-AES-256 function ending with CC=0
115	PCC	C-XTS-Parm-AES-128	PCC-Compute-XTS-Parameter-Using-AES-128 function ending with CC=0
116	PCC	C-XTS-Parm-AES-256	PCC-Compute-XTS-Parameter-Using-AES-256 function ending with CC=0
117	PCC	C-XTS-EParm-AES-128	PCC-Compute-XTS-Parameter-Using-Encrypted-AES-128 function ending with CC=0
118	PCC	C-XTS-EParm-AES-256	PCC-Compute-XTS-Parameter-Using-Encrypted-AES-256 function ending with CC=0
119	PCC	Scalar-Mult-P256	PCC-Scalar-Multiply-P256 function ending with CC=0
120	PCC	Scalar-Mult-P384	PCC-Scalar-Multiply-P384 function ending with CC=0
121	PCC	Scalar-Mult-P521	PCC-Scalar-Multiply-P521 function ending with CC=0
122	PCC	Scalar-Mult-Ed25519	PCC-Scalar-Multiply-Ed25519 function ending with CC=0
123	PCC	Scalar-Mult-Ed448	PCC-Scalar-Multiply-Ed448 function ending with CC=0
124	PCC	Scalar-Mult-X25519	PCC-Scalar-Multiply-X25519 function ending with CC=0
125	PCC	Scalar-Mult-X448	PCC-Scalar-Multiply-X448 function ending with CC=0
126	PRNO	SHA-512-DRNG	PRNO-SHA-512-DRNG function ending with CC=0
127	PRNO	TRNG-QRTC-Ratio	PRNO-TRNG-Query-Raw-to-Conditioned-Ratio function ending with CC=0
128	PRNO	TRNG	PRNO-TRNG function ending with CC=0
129	KDSA	ECDSA-Verify-P256	KDSA-ECDSA-Verify-P256 function ending with CC=0 or CC=2
130	KDSA	ECDSA-Verify-P384	KDSA-ECDSA-Verify-P384 function ending with CC=0 or CC=2
131	KDSA	ECDSA-Verify-P521	KDSA-ECDSA-Verify-P521 function ending with CC=0 or CC=2
132	KDSA	ECDSA-Sign-P256	KDSA-ECDSA-Sign-P256 function ending with CC=0
133	KDSA	ECDSA-Sign-P384	KDSA-ECDSA-Sign-P384 function ending with CC=0
134	KDSA	ECDSA-Sign-P521	KDSA-ECDSA-Sign-P521 function ending with CC=0
135	KDSA	Enc-ECDSA-Sign-P256	KDSA-Encrypted-ECDSA-Sign-P256 function ending with CC=0
136	KDSA	Enc-ECDSA-Sign-P384	KDSA-Encrypted-ECDSA-Sign-P384 function ending with CC=0
137	KDSA	Enc-ECDSA-Sign-P521	KDSA-Encrypted-ECDSA-Sign-P521 function ending with CC=0
138	KDSA	EdDSA-Verify-Ed25519	KDSA-EdDSA-Verify-Ed25519 function ending with CC=0 or CC=2
139	KDSA	EdDSA-Verify-Ed448	KDSA-EdDSA-Verify-Ed448 function ending with CC=0 or CC=2
140	KDSA	EdDSA-Sign-Ed25519	KDSA-EdDSA-Sign-Ed25519 function ending with CC=0
141	KDSA	EdDSA-Sign-Ed448	KDSA-EdDSA-Sign-Ed448 function ending with CC=0
142	KDSA	Enc-EdDSA-Sign-Ed25519	KDSA-Encrypted-EdDSA-Sign-Ed25519 function ending with CC=0
143	KDSA	Enc-EdDSA-Sign-Ed448	KDSA-Encrypted-EdDSA-Sign-Ed448 function ending with CC=0
144	PCKMO	Enc-DEA-key	PCKMO-Encrypt-DEA-key function
145	PCKMO	Enc-TDEA-128-key	PCKMO-Encrypt-TDEA-128-key function
146	PCKMO	Enc-TDEA-192-key	PCKMO-Encrypt-TDEA-192-key function
147	PCKMO	Enc-AES-128-key	PCKMO-Encrypt-AES-128-key function
148	PCKMO	Enc-AES-192-key	PCKMO-Encrypt-AES-192-key function
149	PCKMO	Enc-AES-256-key	PCKMO-Encrypt-AES-256-key function
150	PCKMO	Enc-ECC-P256-key	PCKMO-Encrypt-ECC-P256-key function
151	PCKMO	Enc-ECC-P384-key	PCKMO-Encrypt-ECC-P384-key function
152	PCKMO	Enc-ECC-P521-key	PCKMO-Encrypt-ECC-P521-key function
153	PCKMO	E-ECC-Ed25519-key	PCKMO-Encrypt-ECC-Ed25519-key function
154	PCKMO	E-ECC-Ed448-key	PCKMO-Encrypt-ECC-Ed448-key function

USAGE_COUNT_ID

This repeating field is found in Integrated Cryptographic Service Facility (ICSF) records holding cryptographic statistics data (SMF record type 82, subtype 31). The field is also found in processor activity compliance evidence records (SMF record type 1154, subtype 128). The default output length of the USAGE_COUNT_ID field is 22 characters.

The field lies in a repeat group with the USAGE_COUNT, USAGE_COUNT_TYPE, and USAGE_COUNT_TYPE_ID fields. With SMF 82 subtype 31, the contents of the USAGE_COUNT_ID field depend on the USAGE_COUNT_TYPE field value, as shown in the following table.

USAGE_COUNT_TYPE value	USAGE_COUNT_ID contents
ALG	Algorithm name. Algorithm names and their descriptions are listed in the SMF82STAT_ALG algorithm names table in the z/OS ICSF System Programmer's Guide.
CARD	Crypto card identifier, a forward slash character (`/`) and a crypto card serial number. The serial number can be `N/A`.
CPACF	No identifier -- just a single space character (' ').
RCS	Regional Cryptographic Server (RCS) identifier, a forward slash character (`/`), and an RCS serial number.
SOFTW	No identifier -- just a single space character (' ').
SRV	ICSF callable service name. Service names and their descriptions are listed in the Service names used in SMF records table in the z/OS ICSF System Programmer's Guide.
UDX	UDX service name.

With SMF 1154, subtype 128, the possible combinations of USAGE_COUNT_TYPE and USAGE_COUNT_ID are documented in Table 52.

USAGE_COUNT_TYPE

Each field value is a usage count type and the field lies in a repeat group with the USAGE_COUNT, USAGE_COUNT_ID, and USAGE_COUNT_TYPE_ID fields. The following table lists the possible USAGE_COUNT_TYPE values and their meaning.

Value	Meaning
ALG	Crypto algorithm
CARD	Crypto card
CPACF	CP Assist for Cryptographic Functions
KDSA	Compute Digital Signature Authentication
KIMD	Compute intermediate message digest
KLMD	Compute last message digest
KM	Cipher message
KMA	Cipher message with authentication
KMAC	Compute Message Authentication Code
KMC	Cipher message with chaining
KMCTR	Cipher message with counter
KMF	Cipher message with cipher feedback
KMO	Cipher message with output feedback
PCC	Perform cryptographic computation
PCKMO	Perform cryptographic key management operations
PRNO	Perform random number operation
RCS	Regional Cryptographic Server
SOFTW	Crypto software
SRV	ICSF callable service
UDX	UDX service

USAGE_COUNT_TYPE_ID

The field USAGE_COUNT_TYPE_ID is a combination of values from the repeat group USAGE_COUNT, USAGE_COUNT_TYPE, and USAGE_COUNT_ID fields respectively.

USERID, USER, LOGONID

SAF userid. This field is found in the following record types:

(ACF2 only) ACF2 records (all subtypes except ACF2 event)
HSM function statistics records
DFSORT records (SMF record type 16)
Job Initiation and Accounting records (SMF record types 20, 30 and 32)
NFS audit statistics records (SMF record type 42 subtype 26)
(Top Secret only) TSS processing records (SMF record type 80)
RACF processing and R_auditx records (SMF record types 80 and 83)
Integrated Cryptographic Service Facility (ICSF) records (SMF record type 82 subtypes 8, 9, 13, 22, 23, 28, 29, 30, 31, 40, 41, 42, 44, 45, 46, and 47)
System status records (SMF record type 90, subtypes 37 and 38)
Db2 records (SMF record type 102) with subtypes/IFCids 83, 87, 140, 142, 269, and 314 if nonblank and nonnull
z/OS Firewall Technologies records (SMF record type 109)
CICS records (SMF record type 110)
For CICS subrecords, USER returns the RACF userid that performed the CICS transaction.
SMF record type 118 subtypes 1, 2, 3, 70, 72, 73, 74, 75, 76
SMF record type 119 subtypes for sockets (1, 2, and 10), zERT connection detail (11), zERT summary (12), configuration (4), CSSMTP client (48, 50, and 51), FTP client (3), FTP server (70, 72), statistics (6, 7, 8), tunnels (73-80) if non-blank and not null. With SSH connection records (subtypes 94, 95, 98), this field specifies the user ID subject to authentication (login name on server), if the 'login and failure' section is present in the SMF record and not hex zero or blank.

It is derived using the job tag system for data set and ICF catalog activity records (SMF record types 14, 15, 17, 18, 60, 61, 62, 64, 65 and 66) and using information in the following sources:

CKFREEZE data set; in the absence of an applicable CKFREEZE or a matching SIMULATE statement, the field is empty.
Security database; in the absence of an applicable source, the field is empty (SMF record type 119).

Note:

Some HSM function statistics records may contain the user ID **HSM*** or *H*S*M* (the second pseudo-userid starts with a leading zero). These are not SAF userids, but pseudo-userids generated by the HSM software.
If a zERT summary record represents an aggregation of FTP data connections and the local socket of the session is acting as the server, the value of the USERID field is *FTPUSR*.

To select a userid that is the target of a RACF command, use one of the RACFCMD_USER, RESOURCE or PROFILE fields instead. To select a userid that is the target of an ACF2 command, use ACF2_RULEKEY instead. The USER field describes the command-issuing user, not the target user.

USER_GROUPS

This repeating field returns group names for the user ID. For RACF, these are the connect groups for USER. For ACF2, these are the source groups for the LOGONID, as used by the default Db2 signon exit shipped with ACF2. The field returns no more than 4,000 group names. If the number of groups exceeds 4,000, they will be the alphabetically first 4,000 groups. The field is filled in for any record type that returns a USER that exists in the security database of the system.

This field is derived using information in security database; in the absence of an applicable source, the field is empty.

UTOKEN

This text field applies only to RACF systems. For output, in most cases, using the UTOKEN field is more convenient than the individual UTOKEN_* fields.

A string describing the contents of the User Security Token that is included in all RACF processing records (SMF record types 80 and 83 subtype 1), system status records (SMF record type 90, subtypes 37 and 38), and in several DB2 subtypes (SMF record type 102). Since the UTOKEN contains many fields, of which many need not be set, the output has the format: field1: value1; field2: value2

This field can be used for output only; to select all records with a UTOKEN field, use SELECT RELOCATE=53. To select on values contained in the UTOKEN field, use the derived fields UTOKEN_FLAGS, UTOKEN_SESSION, UTOKEN_POE, UTOKEN_POECLASS, UTOKEN_SUSER, UTOKEN_SGROUP, UTOKEN_SNODE, and UTOKEN_XNODE.

Note: The values printed by the UTOKEN field are subject to change in future releases. Do not write applications that are dependent on the output of this field.

UTOKEN_FLAGS

This field applies only to RACF systems. It describes the flags found in the User Security Token, which is included in the following record types:

In several DFSMS Statistics and Configuration subtypes (SMF record type 42).
All RACF processing records (SMF record types 80 and 83 subtype 1).
In Dynamic APF records (SMF record type 90 subtype 37).
System status records (SMF record type 90, subtypes 37 and 38)
In several Db2 subtypes (SMF record type 102).
In TCP/IP profile event records (SMF record type 119 subtype 4).
In CSSMTP configuration records (SMF record type 119 subtype 48).

It can be used for SELECT/EXCLUDE processing and for output. However, in most cases the UTOKEN field is more convenient for output.

Because many flags can be set at the same time, the default output of this field is in a condensed format; full output split into several lines can be requested using the EXPLODE output modifier, for example, UTOKEN_FLAGS(EXPLODE). The following table lists the UTOKEN_FLAGS values that can be used for SELECT/EXCLUDE processing; the condensed output; the exploded output; and the meaning.

Table 53. SMF record UTOKEN_FLAGS field - values for output processing
SELECT/EXCLUDE	Condensed	Exploded	Meaning
DEFAULT	... .D. ...	Default	Default user
ENCRYPTED	... ... C..	Encrypted	Token is encrypted
ERROR	... ... ..E	Error	Token in error
LOG, LOGUSER	..L ... ...	Log user	User is logged (UAUDIT)
NJEUNKNOWN	... .N. ...	NJE Unknown	NJE unknown user
PRE19	... ... .<.	Pre 1.9	Created by pre 1.9 call
PRIVILEGED	P.. ... ...	Privileged	Privileged user
PROPAGATE	... P.. ...	Propagate	Propagated ID values
REMOTE	... ..R ...	Remote	Remote job
SPECIAL	.S. ... ...	Special	User has special attribute
SURROGATE	... S.. ...	Surrogate	Surrogate job
TRUSTED	T.. ... ...	Trusted	Trusted user
UNDEFINED	... .U. ...	Undefined	Undefined user
WRITEDOWN	... ...W ...	WriteDown	MLS WriteDown

For SELECT/EXCLUDE processing, a list of values may be specified, for example, SELECT UTOKEN_FLAGS=(SURROGATE,REMOTE,PROPAGATE). Only the =, <>, and ¬= relational operators can be used. With the = relational operator, the SELECT/EXCLUDE expression is true if any record's UTOKEN flags type matches any of the values specified; with the <> and ¬= relational operators, the SELECT/EXCLUDE expression is true if all of the record's UTOKEN flags types match none of the values specified.

Note:

The condensed output is split into three parts: user attributes, job attributes, and token attributes.
The values printed by the UTOKEN_FLAGS field are subject to change. Do not write applications that are dependent on the output of this field.

UTOKEN_POE

This text field applies only to RACF systems. The UTOKEN_POE field describes the Port-Of-Entry contained in the User Security token, which is included in the following record types:

In several DFSMS Statistics and Configuration subtypes (SMF record type 42).
All RACF processing records (SMF record types 80 and 83 subtype 1).
In Dynamic APF records (SMF record type 90 subtype 37).
System status records (SMF record type 90, subtypes 37 and 38)
In several Db2 subtypes (SMF record type 102).
In TCP/IP profile event records (SMF record type 119 subtype 4).
In CSSMTP configuration records (SMF record type 119 subtype 48).

If the UTOKEN_POECLASS is SERVAUTH, then, when possible, this value is resolved to a SERVAUTH profile using the current RACF source. If the value cannot be resolved, the hexadecimal value of the IPLOOK is shown. UTOKEN_POE can be used for SELECT/EXCLUDE processing and for output. However, in most cases the UTOKEN field is more convenient for output. The Port-Of-Entry class is described with the UTOKEN_POECLASS field.

UTOKEN_POECLASS

This text field applies only to RACF systems. The UTOKEN_POECLASS field describes the Port-Of-Entry class type contained in the User Security token, which is included in the following record types:

In several DFSMS Statistics and Configuration subtypes (SMF record type 42).
All RACF processing records (SMF record types 80 and 83 subtype 1).
In Dynamic APF records (SMF record type 90 subtype 37).
System status records (SMF record type 90, subtypes 37 and 38)
In several Db2 subtypes (SMF record type 102).
In TCP/IP profile event records (SMF record type 119 subtype 4).
In CSSMTP configuration records (SMF record type 119 subtype 48).

It can be used for SELECT/EXCLUDE processing and for output. However, in most cases the UTOKEN field is more convenient for output. The Port-Of-Entry is described with the UTOKEN_POE field.

The following list shows the possible UTOKEN_POECLASS values:

APPCPORT
CONSOLE
JESINPUT
SERVAUTH
TERMINAL

For SELECT/EXCLUDE processing, a list of values may be specified, for example, SELECT UTOKEN_POECLASS=(TERMINAL,JESINPUT). The numeric value of the Port-Of-Entry class can be specified as well. Only the =, <>, and ¬= relational operators can be used. With the = relational operator, the SELECT/EXCLUDE expression is true if the record's Port-Of-Entry class matches any of the values specified; with the <> and ¬= relational operators, the SELECT/EXCLUDE expression is true if the record's Port-Of-Entry class matches none of the values specified.

UTOKEN_POE_NETWORK

This text field applies only to RACF systems. It describes the Port-Of-Entry Network contained in the User Security token, which is included in the following record types.

In several DFSMS Statistics and Configuration subtypes (SMF record type 42).
All RACF processing records (SMF record types 80 and 83 subtype 1).
In Dynamic APF records (SMF record type 90 subtype 37).
System status records (SMF record type 90, subtypes 37 and 38)
In several Db2 subtypes (SMF record type 102).
In TCP/IP profile event records (SMF record type 119 subtype 4).
In CSSMTP configuration records (SMF record type 119 subtype 48).

It can be used for SELECT/EXCLUDE processing and for output; however, in most cases the UTOKEN field will be more convenient for output.

UTOKEN_SESSION

This field applies only to RACF systems. It describes the session type contained in the User Security token, which is included in the following record types.

In several DFSMS Statistics and Configuration subtypes (SMF record type 42).
All RACF processing records (SMF record types 80 and 83 subtype 1).
In Dynamic APF records (SMF record type 90 subtype 37).
System status records (SMF record type 90, subtypes 37 and 38)
In several Db2 subtypes (SMF record type 102).
In TCP/IP profile event records (SMF record type 119 subtype 4).
In CSSMTP configuration records (SMF record type 119 subtype 48).

It can be used for SELECT/EXCLUDE processing and for output; however, in most cases the UTOKEN field is more convenient for output.

The following table lists the UTOKEN_SESSION values that can be used for SELECT/EXCLUDE processing; the output values; and the meaning (XBM=eXternal Batch Monitor; NJE=Network Job Entry; RJE=Remote Job Entry).

Table 54. SMF record UTOKEN_SESSION field - values for output processing
SELECT/EXCLUDE	Output	Meaning
APPC	APPC	APPC
COMMAND	Command	Command
CONSOLE	Console	Console operator
EXTJOBEXTRDRJOB	Extrdr job	External reader job
EXTXBM EXTRDRXBM	Extrdr XBM	External reader XBM
INTJOBINTRDRJOB	Intrdr job	Internal reader job
INTXBMINTRDRXBM	Intrdr XBM	Internal reader XBM
MOUNT	Mount	Mount
NJEJOB	NJE job	NJE job
NJEOPER	NJE operator	NJE operator
NJESYSOUT	NJE sysout	NJE sysout
NJEUNKNOWN	NJE unknown user	NJE unknown user
NJEXBM	NJE XBM	NJE XBM
OMVSSRV OMVS	OMVSSRV	OMVSSRV
RJEJOB	RJE job	RJE job
RJEOPER	RJE operator	RJE operator
RJEXBM	RJE XBM	RJE XBM
STC	STC	Started procedure
SYSTEM	System	System address space
TSO	TSO	z/OS: TSO logon z/VM: Guest virtual machine logon

For SELECT/EXCLUDE processing, a list of values may be specified, e.g. SELECT UTOKEN_SESSION=(NJEXBM,NJESYSOUT,NJEJOB). Only the =, <>, and ¬= relational operators can be used. With the = relational operator, the SELECT/EXCLUDE expression is true if the record's session type matches any of the values specified; with the <> and ¬= relational operators, the SELECT/EXCLUDE expression is true if the record's session types matches none of the values specified.

UTOKEN_SGROUP, UTOKEN_SGRP

This text field applies only to RACF systems. It describes the connect group of the submitting user contained in the User Security token, which is included in the following record types.

In several DFSMS Statistics and Configuration subtypes (SMF record type 42).
All RACF processing records (SMF record types 80 and 83 subtype 1).
In Dynamic APF records (SMF record type 90 subtype 37).
System status records (SMF record type 90, subtypes 37 and 38)
In several Db2 subtypes (SMF record type 102).
In TCP/IP profile event records (SMF record type 119 subtype 4).
In CSSMTP configuration records (SMF record type 119 subtype 48).

It can be used for SELECT/EXCLUDE processing and for output; however, in most cases the UTOKEN field is more convenient for output. See also the UTOKEN_SUSER, UTOKEN_SNODE, and UTOKEN_XNODE fields.

UTOKEN_SNODE

This text field applies only to RACF systems. It describes the submitting node contained in the User Security token, which is included in the following record types.

In several DFSMS Statistics and Configuration subtypes (SMF record type 42).
All RACF processing records (SMF record types 80 and 83 subtype 1).
In Dynamic APF records (SMF record type 90 subtype 37).
System status records (SMF record type 90, subtypes 37 and 38)
In several Db2 subtypes (SMF record type 102).
In TCP/IP profile event records (SMF record type 119 subtype 4).
In CSSMTP configuration records (SMF record type 119 subtype 48).

It can be used for SELECT/EXCLUDE processing and for output; however, in most cases the UTOKEN field is more convenient for output. See also the UTOKEN_SGROUP, UTOKEN_SUSER, and UTOKEN_XNODE fields.

UTOKEN_SUSER, UTOKEN_SUSR

This text field applies only to RACF systems. It describes the submitting user contained in the User Security token, which is included in the following record types.

In several DFSMS Statistics and Configuration subtypes (SMF record type 42).
All RACF processing records (SMF record types 80 and 83 subtype 1).
In Dynamic APF records (SMF record type 90 subtype 37).
System status records (SMF record type 90, subtypes 37 and 38)
In several Db2 subtypes (SMF record type 102).
In TCP/IP profile event records (SMF record type 119 subtype 4).
In CSSMTP configuration records (SMF record type 119 subtype 48).

It can be used for SELECT/EXCLUDE processing and for output; however, in most cases the UTOKEN field is more convenient for output. See also the UTOKEN_SGROUP, UTOKEN_SNODE, and UTOKEN_XNODE fields.

UTOKEN_XNODE

This text field applies only to RACF systems. It describes the execution node contained in the User Security token, which is included in the following record types.

In several DFSMS Statistics and Configuration subtypes (SMF record type 42).
All RACF processing records (SMF record types 80 and 83 subtype 1).
In Dynamic APF records (SMF record type 90 subtype 37).
System status records (SMF record type 90, subtypes 37 and 38)
In several Db2 subtypes (SMF record type 102).
In TCP/IP profile event records (SMF record type 119 subtype 4).
In CSSMTP configuration records (SMF record type 119 subtype 48).

It can be used for SELECT/EXCLUDE processing and for output; however, in most cases the UTOKEN field is more convenient for output. See also the UTOKEN_SGROUP, UTOKEN_SUSER, and UTOKEN_SNODE fields.

VALIDITY_END_DATE

End date of the key crypto period. This field is found in Integrated Cryptographic Service Facility (ICSF) records (SMF record type 82) with subtypes 40, 41, and 42.

VALIDITY_START_DATE

Start date of the key crypto period. This field is found in Integrated Cryptographic Service Facility (ICSF) records (SMF record type 82) with subtypes 40, 41, and 42.

VM_ACIEVENT

This field applies to RACF systems only. It contains the z/VM event for which logging took place. This is normally the Diagnose number, CP command, or CP QUERY or CP SET subcommand. This field is found in RACF processing records (SMF record type 80).

VOLSER, VOLUME

Volume serial. This field is found in most data set and volume records (SMF record types 14, 15, 17, 18, 19, 21, 36, 42, 60, 62, 64, 69, and 90 subtype 37), ICF Define Activity records (SMF record type 61), ICF Alter Activity records (SMF record type 66), HSM function statistics records, RACF processing records (SMF record types 80 and 83 subtype 1) for class=DATASET, ACF2 data set use records, and TSS processing records (SMF record type 80) for class=DATASET.

Note: VOLSER is a repeated field. In the current version of IBM Security zSecure, this repeated field may contain duplicate volume serials for some record types.

With SMF record type 42 (DFSMS Statistics and Configuration) subtype 6 (Job Header (data set statistics)) records, each subrecord contains one VOLSER field.

VOLSER_OR_SMS

Volume serial or, if the volume is SMS-managed, *SMS*. This field is found in most data set and volume records (SMF record types 14, 15, 17, 18, 19, 21, 36, 42, 60, 62, 64, 69, and 90 subtype 37), HSM function statistics records, RACF processing records (SMF record types 80 and 83 subtype 1) for class=DATASET, ACF2 data set use records, and TSS processing records (SMF record type 80) for class=DATASET.

Note: VOLSER_OR_SMS is a repeated field. In the current version of IBM Security zSecure, this repeated field may contain duplicate volume serials for some record types.

With SMF record type 42 (DFSMS Statistics and Configuration) subtype 6 (Job Header (data set statistics)) records, each subrecord contains one VOLSER_OR_SMS field.

VTAMNETID

For Db2 performance and audit records (SMF record types 100, 101, and 102), the value is obtained from the QWHSNID field. This field shows the network ID of the (remote) location where the unit-of-work originated.

For CICS monitoring performance subrecord (SMF record type 110, subtype 1, class 3), this field returns the name by which the network unit-of-work ID is known within the originating system. This name is assigned at transaction attach time using either a STCK-derived token created by the originating system, or the network unit-of-work ID passed as part of an IRC (MRO) or ISC (APPC) attach function management header (FMH).

VTAMNET_IS_REMOTE

VTAMNET_IS_REMOTE is a flag field that indicates whether the VTAM network ID associated with a CICS transaction is from a remote network. The value is TRUE if it is remote. If the VTAM net ID information is not available, this field is not reported. This field is supported on CICS monitoring subrecords.

WEEKDAY

Day of the week the record was written. For SELECT/EXCLUDE processing, either specify the weekday name in full or use the first three characters of the weekday name (for example, SUNDAY or SUN for Sunday). The default output is also three characters long; specify an overriding output length of 9 characters to output the full weekday. This field is found in all SMF record types. For SELECT/EXCLUDE processing, a range of weekdays separated by a colon (:) is allowed, as indicated in the following examples. A range of MON:WED is inclusive; for example, Monday, Tuesday, and Wednesday. For use with the relational operators <, <=, >, and >=, the sort order has been defined as Sunday < Monday < ... < Saturday.

SELECT WEEKDAY=MON                        /* One day */
SELECT WEEKDAY=(MON, FRI)                 /* Two days */
SELECT WEEKDAY>=TUE WEEKDAY<=SAT          /* Day range */
SELECT WEEKDAY=TUE:SAT                    /* Day range */
SELECT WEEKDAY>=FRI OR WEEKDAY<=MON       /* Day range */
SELECT WEEKDAY=FRI:MON                    /* Day range */

YEAR

Year the record was written. For SELECT/EXCLUDE processing, a YEAR value in the range 0 to 99 is only allowed if you suppress message CKR051I and then implies a year the 20th century. For example, YEAR=94 is equal to YEAR=1994. This field is found in all SMF record types. For SELECT/EXCLUDE processing, a range of years separated by a colon (:) is allowed, as indicated in the following examples.

SELECT YEAR=1994                            /* One year */
SELECT YEAR=(1994, 1988, 1989)              /* Three years */
SELECT YEAR>=1992 YEAR<=1996                /* Year range */
SELECT YEAR=1992:1996                       /* Year range */

¹ Bypass appears for actions on operator consoles where no operator is logged on (and is not required to logon), and success auditing has been requested for OPERCMDS profiles.