SMF 119 record subtypes for OpenSSH
OpenSSH collects SMF Type 119 records for file transfer activity and login failure information. You can control the collection of these records by using the configuration keywords ClientSMF and ServerSMF in z/OS-specific client and daemon configuration files, respectively. These keywords also indicate whether system-wide SMF record exit IEFU83 or IEFU84 receives control. For more information about those keywords, see zos_ssh_config and zos_sshd_config.
The specified SMF record exit receives control before each record is written to the SMF data set. A return code from this exit indicates whether the system is to suppress the current SMF record. The parameter passed to this exit is the SMF record to be written. See z/OS MVS System Management Facilities (SMF) for more information.
All the records described in this topic are written using record type x'77' (format 119), and record subtype values, at offset 22(x'16') in the SMF record header, are used to uniquely identify the type of record being collected as well as describing the values that will be seen in the SMF_119SSH_TI_Comp and SMF_119SSH_TI_Reason fields of the TCP/IP identification section. Table 1 correlates the subtypes collected by OpenSSH to the type of record being produced.
| Record subtype | Description | Component | Reason |
|---|---|---|---|
| 94(x’5E’) | Client connection started record | SSH | Event |
| 95(x’5F’) | Server connection started record | SSHD | Event |
| 96(x'60') | Server transfer completion record | SFTPS or SCPS | Event |
| 97(x'61') | Client transfer completion record | SFTPC or SCPC | Event |
| 98(x'62') | Login failure record | SSHD | Event |
Additional SMF Type 119 subtype records are provided by z/OS Communications Server and are described in z/OS V2R2.0 Communications Server: IP Configuration Reference.