SMF type 119 Record - Subtype 98

This table shows the record layout for type 119 SMF records
(TCP/IP Statistics - OpenSSH Login Failure Record).


Purpose: OpenSSH writes SMF Type 119 records for file transfer activity and login failure information.

The kinds of SMF type 119 records for OpenSSH are:

  • Subtype 96 - Server transfer completion record
  • Subtype 97 - Client transfer completion record
  • Subtype 98 - Login failure record

Subtype 98 -- Login Failure Record

Login failure records are collected after each unsuccessful attempt to log into the sshd daemon. A login failure record is collected for each authentication method and attempt that fails. A login failure reason code within the SMF record provides information about the cause of the login failure. Only failures during user authentication are collected with the following exception: records are not collected for a "none" authentication failure if it is the first authentication method attempted.

The SMF type 119 records utilize a common structure. Each record is organized as follows:

  • SMF header
  • Self-defining section containing pointers to:
      • TCP/IP identification section (identifies system, stack, etc.)
      • Sections containing the data for the record

It's easy to report on SMF 119 data!

We have a low-cost 4GL report writer especially for SMF files. It's called Spectrum SMF Writer.

Spectrum SMF Writer handles the difficult SMF record parsing for you automatically. You just specify which fields you want to see.

Spectrum SMF Writer also converts the arcane date and time fields and reformats them into an attractive report.

Plus, Spectrum SMF Writer can export SMF data as comma delimited files to use on your PC.
 

SMF Type 119 Record -- TCP/IP Statistics - OpenSSH Login Failure Record
| Offset (Dec.) | Offset (Hex) | Name | Length | Format | Description |
|---|---|---|---|---|---|
| 0 | 0 | SMF119S98_LEN | 2 | binary | Record length. This field and the next field (total of four bytes) form the RDW (record descriptor word). See “Standard SMF Record Header” on page 13-1 for a detailed description. |
| 2 | 2 | SMF119S98_SEG | 2 | binary | Segment descriptor (see record length field). |
| 4 | 4 | SMF119S98_FLG | 1 | binary | System indicator. Bit meaning when set: 0 = New record format; 1 = Subtypes used; 2 = Reserved; 3-6 = Version indicators*; 7 = System is running in PR/SM mode. *See “Standard SMF Record Header” on page 13-1 for a detailed description. |
| 5 | 5 | SMF119S98_RTY | 1 | binary | Record type 119 (X'77'). |
| 6 | 6 | SMF119S98_TME | 4 | binary | Time since midnight, in hundredths of a second, that the record was moved into the SMF buffer. |
| 10 | A | SMF119S98_DTE | 4 | packed | Date when the record was moved into the SMF buffer, in the form 0cyydddF. See “Standard SMF Record Header” on page 13-1 for a detailed description. |
| 14 | E | SMF119S98_SID | 4 | EBCDIC | System identification (from the SMFPRMxx SID parameter). |
| 18 | 12 | SMF119S98_SSI | 4 | EBCDIC | Subsystem identification. |
| 22 | 16 | SMF119S98_STY | 2 | binary | Record subtype. |

Self Defining Section

| Offset (Dec.) | Offset (Hex) | Name | Length | Format | Description |
|---|---|---|---|---|---|
| 24 | 18 | SMF119S98_TRN | 2 | binary | Number of triplets in this record. A triplet is a set of three SMF fields (offset/length/number values) that defines a section of the record. The offset is the offset from the RDW. |
| 26 | 1A | -- | 2 | binary | Reserved. |
| 28 | 1C | SMF119S98_IDOff | 4 | binary | Offset to TCP/IP identification section from RDW. |
| 32 | 20 | SMF119S98_IDLen | 2 | binary | Length of TCP/IP identification section. |
| 34 | 22 | SMF119S98_IDNum | 2 | binary | Number of TCP/IP identification sections. |
| 36 | 24 | SMF119S98_S1Off | 4 | Binary | Offset to first data section |
| 40 | 28 | SMF119S98_S1Len | 2 | Binary | Length of first data section |
| 42 | 2A | SMF119S98_S1Num | 2 | Binary | Number of first data sections |
| 44 | 2C | SMF119S98_S2Off | 4 | Binary | Offset to 2nd data section |
| 48 | 30 | SMF119S98_S2Len | 2 | Binary | Length of 2nd data section |
| 50 | 32 | SMF119S98_S2Num | 2 | Binary | Number of 2nd data sections |

Common TCP/IP Identification Section for OpenSSH

Identifies the system and stack information associated with the SMF record.

(Offset from beginning of record: SMF119S98_IDOff)

| Offset (Dec.) | Offset (Hex) | Name | Length | Format | Description |
|---|---|---|---|---|---|
| 0 | 0 | SMF119S98_SSH_TI_SYSName | 8 | EBCDIC | System name from SYSNAME in IEASYSxx |
| 8 | 8 | SMF119S98_SSH_TI_SysplexName | 8 | EBCDIC | Sysplex name from SYSPLEX in COUPLExx |
| 16 | 10 | SMF119S98_SSH_TI_Stack | 8 | EBCDIC | TCP/IP stack name |
| 24 | 18 | SMF119S98_SSH_TI_ReleaseID | 8 | EBCDIC | z/OS release identifier |
| 32 | 20 | SMF119S98_SSH_TI_Comp | 8 | EBCDIC | OpenSSH subcomponent (right-padded with blanks): SFTPS = sftp server; SFTPC = sftp client; SCPS = scp server; SCPC = scp client; SSHD = sshd daemon |
| 40 | 28 | SMF119S98_SSH_TI_ASName | 8 | EBCDIC | Started task qualifier or address space name of address space that writes this SMF record |
| 48 | 30 | SMF119S98_SSH_TI_UserID | 8 | EBCDIC | User ID of security context under which this SMF record is written |
| 56 | 38 | Reserved | 2 | Binary | Reserved |
| 58 | 3A | SMF119S98_SSH_TI_ASID | 2 | Binary | ASID of address space that writes this SMF record |
| 60 | 3C | SMF119S98_SSH_TI_Reason | 1 | Binary | Reason for writing this SMF record: x'08' Event record |
| 61 | 3D | SMF119S98_SSH_TI_RecordID | 1 | Binary | Record ID |
| 62 | 3E | -- | 2 | EBCDIC | Reserved |

Common Security Section for OpenSSH

Identifies the security information associated with the SMF record.

When the authentication method being used is Control Socket and the ssh connection information cannot be collected from the control socket, the EBCDIC fields in this section are set to blanks and the binary fields are set to x'0000' Unknown.

(Offset from beginning of record: SMF119S98_S1Off)

| Offset (Dec.) | Offset (Hex) | Name | Length | Format | Description |
|---|---|---|---|---|---|
| 0 | 0 | SMF119S98_SSH_SSHV | 16 | EBCDIC | OpenSSH version |
| 16 | 10 | SMF119S98_SSH_SSLV | 32 | EBCDIC | OpenSSL version |
| 48 | 30 | SMF119S98_SSH_ZlibV | 16 | EBCDIC | zlib version |
| 64 | 40 | SMF119S98_SSH_ProtoV | 8 | EBCDIC | Protocol version (right-padded with blanks): 'SSHV1' Protocol version 1; 'SSHV2' Protocol version 2 |
| 72 | 48 | SMF119S98_SSH_AuthMethod | 2 | Binary | Authentication method being used: x'0000' Unknown; x'0001' None; x'0002' Password; x'0003' Public key; x'0004' Host-based; x'0005' Rhosts; x'0006' RhostsRSA; x'0007' RSA; x'0008' Keyboard-interactive; x'0009' Challenge-response; x'000A' Control socket 1 |
| 74 | 4A | SMF119S98_SSH_Cipher | 2 | Binary | Cipher type being used: x'0000' Unknown; x'0001' None. Possible values when protocol version 1: x'0002' 3DES; x'0003' Blowfish; x'0004' DES. Possible values when protocol version 2: x'0005' 3des-cbc; x'0006' blowfish-cbc; x'0007' cast128-cbc; x'0008' arcfour128; x'0009' arcfour256; x'000A' arcfour; x'000B' aes128-cbc; x'000C' aes192-cbc; x'000D' aes256-cbc; x'000E' aes128-ctr; x'000F' aes192-ctr; x'0010' aes256-ctr; x'0011' rijndael-cbc@lysator.liu.se; x'0012' acss@openssh.org |
| 76 | 4C | SMF119S98_SSH_MAC | 2 | Binary | MAC algorithm being used: x'0000' Unknown; x'0001' None (protocol version 1); x'0002' hmac-md5; x'0003' hmac-sha1; x'0004' umac-64@openssh.com; x'0005' hmac-ripemd160; x'0006' hmac-sha1-96; x'0007' hmac-md5-96; x'0008' hmac-ripemd160@openssh.com |
| 78 | 4E | SMF119S98_SSH_COMP | 2 | Binary | Compression method being used: x'0000' Unknown; x'0001' None (no); x'0002' zlib (yes); x'0003' zlib@openssh.com (delayed) |

Subtype 98 - Login Failure Specific Section

(Offset from beginning of record: SMF119S98_S2Off)

| Offset (Dec.) | Offset (Hex) | Name | Length | Format | Description |
|---|---|---|---|---|---|
| 0 | 0 | SMF119S98_SSH_LFRIP | 16 | Binary | Remote IP address |
| 16 | 10 | SMF119S98_SSH_LFLIP | 16 | Binary | Local IP address |
| 32 | 20 | SMF119S98_SSH_LFRPort | 2 | Binary | Remote port number (client) |
| 34 | 22 | SMF119S98_SSH_LFLPort | 2 | Binary | Local port number (server) |
| 36 | 24 | SMF119S98_SSH_LFUserID | 8 | EBCDIC | User name (login name) on server |
| 44 | 2C | SMF119S98_SSH_LFReason | 2 | Binary | Login failure reason: x'0000' Unexpected authentication failure; x'0001' Unexpected authentication change; x'0002' Password or password phrase is not valid; x'0003' User ID has been revoked; x'0004' User does not have server access; x'0005' User's file has bad file modes or ownership; x'0006' Too many failed login attempts; x'0007' Password error; x'0008' User ID is unknown; x'0009' Root user authentication is not allowed; x'000A' Empty passwords are not permitted; x'000B' Authentication method did not exist or was not valid; x'000C' Key did not exist or was not valid; x'000D' Host did not exist or was not valid |
| 46 | 2E | -- | 2 | Binary | Reserved |

The table above is based on the description provided by IBM in its "MVS Systems Management Facilities (SMF)" manual.
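
As an added example (not code from Pacific Systems Group or IBM), the Python sketch below decodes one subtype 98 record using the offsets in the layout above and rejects records whose triplets point outside the buffer. It assumes the EBCDIC fields use code page 037, that IPv4 addresses are stored IPv4-mapped in the 16-byte address fields, and that the input is a whole record including the RDW; the function names and the sample record are constructed for illustration.

```python
import ipaddress
import struct
from datetime import datetime, timedelta

REASONS = (  # index = SMF119S98_SSH_LFReason value in the layout above
    "Unexpected authentication failure", "Unexpected authentication change",
    "Password or password phrase is not valid", "User ID has been revoked",
    "User does not have server access", "User's file has bad file modes or ownership",
    "Too many failed login attempts", "Password error", "User ID is unknown",
    "Root user authentication is not allowed", "Empty passwords are not permitted",
    "Authentication method did not exist or was not valid",
    "Key did not exist or was not valid", "Host did not exist or was not valid")

def ebcdic(raw):
    return raw.decode("cp037").rstrip()  # assumption: fields use code page 037

def parse_s98(rec):
    """Decode one type 119 subtype 98 record (RDW included) into a dict."""
    if len(rec) < 52 or rec[5] != 119 or rec[22:24] != b"\x00\x62":
        raise ValueError("not a complete SMF 119 subtype 98 record")
    s1off, s1len, s1num, s2off, s2len, s2num = struct.unpack_from(">IHHIHH", rec, 36)
    for off, ln, num, need in ((s1off, s1len, s1num, 80), (s2off, s2len, s2num, 48)):
        if num < 1 or ln < need or off < 52 or off + ln > len(rec):
            raise ValueError("triplet missing or pointing outside the record")
    tme, dte = struct.unpack_from(">I4s", rec, 6)
    d = dte.hex()  # packed 0cyydddF, c = centuries after 1900
    when = datetime(1900 + 100 * int(d[1]) + int(d[2:4]), 1, 1) + timedelta(
        days=int(d[4:7]) - 1, seconds=tme / 100)
    auth, = struct.unpack_from(">H", rec, s1off + 72)
    rip, _lip, rport, _lport, user, why = struct.unpack_from(">16s16sHH8sH", rec, s2off)
    addr = ipaddress.IPv6Address(rip)  # assumption: IPv4 is stored IPv4-mapped
    return {"time": when, "system": ebcdic(rec[14:18]), "auth_method": auth,
            "remote": (str(addr.ipv4_mapped or addr), rport), "user": ebcdic(user),
            "reason": REASONS[why] if why < len(REASONS) else f"code {why}"}

def sample_record():
    """Constructed 244-byte record; only the fields parse_s98 reads are set."""
    e = lambda s, n: s.ljust(n).encode("cp037")
    v4 = lambda a: ipaddress.IPv6Address("::ffff:" + a).packed
    return (struct.pack(">HHBBI4s4s4sH", 244, 0, 0x40, 119, 5040000,
                        bytes.fromhex("0124045f"), e("SYS1", 4), e("", 4), 98)
            + struct.pack(">HHIHHIHHIHH", 3, 0, 52, 64, 1, 116, 80, 1, 196, 48, 1)
            + e("", 56) + bytes(8)                      # identification section
            + e("", 64) + e("SSHV2", 8) + struct.pack(">4H", 2, 16, 3, 1)
            + struct.pack(">16s16sHH8sHH", v4("203.0.113.7"), v4("192.0.2.10"),
                          51515, 22, e("IBMUSER", 8), 2, 0))
```

Grouping the returned dicts by `remote` or `user` and counting reasons such as "User ID is unknown" or "Too many failed login attempts" gives a quick view of password guessing against sshd.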

Sample Report from SMF 119 Subtype 2 Records
Showing Information about TCP Connections


The sample SMF report below was created with Spectrum SMF Writer, the low-cost 4GL SMF report writer.

In this report, we read as input the SMF file and select just the type 119 subtype 2 TCP Connection Termination records. (See SMF 119 Subtype 2 record layout.) The report shows information about terminated TCP connections, including start time, end time and computed elapsed time. It also shows the total number of bytes sent and received during the connection and the termination code. Our record layout also expands the 1-byte termination code into a readable descriptive text. The report is grouped by TCP/IP Stack and Resource. The report includes subtotals for each Resource.

All of this with just a few lines of code!
Why not install a Spectrum SMF Writer trial right now and start making your own SMF reports!

These Spectrum SMF Writer Statements:


INPUT:  SMF119 LIST(YES)

INCLUDEIF: SMF119RTY=119 AND SMF119STY=2

COMPUTE: MY_DURATION(2) = #MAKETIME(
               ((#MAKENUM(SMF119AP_TTEDATE) * 86400)
                  + #MAKENUM(SMF119AP_TTETIME))
             - ((#MAKENUM(SMF119AP_TTSDATE) * 86400)
                  + #MAKENUM(SMF119AP_TTSTIME))
                                   )

TITLE: 'Z/OS TCP DAILY CONNECTIONS REPORT'
TITLE: 'SYSTEM:' SMF119TI_SYSNAME
       'SYSPLEX:' SMF119TI_SYSPLEXNAME
       'STACK:' SMF119TI_STACK
TITLE: 'SORTED BY STACK AND RESOURCE NAME'

COLUMNS: SMF119AP_TTRNAME('RESOURCE')
         SMF119AP_TTSDATE('DATE/STARTED')
         SMF119AP_TTSTIME('TIME/STARTED')
         SMF119AP_TTEDATE('DATE/ENDED')
         SMF119AP_TTETIME('TIME/ENDED')
         MY_DURATION('CONNECTION/DURATION/HH:MM:SS.SS' ACCUM
                     TP'ZZ:ZZ:Z9.99')
         SMF119AP_TTINBYTES('INBOUND/BYTES')
         SMF119AP_TTOUTBYTES('OUTBOUND/BYTES')
         SMF119AP_TTTERMCODE(HEX 'TERM/CODE')
         SMF119AP_TTTERMCODE_DESC('TERM CODE DESC')

SORT:    SMF119TI_STACK
         SMF119AP_TTRNAME
         SMF119AP_TTSDATE
         SMF119AP_TTSTIME

BREAK:   SMF119AP_TTRNAME

 

Produce This SMF Report:


                                              Z/OS TCP DAILY CONNECTIONS REPORT
                                    SYSTEM: ST1      SYSPLEX: SYPROD    STACK: S01QDAS
                                             SORTED BY STACK AND RESOURCE NAME

                                                    CONNECTION
            DATE      TIME       DATE      TIME      DURATION      INBOUND        OUTBOUND    TERM
 RESOURCE STARTED    STARTED    ENDED      ENDED    HH:MM:SS.SS     BYTES          BYTES      CODE     TERM CODE DESC
 ________ ________ ___________ ________ ___________ ___________ ______________ ______________ ____ _______________________

 FTPTA5   03/21/09 14:04:06.81 03/21/09 14:04:07.46        0.65        257,537          3,052  61  CLIENT SENT RESET
 FTPTA5   03/21/09 14:05:35.59 03/21/09 14:05:45.67       10.08         27,043            329  52  APPL ISSUED CLOSE
 FTPTA5   03/21/09 14:12:13.81 03/21/09 14:12:14.51        0.70        257,537          3,052  61  CLIENT SENT RESET
 FTPTA5   03/21/09 14:12:27.35 03/21/09 14:12:37.42       10.07         27,043            329  52  APPL ISSUED CLOSE
 FTPTA5   03/21/09 15:30:34.96 03/21/09 15:30:35.64        0.68        257,537          3,052  61  CLIENT SENT RESET
 FTPTA5   03/21/09 15:35:13.92 03/21/09 15:35:24.00       10.08         27,043            329  52  APPL ISSUED CLOSE
 *** TOTAL FOR FTPTA5   (    6 ITEMS)                     32.26        853,740         10,143
 
 FTPTA6   03/21/09 14:05:38.03 03/21/09 14:05:38.70        0.67        257,537          3,052  61  CLIENT SENT RESET
 FTPTA6   03/21/09 14:07:23.60 03/21/09 14:07:33.68       10.08         27,043            329  52  APPL ISSUED CLOSE
 FTPTA6   03/21/09 14:12:29.83 03/21/09 14:12:30.50        0.67        257,537          3,052  61  CLIENT SENT RESET
 FTPTA6   03/21/09 14:17:10.02 03/21/09 14:17:20.16       10.14         27,043            329  52  APPL ISSUED CLOSE
 FTPTA6   03/21/09 15:35:16.45 03/21/09 15:35:17.21        0.76        257,537          3,052  61  CLIENT SENT RESET
 FTPTA6   03/21/09 15:36:15.10 03/21/09 15:36:25.18       10.08         27,043            329  52  APPL ISSUED CLOSE
 *** TOTAL FOR FTPTA6   (    6 ITEMS)                     32.40        853,740         10,143
 
 FTPTA7   03/21/09 14:07:26.16 03/21/09 14:07:26.86        0.70        257,537          3,052  61  CLIENT SENT RESET
 FTPTA7   03/21/09 14:08:24.36 03/21/09 14:08:34.50       10.14             70            507  52  APPL ISSUED CLOSE
 FTPTA7   03/21/09 14:17:12.60 03/21/09 14:17:13.31        0.71        257,537          3,052  61  CLIENT SENT RESET
 FTPTA7   03/21/09 14:21:40.01 03/21/09 14:21:50.08       10.07         27,043            329  52  APPL ISSUED CLOSE
 FTPTA7   03/21/09 15:36:17.53 03/21/09 15:36:18.17        0.64        257,537          3,052  61  CLIENT SENT RESET
 FTPTA7   03/21/09 15:37:11.45 03/21/09 15:37:21.53       10.08         27,043            329  52  APPL ISSUED CLOSE
 *** TOTAL FOR FTPTA7   (    6 ITEMS)                     32.34        826,767         10,321
 
 FTPTA8   03/21/09 08:09:32.96 03/21/09 15:29:02.41  7:19:29.45        274,763         15,912  52  APPL ISSUED CLOSE
 FTPTA8   03/21/09 13:17:39.42 03/21/09 14:42:50.82  1:25:11.40         47,498          2,291  52  APPL ISSUED CLOSE
 FTPTA8   03/21/09 14:42:57.42 03/21/09 14:43:21.38       23.96         45,921          2,291  52  APPL ISSUED CLOSE
 FTPTA8   03/21/09 14:43:26.45 03/21/09 15:28:27.01    45:00.56         47,498          2,291  52  APPL ISSUED CLOSE
 FTPTA8   03/21/09 14:50:01.00 03/21/09 15:28:26.10    38:25.10         35,513          1,537  52  APPL ISSUED CLOSE
 FTPTA8   03/21/09 14:51:01.03 03/21/09 14:52:28.82     1:27.79         33,273            875  52  APPL ISSUED CLOSE
 FTPTA8   03/21/09 14:53:05.50 03/21/09 15:28:22.53    35:17.03         33,273            875  52  APPL ISSUED CLOSE
 FTPTA8   03/21/09 14:53:51.74 03/21/09 14:55:51.42     1:59.68         35,306          1,537  52  APPL ISSUED CLOSE
 FTPTA8   03/21/09 14:56:05.98 03/21/09 15:11:31.19    15:25.21         33,066            875  52  APPL ISSUED CLOSE
 FTPTA8   03/21/09 15:12:01.80 03/21/09 15:13:30.66     1:28.86         35,266          1,537  52  APPL ISSUED CLOSE
 FTPTA8   03/21/09 15:13:45.48 03/21/09 15:17:09.41     3:23.93         38,223          2,199  52  APPL ISSUED CLOSE
 FTPTA8   03/21/09 15:18:54.59 03/21/09 15:20:07.26     1:12.67         34,273          1,537  52  APPL ISSUED CLOSE
 FTPTA8   03/21/09 15:20:22.01 03/21/09 15:28:20.73     7:58.72         33,118            875  52  APPL ISSUED CLOSE
 *** TOTAL FOR FTPTA8   (   13 ITEMS)               11:16:44.36        726,991         34,632

 
 FTPTA9   03/21/09 14:09:28.52 03/21/09 14:09:29.22        0.70        257,537          3,052  61  CLIENT SENT RESET
 FTPTA9   03/21/09 14:10:24.02 03/21/09 14:10:34.10       10.08         27,043            329  52  APPL ISSUED CLOSE
 FTPTA9   03/21/09 15:01:06.82 03/21/09 15:01:07.46        0.64        257,537          3,052  61  CLIENT SENT RESET
 FTPTA9   03/21/09 15:13:52.13 03/21/09 15:14:02.53       10.40         27,043            329  52  APPL ISSUED CLOSE

 ...


Copyright 2017.
Pacific Systems Group.
All rights reserved.

