Go to Home Page
Questions?
Call 1-800-572-5517
 
  Go to Home Page  
  See all products
  See price schedules
  See manuals, tutorials, articles
  Download a free 30-day trial
  See user testimonials
  About Pacific Systems Group
 
 
SMF Tools
  See SMF Record Layouts
  See Sample SMF Reports
  Learn How to Export SMF Data
  Download Free SMF Reporting Software (30 days)
 
One of the greatest SMF record parsing programming languages I've ever seen. Chief, Large Systems Services Branch, NIH
  Choose Spectrum Writer to add 4GL to your product
  Free 60-Page Book (PDF) - How to Make an SMF Report
Spectrum DCOLLECT Reporter - the 4GL DCOLLECT Report Writer.

Spectrum SMF Writer - the 4GL SMF Report Writer.

SMF Type 83 Record

This table shows the record layout for type 83 SMF records
(Security Product (RACF) Events - z/OS 1.10).

List of other SMF record layouts available.
List of sample SMF reports.

Purpose: Record type 83 is a processing record for auditing security related events. A security event can be an authentication or authorization attempt. The service detecting the event may be RACF or another z/OS component. The specific component is identified by the product section of the SMF type 83 record.

Notes:

  • 1. Subtype 1 - Record type 83 subtype 1 is a RACF processing record for auditing datasets that are affected by a RACF command (ADDSD, ALTDSD, and DELDSD) that caused the security label to be changed. These records are generated when SETROPTS MLACTIVE is in effect and a RACF command (ALTDSD, ADDSD, DELDSD) has been issued that changed the security label of a data set profile. The SMF type 83 subtype 1 record contains the names of the cataloged data sets affected by the security label change. A link value is contained in both the SMF type 80 record for the RACF command and the SMF type 83 subtype 1 record. The link value is used to connect the list of data set names affected by the security label change with the RACF command that caused the change. The event codes and qualifiers for record type 83 subtype 1 are the same as for type 80 records.
  • 2. Subtype 2 - SMF type 83 subtype 2 records contain Enterprise Identity Mapping (EIM) audit data.
  • 3. Subtype 3 - SMF type 83 subtype 3 records contain LDAP audit data.
  • 4. Subtype 4 - SMF type 83 subtype 4 records contain information from the R_auditx remote auditing service. For more information about SMF Type 83 audit records see the R_auditx (IRRSAX00 or IRRSAX64): Audit a security-related event chapter in z/OS Security Server RACF Callable Services

It's easy to report on SMF 83 data!

SMF Spectrum Writer
We have a low-cost 4GL report writer especially for SMF files. It's called Spectrum SMF Writer.

Spectrum SMF Writer handles the difficult SMF record parsing for you automatically. You just specify which fields you want to see.

Spectrum SMF Writer also converts the arcane date and time fields and reformats them into an attractive report.

Plus, Spectrum SMF Writer can export SMF data as comma delimited files to use on your PC.
 
Try It FREE Now!

SMF Type 83 Record -- Security Product (RACF) Events - z/OS 1.10
Offset
(Dec.)
Offset
(Hex)
NameLengthFormatDescription
00SMF83LEN2Binary
Record length.
22SMF83SEG2Binary
Segment descriptor.
44SMF83FLG1Binary
System indicator Bit Meaning when set 0 Subsystem identification follows system identification 1 Subtypes used 2 Reserved for IBM's use 3 MVS/SP Version 4 4 MVS/SP Version 3 5 MVS/SP Version 2 6 VS2 7 Reserved for IBM's use.Note: For MVS/SP Version 4, bits 3, 4, 5, and 6 will be on.
55SMF83RTY1Binary
Record type: 83 (X'53').
66SMF83TME4Binary
Time of day, in hundredths of a second, that the record was moved to the SMF buffer.
10ASMF83DTE4EBCDIC
Date that the record was moved to the SMF buffer, in the form 0cyydddF (where F is the sign).
14ESMF83SID4EBCDIC
System identification (from the SID parameter).
1812SMF83SSI4EBCDIC
Subsystem identification – RACF.
2216SMF83TYP2Binary
Record subtype 1 See “Subtype 1” on page 108 2 See “Subtype 2 and above” on page 109
2418SMF83TRP2Binary
Number of triplets.
261ASMF83XXX2binary
Reserved for IBM's use.
281CSMF83OPD4Binary
Offset to product section.
3220SMF83LPD2Binary
Length of product section.
3422SMF83NPD2Binary
Number of product sections.
3624SMF83OD14Binary
Offset to security section.
4028SMF83LD12Binary
Length of security section.
422ASMF83ND12Binary
Number of security sections.
442CSMF83OD24Binary
Offset to relocate section.
4830SMF83LD22Binary
Length of relocate section.
5032SMF83ND22Binary
Number of relocate sections.
Product Section
The product section exists in all SMF type 83 records.
It is filled in for subtype 1 records. The product section
in the record can be located by adding the SMF83OPD field
to the beginning of the SMF record.
(Offset from beginning of record: SMF83OPD)
00SMF83RVN4EBCDIC
Product version, release, and modification level number.
44SMF83PNM4EBCDIC
Product name
Security Section - Subtype 1
The security section is common to all Record type 83 subtypes.
It identifies the specific event and the result.

The information in the security section and the relocate sections
provide additional information about the event.

  • The user identity or identities used by the product or
    component for purposes of the authentication or authorization
    request
  • The authority required for the request to succeed
  • The authority the user has
  • The reasons for logging the event
    1 includes the user identity used to determine why to log
    2 includes the resource used to determine why to log

Any authentication or authorization request may succeed or
fail because of one of several authority checks that grant
access to the system or resource. The information in the
audit record is limited to the specific authority check that
succeeded or failed. The audit record does not contain all of
the authorities the user has or all of the authorities that could
allow access to the system or resource.

The security section in the record can be located by adding the SMF83OD1 field to the beginning of the SMF record

(Offset from beginning of record: SMF83OD1)
00SMF83LNK4Binary
Same LINK value as that in the SMF type 80 record for the associated command. Connects the data set names in type 83 records with the RACF command that caused the security label change.
44SMF83DES2Binary
Descriptor flags Bit Meaning when set 0 The event is a violation 1 User is not defined to RACF 2 Record contains a version indicator (see SMF83VER) 3 The event is a warning 4 Record contains a version, release, and modification level number (see SMF83VRM) 5-15 Reserved for IBM's use.
66SMF83EVT1Binary
Event code.
77SMF83EVQ1Binary
Event code qualifier.
88SMF83USR8EBCDIC
Identifier of the user associated with this event (jobname is used if the user is not defined to RACF).
1610SMF83GRP8EBCDIC
Group to which the user was connected (stepname is used if the user is not defined to RACF).
2418SMF83REL2Binary
Offset to the first relocate section from beginning of record header.
261ASMF83CNT2Binary
Count of the number of relocate sections.
281CSMF83ATH1Binary
Authorities used for executing commands or accessing resources Bit Meaning when set 0 Normal authority check (resource access) 1 SPECIAL attribute (command processing) 2 OPERATIONS attribute (resource access, command processing) 3 AUDITOR attribute (command processing) 4 Installation exit processing (resource access) 5 Failsoft processing (resource access) 6 Bypassed-user ID = *BYPASS* (resource access) 7 Trusted attribute (resource access).
291DSMF83REA1Binary
Reason for logging. These flags indicate the reason RACF produced the SMF record Bit Meaning when set 0 SETROPTS AUDIT(class) – changes to this class of profile are being audited. 1 User being audited 2 SPECIAL users being audited 3 Access to the resource is being audited because of the AUDIT option (specified when profile created or altered by a RACF command), a logging request from the RACHECK exit routine, or because the operator granted access during failsoft processing. 4 RACINIT failure 5 This command is always audited 6 Violation detected in command and CMDVIOL is in effect 7 Access to entity being audited because of GLOBALAUDIT option.
301ESMF83TLV1Binary
Terminal level number of foreground user (zero if not available).
311FSMF83ERR1Binary
Command processing error flag Bit Meaning when set 0 Command had error and RACF could not back out some changes 1 No profile updates were made because of error in RACF processing 2-7 Reserved for IBM's use.
3220SMF83TRM8EBCDIC
Terminal ID of foreground user (zero if not available).
4028SMF83JBN8EBCDIC
Job name. For RACROUTE REQUEST=VERIFY and RACROUTE REQUEST=VERIFYX records for batch jobs, this field can be zero.
4830SMF83RST4Binary
Time, in hundredths of a second that the reader recognized the JOB statement for this job for RACROUTE REQUEST=VERIFY and RACROUTE REQUEST=VERIFYX records for batch jobs, this field can be zero.
5234SMF83RSD4packed
Date the reader recognized the JOB statement for this job in the form 0cyydddF (where F is the sign) for RACROUTE REQUEST=VERIFY and RACROUTE REQUEST=VERIFYX records for batch jobs, this field can be zero.
5638SMF83UID8EBCDIC
User identification field from the SMF common exit parameter area. For RACROUTE REQUEST=VERIFY and RACROUTE REQUEST=VERIFYX records for batch jobs, this field can be zero.
6440SMF83VER1Binary
Version indicator 8 = Version 1, Release 8 or later. As of RACF 1.8.1, SMF83VRM is used instead.
6541SMF83RE21Binary
Additional reasons for logging Bit Meaning when set 0 Security level control for auditing 1 Auditing by LOGOPTIONS 2 Audited because of SETROPTS SECLABELAUDIT 3 Class being audited because of SETROPTS COMPATMODE 4-7 Reserved for IBM's use.
6642SMF83VRM4EBCDIC
FMID for RACF
2020 RACF 2.2 and OS/390 Security Server (RACF) V1 R2
2030 OS/390 Security Server (RACF) V1 R3
2040 OS/390 Security Server (RACF) V2 R4
2060 OS/390 Security Server (RACF) V2 R6
2608 OS/390 Security Server (RACF) V2 R8
7703 OS/390 Security Server (RACF) V2 R10 and z/OS Security Server (RACF) V1 R1
7705 z/OS Security Server (RACF) V1 R2
7706 z/OS Security Server (RACF) V1 R3
7707 z/OS Security Server (RACF) V1 R4
7708 z/OS Security Server (RACF) V1 R5
7709 z/OS Security Server (RACF) V1 R6
7720 z/OS Security Server (RACF) V1 R7
7730 z/OS Security Server (RACF) V1 R8
7740 z/OS Security Server (RACF) V1 R9
7750 z/OS Security Server (RACF) V1 R10
7046SMF83SEC8EBCDIC
Security label of the user.
Security Section - Subtype 2 and above
(Offset from beginning of record: SMF83OD1)
00SMF83LNK_
2
4Binary
Value used to link several SMF 83 records to a single event.
44SMF83DES_
2
2Binary
Descriptor flags Bit Meaning when set 0 The event is a violation 1 User is not defined to RACF 2 Reserved 3 The event is a warning 4 Record contains a version, release, and modification level number (see SMF83VRM_2) 5 The caller of the R_auditx service indicated always log 6-15 Reserved
66SMF83EVT_
2
1Binary
Event code.
77SMF83EVQ_
2
1Binary
Event code qualifier.
88SMF83USR_
2
8EBCDIC
Identifier of the user associated with this event (jobname is used if the user is not defined to RACF).
1610SMF83GRP_
2
8EBCDIC
Group to which the user was connected (stepname is used if the user is not defined to RACF).
2418SMF83REL_
2
2Binary
Reserved
261ASMF83CNT_
2
2Binary
Reserved
281CSMF83ATH_
2
1Binary
Authorities used for processing commands or accessing resources Bit Meaning when set 0-7 Reserved
291DSMF83REA_
2
1Binary
Reason for logging. These flags indicate the reason RACF produced the SMF record Bit Meaning when set 0 SETROPTS AUDIT(class) – changes to this class of profile are being audited. 1 User being audited 2 SPECIAL users being audited 3 Access to the resource is being audited because of the AUDIT option (specified when profile created or altered by a RACF command), a logging request from the RACROUTE REQUEST=AUTH exit routine, or because the operator granted access during failsoft processing. 4 RACROUTE REQUEST=VERIFY or initACEE failure. 5 This command is always audited 6 Violation detected in command and CMDVIOL is in effect 7 Access to entity being audited because of GLOBALAUDIT option.
301ESMF83TLV_
2
1Binary
Terminal level number of foreground user (zero if not available).
311FSMF83ERR_
2
1Binary
Command processing error flag Bit Meaning when set 0 Command had error and RACF could not back out some changes 1 No profile updates were made because of error in RACF processing 2-7 Reserved
3220SMF83TRM_
2
8EBCDIC
Terminal ID of foreground user (zero if not available).
4028SMF83JBN_
2
8EBCDIC
Job name. For RACROUTE REQUEST=VERIFY and RACROUTE REQUEST=VERIFYX records for batch jobs, this field can be zero.
4830SMF83RST_
2
4Binary
Time, in hundredths of a second that the reader recognized the JOB statement for this job for RACROUTE REQUEST=VERIFY and RACROUTE REQUEST=VERIFYX records for batch jobs, this field can be zero.
5234SMF83RSD_
2
4Packed
Date the reader recognized the JOB statement for this job in the form 0cyydddF (where F is the sign) for RACROUTE REQUEST=VERIFY and RACROUTE REQUEST=VERIFYX records for batch jobs, this field can be zero.
5638SMF83UID_
2
8EBCDIC
User identification field from the SMF common exit parameter area. For RACROUTE REQUEST=VERIFY and RACROUTE REQUEST=VERIFYX records for batch jobs, this field can be zero.
6440SMF83VER_
2
1Binary
Version indicator 8 = Version 1, Release 8 or later. As of RACF 1.8.1, SMF83VRM is used instead.
6541SMF83RE2_
2
1Binary
Additional reasons for logging Bit Meaning when set 0 Security level control for auditing 1 Auditing by LOGOPTIONS 2 Class being audited because of SETROPTS SECLABELAUDIT 3 Class being audited because of SETROPTS COMPATMODE 4 Audited because of SETROPTS APPLAUDIT 5 Audited because user not defined to z/OS UNIX 6 Audited because user does not have appropriate authority for z/OS UNIX 7 Reserved
6642SMF83VRM_
2
4EBCDIC
FMID for RACF
7046SMF83SEC_
2
8EBCDIC
Security Label of the User.
784ESMF83AU2_
2
1Binary
Authority used continued Bit Meaning when set 0 z/OS UNIX superuser 1 z/OS UNIX system function 2-7 Reserved
794FSMF83RSV_
2
4Binary
Reserved
8050SMF83US2_
2
8EBCDIC
Identifier of the address space user associated with this event.
8858SMF83GR2_
2
8EBCDIC
Group to which the address space user was connected.
Relocate Sections
Two types of relocate sections may be used by type 83 records-
standard relocates or extended relocates.
They are described below.

The start of the relocate sections in the record can be located
by adding the SMF83OD2 field to the beginning of the SMF record.

The relocate sections for subtype 1 use the standard relocate section
format. The data types for the relocate sections for subtype 1 are
described in the “Table of relocate section variable data”.

RACF SMF record standard relocate

(Offset from beginning of record: SMF83OD2)
00SMF83DTP1Binary
Data type
11SMF83DLN1Binary
Length of data that follows.
22SMF83DTAvariableEBCDIC
mixed Data
Relocate Sections
Two types of relocate sections may be used by type 83 records-
standard relocates or extended relocates.
They are described below.

The start of the relocate sections in the record can be located
by adding the SMF83OD2 field to the beginning of the SMF record.

The relocate sections for subtypes 2 and above use the extended
relocate section format. The data types (i.e. relocate types)
for the subtypes are documented with the product or component
that reported the security event. Data type values of 100 and
above are reserved for product or component use.

RACF SMF record extended relocate section format

(Offset from beginning of record: SMF83OD2)
00SMF83TP22Binary
Data type
22SMF83DL22Binary
Length of data that follows.
44SMF83DA2variableEBCDIC
Data

The table above is based on the description provided by IBM in its "MVS Systems Management Facilities (SMF)" manual.

Copyright 2017.
Pacific Systems Group.
All rights reserved.


Spectrum Writer 4GL - the economical alternative to SAS, Easytrieve, DYL-280...

Home | Products | Prices | Documentation | 30-Day Trials | Customer Reviews | Company | FAQ | Sample Reports | SMF Records
Send Your Comments or Questions