On 5 July 2016 at 11:43, Charles Mills <charl...@mcn.org> wrote:
> I am looking at an SMF 80 record from a customer that I am having trouble
> making sense of. The customer is definitely a RACF user, not a TSS user. The
> customer I believe is on z/OS V2R1.
>
> It is a valid SMF 80 record. The event.qualifier is 2.0. There are three
> relocatable sections: a 49 (User Name) that says "Detection Status", a 17
> (Class name) that says "EK$CLASS" and a 1 (Resource Name) that says
> "EKCA.SECURITY.DETECTION". The record is 2959 bytes long, long for a RACF
> SMF record.
>
> So what's odd about it?
>
> 1. It is missing the RACF version SMF80VRM at offset 80 that was added to
> RACF around OS/390 V1R2. That leads me to believe the record was not
> produced by RACF.

Yup. We've encountered a handful of ISV products over the years that write
"RACF" SMF records on their own initiative. None of them is fully "correct",
either in that the record itself would never be written by RACF, or that it
wouldn't be written in the context it is.

> Does anyone have an idea what might be producing this record and where its
> format might be documented?

From the names I'd guess it to be an EKC product. I'm not aware if they have
product(s) that work with RACF rather than ACF2 (I understand the company was
founded by one of the ACF2 initial developers), but it seems likely.

http://www.ekcinc.com

Tony H.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
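The checks the thread walks through (is SMF80VRM present at offset 80, and what do the type 49 / 17 / 1 relocatable sections say) are easy to script, which helps when triaging a batch of "SMF 80" records of uncertain origin. The following is an added example, not code from the thread, from RACF or from any EKC product. It assumes a simplified relocate-section layout of a 1-byte type, a 1-byte length and the data, a 4-byte SMF80VRM field, a relocate area starting at offset 96 in the constructed sample, and uses "7790" as a placeholder version string; only the offset 80 and the three section types and values come from the thread.

```python
# Added example: apply the two observations from the thread to an SMF 80 record.
# Assumed/simplified layout, not taken from the RACF macro library:
#   - each relocate section is 1-byte type, 1-byte length, then data
#   - SMF80VRM is a 4-byte character field at offset 80 (offset from the thread,
#     width assumed)
#   - the relocate area starts at a fixed offset chosen for the constructed sample

EBCDIC = "cp037"
SMF80VRM_OFFSET = 80   # from the thread
SMF80VRM_LEN = 4       # assumed width
RELOCATE_OFFSET = 96   # assumed start of the relocate area in the sample

# Type codes named in the thread
RELOCATE_NAMES = {1: "Resource name", 17: "Class name", 49: "User name"}


def parse_relocate_sections(blob):
    """Return (type, name, text) for every type/length/data triplet in blob."""
    sections = []
    pos = 0
    while pos + 2 <= len(blob):
        dtype, dlen = blob[pos], blob[pos + 1]
        data = blob[pos + 2:pos + 2 + dlen]
        if len(data) != dlen:
            raise ValueError("truncated relocate section at offset %d" % pos)
        text = data.decode(EBCDIC).rstrip()
        sections.append((dtype, RELOCATE_NAMES.get(dtype, "type %d" % dtype), text))
        pos += 2 + dlen
    return sections


def has_racf_version(record):
    """True when the SMF80VRM slot holds something other than blanks or zeros."""
    field = record[SMF80VRM_OFFSET:SMF80VRM_OFFSET + SMF80VRM_LEN]
    if len(field) < SMF80VRM_LEN:
        return False
    return any(b not in (0x00, 0x40) for b in field)  # 0x40 is the EBCDIC blank


def assess(record):
    """Summarise the points the thread looks at: length, VRM presence, sections."""
    return {
        "length": len(record),
        "racf_version_present": has_racf_version(record),
        "sections": parse_relocate_sections(record[RELOCATE_OFFSET:]),
    }


def build_sample(with_vrm):
    """Constructed sample: blank-filled header, optional placeholder VRM,
    then the three relocate sections the thread lists."""
    rec = bytearray(b"\x40" * RELOCATE_OFFSET)
    if with_vrm:
        # "7790" is a placeholder version string, not a value from the thread
        rec[SMF80VRM_OFFSET:SMF80VRM_OFFSET + SMF80VRM_LEN] = "7790".encode(EBCDIC)
    for dtype, text in ((49, "Detection Status"),
                        (17, "EK$CLASS"),
                        (1, "EKCA.SECURITY.DETECTION")):
        data = text.encode(EBCDIC)
        rec += bytes((dtype, len(data))) + data
    return bytes(rec)


if __name__ == "__main__":
    for flag in (True, False):
        print(assess(build_sample(flag)))
```

Running it prints one summary for a record with a version field and one without; the second mirrors the record in the thread, where the empty VRM slot is the tell that RACF did not write it, whatever the section contents claim.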