








	*SMF Tools*

SMF Type 83 Record

This table shows the record layout for type 83 SMF records
(Security Product (RACF) Events - z/OS 1.13).

List of other SMF record layouts available.
List of sample SMF reports.

Purpose: Record type 83 is a processing record for auditing security related events. A security event can be an authentication or authorization attempt. The service detecting the event may be RACF or another z/OS component. The specific component is identified by the product section of the SMF type 83 record.

Notes:

1. Subtype 1 - Record type 83 subtype 1 is a RACF processing record for auditing datasets that are affected by a RACF command (ADDSD, ALTDSD, and DELDSD) that caused the security label to be changed. These records are generated when SETROPTS MLACTIVE is in effect and a RACF command (ALTDSD, ADDSD, DELDSD) has been issued that changed the security label of a data set profile. The SMF type 83 subtype 1 record contains the names of the cataloged data sets affected by the security label change. A link value is contained in both the SMF type 80 record for the RACF command and the SMF type 83 subtype 1 record. The link value is used to connect the list of data set names affected by the security label change with the RACF command that caused the change. The event codes and qualifiers for record type 83 subtype 1 are the same as for type 80 records.
2. Subtype 2 - SMF type 83 subtype 2 records contain Enterprise Identity Mapping (EIM) audit data.
3. Subtype 3 - SMF type 83 subtype 3 records contain LDAP audit data.
4. Subtype 4 - SMF type 83 subtype 4 records contain information from the R_auditx remote auditing service. For more information about SMF Type 83 audit records see the R_auditx (IRRSAX00 or IRRSAX64): Audit a security-related event chapter in z/OS Security Server RACF Callable Services
5. Subtype 5 - SMF type 83 subtype 5 records contain WebSphere audit data.
6. Subtype 6 - SMF type 83 subtype 6 records contain TKLM audit data.

It's easy to report on SMF 83 data!

We have a low-cost 4GL report writer especially for SMF files. It's called Spectrum SMF Writer.

Spectrum SMF Writer handles the difficult SMF record parsing for you automatically. You just specify which fields you want to see.

Spectrum SMF Writer also converts the arcane date and time fields and reformats them into an attractive report.

Plus, Spectrum SMF Writer can export SMF data as comma delimited files to use on your PC.

SMF Type 83 Record -- Security Product (RACF) Events - z/OS 1.13
Offset (Dec.)	Offset (Hex)	Name	Length	Format	Description
0	0	SMF83LEN	2	Binary	Record length.
2	2	SMF83SEG	2	Binary	Segment descriptor.
4	4	SMF83FLG	1	Binary	System indicator Bit Meaning when set 0 Subsystem identification follows system identification 1 Subtypes used 2 Reserved for IBM’s use 3 MVS/SP Version 4 4 MVS/SP Version 3 5 MVS/SP Version 2 6 VS2 7 Reserved for IBM’s use.Note: For MVS/SP Version 4, bits 3, 4, 5, and 6 will be on.
5	5	SMF83RTY	1	Binary	Record type: 83 (X'53').
6	6	SMF83TME	4	Binary	Time of day, in hundredths of a second, that the record was moved to the SMF buffer.
10	A	SMF83DTE	4	EBCDIC	Date that the record was moved to the SMF buffer, in the form 0cyydddF (where F is the sign).
14	E	SMF83SID	4	EBCDIC	System identification (from the SID parameter).
18	12	SMF83SSI	4	EBCDIC	Subsystem identification — RACF.
22	16	SMF83TYP	2	Binary	Record subtype 1 See “Subtype 1” on page 108 2 See “Subtype 2 and above” on page 109
24	18	SMF83TRP	2	Binary	Number of triplets.
26	1A	SMF83XXX	2	binary	Reserved for IBM’s use.
28	1C	SMF83OPD	4	Binary	Offset to product section.
32	20	SMF83LPD	2	Binary	Length of product section.
34	22	SMF83NPD	2	Binary	Number of product sections.
36	24	SMF83OD1	4	Binary	Offset to security section.
40	28	SMF83LD1	2	Binary	Length of security section.
42	2A	SMF83ND1	2	Binary	Number of security sections.
44	2C	SMF83OD2	4	Binary	Offset to relocate section.
48	30	SMF83LD2	2	Binary	Length of relocate section.
50	32	SMF83ND2	2	Binary	Number of relocate sections.
Product Section The product section exists in all SMF type 83 records. It is filled in for subtype 1 records. The product section in the record can be located by adding the SMF83OPD field to the beginning of the SMF record.(Offset from beginning of record: SMF83OPD)
0	0	SMF83RVN	4	EBCDIC	Product version, release, and modification level number.
4	4	SMF83PNM	4	EBCDIC	Product name
Security Section - Subtype 1 The security section is common to all Record type 83 subtypes. It identifies the specific event and the result. The information in the security section and the relocate sections provide additional information about the event. The user identity or identities used by the product or component for purposes of the authentication or authorization request The authority required for the request to succeed The authority the user has The reasons for logging the event 1 includes the user identity used to determine why to log 2 includes the resource used to determine why to log Any authentication or authorization request may succeed or fail because of one of several authority checks that grant access to the system or resource. The information in the audit record is limited to the specific authority check that succeeded or failed. The audit record does not contain all of the authorities the user has or all of the authorities that could allow access to the system or resource. The security section in the record can be located by adding the SMF83OD1 field to the beginning of the SMF record (Offset from beginning of record: SMF83OD1)
0	0	SMF83LNK	4	Binary	Same LINK value as that in the SMF type 80 record for the associated command. Connects the data set names in type 83 records with the RACF command that caused the security label change.
4	4	SMF83DES	2	Binary	Descriptor flags Bit Meaning when set 0 The event is a violation 1 User is not defined to RACF 2 Record contains a version indicator (see SMF83VER) 3 The event is a warning 4 Record contains a version, release, and modification level number (see SMF83VRM) 5-15 Reserved for IBM’s use.
6	6	SMF83EVT	1	Binary	Event code.
7	7	SMF83EVQ	1	Binary	Event code qualifier.
8	8	SMF83USR	8	EBCDIC	Identifier of the user associated with this event (jobname is used if the user is not defined to RACF).
16	10	SMF83GRP	8	EBCDIC	Group to which the user was connected (stepname is used if the user is not defined to RACF).
24	18	SMF83REL	2	Binary	Offset to the first relocate section from beginning of record header.
26	1A	SMF83CNT	2	Binary	Count of the number of relocate sections.
28	1C	SMF83ATH	1	Binary	Authorities used for executing commands or accessing resources Bit Meaning when set 0 Normal authority check (resource access) 1 SPECIAL attribute (command processing) 2 OPERATIONS attribute (resource access, command processing) 3 AUDITOR attribute (command processing) 4 Installation exit processing (resource access) 5 Failsoft processing (resource access) 6 Bypassed-user ID = BYPASS (resource access) 7 Trusted attribute (resource access).
29	1D	SMF83REA	1	Binary	Reason for logging. These flags indicate the reason RACF produced the SMF record Bit Meaning when set 0 SETROPTS AUDIT(class) — changes to this class of profile are being audited. 1 User being audited 2 SPECIAL users being audited 3 Access to the resource is being audited because of the AUDIT option (specified when profile created or altered by a RACF command), a logging request from the RACHECK exit routine, or because the operator granted access during failsoft processing. 4 RACINIT failure 5 This command is always audited 6 Violation detected in command and CMDVIOL is in effect 7 Access to entity being audited because of GLOBALAUDIT option.
30	1E	SMF83TLV	1	Binary	Terminal level number of foreground user (zero if not available).
31	1F	SMF83ERR	1	Binary	Command processing error flag Bit Meaning when set 0 Command had error and RACF could not back out some changes 1 No profile updates were made because of error in RACF processing 2-7 Reserved for IBM’s use.
32	20	SMF83TRM	8	EBCDIC	Terminal ID of foreground user (zero if not available).
40	28	SMF83JBN	8	EBCDIC	Job name. For RACROUTE REQUEST=VERIFY and RACROUTE REQUEST=VERIFYX records for batch jobs, this field can be zero.
48	30	SMF83RST	4	Binary	Time, in hundredths of a second that the reader recognized the JOB statement for this job for RACROUTE REQUEST=VERIFY and RACROUTE REQUEST=VERIFYX records for batch jobs, this field can be zero.
52	34	SMF83RSD	4	packed	Date the reader recognized the JOB statement for this job in the form 0cyydddF (where F is the sign) for RACROUTE REQUEST=VERIFY and RACROUTE REQUEST=VERIFYX records for batch jobs, this field can be zero.
56	38	SMF83UID	8	EBCDIC	User identification field from the SMF common exit parameter area. For RACROUTE REQUEST=VERIFY and RACROUTE REQUEST=VERIFYX records for batch jobs, this field can be zero.
64	40	SMF83VER	1	Binary	Version indicator 8 = Version 1, Release 8 or later. As of RACF 1.8.1, SMF83VRM is used instead.
65	41	SMF83RE2	1	Binary	Additional reasons for logging Bit Meaning when set 0 Security level control for auditing 1 Auditing by LOGOPTIONS 2 Audited because of SETROPTS SECLABELAUDIT 3 Class being audited because of SETROPTS COMPATMODE 4-7 Reserved for IBM’s use.
66	42	SMF83VRM	4	EBCDIC	FMID for RACF 2020 RACF 2.2 and OS/390 Security Server (RACF) V1 R2 2030 OS/390 Security Server (RACF) V1 R3 2040 OS/390 Security Server (RACF) V2 R4 2060 OS/390 Security Server (RACF) V2 R6 2608 OS/390 Security Server (RACF) V2 R8 7703 OS/390 Security Server (RACF) V2 R10 and z/OS Security Server (RACF) V1 R1 7705 z/OS Security Server (RACF) V1 R2 7706 z/OS Security Server (RACF) V1 R3 7707 z/OS Security Server (RACF) V1 R4 7708 z/OS Security Server (RACF) V1 R5 7709 z/OS Security Server (RACF) V1 R6 7720 z/OS Security Server (RACF) V1 R7 7730 z/OS Security Server (RACF) V1 R8 7740 z/OS Security Server (RACF) V1 R9 7750 z/OS Security Server (RACF) V1 R10 7760 z/OS Security Server (RACF) V1 R11 7780 z/OS Security Server (RACF) V1 R13
70	46	SMF83SEC	8	EBCDIC	Security label of the user.
Security Section - Subtype 2 and above(Offset from beginning of record: SMF83OD1)
0	0	SMF83LNK_ 2	4	Binary	Value used to link several SMF 83 records to a single event.
4	4	SMF83DES_ 2	2	Binary	Descriptor flags Bit Meaning when set 0 The event is a violation 1 User is not defined to RACF 2 Reserved 3 The event is a warning 4 Record contains a version, release, and modification level number (see SMF83VRM_2) 5 The caller of the R_auditx service indicated always log 6-15 Reserved
6	6	SMF83EVT_ 2	1	Binary	Event code.
7	7	SMF83EVQ_ 2	1	Binary	Event code qualifier.
8	8	SMF83USR_ 2	8	EBCDIC	Identifier of the user associated with this event (jobname is used if the user is not defined to RACF).
16	10	SMF83GRP_ 2	8	EBCDIC	Group to which the user was connected (stepname is used if the user is not defined to RACF).
24	18	SMF83REL_ 2	2	Binary	Reserved
26	1A	SMF83CNT_ 2	2	Binary	Reserved
28	1C	SMF83ATH_ 2	1	Binary	Authorities used for processing commands or accessing resources Bit Meaning when set 0-7 Reserved
29	1D	SMF83REA_ 2	1	Binary	Reason for logging. These flags indicate the reason RACF produced the SMF record Bit Meaning when set 0 SETROPTS AUDIT(class) — changes to this class of profile are being audited. 1 User being audited 2 SPECIAL users being audited 3 Access to the resource is being audited because of the AUDIT option (specified when profile created or altered by a RACF command), a logging request from the RACROUTE REQUEST=AUTH exit routine, or because the operator granted access during failsoft processing. 4 RACROUTE REQUEST=VERIFY or initACEE failure. 5 This command is always audited 6 Violation detected in command and CMDVIOL is in effect 7 Access to entity being audited because of GLOBALAUDIT option.
30	1E	SMF83TLV_ 2	1	Binary	Terminal level number of foreground user (zero if not available).
31	1F	SMF83ERR_ 2	1	Binary	Command processing error flag Bit Meaning when set 0 Command had error and RACF could not back out some changes 1 No profile updates were made because of error in RACF processing 2-7 Reserved
32	20	SMF83TRM_ 2	8	EBCDIC	Terminal ID of foreground user (zero if not available).
40	28	SMF83JBN_ 2	8	EBCDIC	Job name. For RACROUTE REQUEST=VERIFY and RACROUTE REQUEST=VERIFYX records for batch jobs, this field can be zero.
48	30	SMF83RST_ 2	4	Binary	Time, in hundredths of a second that the reader recognized the JOB statement for this job for RACROUTE REQUEST=VERIFY and RACROUTE REQUEST=VERIFYX records for batch jobs, this field can be zero.
52	34	SMF83RSD_ 2	4	Packed	Date the reader recognized the JOB statement for this job in the form 0cyydddF (where F is the sign) for RACROUTE REQUEST=VERIFY and RACROUTE REQUEST=VERIFYX records for batch jobs, this field can be zero.
56	38	SMF83UID_ 2	8	EBCDIC	User identification field from the SMF common exit parameter area. For RACROUTE REQUEST=VERIFY and RACROUTE REQUEST=VERIFYX records for batch jobs, this field can be zero.
64	40	SMF83VER_ 2	1	Binary	Version indicator 8 = Version 1, Release 8 or later. As of RACF 1.8.1, SMF83VRM is used instead.
65	41	SMF83RE2_ 2	1	Binary	Additional reasons for logging Bit Meaning when set 0 Security level control for auditing 1 Auditing by LOGOPTIONS 2 Class being audited because of SETROPTS SECLABELAUDIT 3 Class being audited because of SETROPTS COMPATMODE 4 Audited because of SETROPTS APPLAUDIT 5 Audited because user not defined to z/OS UNIX 6 Audited because user does not have appropriate authority for z/OS UNIX 7 Reserved
66	42	SMF83VRM_ 2	4	EBCDIC	FMID for RACF
70	46	SMF83SEC_ 2	8	EBCDIC	Security Label of the User.
78	4E	SMF83AU2_ 2	1	Binary	Authority used continued Bit Meaning when set 0 z/OS UNIX superuser 1 z/OS UNIX system function 2-7 Reserved
79	4F	SMF83RSV_ 2	4	Binary	Reserved
80	50	SMF83US2_ 2	8	EBCDIC	Identifier of the address space user associated with this event.
88	58	SMF83GR2_ 2	8	EBCDIC	Group to which the address space user was connected.
Relocate Sections Two types of relocate sections may be used by type 83 records- standard relocates or extended relocates. They are described below. The start of the relocate sections in the record can be located by adding the SMF83OD2 field to the beginning of the SMF record. The relocate sections for subtype 1 use the standard relocate section format. The data types for the relocate sections for subtype 1 are described in the “Table of relocate section variable data”. RACF SMF record standard relocate (Offset from beginning of record: SMF83OD2)
0	0	SMF83DTP	1	Binary	Data type
1	1	SMF83DLN	1	Binary	Length of data that follows.
2	2	SMF83DTA	variable	EBCDIC	mixed Data
Relocate Sections Two types of relocate sections may be used by type 83 records- standard relocates or extended relocates. They are described below. The start of the relocate sections in the record can be located by adding the SMF83OD2 field to the beginning of the SMF record. The relocate sections for subtypes 2 and above use the extended relocate section format. The data types (i.e. relocate types) for the subtypes are documented with the product or component that reported the security event. Data type values of 100 and above are reserved for product or component use. RACF SMF record extended relocate section format (Offset from beginning of record: SMF83OD2)
0	0	SMF83TP2	2	Binary	Data type
2	2	SMF83DL2	2	Binary	Length of data that follows.
4	4	SMF83DA2	variable	EBCDIC	Data

The table above is based on the description provided by IBM in its "MVS Systems Management Facilities (SMF)" manual.

Spectrum SMF Writer - the 4GL SMF Report Writer.

SMF Type 83 Record

This table shows the record layout for type 83 SMF records (Security Product (RACF) Events - z/OS 1.13).

It's easy to report on SMF 83 data!

This table shows the record layout for type 83 SMF records
(Security Product (RACF) Events - z/OS 1.13).