Hi Joe

SMF 14 (and 15) do not contain the RACF user ID, only the jobname, job number and RDR time.  zSecure tries to find the corresponding user ID by using SMF records, along with their jobname, job number, RDR time and user ID, from all record types that contain these.  Obvious candidates is SMF 30, but there are more record types used.  This mechanism of supplementing missing fields from other SMF record is called job tag system or smfcache.  See the Problem Determination chapter in the manual.

If there are no SMF 30 records available for the same jobname and RDR time value, the user ID in SMF 14 will be missing.  This happens when the SMF 14 is produced by a very long running task (so the SMF 30 may have been written a week ago, way before the CKQRADAR job started), or there was an overflow of SMF 30s and the relevant job tag was flushed from the job tag cache.  Or... more likely, the data feed omitted SMF 30s.

By the way, you also need SMF 30 records if you wanted to track TSO logons in CKQRADAR.  SMF 80 won't show the majority of TSO logons.

------------------------------
Rob van Hoboken
------------------------------

Hello - yes, that was it !  I needed to add SMF type 30 to my CKQEXSMF member in cust.  I am now seeing what i wanted to see in the SMF 14 and also 15.

Are there other enrichment opportunities available with the LEEF format ? I am not seeing much in the manual about this.

THANKS !!!

Hi Joe

SMF 14 (and 15) do not contain the RACF user ID, only the jobname, job number and RDR time.  zSecure tries to find the corresponding user ID by using SMF records, along with their jobname, job number, RDR time and user ID, from all record types that contain these.  Obvious candidates is SMF 30, but there are more record types used.  This mechanism of supplementing missing fields from other SMF record is called job tag system or smfcache.  See the Problem Determination chapter in the manual.

If there are no SMF 30 records available for the same jobname and RDR time value, the user ID in SMF 14 will be missing.  This happens when the SMF 14 is produced by a very long running task (so the SMF 30 may have been written a week ago, way before the CKQRADAR job started), or there was an overflow of SMF 30s and the relevant job tag was flushed from the job tag cache.  Or... more likely, the data feed omitted SMF 30s.

By the way, you also need SMF 30 records if you wanted to track TSO logons in CKQRADAR.  SMF 80 won't show the majority of TSO logons.

------------------------------
Rob van Hoboken
------------------------------

Hi Joe,

This enrichment is not specifically tied to the LEEF output format. Instead, it is a general property of the SMF report type.

You can read about it in the section "SMF processing - background" in the Problem Determination chapter of the User Reference Manual.

Specifically, the relevant record types for enrichment can be found in the section about "The job tag system".

I hope this helps.

Regards,

Hello - yes, that was it !  I needed to add SMF type 30 to my CKQEXSMF member in cust.  I am now seeing what i wanted to see in the SMF 14 and also 15.

Are there other enrichment opportunities available with the LEEF format ? I am not seeing much in the manual about this.

THANKS !!!

Hi Joe

SMF 14 (and 15) do not contain the RACF user ID, only the jobname, job number and RDR time.  zSecure tries to find the corresponding user ID by using SMF records, along with their jobname, job number, RDR time and user ID, from all record types that contain these.  Obvious candidates is SMF 30, but there are more record types used.  This mechanism of supplementing missing fields from other SMF record is called job tag system or smfcache.  See the Problem Determination chapter in the manual.

If there are no SMF 30 records available for the same jobname and RDR time value, the user ID in SMF 14 will be missing.  This happens when the SMF 14 is produced by a very long running task (so the SMF 30 may have been written a week ago, way before the CKQRADAR job started), or there was an overflow of SMF 30s and the relevant job tag was flushed from the job tag cache.  Or... more likely, the data feed omitted SMF 30s.

By the way, you also need SMF 30 records if you wanted to track TSO logons in CKQRADAR.  SMF 80 won't show the majority of TSO logons.

------------------------------
Rob van Hoboken
------------------------------

Glad to be of help.

You may want to limit subtypes for SMF type 30, the interval recording and resource reporting subtypes may result in large records, i.e., heavy buffer usage. You could limit your selection to subtype 5 (job/step termination) which has the return code, or subtype 1, which shows the actual logon time but not the session duration.  The general recommendation is 30(5), but that may confuse the job tag mechanism, so:

addsmf(rectype(30) subtype(1))
addsmf(rectype(30) subtype(5))

SMF 42 can give you update reporting for PDSE (and PDS) at the member level.

If you're interested in VSAM data set activity, check the record type 60:69.

Telnet and FTP access to z/OS, look at SMF type 119.

------------------------------
Rob van Hoboken
------------------------------

Hi Rob,

Why would 30(5) be the general recommendation?

Note that some types, such as type 80, are not cached, and will only get the information completed when it is seen before the record is encountered.

As to SMF type 42, only subtype 6 is relevant to the job tag mechanism. 

Regards,

------------------------------
Jeroen Tiggelman
IBM - Software Development Manager IBM Security zSecure
Delft

Original Message:
Sent: Tue May 27, 2025 03:20 AM
From: Rob van Hoboken
Subject: LEEF SMF14 Enrichment data missing

Glad to be of help.

You may want to limit subtypes for SMF type 30, the interval recording and resource reporting subtypes may result in large records, i.e., heavy buffer usage. You could limit your selection to subtype 5 (job/step termination) which has the return code, or subtype 1, which shows the actual logon time but not the session duration.  The general recommendation is 30(5), but that may confuse the job tag mechanism, so:

addsmf(rectype(30) subtype(1))
addsmf(rectype(30) subtype(5))

SMF 42 can give you update reporting for PDSE (and PDS) at the member level.

If you're interested in VSAM data set activity, check the record type 60:69.

Telnet and FTP access to z/OS, look at SMF type 119.

------------------------------
Rob van Hoboken
------------------------------

Just like I stated, SMF 30(1) does not show the completion code of the step or the elapsed time.  SMF 30(5) shows both (field COMPLETION_CODE/COMPCODE and JOBELAPSED).  At the time of this general recommendation, the aim was to reduce semi-duplicate records in output, and subtype 1 is clearly lacking in information.

On the other hand, when you code SELECT EVENT=RACINIT both TYPE 80 EVENT=RACINIT and TYPE 30(1,5) are reported.

SMF 80 does not hold a JOBNAME value, so it does not contribute to the JOB TAG cache.  If you need the JOBNAME in your SMF 80 based reports, in addition to the USERID, you must have include SMF 30(1).

>As to SMF type 42, only subtype 6 is relevant to the job tag mechanism. 

Very true, unfortunately CKQEXSMF is unwilling to use subtypes for SMF 42:

------------------------------
Rob van Hoboken

Original Message:
Sent: Tue May 27, 2025 03:31 AM
From: Jeroen Tiggelman
Subject: LEEF SMF14 Enrichment data missing

Hi Rob,

Why would 30(5) be the general recommendation?

Note that some types, such as type 80, are not cached, and will only get the information completed when it is seen before the record is encountered.

As to SMF type 42, only subtype 6 is relevant to the job tag mechanism. 

Regards,

------------------------------
Jeroen Tiggelman
IBM - Software Development Manager IBM Security zSecure
Delft

Original Message:
Sent: Tue May 27, 2025 03:20 AM
From: Rob van Hoboken
Subject: LEEF SMF14 Enrichment data missing

Glad to be of help.

You may want to limit subtypes for SMF type 30, the interval recording and resource reporting subtypes may result in large records, i.e., heavy buffer usage. You could limit your selection to subtype 5 (job/step termination) which has the return code, or subtype 1, which shows the actual logon time but not the session duration.  The general recommendation is 30(5), but that may confuse the job tag mechanism, so:

addsmf(rectype(30) subtype(1))
addsmf(rectype(30) subtype(5))

SMF 42 can give you update reporting for PDSE (and PDS) at the member level.

If you're interested in VSAM data set activity, check the record type 60:69.

Telnet and FTP access to z/OS, look at SMF type 119.

------------------------------
Rob van Hoboken
------------------------------