IBM Security Z Security

Security for Z

  • 1.  zAlert - multiple alerts in 1 email

    Posted Tue November 04, 2025 07:33 PM


    Hello - I have an alert for a WTO (IEF125I) and what I see from time to time is if the IEF125I is relatively close in time, both of the alerts are in the same email. The subject line is the first alert and the email body will contain both of the IEF125I's.

    Is there a setting in the rules to have 1 email for 1 alert? I do not want them grouped in the same email.

    Thanks, Joe



    ------------------------------
    Joseph Sumi
    ------------------------------


  • 2.  RE: zAlert - multiple alerts in 1 email

    Posted Wed November 12, 2025 03:43 AM
    Edited by Rob van Hoboken Wed November 12, 2025 05:19 AM

    Hi Joe

    Email is generated in the same way as a NEWLIST puts information into a report. All events (SMF records, SYSLOG lines) that are collected in the reporting interval, and match the SELECT command, are combined into 1 email. You cannot have a separate email for each event. And to make matters worse, the email subject is taken from the first event in the report, so if your IEF125I messages are for different user IDs, the first is shown in the email subject, the rest are only shown in the mail body.

    What can you do about this?  

    a. not use email, but use another message format, such as Unix Syslog to send the events as individual records to the server.

    b. create non-standard alert code, using BUNDLE BUNDLEBY=userid BUNDLEMAILTO=userid:lookuptarget
       but this requires a table or a field in the USER profile that contains the email address to use for logons by that particular user id.

    c. open an Idea (the new name for enhancement request) to interpret the PAGE modifier in email newlists as a request to generate a separate email.  Like

    newlist emailto='securityteam@company.com' title='logon for user '
      sortlist userid(TITLE,PAGE) 'unexpected logon for user' userid

    d. Write a Rexx program that uses the SDSF API.  Have the Rexx program collect email files from JES2 spool, pry the email apart and resend it as one-line emails.  Then discard the original email.
       Run this Rexx program in a batch job that is submitted every, say, 5 minutes.  Your job scheduler can do this.
       Set the SMTPWRITER value for your alert to another value, not SMTP, so the original emails are left in spool for the Rexx program to process.

    I've used option d. some 8 years ago to transfer the alert emails to a mainframe email system called memo. I should have the Rexx code in my archive; it should be fairly easy to adapt (if you're a Rexx nutter like me).

    ------------------------------
    Rob van Hoboken
    ------------------------------
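
The "pry the email apart and resend it" step from option d, as an added example that is not part of the thread and is not Rob's Rexx code: it is written in Python and covers only the split, not the SDSF spool retrieval or the resend. The sample mail, its addresses other than the one quoted above, the IEF125I text layout, and the one-event-per-line body are assumptions constructed for illustration.

```python
from email import message_from_string, policy
from email.message import EmailMessage

# Constructed sample: one bundled alert mail carrying two IEF125I events.
# The real body layout depends on the alert definition; one event per
# line is an assumption of this example.
BUNDLED = """\
From: zalert@mainframe.example
To: securityteam@company.com
Subject: Alert: logon for user USERA

IEF125I USERA - LOGGED ON - TIME=19.31.02
IEF125I USERB - LOGGED ON - TIME=19.31.40
"""


def split_alert_mail(raw, marker="IEF125I"):
    """Return one EmailMessage per event line found in a bundled alert mail.

    If no line contains the marker, the original message is returned
    unchanged so that an unexpected layout never causes a lost alert.
    """
    original = message_from_string(raw, policy=policy.default)
    body = original.get_content()
    events = [ln.strip() for ln in body.splitlines() if marker in ln]
    if not events:
        return [original]

    out = []
    for event in events:
        msg = EmailMessage()
        msg["From"] = str(original["From"])
        msg["To"] = str(original["To"])
        # Subject is built from this event, not from the first event in
        # the bundle, so every user ID is visible in a subject line.
        msg["Subject"] = "Alert: " + event
        msg.set_content(event)
        out.append(msg)
    return out


if __name__ == "__main__":
    for m in split_alert_mail(BUNDLED):
        print(m["Subject"])
```

Each returned message can be handed to `smtplib.SMTP.send_message` for delivery; the fallback path matters because a mail that is discarded after a failed split is an alert nobody sees.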