TSO explicitly suppresses RACINIT logging for normal TSO logon, so you will find no EVENT=RACINIT for a logon, unless there is an exception for the logon, such as changing password, user having UAUDIT, or interesting authentication. zSecure and other SMF based reporting has to use SMF 30 to keep track of those unremarkable logon event, so zSecure creates a simulated
fake RACINIT event when an SMF 30 subtype 1 or 5 is found (see the CARLa manual for SMF field EVENT).
However, Access Monitor can also be used to feed zSecure Alert, look at alert 1122 for inspiration. This alert uses TYPE=VERIFY record, one of the fields contains the verification method:
REQ_VERIFY_METHOD
This field shows what method was used to authenticate the user. Possible values for this field are:
Omitted, None, Password, Passphrase, Passticket, Started, and MultiFactor. For many
verify events, the identity of an existing user is propagated to a new environment. Examples are batch
jobs and commands issued through SDSF. In those situations, the REQ_VERIFY_METHOD field shows
the value None. The width of the field is 12 characters.
------------------------------
Rob van Hoboken
------------------------------