
CorreLog Agent for z/OS V5.4.0 CEF Configuration Guide 2014

  • Writer: Pavan Raja
  • Apr 8, 2025

Summary:

The provided text outlines a series of IFCIDs (Identifiers for Control Information) used in a software system, primarily related to database management and authorization controls within IBM DB2 for z/OS. Here's an overview and summary of each IFCID discussed:

**1. IFCID 0361**

This IFCID pertains to various fields that describe the type of data being handled in the system, including authorization ID types (AuthIDType), authority types (dpriv), file path details (filePath), and object type information (fileType). These fields are crucial for detailed auditing and management within the database environment.

  • **AuthIDType QW0361IT** and **QW0361ITD**: Specifies whether an authorization ID is primary or secondary, with "L" indicating a role.

  • **dpriv QW0361AT** and **QW0361ATD**: Describes the type of authority using codes such as B (System DBADM, DBCTRL).

  • **filePath QW0361TC**: Qualifier/owner of a target object.

  • **fileType QW0361OT** and **QW0361OTD**: Specifies the type of file or database object, with codes B (Bufferpool) or C (Collection).

  • **fname QW0361TN**: The name of the target object.

  • **spriv QW0361PR** and **QW0361PRD**: Privilege checks are detailed in "QW0361PRD".

**2. IFCID 361**

This IFCID is specific to command fields, particularly relevant for newer versions or features not covered in the referenced DB2 Version 9 manual.

  • **cs1 Cmd**: A command field that might be specific to certain system updates or advanced functionalities.

**Summary of Key Points:**

These IFCIDs are integral to managing and auditing data within a database environment, providing detailed information about the type of data being handled, authorization details, object types, file paths, and privilege checks. The fields provided allow for comprehensive tracking and management of database activities, ensuring compliance with security policies and system governance rules.

Details:

The "CEF Connector Configuration Guide" is a document designed to assist in setting up the HP ArcSight CEF connector for event collection from various devices. This guide emphasizes that it's meant for informational purposes only and that information can change without notice. It advises users to report any errors to HP, while acknowledging that HP does not provide warranties or assume liability for the content.

The document outlines details about the Certified CEF format, which meets the requirements of the HP ArcSight Common Event Format (CEF). The HP ArcSight CEF connector is capable of processing these events correctly and making them available within HP's ArcSight product, categorized appropriately for use in correlation rules, reports, and dashboards.

The guide also introduces "CorreLog Agent for z/OS" version 5.4.0, dated December 5, 2013, with a revision history indicating updates on January 7, 2014 (first edition) and January 10, 2014 (version 5.4.0 certified by HP Enterprise Security). It provides support information for the CorreLog Agent where issues might be outside the ArcSight team's capability to assist with configurations or solutions, suggesting contacting CorreLog Customer Support through phone (1-800-CORRELOG) and pressing 2, or email (support@CorreLog.com).

The "CorreLog Agent for z/OS (CZAGENT) Configuration Guide" is a detailed manual that explains how to configure the agent for collecting syslog events from z/OS platforms. It specifies that the connector supports devices starting from version 5.4.0 and above, as well as z/OS releases V1R11 and above. The main purpose of this guide is to integrate a z/OS mainframe with an enterprise ArcSight ESM strategy by forwarding security, TCP/IP, job, and other related events.

The provided text describes the functionality and features of CZAGENT, an agent designed for use with IBM ArcSight SIEM software. This agent is intended to capture mainframe system events such as those related to security (RACF), terminal sessions (TSO Session, Job, and Started Task Events), network activities (TCP/IP FTP Events), database management (DB2 Events), and other operational data points like file integrity monitoring for QSAM and BSAM datasets, VSAM datasets, and more. CZAGENT is configured to integrate with the ArcSight Enterprise Security Manager (ESM) by using a parameter file named CZAPCEF, as documented in the CZAGENT reference manual under the section on ArcSight CEF. Alternatively, it can be specified directly within any CZAGENT parameter file as SIEM(CEF).

The agent generates various event types categorized into internal messages, user-generated messages (via utility program CZASEND), and system management facilities (SMF) events, including:

1. **Internal Messages**: These are numbered messages generated by the agent itself to indicate processes like termination in progress or other operational statuses.

2. **User Messages**: Free-format user messages transmitted by the utility program CZASEND, such as job updates or customer record insertions.

3. **SMF Events**: These cover a wide range of system activities including output file integrity monitoring, dataset renames, JES2/JES3 job and TSO session start/end events, VSAM status changes, and more.

4. **DB2 Events**: Specific to DB2 database activity, these include monitoring for database operations such as queries, updates, deletions, or other interactions with the DB2 database engine.

5. **CICS Audited Transactions (SMF Type 110)**: This pertains to audited transactions handled by CICS (Customer Information Control System).

6. **ACF2 Security Events (SMF Type 230)**: These are security-related events recorded by ACF2, which handles security functionalities on the mainframe system.

7. **RACF and Top Secret Security Events (SMF Type 80)**: RACF is a security product that logs security-related events from RACF or Top Secret systems.

This agent helps in ensuring compliance with regulatory requirements such as PCI DSS, HIPAA, and Sarbanes-Oxley by providing real-time event monitoring and logging across the mainframe environment.

The provided text is a summary of event types within the SMF (System Management Facility) record type used for diagnostic purposes, primarily focusing on those related to specific systems such as ACF2, CICS Audit, DB2 IFCID, DFSMS, and internal diagnostics from the CorreLog agent. Here's an overview:

1. **ACF2**: This includes various events like S/F/P command failures, CA statistics records, dataset violations, distributed database interactions, logon ID modifications, TSO transactions, and more. Each event is self-descriptive and serves to monitor the system's activities related to user authentication, resource usage, and data access.

2. **CICS Audit**: This type of event logs audited CICS transactions, tracking user actions within the CICS environment.

3. **DB2 IFCID**: This involves specific events named DB2 IFCID which are detailed further in the referenced manual for CZADDB2I and IBM DB2 documentation. These likely pertain to interactions or errors related to the DB2 database management system.

4. **DFSMS (Distributed File System Management Service)**: Events include adding/replacing members, deleting members, initializing partitioned datasets, and renaming members within a dataset. This reflects actions on distributed file systems managed by DFSMS.

5. **Diag**: Used to log common fields from any SMF record type for diagnostic purposes. It captures standard information useful in troubleshooting and error analysis across various system components.

6. **Internal CZAnnnnx**: These are diagnostic and status messages generated internally by the CorreLog agent itself, providing internal state and operational data that can be crucial for debugging and maintenance of the software.

Each event type is designed to capture specific aspects of system operation or error conditions, aiding in diagnostics and troubleshooting efforts across different IBM enterprise systems.

This text provides a detailed overview of various syslog messages and their corresponding types used within the CZAGENT software. It includes specific event codes for events such as JES2, JES3, Start, Step End, or End Job; TSO session start, step end, and end events; RACF events and qualifiers; rename status of non-VSAM datasets; TCP/IP connection initiations, terminations, dynamic tunnel activities, FTP client and server logs, IKE tunnel activities, interface statistics, manual tunnel activations and deactivations, server port statistics, stack start/stop, and TCP/IP statistics. Each type is associated with a unique subtype number as described in the referenced IBM manuals for SMF Type 80 Record Description File (CZAD80EQ) and "z/OS Security Server RACF Macros and Interfaces."

The provided text is a summary of various records related to network communications, specifically focusing on Telnet sessions and UDP socket closures. It also outlines the mapping of these events to ArcSight data fields in CEF format. Here's a simplified breakdown:

  • **TN3270E** and **SNA Session Termination Record (Subtype 21)**: This refers to a Telnet server SNA session termination, where subtype 21 is used for this specific record type.

  • **TCP/IP TSO Telnet Initiation and Termination Records (Subtypes 22 and 23)**: These records pertain to the initiation and termination of TCP/IP TSO Telnet client connections using subtypes 22 and 23 respectively.

  • **UDP Socket Close Record (Subtype 10)**: This describes a UDP socket closure event, coded under subtype 10.

Furthermore, the text explains how these events are mapped to ArcSight data fields in a Common Event Format (CEF). It provides a list of universal fields that can be used across different SMF statements and defines each field:

  • **deviceFacility**: This is an identifier for syslog facilities from RFC3164, represented as numbers ranging from 0 to 23. There's also a textual version, `SYSLOG_FACILITY_D`.

  • **dvcHost** and its subfields: These are IP addresses (IPv4 and IPv6), CPU ID, hostname, JES node name, LPAR name, SMF ID, and system name. Some of these fields have specific conditions or requirements such as running in logical partition mode.

  • **rt CURRENT_TIME**: The current date and time when the record was created.

  • **rt SMFXXDTETME**: A timestamp specifically for the SMF record.

The text concludes with a note on fields that can be used across various SMF statements, including those related to SMF 15 records. This mapping is crucial for integrating system management events into broader security information and event management (SIEM) systems like ArcSight.

These tables summarize various fields from different types of System Management Facilities (SMF) records, which are used to monitor and manage computer systems. Each type has a specific set of fields with descriptive names and labels. Here's a breakdown for SMF14, SMF18, and SMF30 records:

**SMF 14 Fields:**

  • **Names beginning with SMF14**: These fields are related to data set output by jobs in JCL (Job Control Language).

  • **cat (SMF14CAT)**: Constant "DS_Output", indicating the type of record.

  • **cs2 (DDN)**: The Data Definition Name (DDname), which is a part of SMF records for job step activities, including input and output datasets.

  • **filePath (SMF14JFCBDSNM)**: Dataset name related to the job, used in JCL for defining jobs and their data sets.

  • **fname (SMF14JFCBELNM)**: Member name or relative generation number, which refers to a part of a dataset.

  • **sproc (SMF14JBN)**: Job name, indicating the job step being processed at that moment.

  • **start (SMF14RST)**: Time when the reader recognized the JOB card for this specific job.

**SMF 18 Fields:**

  • **Names beginning with SMF18**: These fields are related to record types used in System Management Facilities (SMF).

  • **cat (SMF18CAT)**: Constant "Rename", indicating that these records pertain to renaming activities.

  • **cn1 (Vol#)**: Number of volumes involved in the rename operation.

  • **cs2 Indic1 (SMF18IN1D)**: Record indicator byte 1, expressed as text, which is part of the data structure for SMF records.

  • **fileID (SMF18FVL)**: First volume serial number associated with the renaming activity.

  • **filePath (SMF18NDS)**: New dataset name after the rename operation.

  • **oldFilePath (SMF18ODS)**: Old dataset name before the rename operation.

  • **sproc (SMF18JBN)**: Job name, identifying the job that triggered the renaming event.

  • **start (SMF18RST)**: Time at which the reader recognized the JOB card for this specific renaming job.

**SMF 30 Fields:**

  • **Names beginning with SMF30**: These fields relate to detailed information about processing steps in various subsystems like JES2, JES3, TSO, STC, and APPC.

  • **cat (SMF30CAT)**: Subsystem name such as "JES2", "JES3", "TSO", "STC", or "APPC".

  • **cn1 (Step#)**: Step number in the sequence of processing steps within a subsystem.

  • **cn2 (SubStep)**: Substep number, incremented for each substep within a step; set to zero for non-z/OS UNIX System Services steps.

  • **cs3 (JobID)**: JES job identifier, which is unique and includes an "A" followed by seven digits for APPC/MVS transaction scheduled jobs.

  • **cs4 (ProcStep)**: Name of the step that invoked a procedure; blank if not applicable.

These tables are essential for system administrators to monitor and analyze system performance, job processing, and other operational details through detailed records provided by SMF.

The text provided is a summary of various fields and their descriptions within the context of System Management Facilities (SMF) records. Here's an overview of each field mentioned in the text:

1. **SMF30TID**: This field represents the RACF terminal ID, which is blank if RACF is inactive or the user does not have terminal access.

2. **SMF30USR (cs5)**: Known as the programmer's name field, it serves as a 20-byte description field on the JOB statement, providing more context like a system destination service name.

3. **SMF30WID**: This is the work type indicator for the address space and identifies the type of address space being reported on, such as "STC" for started tasks and system address spaces or "TSO" for TSO/E users.

4. **SMF30SYN (deviceExternalId)**: Refers to the system name from the SYSNAME parameter in the IEASYSxx parmlib member.

5. **SMF30PGM (deviceProcessName)**: The program name taken from the PGM= parameter on an EXEC card. It uses a backward reference if necessary.

6. **SMF30SCC (outcome)**: This field represents the job or step completion code and ABEND reason code, with system ABENDs reported as Sxxx-xxxx and user ABENDs as Unnnn-xxxx.

7. **SMF30TSN (shost)**: Known as the terminal symbolic name within RACF terms.

8. **SMF30GRP (spriv)**: The RACF group ID, which is blank if RACF is not active.

9. **SMF30JBN (sproc)**: Refers to either the job or session name in SMF records.

10. **SMF30RUD (suid)**: Represents the RACF user ID, and it's blank if RACF is not active.

11. **SMF42 Fields**: These are specific to SMF type 42 records:

  • **CEF Name (cat)**: Constant value "DFSMS".

  • **Alias (cs3)**: List of alias names deleted in sympathy with a delete or replace operation.

  • **Step (cs4)**: Step name within the job or procedure.

  • **Proc (cs5)**: Proc name, which can be blank or used for specific process details.

  • **Flag (cs6)**: Expresses flags as textual descriptions such as "Add" or "Replace".

  • **Interval End/CLOSE time (end)**: The end of the interval time or CLOSE time formatted according to TIME statement parameters, being zero if not available.

  • **File ID (fileID)**: Refers to VOLSER in this context.

  • **Data set name (filePath)**: Name of the data set involved.

  • **Member name (fname)**: For rename operations, it is the new name after the change; otherwise, it's the member name as usual.

  • **Old Member name (oldFileName)**: The previous name before any rename operation.

  • **Record subtype (outcome/SMF42STY)**: Expressed as an integer where 20 is for initialization, 21 for deletion, 24 for addition or replacement, and 25 for renaming. It can also be described textually as "Initialize", "Delete", "Add/Replace", or "Rename".

These fields are crucial in monitoring and managing systems using SMF records to understand various aspects of system usage, performance, and events across different environments and services.

The provided information is a summary of two types of data records within the System Management Function (SMF) system, which are used to monitor and manage various components and operations in an IBM mainframe environment. These data records include SMF42X and SMF80 formats, each containing specific fields that provide detailed user and system information.

**SMF42X Data Record:** This record is related to the STOW or DESERV macro operations within a Unix System Services (USS) environment on an IBM mainframe. The key details captured in this record include:

  • **Host Information**: Identified by "host" which includes SMF42XUI_TOKPOE and SMF42XUI_TOKGRUP, providing user information about the caller of STOW or DESERV macros.

  • **User ID and Terminal Information**: Noted as CONSID (Caller Identification) and TERM-ID (first half of IP value for SERVAUTH), which might include details like port numbers or terminal IDs associated with a session.

  • **Process Information**: Captured under "sproc" including the job name, task control information, and time-sharing user who issued either STOW or DESERV commands.

  • **Time Details**: Includes interval start (SMF42PTS) and open time of day (START), with formatting according to TIME statement parameters; zero if not available.

**SMF80 Data Record:** This record pertains to System Resource Access Controller Facility (RACF) operations, which are used for user profile management in a Unix environment on IBM mainframes. The key details captured include:

  • **Access Request and Ownership**: Noted under "cs1 Req" (SMF80R3Req) indicating the access requested and "cs2 Owner" (SMF80R38Owner), which could be either a user ID or group name that owns the profile. This field also covers operations beyond simple define, such as RACROUTE REQUEST=AUTH and RACROUTE REQUEST=DEFINE, among other commands like SETROPTS and RVARY.

  • **Class Information**: Captured under "cs2 Class" (SMF80R42Class) which includes the class name from SETROPTS or GENLIST/NOGEN commands used to manage system resources effectively.

These two formats provide detailed insights into user interactions with mainframe systems, especially regarding data storage operations and profile management through RACF commands, aiding in performance monitoring, security auditing, and troubleshooting within IBM environments. The provided descriptions are taken from "z/OS Security Server RACF Macros and Interfaces" © Copyright International Business Machines Corporation 1994, 2008. They list various fields in an SMF (System Management Facilities) record used by the RACF (Resource Access Control Facility) subsystem of z/OS, which is a part of the OS/390 operating system for mainframe computers. The descriptions include field names and their meanings as follows:

  • **cs3 CmdUserID**: This field represents the User ID specified on an ADDUSER or ALTUSER command. It's used to identify the user who initiated a specific action in RACF, likely related to managing user accounts.

  • **cs4 GenClass**: This refers to the ClassGen class name from SETROPTS GENLIST/NOGENLIST command. It seems to be used for categorizing or classifying various system resources and configurations within RACF.

  • **cs5 Auth**: This field contains authorities used for processing commands or accessing resources, expressed as text. These could include permissions or rights granted by RACF for specific actions such as data access, program execution, etc.

  • **cs6 POE**: Known as the "port of entry," this is a user security token from SMF 80 Relocatable section 53, which can be used to identify and manage user sessions or processes in RACF environment.

  • **fileID**: This field represents either the volume serial number (for RACROUTE REQUEST=AUTH or RACROUTE REQUEST=DEFINE) or a dataset profile's list of volume serials when input is received for data set auditing purposes.

  • **filePath**: Specifies the resource name or old resource name in the context of RACF operations like AUTH and DEFINE requests.

  • **filePermission**: Indicates whether access to resources is allowed, based on specific permissions granted by RACF.

  • **fileType**: This field denotes the class name related to auditing for requests made through RACROUTE REQUEST=AUTH or similar commands in RACF.

  • **reason SMF80READ** and **reason SMF80READX**: These fields provide textual descriptions of why a RACF record was logged, either as plain text or hexadecimal representation, which helps in debugging or understanding the specific event that triggered the log entry.

  • **shost**: This field represents the terminal ID of the foreground user, if available; otherwise, it's blank. It might be used for tracking and identifying users based on their terminal connections.

  • **spriv SMF80GRP** and **sproc SMF80JBN**: These fields denote the group to which a user is connected (via stepname or job name) in RACF, depending on whether the user is defined within RACF or not.

  • **suid SMF80USR**: This field identifies the user associated with an event, falling back to the job name if no direct association is available. This ID helps to track and manage user activities as they relate to specific system events or tasks.

These descriptions are crucial for understanding how RACF manages and records various system interactions in a controlled environment like z/OS, providing detailed metadata that can be used for administrative actions, auditing, and compliance monitoring.

The provided text outlines the fields and descriptions for two specific types of SMF (System Management Facility) records: SMF 110 and SMF 119. These records are used in IBM systems to monitor network communications and task activities within CICS (Customer Information Control System).

**SMF 110 Fields:**

  • **cat**: A constant value "CICS" indicating the record type pertains to CICS.

  • **cs2**: The class of data, labeled as SMFMNCL.

  • **cs3**: Job name, identified as SMFSTJBN.

  • **cs4**: Network Unit-of-Work Netname.

  • **cs5**: Workload Manager report class name (DFHCICS_RPTCLSNM) and service class name (DFHCICS_SRVCLSNM).

  • **deviceProcessName**: The first program name originating the network unit-of-work, identified as DFHPROG_PGMNAME.

  • **dproc**: Sub-System Identification, labeled as SMFSTSSI.

  • **start**: Task start time, labeled as DFHCICS_START.

  • **end**: Task stop time, labeled as DFHCICS_STOP.

  • **suid**: User identification, labeled as DFHCICS_USRID.

**SMF 119 Fields:**

The SMF 119 records are divided into two main types: those that are common to all type 119 records and specific fields for the Connection Initiation Record (Subtype 1).

  • **Common to All Type 119 Records:**

  • **cat**: A constant value "TCP/IP" indicating the record pertains to TCP/IP communications.

  • **deviceExternalID**: The system name from SYSNAME in IEASYSxx.

  • **deviceProcessName**: Specifies the type of TCP/IP subcomponent, including FTPC (FTP client), FTPS (FTP server), IKE (IKE daemon), IP (IP layer), STACK (entire TCP/IP stack), TCP (TCP layer), TN3270C (TN3270 client), and TN3270S (TN3270 server).

  • **dproc**: The started task qualifier or address space name of the address space that writes this SMF record.

  • **For Connection Initiation Record (Subtype 1):**

  • **c6a2**: Remote IPv6 address at the time of connection open, labeled as RemtIP.

  • **c6a3**: Local IPv6 address at the time of connection open, labeled as LocIP.

  • **dpt**: Local port number at the time of connection open, labeled as TILPort.

  • **dst**: Local IP address at the time of connection open, formatted either as an IPv4 address or set to 255.255.255.255 if it is not available.

  • **spt**: Remote port number at the time of connection open, labeled as TIRPort.

These descriptions are based on data areas and configurations related to IBM's CICS and TCP/IP communications within their systems.

This text provides information about two types of records in a system called SMF (System Management Function), specifically related to network connections and FTP client completions. The first section details the fields for a "Connection Termination Record" with subtype 2, which includes remote and local IP addresses, port numbers, byte counts, and other network-related information. The second part pertains to an "FTP Client Completion Record" (subtype 3), which captures data about FTP connections, including control connection details such as IP addresses, command types, user ID, file transfer details like the dataset name and type, and timestamps for when the transmission ended.

The provided information is a summary of various fields and their descriptions related to two types of records within an IT system, specifically for TN3270E SNA sessions. These records include both session initiation (Subtype 20) and termination (Subtype 21). Here's the breakdown of each field as per the description:

SMF119FT_FCBytes and SMF119TN_NTInByte/OutByte are used to represent byte counts in transmission. The former is a 64-bit integer indicating the number of bytes transmitted during an operation, while the latter two fields respectively denote the inbound (received) or outbound (sent) byte count within session termination records.

SMF119FT_FCLReply and SMF119TN_NTRCode are related to server replies and termination reasons. The former is a 3-digit RFC code representing the last server reply, while the latter is a reason code for terminating a session, which aligns with values displayed in message EZZ6034I.

Other fields like hostnames (SMF119FT_FCHostname and SMF119TN_NILU), port numbers (SMF119FT_FCCRPort, SMF119TN_NILPort, SMF119TN_NIRPort, SMF119TN_NTLPort), IP addresses (IPv4 in SMF119FT_FCHostname and SMF119TN_NILIP_V4, IPv6 in various forms such as c6a2 RemtIP, c6a3 LocIP, cn1 DevNo, etc.), and timestamps (SMF119FT_FCSTime, start/end times for sessions) provide detailed information about the session. These fields collectively help in tracking and analyzing TN3270E SNA sessions by providing critical metadata such as connection endpoints, data transfer volumes, error codes related to termination, and timestamps of events during a session's lifecycle.

The provided text describes various fields associated with an FTP server completion record in the context of a specific system named "SMF 119". This record details information about network connections, file transfers, and user activities. Here's a summary of each field mentioned:

  • **ct variable**: Not specified but likely refers to some type of identifier or status code related to the FTP session.

  • **RemtCtlIP (c6a2)**: The remote IPv6 address for control connections, used in communication between systems.

  • **LocCtlIP (c6a3)**: The local IPv6 address for control connections, which is the IP address on the server side where the FTP session starts or ends.

  • **SubCmd (cs1)**: The specific command issued by the client during the FTP session as per RFC 959+. This could include commands like LIST, RETR (retrieve a file), STOR (store a file), etc.

  • **DStype (cs3)**: Defines the type of data set being transferred. Options are SEQ (sequential), PDS (partitioned data set), or HFS (hierarchical file system).

  • **Security (cs5)**: Refers to security features as outlined in SMF 119 Security Sections, possibly related to authentication and encryption methods used during the session.

  • **DSCLPort (dpt)**: The local port number on the FTP server that handles control connections from clients.

  • **DstIP (dst)**: The IP address of the client making a connection to the FTP server. It is formatted as an IPv4 address, but can also include the special value 255.255.255.255 for unspecified or error cases.

  • **End (end)**: Indicates the date and time when the FTP session ended on the server side.

  • **filePath (filePath)**: Refers to the second MVS or z/OS UNIX file name associated with a rename operation, which is either the new file name after renaming or a data set name in case of transfer operations.

  • **fileType (fileType)**: Specifies the type of file being transferred, such as SEQ (sequential), JES (job entry subsystem files), or SQL (database files).

  • **fname (fname)**: Indicates the PDS member name involved in a rename operation if applicable.

  • **in (in)**: The number of bytes transmitted during the FTP session, represented as a 64-bit integer.

  • **oldFileName (oldFileName)**: The original PDS member name before any renaming occurred.

  • **oldFilePath (oldFilePath)**: The initial server MVS or z/OS UNIX file name associated with the file transfer or rename operation.

  • **reason (reason)**: Contains the last reply code sent to the client, which is a 3-digit number as per RFC 959 and represents the status of the FTP command execution.

  • **shost (shost)**: The hostname from which the FTP session originates or towards which data is being transferred.

  • **spt (spt)**: The port number on the client side that initiates a control connection to the server during an FTP session.

  • **src (src)**: The IP address of the remote system initiating the control connection, formatted as an IPv4 address or using 255.255.255.255 for unspecified cases.

  • **start (start)**: Indicates the date and time when the FTP session began on the server side.

  • **suid (suid)**: The client user ID on the server that initiated the FTP session, likely used for authentication purposes.

The provided information outlines the fields and descriptions for an FTP server logon failure record, specifically subtype 72 of SMF (System Management Facility) type 119. This record is used to capture details about failed FTP logins, such as the reason for failure, IP addresses involved, port numbers, user identifiers, and other related information. Key fields include:

  • **RemtIP** or Remote IPv6 address: Indicates the IP address of the client attempting to log in.

  • **LocIP** or Local IPv6 address: Shows the local (server) IP address where the login attempt was made.

  • **reason**: Specifies the reason for the failed login, which can include password invalidity, expiration, user ID revoked, no server access, excessive bad passwords, and others.

  • **spt** or Remote port number: Indicates the port number used by the client during the failed logon attempt.

  • **src** or Remote IP address (formatted as IPv4): The IP address of the client formatted in an IPv4 style, which can also be represented as 255.255.255.255 if needed.

  • **suid** or Client User ID: The user ID received by the server from the client during the failed logon attempt.

In addition to these, there are fields that are common across various ACF2 record subtypes and include details such as:

  • **deviceExternalId**: SMFID of the system where the event occurred.

  • **duser**: ACF2 user name associated with the login attempt.

  • **sproc**: Job name related to the logon process.

  • **suid**: ACF2 user Logon ID string, which is a unique identifier for the user session.
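As an added example (not code from the CorreLog guide or the ArcSight connector), the following Python parses CEF lines of the kind CZAGENT forwards, using the standard ArcSight CEF header layout and the extension keys listed above (cat, deviceProcessName, src, c6a2, spt, suid, reason), and counts FTP server logon failures (subtype 72) per remote address, falling back to the IPv6 field c6a2 when src carries the 255.255.255.255 placeholder. The sample events, the vendor/product header values and the "119:72" signature ID are constructed assumptions; the guide as summarized does not state how the SMF subtype is encoded in the CEF header.

```python
import re
from collections import Counter

HEADER_FIELDS = ("version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity")
UNAVAILABLE_V4 = "255.255.255.255"  # placeholder the guide uses when no IPv4 address is available
LOGON_FAILURE_SIG = "119:72"        # assumed signature ID for SMF 119 subtype 72 (constructed)
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")  # an extension key sits just before an unescaped '='

def _split_header(line):
    """Split the seven pipe-delimited header fields, honouring the \\| and \\\\ escapes."""
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line) and line[i + 1] in "|\\":
            cur.append(line[i + 1])  # escaped pipe or backslash is literal
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    if len(fields) != 7:
        raise ValueError("malformed CEF header: expected 7 pipe-delimited fields")
    return fields, line[i:]  # remainder is the extension

def _unescape(value):
    """Undo the extension escapes \\= \\\\ \\n \\r."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append({"n": "\n", "r": "\r"}.get(value[i + 1], value[i + 1]))
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)

def _split_extension(ext):
    """Turn 'key=value key2=value with spaces' into a dict; a value runs until the next key."""
    matches = list(_KEY_RE.finditer(ext))
    out = {}
    for n, m in enumerate(matches):
        end = matches[n + 1].start() if n + 1 < len(matches) else len(ext)
        out[m.group(1)] = _unescape(ext[m.end():end].strip())
    return out

def parse_cef(line):
    """Return the header fields plus an 'ext' dict for one CEF line."""
    fields, ext = _split_header(line.rstrip("\r\n"))
    if not fields[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    fields[0] = fields[0][len("CEF:"):]
    rec = dict(zip(HEADER_FIELDS, fields))
    rec["ext"] = _split_extension(ext)
    return rec

def remote_address(ext):
    """Prefer src; when it holds the IPv4 placeholder, fall back to the IPv6 field c6a2."""
    src = ext.get("src")
    if src and src != UNAVAILABLE_V4:
        return src
    return ext.get("c6a2", "unknown")

def ftp_logon_failures(lines, threshold=3):
    """Count subtype-72 logon failures per remote address; return those at or above threshold.
    A record qualifies by the mapped fields cat=TCP/IP and deviceProcessName=FTPS plus the signature ID."""
    counts = Counter()
    for line in lines:
        rec = parse_cef(line)
        ext = rec["ext"]
        if (rec["signature_id"] != LOGON_FAILURE_SIG or ext.get("cat") != "TCP/IP"
                or ext.get("deviceProcessName") != "FTPS"):
            continue
        counts[remote_address(ext)] += 1
    return {addr: n for addr, n in counts.items() if n >= threshold}

# Constructed sample events (not real CZAGENT output); addresses are from documentation ranges.
_HDR = "CEF:0|CorreLog|CZAGENT|5.4.0|"
def _failure(src, spt, suid, reason, extra="", name="FTP server logon failure"):
    """Build a constructed subtype-72 record (helper for the sample data only)."""
    return (_HDR + f"{LOGON_FAILURE_SIG}|{name}|5|cat=TCP/IP deviceProcessName=FTPS "
            f"src={src} spt={spt} suid={suid}{extra} reason={reason}")

SAMPLE_EVENTS = [
    _failure("203.0.113.7", 51234, "OPER1", "Password invalid"),
    _failure("203.0.113.7", 51240, "OPER1", "Password expired"),
    _failure("203.0.113.7", 51251, "OPER1", "Excessive bad passwords", name="FTP server \\| logon failure"),
    _failure("198.51.100.5", 60100, "OPER3", "User ID revoked"),
    _HDR + "119:3|FTP client completion|3|cat=TCP/IP deviceProcessName=FTPC src=203.0.113.9 spt=21 suid=BATCH1",
] + [_failure(UNAVAILABLE_V4, port, "OPER2", "No server access", extra=" c6a2=2001:db8::7")
     for port in (40001, 40002, 40003)]  # IPv6 client: src is the placeholder, c6a2 names the host

if __name__ == "__main__":
    for addr, n in sorted(ftp_logon_failures(SAMPLE_EVENTS).items()):
        print(f"{addr}: {n} FTP logon failures")
```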

These fields help in understanding and troubleshooting failed FTP logins, providing essential information about the client's IP address, port numbers, authentication details, and system identifiers involved during the logon process.

The provided text lists various fields associated with different subsystems or records, as indicated by their labels such as "SSPDSN," "ACUMF_F2," and "QW002XDB." These fields are typically used in mainframe environments to provide detailed information about system operations. Here's a summary of the key points from each record:

1. **SSPDSN Dataset Access:**

  • **fname A$SSPMEM**: Member name for PDS, if any.

  • **oldFileId A$SSOVOL**: Original volume for DSN.

  • **oldFilePath A$SSODSN**: Original/unmodified DSN.

  • **spid A$SSPID1**: Security Module Issuing Svc expressed as an integer code and text.

  • **spriv A$SLTFLG**: User's privileges expressed as an integer and text.

  • **suser A$SSNAME**: User's name.

2. **SMF ACF2 Fields:**

  • These fields relate to the ACRECL (Logon ID Modification) and ACRECU (RACROUTE REQUEST=DIRAUTH) record subtypes, including flags for fileType, SAF return code, and input sub-function.

3. **SMF DB2 Fields:**

  • Common to all DB2 IFCIDs:

    • **Work QWHSLWID**: Logical unit of work ID.

    • **Loc QWHSLOCN**: Local location name.

    • **NetID QWHSNID**: Network ID.

    • **CorrID QWHCCV**: Correlation ID.

    • **dproc SM100SSI**: DB2 subsystem ID.

    • **duid QWHCAID**: Correlation authorization ID.

    • **shost QWHCEUWN**: The end user's workstation name.

    • **sproc QWHCPLAN**: Job name.

    • **suid QWHCEUID**: The end user's user ID at the user's workstation.

  • Specific to IFCIDs 23, 24, and 25:

    • **DBID QW002XDB**: Database ID.

    • **PSID QW002XPD**: Pagespace ID.

    • **deviceProcessName QW002XNM**: Utility name.

    • **filePath QW002XNA**: Database name.

    • **fname QW002XPN**: Object name.

    • **sproc QW002XJN**: Job name (IFCIDs 24 and 25 only).

  • Specific to IFCID 53:

    • **cfp1 SQL**: SQL.

These fields are crucial for understanding the detailed operational context of mainframe systems, providing insights into user activities, system resources accessed, and other critical aspects that can help in troubleshooting and performance optimization.

The text provides an overview of several DB2 for z/OS performance monitoring and error handling concepts related to the SQLERRD4 and SQLCODE variables in SMF (System Management Facility) records. Specifically, it discusses how these variables are used to track resource requirement estimates, provide return codes indicating success or failure of a particular SQL statement, and vary with changes in catalog statistics or between DB2 releases. The descriptions are sourced from IBM publications including "DB2 Version 9.1 for z/OS Performance Monitoring and Tuning Guide," "DB2 10 for z/OS SQL Reference," and technical guides such as "z/OS Security Server RACF Data Areas."

This summary provides an overview of the SQL return codes and related fields in the IBM manual "DB2 10 for z/OS DB2 Codes," specifically focusing on the SMF (Systems Management Facilities) DB2 fields associated with IFCIDs 59 to 97. The detailed descriptions include field names such as `sourceServiceName`, `fileType`, `fname`, `cs4 Loc`, `cs1 Sql`, `cs1 Cmd`, and `outcome`. These fields are used in different contexts such as program names, object types, SQL statements, command texts, and return codes for the completion of commands. The data is structured under the labels CEF (Common Event Format) name, CEF label, CZAGENT field name, and description.

The following is a summary of fields and their descriptions related to database management within IBM's z/OS operating system. These fields are part of the CZAGENT component, which likely pertains to agent software used in managing databases or interactions with specific database services.
Here's an overview based on the given data:

1. **Label CZAGENT**: This refers to a set of fields and their descriptions under the CEF (Common Event Format) label for handling various commands and statuses related to database operations using IBM tools like DB2, which is commonly used in enterprise environments.

2. **Field Descriptions**:

  • **cs1 Cmd QW0097P1**: This field describes a command used for accessing method services, with a maximum size of 160 bytes. The "outcome" field that follows it (QW0097RC) indicates the result or status of this command, expressed as a return code indicating completion or error.

  • **SMF DB2 Fields**: These fields are specific to System Management Facility (SMF) and DB2 records, covering database operations under IFCIDs 107 and 140. They include:

    • **cn1 DBID QW0107DB**: The database identifier (DBID).

    • **cn3 PSID QW0107OB**: The page set ID (PSID) of the object.

    • **filePath QW0107DN**: Database name.

    • **fileType QW0107T, QW0107TD**: Type of request, such as opening or closing, in the DB2 context, expressed as a one-byte code (QW0107T) and as a textual description (QW0107TD).

    • **fname QW0107TN**: Table space name within the database.

    • **cs1 Sql QW0140TX_1023**: SQL text, truncated to 1023 bytes.

    • **cs2 AuthIDType QW0140AT, QW0140ATD**: Type of authorization ID used in the DB2 operation: blank for primary/secondary, L for role, with the textual description in QW0140ATD.

    • **filePath QW0140TC, fname QW0140TN**: Qualifier/owner and name of the target object, used for authorization checks on the CREATE INDEX and CREATE TABLE privileges.

    • **outcome QW0140RC**: Return code from the authorization exit routines, which indicates the success or failure of the checked action.

3. **SMF DB2 Fields of IFCID 141**: Similar to those under IFCID 140, with slight variations depending on the exact query or event being logged, such as different (truncated) SQL text formats and detailed object type specifications in QW0140OB and QW0140OBD.

This summary provides a basic understanding of how database interactions are tracked in SMF records using IBM tools like DB2, with particular focus on event IDs related to command handling and authorization checks across different contexts.

The document goes on to list the CEF Name / CEF Label / CZAGENT Field Name / Description tables for the SMF DB2 fields of IFCID 141, 142, 143, and 144. Here's a summary:

**IFCID 141**:

  • **cs1 Sql QW0141TX_1023**: GRANT or REVOKE SQL statement, truncated to 1023 bytes.

  • **cs2 AuthIDType QW0141OT** and **QW0141OTD**: Authorization ID type expressed as a one-byte code (primary/secondary or role) and its textual description.

  • **dpriv QW0141RE** and **QW0141RED**: Authority type represented by codes such as B or C, and its textual description.

  • **fileType QW0141OB** and **QW0141OBD**: Object type coded as B or C, and its textual description (e.g. Bufferpool), among others.

**IFCID 142**:

  • **cn1 DBID QW0142DB**: Database ID.

  • **cn2 OBID QW0142OB**: Object ID.

  • **cs1 Sql QW0142TX_1023**: SQL text truncated to 1023 bytes.

  • **cs2 AuthIDType QW0142OR** and **QW0142ORD**: Authorization ID type coded as blank for primary/secondary or L for role, and its textual description.

  • **filePath QW0142OW**: Table owner (same as qualifier).

  • **fname QW0142TN**: Table name.

  • **reason QW0142AC** and **QW0142ACD**: Statement type (CREATE, DROP, or ALTER) expressed as a one-character code and its textual description.

**IFCID 143 and 144** share the same field names across both IDs: cn1 DBID (Database ID), cn2 OBID (Record OBID), cn3 PSID, cs1 Sql (SQL text), cs2 AuthIDType (Authorization ID type), and reason (Statement type).

These fields are crucial for understanding data in specific databases or systems related to SQL statements, authorization IDs, authority types, object types, table names, database IDs, and other relevant details.

The text discusses various fields and their descriptions related to different IFCIDs (Interface Control Document IDs) in DB2, a database management system. Here's a summary of the main points:

1. **IFCID 145**:

  • This refers to SQL statements that can be truncated up to 1023 bytes per record. Additional text is written in subsequent records until the entire statement is recorded. The field for this in DB2 Version 9.1 is called QW0145TX. DbDefender uses QW0145RT_1023 across all supported versions of DB2.

  • **Outcome**: Indicates success with warnings, or error conditions based on the return code (QW0145SC).

  • **Source Service Name**: Identifies the program name (QW0145PN).

2. **IFCID 233**:

  • **Location Name** (QW0233LN) and **Type of Statement** (fileType QW0233TY, text representation as "OPEN", "FETCH" etc., but also includes a detailed description field fileType QW0233TYD).

  • **Outcome**: Action expressed as codes 00 for entry to a routine or 01 for return from a routine (QW0233EX and its textual representation QW0233EXD).

  • **Source Service Name** (QW0233PN) and **Routine Specific Name** (suser QW0233PR).

3. **IFCID 247**:

  • **Data Type of Entry** (fileType QW0247TY), derived from the IBM manual "DB2 for z/OS SQL Reference".

  • **Source Service Name** (QW0247PN).

4. **IFCID 319**:

  • **IPv6 Address** (src QW0319RI_IPv6 and formatted IPv4 address if applicable, src QW0319RI_IPv4), derived userid (suid QW0319US).

  • Requesting Kerberos principal name is noted if applicable (suser QW0319D1).

5. **IFCID 361**:

  • Not available in DB2 Version 9, but details a command field (cs1 Cmd) which might be specific to newer versions or features not covered in the referenced version.

These summaries are based on the provided text and highlight key information about each IFCID's fields and their roles in DB2 database management.

The provided text discusses various fields related to a software system, specifically within the context of database management and authorization controls. Here's a summary of the key points:

1. **TX_1023 SQL Statement or Command**: The SQL statement or command text, truncated at 1023 bytes if it exceeds that length.

2. **AuthIDType QW0361IT and QW0361ITD**: These fields give the type of authorization ID used in the system, which can be a primary or secondary authorization ID (blank) or a role (L), as coded in "QW0361IT" and described in "QW0361ITD".

3. **dpriv QW0361AT and QW0361ATD**: These fields describe the authority type using single-character codes (e.g., B or C), which are expanded to textual descriptions such as "System DBADM, DBCTRL" in "QW0361ATD".

4. **filePath QW0361TC**: The qualifier/owner of the target object.

5. **fileType QW0361OT and QW0361OTD**: The type of the object, with "QW0361OT" holding a one-byte code (e.g., B or C) that is expanded to a full name such as "Bufferpool" or "Collection" in "QW0361OTD".

6. **fname QW0361TN**: The name of the target object.

7. **spriv QW0361PR and spriv QW0361PRD**: Privilege checks, where "QW0361PR" is an integer value and its textual description is given in "QW0361PRD".

8. **SMF DIAG Fields**: The text briefly mentions field names under the CEF Name / CEF Label / CZAGENT Field Name headings that are part of the SMF diagnostic records, describing their role as constants or labels for diagnostics within the system.

9. **Trademarks**: The text notes that certain terms used in the context of database management and software systems are trademarks of specific companies:

  • "dbDefender" is a trademark of CorreLog, Inc., while "CorreLog®" is a registered trademark of the same company.

  • "IBM® z/OS®", "MVS", "ACF2®", and "Top Secret®" are trademarks of IBM Corporation in various regions or globally.

This summary captures the essential details about these fields within their respective context, highlighting how they contribute to system management and data handling capabilities.

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If you have any comments or feedback, kindly leave a message and it will be responded to.
