Hi Peter, Try looking at the SMF 30, type 1, records, which you can process with RACF's SMF unload and which zSecure should also be able to report on.
There might be other events shown in SYSLOG immediately before and after the ICH408I message that give some clue as to its origins. If JESINPUT and JESJOBS are active, look at associated Access Monitor records as they may provide further details. Regards, Bob Robert S. Hansel Lead RACF Specialist RSH Consulting, Inc. 617-969-8211 www.linkedin.com/in/roberthansel www.twitter.com/RSH_RACF www.rshconsulting.com --------------------------------------------------------------------------- Upcoming RSH RACF Training - WebEx - RACF Audit & Compliance Roadmap - OCT 19-23, 2020 - RACF Level I Administration - DEC 7-11, 2020 - RACF Level II Administration - NOV 16-20, 2020 - RACF Level III Admin, Audit, & Compliance - NOV 2-6, 2020 - RACF - Securing z/OS UNIX - SEPT 28 - OCT 2, 2020 --------------------------------------------------------------------------- -----Original Message----- Date: Mon, 13 Jul 2020 22:27:53 +0000 From: "TenEyck, Peter" <[email protected]> Subject: SMF record What SMF record and report/tool could I use to determine the point of origin for this attempted logon? M 0080000 ABCD 20180 07:40:36.85 JOB03275 00000090 ICH408I USER(RACFID ) GROUP( ) NAME(??? ) 395 E 395 00000090 LOGON/JOB INITIATION - USER AT TERMINAL NOT RACF-DEFINED //* Peter Ten Eyck //* Senior Systems Programmer //* American National // ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
