SMF 30 is sufficient to do this, assuming you have been capturing the start and end events of TSO sessions.
There may be a CBT program to report on this; have you searched? It is not impossible to do it yourself with Rexx. @Lizette mentions the problem of SMF "sections." She's right, but it's not impossible. Here is the basic technique: GetSect: Procedure Expose Recd.1 Triplet = Arg(1) If Triplet = "" Then Return "" Num = C2D(Substr(Triplet, 7, 2)) If Num = 0 Then Return "" Len = C2D(Substr(Triplet, 5, 2)) If Len = 0 Then Return "" Off = C2D(Substr(Triplet, 1, 4)) If Off = 0 Then Return "" Return Substr(Recd.1, Off-3, Len) Then you can code, for example Section = GetSect(Substr(Recd.1, 29, 8)) SMF30JBN = Substr(Section, 1,8) Yes, as @KB more or less alluded to, what you propose may be frowned upon in some circles. This kind of reporting is forbidden (by law? by typical union contract?) in Germany (and perhaps elsewhere in the EU and other places?). It is prohibited to routinely process data that could be used to infer working hours. You can collect it, and process it in a specific investigation, but not routinely. (I am not a lawyer, much less a German labor law lawyer, so take what I write as a general hint, not exact legal advice.) This is all right in my wheelhouse because the program I wrote for CorreLog, zDefender, and which was acquired by BMC as AMI Defender, may be and is often used to do exactly what you describe. You use it in conjunction with a collection and reporting tool running on a "small system": either Splunk, or a "SIEM" such as IBM QRadar. I know you said "no third party" but this was a fairly mature market: nearly every shop has either Defender, or one of the two main competitors, IBM zSecure Audit or Syncsort Ironstream (and nearly every company in the world seems to be running Splunk). You might want to check whether your shop already has one of the three mainframe products I mention, and Splunk or a SIEM in your Security Operations Center. If you have one of the mainframe products already, but your organization does not give you access to Splunk, you can download it and run it "full-function" for free, provided only that you keep your data to under 500MB/day. Splunk is really powerful and really easy to use. (That's why everyone it seems runs it.) Yes, this assumes by "logged on" you refer to TSO. CICS does not generate SMF data equivalent to this, nor does IMS, nor do the session manager products AFAIK. If you have not been collecting SMF 30 TSO start and end events, then you may be able to get the logons from SMF 80, but not the log offs. Charles -----Original Message----- From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Jake Anderson Sent: Saturday, October 24, 2020 11:08 PM To: [email protected] Subject: SMF to capture user login history Hello Cross posted. We have a SMF data for some years and I would like to fetch a user's logon history like when he was logged with all time intervals. Is there a sample JCL or process you are following without having to use any third party product to process. ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
