We did not usually see 1.0's for CICS logons. I think there is a caller ability to suppress cutting the record, or perhaps customers don't usually audit successful logons (?) so we found CICS logons to be basically hopeless. There is some other 1.nn that gets cut a lot but it happens on every transaction (?) so customers were reluctant to turn it on due to the volume. Working from two+ year old memory here.
Charles -----Original Message----- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Hayim Sokolsky Sent: Sunday, October 25, 2020 2:41 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: SMF to capture user login history User logon activity depends upon a combination of which logons you are talking about -and- which OEM security you use - RACF, Top Secret, or ACF2. TSO logon, job start (batch) and Started Task events are SMF type 20 or type 30. Anything else (CICS, Distributed DB2, IMS, etc…) is an SMF type 80 (event code 1 - RACINIT) cut by the security product itself. ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN