You might want to consider that the OpenSSH SMF records are part of the Type 119 record and use subtypes 94, 95, 96, 97, and 98. Subtype 96 is the "Server" transfer complete record and 97 is the "Client" equivalent. These records would give you who, what and where someone accessed a file, including the SFTP command executed against the file.
I gathered the above information from: "z/OS IBM Ported Tools for z/OS: OpenSSH User's Guide Version 1 Release 3" (SA23-2246-03). The details for the subtypes 94 through 98 are in this manual and not in the "z/OS Communications Server: IP Programmer's Guide and Reference", which will have the other SMF 119 record subtype descriptions.

Al Nims
Systems Admin/Programmer 3
UFIT
University of Florida
(352) 273-1298

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Edward Finnell
Sent: Tuesday, May 16, 2017 6:30 PM
To: [email protected]
Subject: Re: SMF Records

I think DAF off CBT will answer all the questions.

In a message dated 5/16/2017 5:16:17 P.M. Central Daylight Time, [email protected] writes:

Basically SMF always writes a record, it does not check if that file name was done that way or not.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
