Kolusu,
Thank you very much for your JCL.
I have tweaked it a little to modify the column layout, moving the "who did it"
to the end of the line, and keeping "what happened" at the start.
Some minor displacement corrections also.
Very useful JCL.
Thank you very much.
Bruce
//ITSXSA3U JOB (ACCT#),'RACF USER=CSMADMIN',
// CLASS=U,
// MSGCLASS=W,
// MSGLEVEL=(1,1),
// NOTIFY=&SYSUID
//*
//*******************************************************************
//* THIS WILL READ THE SMF EXTRACT DATASET OF RACF RELATED SMF
//* RECORDS (TYPES 30, 80, 81, 82, 83) AND USE THE SORT TOOL
//* TO SORT THE DATA AND GENERATE A REPORT.
//*
//* THIS JOB WILL REPORT ALL SMF EVENTS FOR A SELECTED USERID.
//*
//*******************************************************************
//*
// SET USERNAME='CSMADMIN'
// SET REPORT='ITSXSA3.RACFICE.REPORT.CSMADMIN.REFORMAT'
//*
//*****************************************************************
//* Unload the SMF data for RACF records and format them using **
//* IRRADU00 **
//*****************************************************************
//SMFDUMP EXEC PGM=IFASMFDP
//SYSPRINT DD SYSOUT=*
//ADUPRINT DD SYSOUT=*
//SMFDATA DD DISP=SHR,DSN=ITSXSA3.SMFACCUM.CPBK.HB
// DD DISP=SHR,DSN=ITSXSA3.SMFACCUM.CPRD.HB
//OUTDD DD DSN=&&IRASMF,DISP=(NEW,PASS),
// SPACE=(CYL,(100,100),RLSE),
// UNIT=(SYSDA,4),
// BLKSIZE=32760
//SMFOUT DD DUMMY
//SYSIN DD *
INDD(SMFDATA,OPTIONS(DUMP))
OUTDD(SMFOUT,TYPE(000:255))
ABEND(NORETRY)
USER2(IRRADU00)
USER3(IRRADU86)
/*
//*****************************************************************
//* create the consolidated report for an user based on the **
//* Event type using DFSORT. The username can be dynamically **
//* passed. Look at the SET statment up above for the username **
//* The following Event Types are reported **
//* ADDUSER/ALTUSER/CONNECT/PASSWORD/PERMIT/RALTER/RDEFINE **
//*****************************************************************
//UAREPORT EXEC PGM=SORT,PARM='JP1"&USERNAME"'
//*
//PRINT DD DSN=&REPORT.,
// DISP=(NEW,CATLG,DELETE),
// UNIT=3390,
// SPACE=(TRK,(15,15))
//*
//SYSOUT DD SYSOUT=*
//SYMNOUT DD SYSOUT=*
//SYMNAMES DD *
RDW,1,4,BI
EVENT_TYPE,*,8,CH
SKIP,1
EVENT_QUAL,*,8,CH
SKIP,1
TIME_WRITTEN,*,8,CH
SKIP,1
DATE_WRITTEN,*,10,CH
SKIP,1
SYSTEM_SMFID,*,4,CH
SKIP,1
VIOLATION,*,4,CH
SKIP,1
USER_NDFND,*,4,CH
SKIP,1
USER_WARNING,*,4,CH
SKIP,1
EVT_USER_ID,*,8,CH
SKIP,1
EVT_GRP_ID,*,8,CH
SKIP,1
AUTH_NORMAL,*,4,CH
SKIP,1
AUTH_SPECIAL,*,4,CH
SKIP,1
AUTH_OPER,*,4,CH
SKIP,1
AUTH_AUDIT,*,4,CH
SKIP,1
AUTH_EXIT,*,4,CH
SKIP,1
AUTH_FAILSFT,*,4,CH
SKIP,1
AUTH_BYPASS,*,4,CH
SKIP,1
AUTH_TRUSTED,*,4,CH
SKIP,1
LOG_CLASS,*,4,CH
SKIP,1
LOG_USER,*,4,CH
SKIP,1
LOG_SPECIAL,*,4,CH
SKIP,1
LOG_ACCESS,*,4,CH
SKIP,1
LOG_RACINIT,*,4,CH
SKIP,1
LOG_ALWAYS,*,4,CH
SKIP,1
LOG_CMDVIOL,*,4,CH
SKIP,1
LOG_GLOBAL,*,4,CH
SKIP,1
TERM_LEVEL,*,3,CH
SKIP,1
BACKOUT_FAIL,*,4,CH
SKIP,1
PROF_SAME,*,4,CH
SKIP,1
TERM,*,8,CH
SKIP,1
JOB_NAME,*,8,CH
SKIP,1
READ_TIME,*,8,CH
SKIP,1
READ_DATE,*,10,CH
SKIP,1
SMF_USER_ID,*,8,CH
SKIP,1
LOG_LEVEL,*,4,CH
SKIP,1
LOG_VMEVENT,*,4,CH
SKIP,1
LOG_LOGOPT,*,4,CH
SKIP,1
LOG_SECL,*,4,CH
SKIP,1
LOG_COMPATM,*,4,CH
SKIP,1
LOG_APPLAUD,*,4,CH
SKIP,1
LOG_NONOMVS,*,4,CH
SKIP,1
LOG_OMVSNPRV,*,4,CH
SKIP,1
AUTH_OMVSSU,*,4,CH
SKIP,1
AUTH_OMVSSYS,*,4,CH
SKIP,1
USR_SECL,*,8,CH
SKIP,1
RACF_VERSION,*,4,CH
//SORTIN DD DISP=SHR,DSN=&&IRASMF
/*
//SYSIN DD *
OPTION VLSCMP
INCLUDE COND=(01,8192,SS,EQ,JP1,AND,
(EVENT_TYPE,EQ,C'ADDUSER ',OR,
EVENT_TYPE,EQ,C'ALTUSER ',OR,
EVENT_TYPE,EQ,C'CONNECT ',OR,
EVENT_TYPE,EQ,C'PASSWORD',OR,
EVENT_TYPE,EQ,C'PERMIT ',OR,
EVENT_TYPE,EQ,C'RALTER ',OR,
EVENT_TYPE,EQ,C'RDEFINE '))
INREC BUILD=(01,1000) $ BUILD REQD DATA
SORT FIELDS=(EVENT_TYPE,A) $ SORT EVENT TYPE
OUTREC IFTHEN=(WHEN=(5,8,CH,EQ,C'ADDUSER'),
OVERLAY=(1001:508,008, $ USERID
1011:08X, $ OWNER
1021:08X, $ CLASS
1031:35X, $ RESOURCE
1071:295,020, $ USER NAME
1095:517,138)), $ KEYWORDS
IFTHEN=(WHEN=(5,8,CH,EQ,C'ALTUSER'),
OVERLAY=(1001:522,008, $ USERID
1011:286,008, $ OWNER
1021:08X, $ CLASS
1031:35X, $ RESOURCE
1071:295,020, $ USER NAME
1095:531,127)), $ KEYWORDS
IFTHEN=(WHEN=(5,8,CH,EQ,C'CONNECT'),
OVERLAY=(1001:498,008, $ USERID
1011:08X, $ OWNER
1021:08X, $ CLASS
1031:35X, $ RESOURCE
1071:295,020, $ USER NAME
1095:507,138)), $ KEYWORDS
IFTHEN=(WHEN=(5,8,CH,EQ,C'PASSWORD'),
OVERLAY=(1001:08X, $ USERID
1011:286,008, $ OWNER
1021:08X, $ CLASS
1031:35X, $ RESOURCE
1071:295,020, $ USER NAME
1095:498,138)), $ KEYWORDS
IFTHEN=(WHEN=(5,8,CH,EQ,C'PERMIT'),
OVERLAY=(1001:08X, $ USERID
1011:08X, $ OWNER
1021:286,008, $ CLASS
1031:507,035, $ RESOURCE
1071:304,020, $ USER NAME
1095:763,100)), $ KEYWORDS
IFTHEN=(WHEN=(5,8,CH,EQ,C'RALTER',OR,
5,8,CH,EQ,C'RDEFINE'),
OVERLAY=(1001:08X, $ USERID
1011:295,008, $ OWNER
1021:286,008, $ CLASS
1031:516,024, $ RESOURCE
1071:304,020, $ USER NAME
1095:772,100)) $ KEYWORDS
OUTFIL FNAMES=PRINT,REMOVECC,VTOF,
BUILD=(001:DATE_WRITTEN,
014:TIME_WRITTEN,
025:SYSTEM_SMFID,
033:EVENT_QUAL,
044:EVENT_TYPE,
055:1001,008, $ USERID
065:1011,008, $ OWNER
075:1021,008, $ CLASS
085:1031,035, $ RESOURCE
122:1095,138, $ KEYWORDS
262:EVT_USER_ID,
272:EVT_GRP_ID,
282:TERM,
292:JOB_NAME,
302:1071,020, $ USER NAME
500:X),
SECTIONS=(EVENT_TYPE,
HEADER3=(/,
001:'RACF ',
006:EVENT_TYPE,
015:'Command Report',
037:DATE=(4MD/),
055:TIME=(24:),8X,
120:'Page',
125:PAGE,/,/,
001:'DATE',
014:'TIME',
025:'SMFID',
033:'RESULT',
044:'COMMAND',
055:'USER ID',
065:'OWNER',
075:'CLASS',
085:'RESOURCE',
122:'KEYWORDS USED',
262:'ISSUER',
272:'GROUP',
282:'TERMINAL',
292:'JOB NAME',
302:'USER NAME'/,
001:010'-',
014:008'-',
025:004'-',
033:008'-',
044:008'-',
055:008'-',
065:008'-',
075:008'-',
085:035'-',
122:138'-',
262:008'-',
272:008'-',
282:008'-',
292:008'-',
302:020'-'))
/*
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
