Log Types: RACFLog

Overview

RACF, short for Resource Access Control Facility, is an IBM software product. It is a security system that provides access control and auditing functionality for the z/OS and z/VM operating systems.

Collection

RACF resource violation logs can be batch-imported into Snare Central. In particular, ACCESS, DELRES, and JOBINIT logs are supported directly.

RACF files should be in ASCII format and transferred to the directory /data/SnareCollect/RACFLog via FTP using the user 'snarexfer'. Logs are processed daily, at around midnight.

Sample Events

RACF logs are fixed-column logs. Snare Central assumes the following format (character positions are counted from 1 and ranges are inclusive):

  • EVENT TYPE: Characters 1-8

  • EVENT QUALIFIER: Characters 10-17 (e.g. SUCCESS, INVPSWD, RACINITD)

  • TIME: Characters 19-26

  • DATE: Characters 28-37

  • SYSTEM: Characters 39-42 (SYSTEM ID)

  • USER ID: Characters 59-66

  • GROUP ID: Characters 68-75

  • TERMINAL (HOSTNAME): Characters 171-178

  • JOB NAME: Characters 180-187

  • USER NAME: Characters 556-575

  • ATTRIBUTES (each a True/False flag):

    • VIOLATION: Characters 44-47

    • BYPASS: Characters 107-110

    • SPECIAL USER: Characters 602-605

    • PRIV: Characters 646-649
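The following parser is an added example, not Snare Central's own code, showing how the fixed-column layout above is sliced into fields and how the VIOLATION flag can be used to pull out the records worth reviewing. The column positions are taken from the list above; the sample records are constructed, and the spelling of the True/False attribute values (YES/NO or TRUE/FALSE text) and the rule for building a USERFLAGS string from the BYPASS, SPECIAL and PRIV flags are assumptions.

```python
"""Parse Snare-style fixed-column RACF log records (added example)."""

# 1-based inclusive character positions, as documented on the page.
FIELDS = {
    "EVENT_TYPE": (1, 8),
    "EVENT_QUALIFIER": (10, 17),
    "TIME": (19, 26),
    "DATE": (28, 37),
    "SYSTEM": (39, 42),
    "USER_ID": (59, 66),
    "GROUP_ID": (68, 75),
    "TERMINAL": (171, 178),
    "JOB_NAME": (180, 187),
    "USER_NAME": (556, 575),
}

# True/False attribute columns.
ATTRIBUTES = {
    "VIOLATION": (44, 47),
    "BYPASS": (107, 110),
    "SPECIAL": (602, 605),
    "PRIV": (646, 649),
}

RECORD_LEN = 649  # last documented column

# Assumption: an attribute column holds YES/NO or TRUE/FALSE text (4 chars max).
TRUE_VALUES = {"YES", "Y", "TRUE", "T"}


def column(line, span):
    """Return the stripped text of a 1-based inclusive column range."""
    start, end = span
    return line[start - 1:end].strip()


def parse_racf_line(line):
    """Slice one fixed-column record into a dict of named fields."""
    line = line.rstrip("\r\n")
    # Short records (e.g. trailing blanks trimmed) are right-padded so
    # every documented column can still be sliced safely.
    if len(line) < RECORD_LEN:
        line = line.ljust(RECORD_LEN)
    record = {name: column(line, span) for name, span in FIELDS.items()}
    flags = {name: column(line, span).upper() in TRUE_VALUES
             for name, span in ATTRIBUTES.items()}
    record["ATTRIBUTES"] = flags
    # Assumption: USERFLAGS lists the user attributes that are set.
    record["USERFLAGS"] = " ".join(
        name for name in ("BYPASS", "SPECIAL", "PRIV") if flags[name])
    return record


def violation_records(lines):
    """Return (USER_ID, EVENT_TYPE, EVENT_QUALIFIER) for VIOLATION records."""
    hits = []
    for line in lines:
        rec = parse_racf_line(line)
        if rec["ATTRIBUTES"]["VIOLATION"]:
            hits.append((rec["USER_ID"], rec["EVENT_TYPE"], rec["EVENT_QUALIFIER"]))
    return hits


def build_sample_line(values):
    """Construct a fixed-column record from {field_name: text} (test helper)."""
    buf = [" "] * RECORD_LEN
    for name, text in values.items():
        start, end = {**FIELDS, **ATTRIBUTES}[name]
        if len(text) > end - start + 1:
            raise ValueError(f"{name}: value too wide for column range")
        buf[start - 1:start - 1 + len(text)] = list(text)
    return "".join(buf)


# Constructed sample records: one access violation by a SPECIAL user,
# one successful job initiation.
SAMPLE_VIOLATION = build_sample_line({
    "EVENT_TYPE": "ACCESS", "EVENT_QUALIFIER": "INSAUTH",
    "TIME": "23:58:01", "DATE": "2024-03-14", "SYSTEM": "SYS1",
    "USER_ID": "OPER01", "GROUP_ID": "SYSPROG",
    "TERMINAL": "TSO0001", "JOB_NAME": "OPER01", "USER_NAME": "TEST OPERATOR",
    "VIOLATION": "YES", "BYPASS": "NO", "SPECIAL": "YES", "PRIV": "NO",
})
SAMPLE_JOBINIT = build_sample_line({
    "EVENT_TYPE": "JOBINIT", "EVENT_QUALIFIER": "SUCCESS",
    "TIME": "00:01:15", "DATE": "2024-03-15", "SYSTEM": "SYS1",
    "USER_ID": "BATCH02", "GROUP_ID": "BATCH", "JOB_NAME": "NIGHTLY",
    "VIOLATION": "NO", "BYPASS": "NO", "SPECIAL": "NO", "PRIV": "NO",
})

if __name__ == "__main__":
    for user, etype, qual in violation_records([SAMPLE_VIOLATION, SAMPLE_JOBINIT]):
        print(f"violation: user={user} event={etype} qualifier={qual}")
```

Because the layout is positional, any record that has been reflowed, tab-expanded or converted from EBCDIC with a different code page will shift columns silently; checking that TIME and DATE parse as HH:MM:SS and YYYY-MM-DD is a cheap way to detect a misaligned file before it is imported.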

Fields

Field       Description

DATE        Event date, in the format YYYY-MM-DD
TIME        Event time, in the format HH:MM:SS
SYSTEM      The source system
TABLE       RACFLog
EVENTID     Event Type
JOBNAME     Job name
SOURCE
RESOURCE    e.g. TCT.COMET.TCTCICSI.CSMTDD.G0001V00
ACTION      e.g. UPDATE
USERID
USERNAME
USERFLAGS   e.g. BYPASS SPECIAL
GROUPID
RETURN
RESULT      e.g. INSAUTH
DATA

Notes

-