Log Types: RACFLog
Overview
RACF, short for Resource Access Control Facility, is an IBM software product. It is a security system that provides access control and auditing functionality for the z/OS and z/VM operating systems.
Collection
RACF resource violation logs can be batch-imported to the Snare Central. In particular, ACCESS, DELRES, and JOBINIT logs are supported directly.
RACF files should be in ASCII format, and transferred to the directory /data/SnareCollect/RACFLog via FTP using the user 'snarexfer'. Logs will be processed daily, at around midnight.
Sample Events
RACF logs are fixed-column logs. The Snare Central assumes the following format:
EVENT TYPE: Characters 1-8
EVENT QUALIFIER: Characters 10-17 (e.g. SUCCESS, INVPSWD, RACINITD)
TIME: Characters 19-26
DATE: Characters 28-37
SYSTEM: Characters 39-42 (SYSTEM ID)
USER ID: Characters 59-66
GROUP ID: Characters 68-75
TERMINAL (HOSTNAME): Characters 171-178
JOB NAME: Characters 180-187
USER NAME: Characters 556-575
ATTRIBUTES (True/False):
VIOLATION: Characters 44-47
BYPASS: Characters 107-110
SPECIAL USER: Characters 602-605
PRIV: Characters 646-649
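To show how the character positions above are applied, here is an added Python example (not part of the Snare Central product or of this documentation) that extracts each field from a record at the documented offsets and builds a constructed sample record for testing. The spellings accepted for a set True/False column and the short flag names used to assemble USERFLAGS are assumptions.

```python
# (name, first, last): 1-based inclusive character positions from the page
FIELDS = [
    ("EVENT_TYPE", 1, 8), ("EVENT_QUALIFIER", 10, 17), ("TIME", 19, 26),
    ("DATE", 28, 37), ("SYSTEM", 39, 42), ("USER_ID", 59, 66),
    ("GROUP_ID", 68, 75), ("TERMINAL", 171, 178), ("JOB_NAME", 180, 187),
    ("USER_NAME", 556, 575),
]
# True/False attribute columns; the short names used in USERFLAGS are an assumption
ATTRIBUTES = [("VIOLATION", 44, 47), ("BYPASS", 107, 110),
              ("SPECIAL", 602, 605), ("PRIV", 646, 649)]
RECORD_LENGTH = 649  # last documented column
# Assumed spellings that mark a 4-character True/False column as set
TRUE_VALUES = {"TRUE", "T", "YES", "Y", "1"}

def _column(line: str, first: int, last: int) -> str:
    # Convert 1-based inclusive positions to a slice and drop the blank padding
    return line[first - 1:last].strip()

def parse_racf_line(line: str) -> dict:
    line = line.rstrip("\r\n")
    if len(line) < RECORD_LENGTH:  # a truncated record would otherwise misparse silently
        raise ValueError(f"record too short: {len(line)} < {RECORD_LENGTH}")
    record = {name: _column(line, a, b) for name, a, b in FIELDS}
    flags = [name for name, a, b in ATTRIBUTES
             if _column(line, a, b).upper() in TRUE_VALUES]
    record["USERFLAGS"] = " ".join(flags)  # e.g. "BYPASS SPECIAL", as in the field table
    return record

def build_record(values: dict) -> str:
    """Lay out a constructed sample record at the documented offsets (test data only)."""
    buf = [" "] * RECORD_LENGTH
    for name, a, b in FIELDS + ATTRIBUTES:
        width = b - a + 1
        buf[a - 1:b] = list(values.get(name, "")[:width].ljust(width))
    return "".join(buf)

# Constructed sample, not a real RACF record
SAMPLE = build_record({
    "EVENT_TYPE": "ACCESS", "EVENT_QUALIFIER": "INSAUTH", "TIME": "23:59:01",
    "DATE": "2024-01-31", "SYSTEM": "SYS1", "USER_ID": "JSMITH", "GROUP_ID": "SYSPROG",
    "TERMINAL": "TERM0001", "JOB_NAME": "BATCHJOB", "USER_NAME": "JOHN SMITH",
    "VIOLATION": "TRUE", "BYPASS": "TRUE", "SPECIAL": "TRUE", "PRIV": "NO",
})

if __name__ == "__main__":
    for key, value in parse_racf_line(SAMPLE).items():
        print(f"{key:16} {value}")
```

The length check matters because a record that was wrapped or truncated in transfer would otherwise yield blank or shifted fields without any error.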
Fields
| Field | Description |
|---|---|
| DATE | Event date, in the format YYYY-MM-DD |
| TIME | Event time, in the format HH:MM:SS |
| SYSTEM | The source system |
| TABLE | RACFLog |
| EVENTID | Event Type |
| JOBNAME | Job name |
| SOURCE | |
| RESOURCE | e.g. TCT.COMET.TCTCICSI.CSMTDD.G0001V00 |
| ACTION | e.g. UPDATE |
| USERID | |
| USERNAME | |
| USERFLAGS | e.g. BYPASS SPECIAL |
| GROUPID | |
| RETURN | |
| RESULT | e.g. INSAUTH |
| DATA | |
Notes
-