Restriction: This topic applies only when the Enterprise Server feature is enabled.
These are the audit events emitted by the External Security Facility (ESF),
Micro Focus Directory Server (MFDS), JCL, and Data File Tools. Events from ESF use the "mf.safmgr" component ID; those from MFDS use "mf.mfds", JCL uses "mf.jcl", and Data File Tools use "mf.cas".
ESF Events: Category and Type Codes, and Parameters
In the following list, the first number is the event category and the second number is the event type. Events are grouped by category, so "1:x" or "1 x" is the collection of events in category 1, the category for events generated by the audit facility itself.
Note: Different auditing emitters may separate the two numbers using a space or a colon character.
The following is a list of event categories and types with their parameters for either a specific event or in the description of a group of events:
Category 0: Unknown
-
- No events defined
Category 1: Audit facility-specific
- 1 0
- Audit manager starting.
- Shared memory area name.
- Server type (1 = multiprocess CTF server).
- 1 1
- Audit manager stopping.
- 1 2
- Deactivate file.
The following are MFDS only:
- 1 200
- Page request
- Receive count
- User ID
- Request description (format varies)
- 1 201
- Logon request
- Receive count
- User ID
- Return code (prefixed with "Logon attempt, rc=")
Category 2: System
- 2 0
- Component (ESF or MFDS) Initializing
- MFDS parameter:
- String "MFDS auditing starting..."
- No ESF parameters
- 2 1
- Component Started.
- 2 2
- Component Terminating.
- MFDS parameter:
- String "MFDS Request processor terminating."
- No ESF parameters
The following are ESF only:
Unless otherwise indicated their parameters are:
- Exit point.
- 1 = Exit has stopped processing of the request.
- Request RC value after exit returned.
- Request return value after exit returned.
- Request reason value after exit returned.
- 2 3
- User exit called.
- 2 4
- User exit halted processing of the request.
- 2 5
- User exit returned an error.
The following are MFDS only:
Unless otherwise indicated, their parameters are:
- Receive count
- Object class
- Object name
- 2 3
- Auditing turned on
- Receive count
- Object class
- String "MFDS auditing starting..."
- 2 4
- Auditing turned off
- Receive count
- Object class
- String "MFDS auditing stopped..."
- 2 100
- Found Server
- 2 101
- Found Comms Server
- 2 102
- Found Listener
- 2 103
- Found Handler
- 2 104
- Found Package
- 2 105
- Found Service
- 2 106
- Found XRM
- 2 107
- Found JES Initiator
- 2 108
- Found JES Printer
- 2 109
- Found IMS MPR
- 2 110
- Found MQL
- 2 120
- Found ESM
- 2 121
- Found User
- 2 122
- Found Group
- 2 123
- Found Resource Class
- 2 124
- Found Resource Entity
The following are JCL only:
Unless otherwise indicated its parameters are:
- User ID
- Group ID
- ESMAC or JCL Job number
- Catalogue entry
- Function
- 2 1
- JCL Audit Event
See
MF_JCL_AUDIT for more information.
Category 3: Security API request
Only emitted by ESF.
- 3 0
- VERIFY
- 3 1
- AUTH
- User
- Resource class
- Resource entity
- Requested access
- 3 2
- XAUTH
- User
- Resource class
- Resource entity
- Requested access
Category 4: Administration request
Only emitted by ESF.
These all use the same parameterization. They include three fixed parameters followed by a variable number of parameters, with one for each key-value pair included in the request. For password keys, the key is included but the value is omitted. Requests that are too long for a single audit event are split into a series of "continuation" events (category 5, type 3). The fixed parameters are:
- Audit command name
- Audit command code
- User
- 4 0
- List
- 4 1
- Add
- 4 2
- Delete
- 4 3
- Alter
- 4 4
- Set password
- 4 5
- Set options
Category 5: Other request
The following are ESF only:
- 5 0
- Update notify. Currently not used.
- 5 1
- Audit success (a SAFROUTE AUDIT request with type=1)
- User
- Entity string supplied by caller
- Log string supplied by caller
- 5 2
- Audit failure (a SAFROUTE AUDIT request with type=2)
- User
- Entity string supplied by caller
- Log string supplied by caller
- 5 3
- Parameter information (continuation of large audit event)
- Parameter ID
- Chunk number
- Data chunk
The following are Data File Tools only:
Unless otherwise indicated, its parameters are:
- Username
- Group
- Call
- DS Name
- Operation
- 5 4
- Data File Editor audit event
Category 6: Allow
Only emitted by ESF.
- 6 0
- Verify success
- User ID
- Signon group
- 1 = resolved using the ESF cache
- 6 1
- Verify allowed for unknown user
Category 7: Deny
Only emitted by ESF.
Unless otherwise indicated, the Verify deny events use these parameters:
and the Auth/XAuth-deny events use:
- User ID
- Resource class
- Resource entity
- 7 0
- Verify deny: Invalid password
- 7 1
- Verify deny: Expired password
- 7 2
- Verify deny: Password change rejected
- 7 3
- Verify deny: User unknown
- 7 4
- Verify deny: User not in requested signon group
- 7 5
- Verify deny: Other failure
- 7 6
- Auth deny
- 7 7
- XAuth deny
Category 8: ESM error
Only emitted by ESF.
Unless otherwise indicated their parameters are:
- ESM number
- ESM name
- ESM return code
- Error description
- 8 0
- Verify error
- 8 1
- Auth error
- 8 2
- XAuth error
- 8 3
- Admin error
- Admin command name
- Command code
- User
- 8 4
- Update error
- User
- ESM number
- Update action code
- Resource entity
- 8 5
- Map error
Category 9: Security request success
Only emitted by ESF.
- 9 0
- Admin success
- Admin command name
- Command code
- User
- 9 1
- Update success
- User
- ESM number
- Update action code
- Resource entity