The Subsystem parameter that is present in many of the ESF audit events can be mapped using the following table:
| Subsystem number | Description |
|---|---|
| 0 | None (for example, command line program) |
| 1 | CICS |
| 2 | IMS |
| 3 | JCL |
| 4 | ESMAC |
| 5 | Web service |
| 6 | BINP |
| 7 | CGI |
| 8 | MF Directory Server |
| 9 | MF Communications Server |
| 10 | ES Common Web Admin |
| 11 | Data File Tools |
When using syslog auditing, the Structured Data section of the emitted syslog message contains a SYSTEM key, which contains the value representing the high-level component that emitted the syslog message. For example, SYSTEM="ESDEMO" indicates that the message originated from the ESDEMO region, or SYSTEM="-MFDS-" which indicates the message originated from MFDS. Every event that originates from a specific region will have the same SYSTEM value, and an appropriate Subsystem number in the events.