Management Information › SMF Analysis

SMF Analysis

The System Management Facility (SMF) collects information about z/OS system events. SMF produces an audit trail of z/OS system events by recording events in SMF data sets or log streams. SMF writes records for events such as:

• The logon and logoff of TSO users
• The reconfiguration of devices
• Initiation and termination of jobs
• The signon and signoff of NJE users
• System status information, such as:
  • Data set status (opened, closed, renamed, or scratched)
  • VSAM catalog information
  • Job output statistics (cards punched and lines printed)

The benefits of using CA Auditor to review SMF options, files, and exits are as follows:

• Online retrieval and interpretation of SMF records—CA Auditor performs online searches of active or inactive SMF files or dumped copies of SMF files or log streams. It can select particular records or ranges of records based on search criteria (such as date, time, and job name). CA Auditor interprets and presents the SMF record information in easy‑to‑understand language. For example, a message can read JOB ABC OPENED FILE XYZ FOR INPUT or USER XYZ LOGGED ON TO TSO AT 10:00 AM.
• An examination of the current SMF options—The SMF facility records events as they occur in the system, providing a journal of this activity. Each type of event is assigned a unique record number. The journaling of each type of event is optional.

  CA Auditor tells you which events are or are not recorded. The recording of the proper events is critical because the information in SMF records can help locate inefficiencies, better manage DASD space, increase system performance, and identify system-wide problem areas.

• Information about the SMF files or log streams on the system—SMF files contain all SMF records collected on the system. This includes a journal of all events occurring in the system and SMF records access control software (such as CA ACF2, CA Top Secret, and RACF) logs. The loss of SMF records when the files are not dumped at appropriate times, or when computer operators or SMF exits alter or delete these records, can jeopardize the integrity of this audit trail.
• CA Auditor provides the names and locations of all SMF files on the system, identifies which SMF file is currently active, and notes any SMF files that need dumping. This information helps you ensure that SMF files are correctly maintained and are adequately protected from unauthorized use or modification.
• If log stream recording is active, CA Auditor reports on information such as the buffer size for each log stream, whether it is the default log stream, if it is active, if it is being cleaned up, or if it is connected at the time.
• A summary of the SMF exits in use on the system—SMF exits are user‑tailorable, IBM‑supplied routines that take control from a job at the beginning of a job or before the processing of a job step. IBM supplies these exits as dummy stub modules. Systems programmers can tailor these exits to suit a data center’s needs. All SMF exits are APF‑authorized.
• SMF exits can modify all JCL, including changing file names, program names, job accounting information, and altering job priorities. SMF exits can cancel programs, jobs, and SMF records before they are journalled.
• The CA Auditor SMF Analysis function identifies the SMF exits in effect on the system, flags which exits you should review, and provides a brief description and the purpose of each exit. It also identifies the location of each exit in storage. Because of the power afforded to SMF exits, ensure their protection and carefully monitor their use.

You can specify SMF exits in the logical parmlib members PROGxx and SMFPRMxx. Console operators or APF‑authorized programs can add exits or change their attributes dynamically. SMF exits defined in the logical parmlib member PROGxx can have more than one exit program associated with a single exit point. Each exit can be associated with a certain job name or mask. Each exit can also have thresholds for the number of total or consecutive abends required to disable it. CA Auditor shows all exit programs active at each exit point.