SMF 119 record subtypes

TCP/IP collects SMF information about certain Telnet, FTP, TCP/IP stack, IKE daemon, CSSMTP, or VTAM® 3270 Intrusion Detection activity. These records can be generated by the TCP/IP stack, the FTP and Telnet clients and server, the IKE daemon, the CSSMTP client, or VTAM. You can control the collection of some of these records by using the SMFCONFIG statements in PROFILE.TCPIP, or by using statements in the various application's configuration files. For more information about those statements, see z/OS Communications Server: IP Configuration Reference.

All the records described in this topic are written using record type 119 (X'77'), and standard subtype values, at offset 22 (X'16') in SMF record header, are used to uniquely identify the type of record being collected. Table 1 correlates the subtype information to the type of record being produced.

Table 1. SMF 119 record subtype information and record type
Record subtype Description TCP/IP component event Reason
1(X'1') TCP connection initiation record (subtype 1) TCP Event
2(X'2') TCP connection termination record (subtype 2) TCP Event
3(X'3') FTP client transfer completion record (subtype 3) FTPC Event
4(X'4') TCP/IP profile event record (subtype 4) STACK Event
5(X'5') TCP/IP statistics record (subtype 5) STACK Interval
6(X'6') Interface statistics record (subtype 6) IP Interval
7(X'7') Server port statistics record (subtype 7) STACK Interval
8(X'8') TCP/IP stack start/stop record (subtype 8) TCP Event
9 Reserved    
10(X'A') UDP socket close record (subtype 10) UDP Event
11(X'B') zERT connection detail record (subtype 11) STACK Event
12(X'C') zERT Summary record (subtype 12) STACK Interval, Event
13-19 Reserved    
20(X'14') TN3270E Telnet server SNA session initiation record (subtype 20) TN3270S Event
21(X'15') TN3270E Telnet server SNA session termination record (subtype 21) TN3270S Event
22(X'16') TSO Telnet client connection initiation record (subtype 22) TN3270C Event
23(X'17') TSO Telnet client connection termination record (subtype 23) TN3270C Event
24(X'18') TN3270E Telnet server profile event record (subtype 24) TN3270S Event
25–31 Reserved    
32(X'20') DVIPA status change record (subtype 32) STACK Event
33(X'21') DVIPA removed record (subtype 33) STACK Event
34(X'22') DVIPA target added record (subtype 34) STACK Event
35(X'23') DVIPA target removed record (subtype 35) STACK Event
36(X'24') DVIPA target server started record (subtype 36) STACK Event
37(X'25') DVIPA target server ended record (subtype 37) STACK Event
38(X'26') SMC-D link statistics record (subtype 38) SMCD Interval
39(X'27') SMC-D link state start record (subtype 39) SMCD Event
40(X'28') SMC-D link state end record (subtype 40) SMCD Event
41(X'29') SMC-R link group statistics record (subtype 41) SMCR Interval
42(X'2A') SMC-R link state start record (subtype 42) SMCR Event
43(X'2B') SMC-R link state end record (subtype 43) SMCR Event
44(X'2C') RDMA network interface card (RNIC) interface statistics record (subtype 44) SMCR Interval
45(X'2D') Internal shared memory (ISM) interface statistics record (subtype 45) SMCD Interval
46–47 Reserved    
48(X'30') CSSMTP configuration record (CONFIG subtype 48) CSSMTP Event
49(X'31') CSSMTP connection record (CONNECT subtype 49) CSSMTP Event
50(X'32') CSSMTP mail record (MAIL subtype 50) CSSMTP Event
51(X'33') CSSMTP spool file record (SPOOL subtype 51) CSSMTP Event
52(X'34') CSSMTP statistical record (STATS subtype 52) CSSMTP Interval
53–69 Reserved    
70(X'46') FTP server transfer completion record (subtype 70) FTPS Event
71(X'47') FTP daemon configuration record (subtype 71) FTPD Event
72(X'48') FTP server logon failure record (subtype 72) FTPS Event
73(X'49') IPSec IKE tunnel activation and refresh record (subtype 73) IKE Event
74(X'4A') IPSec IKE tunnel deactivation and expire record (subtype 74) IKE Event
75(X'4B') IPSec dynamic tunnel activation and refresh record (subtype 75) IKE Event
76(X'4C') IPSec dynamic tunnel deactivation record (subtype 76) IKE Event
77(X'4D') IPSec dynamic tunnel added record (subtype 77) STACK Event
78(X'4E') IPSec dynamic tunnel removed record (subtype 78) STACK Event
79(X'4F') IPSec manual tunnel activation record (subtype 79) STACK Event
80(X'50') IPSec manual tunnel deactivation record (subtype 80) STACK Event
81(X'51') VTAM 3270 Intrusion Detection Services event record (subtype 81) IDS3270 Event
82–93 Reserved    
94(X'5E')–98(X'62') OpenSSH    
99(X'63') Reserved    
100(X'64') FTP server transfer initialization record (subtype 100) FTPD Event
101(X'65') FTP client transfer initialization record (subtype 101) FTPD Event
102(X'66') FTP client login failure record (subtype 102) FTPD Event
103(X'67') FTP client session record (subtype 103) FTPD Event
104(X'68') FTP server session record (subtype 104) FTPD Event
105-255 Reserved    
Notes:
  1. The TCP/IP component indicated is the one reported in the TCP/IP identification section for each record (see the following sections).
  2. The Reason indicated determines whether each record is an event record (it is flagged with a reason code of X'08'; in the TCP/IP identification section) or an interval record (it is flagged with one of the six interval reason codes in the TCP/IP identification section).
  3. The OpenSSH element of z/OS® also creates SMF 119 records with subtypes of 94 through 98. For a description of these records, see z/OS OpenSSH User's Guide.
  4. VTAM also creates SMF 119 records with a subtype of 81.