These are the audit events emitted by the External Security Facility (ESF),
Micro Focus Directory Server (MFDS), JCL, and Data File Tools. Events from ESF use the "mf.safmgr" component ID; those from MFDS use "mf.mfds", JCL uses
"mf.jcl", and Data File Tools use "mf.cas".
ESF Events: Category and Type Codes, and Parameters
In the following list, the first number is the event category and the second number is the event type. Events are grouped
by category, so "1:x" or "1 x" is the collection of events in category 1, the category for events generated by the audit facility
itself.
Note: Different auditing emitters may separate the two numbers using a space or a colon character.
The following is a list of event categories and types with their parameters for either a specific event or in the description
of a group of events:
Category 0: Unknown
-
- No events defined
Category 1: Audit facility-specific
- 1 0
- Audit manager starting.
- Shared memory area name.
- Server type (1 = multiprocess CTF server).
- 1 1
- Audit manager stopping.
- 1 2
- Deactivate file.
Category 2: System
The following are ESF only:
Unless otherwise indicated their parameters are:
- Exit point.
- 1 = Exit has stopped processing of the request.
- Request RC value after exit returned.
- Request return value after exit returned.
- Request reason value after exit returned.
- 2 0
- Component Initializing
- 2 1
- Component Started.
- 2 2
- Component Terminating.
- 2 3
- User exit called.
- 2 4
- User exit halted processing of the request.
- 2 5
- User exit returned an error.
- 2 6
- Request Throttle
- Request Type
- Number of events per second
- Time the process sleeps for (seconds)
The following are MFDS only:
Unless otherwise indicated, their parameters are:
- Receive count
- Object class
- Object name
- 2 10
- String parameter "MFDS process starting..."
- 2 11
- String parameter "MFDS Request processor started."
- 2 12
- String parameter "MFDS Request processor terminating."
- 2 13
- Auditing turned on
- Receive count
- Account ID
- String "MFDS auditing starting..."
- 2 14
- Auditing turned off
- Receive count
- Account ID
- String "MFDS auditing stopped..."
The following are
ESCWA only:
- 2 15
- ESCWA Starting
- 2 16
- ESCWA Terminating
- User - (Optional) The name of the user that actioned the shutdown, if any.
- 2 17
- ESCWA Auditing Starting
- User - (Optional) The name of the user that started auditing, if any.
- 2 18
- ESCWA Auditing Stopping
- User - (Optional) The name of the user that stopped auditing, if any.
- 2 19
- ESCWA ESF Auditing Starting
[13]
- OriginalUser - (Optional) The name of the supplied user which has permissions for the current ESF configuration. This ESF
configuration does not have auditing enabled because there are no Security Managers in the stack or
Create audit events is disabled.
- NewUser - (Optional) The name of the supplied user which has permissions for the new ESF configuration. This ESF configuration
has auditing enabled.
- 2 20
- ESCWA ESF Auditing Stopping
[13]
- OriginalUser - (Optional) The name of the supplied user which has permissions for the current ESF configuration. This ESF
configuration has auditing enabled.
- NewUser - (Optional) The name of the supplied user which has permissions for the new ESF configuration. This ESF configuration
does not have auditing enabled because there are no Security Managers in the stack or
Create audit events is disabled.
- 2 21
- A user logs off or a session is first checked after having expired:
- Session Removed - set to the session token string.
The following are MFDS only:
- 2 100
- Found Server
- 2 101
- Found Comms Server
- 2 102
- Found Listener
- 2 103
- Found Handler
- 2 104
- Found Package
- 2 105
- Found Service
- 2 106
- Found XRM
- 2 107
- Found JES Initiator
- 2 108
- Found JES Printer
- 2 109
- Found IMS MPR
- 2 110
- Found MQL
- 2 120
- Found ESM
- 2 121
- Found User
- 2 122
- Found Group
- 2 123
- Found Resource Class
- 2 124
- Found Resource Entity
- 2 200
- Page request
- Receive count
- User ID
- Request description (format varies)
- 2 201
- Logon request
- Receive count
- User ID
- Return code (prefixed with "Logon attempt, rc=")
- 2 300
-
- Receive count (Optional)
- Account ID
- String parameter "Auditing set to ON for default ES security..."
This event is emitted when the default ES security auditing option configuration is selected to be on. This event is only
emitted if MFDS process audit is enabled.
[13]
Note: The "Account ID" value can only be known if
Restrict administration access has been checked.
- 2 301
-
- Receive count (Optional)
- Account ID
- String parameter "Auditing set to OFF for default ES security..."
This event is emitted when the default ES security auditing option configuration is selected to be off. This event is only
emitted if MFDS process audit is enabled.
[13]
Note: The "Account ID" value can only be known if
Restrict administration access has been checked.
- 2 302
-
- Receive count (Optional)
- Account ID
- String parameter "Auditing set to ON for region [name] ES security....", where [name] is the name of the
enterprise server region.
This event is emitted when the region-specific auditing option configuration is selected to be on, either explicitly (non-default
ES security is selected and the
Create audit events option is enabled) or when changing to use default ES security which has the audit option on and previously the region-specific
audit option was off. This event is only emitted if MFDS process audit is enabled.
[13]
Note: The "Account ID" value can only be known if
Restrict administration access has been checked.
- 2 303
-
- Receive count (Optional)
- Account ID
- String parameter "Auditing set to OFF for region [name] ES security....", where [name] is the name of the
enterprise server region.
This event is emitted when the region-specific auditing option configuration is selected to be off, either explicitly (non-default
ES security is selected and the
Create audit events option is disabled) or when changing to use default ES security which has the audit option off and previously the region-specific
audit option was on. This event is only emitted if MFDS process audit is enabled.
[13]
Note: The "Account ID" value can only be known if
Restrict administration access has been checked.
Category 3: Security API request
Only emitted by ESF. These are not emitted by default. See
Security Configuration Custom Configuration Information for more information on the "category 3 audit" configuration option.
- 3 0
- VERIFY
- Username
- Subsystem
- Signon group
- 3 1
- AUTH
- User
- Subsystem
- Resource class
- Resource entity
- Requested access
- 3 2
- XAUTH
- User
- Subsystem
- Resource class
- Resource entity
- Requested access
Category 4: Administration request
Only emitted by ESF.
These all use the same parameterization. They include three fixed parameters followed by a variable number of parameters,
with one for each key-value pair included in the request. For password keys, the key is included but the value is omitted.
Requests that are too long for a single audit event are split into a series of "continuation" events (category 5, type 3).
The fixed parameters are:
- Audit command name
- Audit command code
- User
- 4 0
- List
- 4 1
- Add
- 4 2
- Delete
- 4 3
- Alter
- 4 4
- Set password
- 4 5
- Set options
Category 5: Other request
The following are ESF only:
- 5 0
- Update notify. Currently not used.
- 5 1
- Audit success (a SAFROUTE AUDIT request with type=1)
- User
- Entity string supplied by caller
- Log string supplied by caller
- 5 2
- Audit failure (a SAFROUTE AUDIT request with type=2)
- User
- Entity string supplied by caller
- Log string supplied by caller
- 5 3
- Parameter information (continuation of large audit event)
- Parameter ID
- Chunk number
- Data chunk
- 5 6
- Verifying with long mapped name
The following are Data File Tools only:
Unless otherwise indicated, its parameters are:
- Username
- Group
- Call
- DS Name
- Operation
- 5 4
- Data File Editor audit event
The following are JCL only:
- 5 5
- JCL Audit Event
See
MF_JCL_AUDIT for more information.
The following are
ESCWA only:
- 5 10
-
ESCWA API modify request response
- User - Session username
- Path - Request URI
- Method - Request method (for example, POST, PUT, DELETE)
- Request body - The body of the incoming request
[22]
- Response - HTTP response status code
- Session Token - Set to session token string for all requests
- Client Ip - set to a string, for logon requests
- Stop Script - set to true or false, indicating whether stop script is enabled when stopping an
enterprise server region.
- Start Script - set to true or false, indicating whether start script is enabled when starting an
enterprise server region.
Note: The request body is optional and is only received if the
Audit Request Bodies option is checked in the
ESCWA Tracing and Logging Settings.
[22]
Category 6: Allow
Only emitted by ESF.
Note: Specifying the
category 3 audit=yes configuration option disables audit events 2 and 3. If you specify the
password change success=yes configuration option, then audit event 2 will be generated. See
Security Configuration Custom Configuration Information for more information.
- 6 0
- Verify success
- Username
- Subsystem
- Signon group
- 1 = resolved using the ESF cache
- 6 1
- Verify allowed for unknown user
- 6 2
- Verify password change success
- Username
- Subsystem
- Signon group
- 6 3
- Auth success
- Username
- Subsystem
- Resource class
- Resource entity
- Request access
- 6 4
- Auth query
- Username
- Subsystem
- Resource class
- Resource entity
- Granted access level
- 6 5
- XAuth success
- Username
- Subsystem
- Resource class
- Resource entity
- Requested access
- 6 6
- XAuth query
- Username
- Subsystem
- Resource class
- Resource entity
- Granted access level
Category 7: Deny
Only emitted by ESF.
Unless otherwise indicated, the Verify deny events use these parameters:
- User ID
- Subsystem
- Signon group
and the Auth/XAuth-deny events use:
- User ID
- Subsystem
- Resource class
- Resource entity
- Requested access
- 7 0
- Verify deny: Invalid password
- 7 1
- Verify deny: Expired password
- 7 2
- Verify deny: Password change rejected
- 7 3
- Verify deny: User unknown
- 7 4
- Verify deny: User not in requested signon group
- 7 5
- Verify deny: Other failure
- 7 6
- Auth deny
- 7 7
- XAuth deny
Category 8: ESM error
Only emitted by ESF.
Unless otherwise indicated their parameters are:
- Username
- Subsystem
- ESM number
- ESM name
- ESM return code
- Error description
- 8 0
- Verify error
- 8 1
- Auth error
- Username
- Subsystem
- Resource class
- Resource entity
- Requested access
- ESM number
- ESM name
- ESM return code
- Error description
- 8 2
- XAuth error
- Username
- Subsystem
- Resource class
- Resource entity
- Requested access
- ESM number
- ESM name
- ESM return code
- Error description
- 8 3
- Admin error
- Admin command name
- Command code
- User
- 8 4
- Update error
- User
- ESM number
- Update action code
- Resource entity
- 8 5
- Map error
Category 9: Security request success
Only emitted by ESF.
- 9 0
- Admin success
- Admin command name
- Command code
- User
- 9 1
- Update success
- User
- ESM number
- Update action code
- Resource entity
Category 100: ESM requests
- 100 1
- Effective rule auditing
- Security manager index
- Security manager name
- Username
- Subsystem
- Type of request
- Name of resource
- Access decision
- Name of the rule
See
MLDAP ESM Module Custom Configuration Information for more information on audit rule.
Category 200: mfsecrets requests
- 200 1
- Open enter
- Process username
- Vault handle
- Description
- Config section
- Provider name
- 200 2
- Open provider exit
- Process username
- Vault handle
- Description
- Config section
- Provider name
- Provider return code
- 200 3
- Close enter
- Process username
- Vault handle
- 200 4
- Close provider exit
- Process username
- Vault handle
- Provider return code
- 200 5
- Read enter
- Process username
- Vault handle
- Secret path
- 200 6
- Read provider exit
- Process username
- Vault handle
- Secret path
- Provider return code
- 200 7
- Write enter
- Process username
- Vault handle
- Secret path
- 200 8
- Write provider exit
- Process username
- Vault handle
- Secret path
- Provider return code
- 200 9
- Delete enter
- Process username
- Vault handle
- Secret path
- 200 10
- Delete provider exit
- Process username
- Vault handle
- Secret path
- Provider return code
- 200 11
- List enter
- Process username
- Vault handle
- Secret path
- 200 12
- List provider exit
- Process username
- Vault handle
- Secret path
- Provider return code