SMF logging activated and require SMF codes for the following.  

1.      Login attempt, success

2.      Login attempt, fail (and “why” is really helpful to know…bad password, account already locked out, MFA issue, etc.)

3.      Account Lockout occurred

4.      Logout (there really is no attempt/fail for this)

5.      Password change on logon screen

6.      Password change from command issued by user

7.      Password change from command issued by admin/system

Release : 16.0

Component : CA Top Secret for z/OS

SMF logging

There are no SMF flags that would indicate if it is a self admin password change or an admin id did the tss repl() pass() command.

Issue TSS MODI(LOG(CMDS)), any TSS command will be logged to the SMF file.

The SMF record contains the ACCESSOR that issued the command along with the TSS command.