Trying to understand how to trap TSO Logon - Logoff events? Tried with System access events related to ESM signon and signoff but CEM triggers multiple signon events for a single Logon or Logoff action. Is this normal? How can we trap just one?

Release : 6.0

Component : CA COMPLIANCE EVENT MANAGER

For Event-based monitor policy statements with Signon, Successful Signon, and Signoff checked, CEM will get all the events that are associated to those events.

Some actions are not one-to-one.

For example, Signon may generate multiple racroute verify calls. In that case, CEM will return all events associated.