What is needed in Top Secret to capture sign on and sign off events for all ACIDs?

Include INIT in the global LOG control option setting and also in any facility LOG options set. You can make the changes in the  Top Secret parameter file and these will take effect the next time Top Secret is recycled.

These can also be set with a TSS MODIFY command, but you must include any other LOG settings with INIT. For example, if your global LOG option is LOG(SEC9,MSG) and you want to include INIT, use:

TSS MODIFY LOG(SEC9,MSG,INIT).

Be sure to set LOG(SEC9,MSG,INIT) in the Top Secret parameter file to make this change permanent.

Do the same for any facilities in the Top Secret parameter file that have a LOG option set for the specific facility. For example, if the Top Secret parameter file has:

FAC(CICSPROD=LOG=(SEC9,MSG))
and you want to include INIT, use:
TSS MODIFY FAC(CICSPROD=LOG=(SEC9,MSG,INIT))
and change the Top Secret parameter file statement to:
FAC(CICSPROD=LOG=(SEC9,MSG,INIT))

to make the change permanent.

LOG(INIT) logs all job/session initiations and terminations to the audit file. You can run TSSUTIL with:
REPORT EVENT(JOBS) LONG
or
REPORT EVENT(INIT,TERM) LONG

and this will select the job/session initiations (sign ons) and terminations (sign offs). The events will include the date, time, and facility. With the LONG option specified on the REPORT statement, the facility name will be spelled out.

NOTE: Setting LOG(INIT) will cause more records to be written to the audit file, so the audit file will fill up faster and either wrap (if using just 1 audit file) or switch (if using 2 audit files) more frequently. There will also be more I/O to the audit file to write these records.