How are password threshold exceeded and password suspension events recorded in Compliance Manager?
There is no administrative command being issued in Compliance Manager. What you see is a command representation of what happened being recorded to the recovery file in case you would have to perform forward recovery. Since a real command was not issued it cannot be captured in the account administration tables. The suspension is the result of a system access signon event, and in this case a signon violation event since the signon was unsuccessful. If you are recording these type of events, you should see a DRC (CODE1 field) of '1' for ACID suspended and a DRC of '27' (x'1B') for Password Violation Threshold Exceeded. If you are capturing these events then you can set an Alert for the DRC codes.