SECTRACE translation - event is not logged by TSS but is logged by CEM

Document ID : KB000126419
Last Modified Date : 08/02/2019
Introduction:
Reading the CA Top Secret SECTRACE.
Question:
The following trace event represents a violation that is showing up on a TSSUTIL EVENT(VIOL) report, but it shows up on the Compliance Event Manager. I assume that this is due to the LOG= setting, could you help me interpret the TRACE event: 

X TSS-C-0888*USERA USERA T SDSF 202E G/0400000000,0000000000 L/F08802 F/00200320,000100,0021,000000
X TSS-1 400000000000 00000000 T/8000000003 ISFAUTH.DEST..DATASET.JESYSMSG 
X TSS-2 060000 R/1288C0 S/600100,0A8020800000 N509FJD2 A/990080 P/ISPTASK ,B122,ISFMAIN ,PDF F/80208680
X TSS-4 02000000 008FC680 7E752050 REQ/ISFOPDST SUB/ 

I could not find the 'rr' of 2E or the 'l1' of 'F0' in the documentation. Can you help identify these?
Answer:
x'2E' is the FACILITY ID. Issue a TSS MODIFY FACILITY(ALL) command, which lists all active facilities, and look for the FACILITY with 'ID=2E'.

x'F0' is a byte of switches (bit settings).

The following bits are on: 

◦ x'10' audited event
◦ x'20' real return code passed
◦ x'40' forced log-out
◦ x'80' violation

x'10' + x'20' + x'40' + x'80' = x'F0'
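
The decoding above can be scripted when many trace headers have to be checked. This is an added example, not CA code: it assumes 'l1' is the first byte after L/ on the TSS-C header line, and it knows only the four bits listed in this answer, reporting any other bit as undocumented.

```python
import re

# Bit meanings for the l1 byte, exactly as listed in the answer above.
L1_FLAGS = {
    0x80: "violation",
    0x40: "forced log-out",
    0x20: "real return code passed",
    0x10: "audited event",
}

# Assumption: l1 is the first two hex digits that follow "L/" in the header.
L_FIELD = re.compile(r"\bL/([0-9A-Fa-f]{2})")


def decode_l1(trace_line):
    """Return (l1 value, names of the bits that are on, undocumented bits)."""
    match = L_FIELD.search(trace_line)
    if match is None:
        raise ValueError("no L/ field found in trace line")
    l1 = int(match.group(1), 16)
    names = [name for bit, name in L1_FLAGS.items() if l1 & bit]
    # Bits outside the four documented here are returned, not interpreted.
    undocumented = l1 & ~sum(L1_FLAGS) & 0xFF
    return l1, names, undocumented


# Header line from the question above.
SAMPLE = ("X TSS-C-0888*USERA USERA T SDSF 202E G/0400000000,0000000000 "
          "L/F08802 F/00200320,000100,0021,000000")

# Constructed header (not from a real trace) with a low-order bit set as well.
CONSTRUCTED = "X TSS-C-0001*USERB USERB T SDSF 202E G/0,0 L/910000 F/0"

if __name__ == "__main__":
    for line in (SAMPLE, CONSTRUCTED):
        l1, names, extra = decode_l1(line)
        print(f"l1=x'{l1:02X}' on: {', '.join(names) or 'none'}"
              + (f" (undocumented bits x'{extra:02X}')" if extra else ""))
```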