LOG(INIT,SMF,SEC9,MSG) is what the DoD z/OS STIG recommends; that does record all security violations.
Hope this helps.
The DoD z/OS STIG for CA-TSS can be downloaded at the following link: https://iasecontent.disa.mil/stigs/zip/U_zOS_TSS_V6R36_STIG.zip
Once you download it, unzip it. Look for the folder U_zOS_TSS_V6R36_Manual_STIG, go into the folder and double-click on the file U_zOS_TSS_V6R36_STIG_Manual-xccdf; that should open the STIG for CA-TSS in your browser. Lots of good security standards are found within, as well as in all the other documents provided within the z/OS STIG for TSS.
The specific Control for LOG setting is:
Rule Version (STIG-ID): TSS0440
Rule Title: The LOG Control Option is not set to (SMF,INIT, SEC9, MSG).
Semper Fi
Steve
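
The lookup described in the post can also be done outside the browser. The following is an added example, not part of the original post and not DISA tooling: it finds a rule by STIG-ID in an XCCDF file and checks a LOG setting against the options named in the rule title. It assumes the XCCDF 1.1 namespace and that the order of the LOG options is not significant; the embedded XML is a constructed sample with placeholder ids, and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: the benchmark uses the XCCDF 1.1 namespace.
XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.1"}

# Constructed sample in the shape of an XCCDF benchmark; ids are placeholders.
SAMPLE_XCCDF = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="constructed_sample">
  <Group id="V-PLACEHOLDER-1">
    <Rule id="SV-PLACEHOLDER-1_rule">
      <version>TSS0000</version>
      <title>Constructed filler rule.</title>
    </Rule>
  </Group>
  <Group id="V-PLACEHOLDER-2">
    <Rule id="SV-PLACEHOLDER-2_rule">
      <version>TSS0440</version>
      <title>The LOG Control Option is not set to (SMF,INIT, SEC9, MSG).</title>
    </Rule>
  </Group>
</Benchmark>"""


def find_rule(xccdf_text, stig_id):
    """Return (group id, rule title) for the Rule whose <version> is stig_id."""
    root = ET.fromstring(xccdf_text)
    for group in root.iter("{%s}Group" % XCCDF_NS["x"]):
        for rule in group.findall("x:Rule", XCCDF_NS):
            if (rule.findtext("x:version", "", XCCDF_NS) or "").strip() == stig_id:
                return group.get("id"), rule.findtext("x:title", "", XCCDF_NS).strip()
    return None  # STIG-ID not present in this benchmark


def option_set(text):
    """Extract the first parenthesised, comma-separated list as an upper-case set."""
    m = re.search(r"\(([^()]*)\)", text)
    return {o.strip().upper() for o in m.group(1).split(",") if o.strip()} if m else set()


def log_matches_rule(setting, xccdf_text, stig_id="TSS0440"):
    """True when the setting lists exactly the options named in the rule title."""
    found = find_rule(xccdf_text, stig_id)
    return found is not None and option_set(setting) == option_set(found[1])


if __name__ == "__main__":
    print(find_rule(SAMPLE_XCCDF, "TSS0440"))
    print(log_matches_rule("LOG(INIT,SMF,SEC9,MSG)", SAMPLE_XCCDF))
```

To run it against the downloaded STIG, read the unzipped XCCDF file into a string and pass it in place of `SAMPLE_XCCDF`.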