Proprietary syslog format extensions

This topic provides information about the following extensions:

Common Event Format (CEF)

Both BMC AMI Defender and CZASEND support ArcSight Common Event Format (CEF). 

CEF is a log management standard. It provides a standardized, normalized syslog record format that is supported by ArcSight ESM (a SIEM correlation engine), by RSA (EMC) Security Analytics SIEM, and by Intel Security McAfee Enterprise Security Manager. BMC AMI Defender optionally conforms to the CEF standard. For more information about CEF, see the relevant Micro Focus documentation and the BMC AMI Defender for z/OS agent program Common Event Configuration Guide. An instance of a CEF-format BMC AMI Defender message is:

CEF-format message features

Message feature   Description
Yellow            The timestamp and hostname fields.
Blue              A standard header.
Green             An extension consisting of zero or more values identified by standardized CEF names followed by an equal sign.
Magenta           An optional message field (msg=) followed by additional non-CEF-standard tags and values.

In the FIELDS parameter, the standardized CEF name (if any) is indicated by the second line under Tag/CEF Name; non-CEF-standard fields have a blank second line under Tag/CEF Name.

In CEF mode, all times in CEF extension fields are reported as an integral number of milliseconds since January 1, 1970. In the preceding instance, rt=1372718485293 represents UTC 22:41:25.293 on July 1, 2013.

CEF compatibility is enabled by specifying OPTions SIEMtype(CEF). For more information, see SIEMtype. If you are using BMC AMI Defender or CZASEND with CEF, see Format of parameter and field definition files.

Log Event Extended Format (LEEF)

LEEF is a customized event format for IBM Security QRadar. The rpm file name is DSM-CorreLogzOSzDefender_qradar-version_build-number.noarch.rpm. For more information, see IBM documentation.

An instance of a LEEF-formatted message follows:

LEEF-format message features

Message feature   Description
Yellow            The timestamp and hostname fields.
Blue              A standard LEEF header.
Green             An extension consisting of zero or more event attribute values identified by keys followed by an equal sign and separated by tabs.
Magenta           An optional message field (msg=) followed by additional non-CEF-standard tags and values.

To enable LEEF compatibility, specify OPTions SIEMtype(LEEf). For more information, see SIEMtype. To use zDefender or CZASEND with IBM Security QRadar, see Customizing for a proprietary syslog extension.
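The CEF and LEEF layouts described in the two preceding sections, parsed by an added example that is not code from BMC AMI Defender, CZASEND, or any SIEM vendor: a syslog timestamp/hostname prefix, a pipe-delimited header (with backslash escapes for literal pipes), then key=value pairs separated by spaces (CEF, where values may contain spaces) or by tabs (LEEF), and the rt value converted from integral milliseconds since January 1, 1970 to a UTC timestamp. It goes slightly beyond the text by also accepting the LEEF 2.0 header, which carries a sixth field naming the attribute delimiter. The sample records, and the vendor, product, version and field names in them, are constructed for illustration and are not real agent output.

```python
import re
from datetime import datetime, timedelta, timezone

# The syslog prefix (timestamp and hostname) that precedes the CEF or LEEF payload.
SYSLOG_PREFIX = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<payload>.*)$",
    re.DOTALL,
)


def _split_header(payload, nfields):
    """Return (fields, remainder): the first nfields '|'-separated header fields,
    honouring backslash escapes (a '\\|' is a literal pipe, not a separator),
    plus whatever text follows the last separator (the extension)."""
    fields, cur, i = [], [], 0
    while i < len(payload) and len(fields) < nfields:
        ch = payload[i]
        if ch == "\\" and i + 1 < len(payload):
            cur.append(payload[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    if len(fields) < nfields:
        raise ValueError("truncated header: %r" % payload)
    return fields, payload[i:]


def _unescape(value):
    # Both formats escape '=' and '\' inside extension values with a backslash.
    return re.sub(r"\\(.)", r"\1", value)


def parse_cef_extension(ext):
    """CEF extension: space-separated key=value pairs whose values may themselves
    contain spaces, so a new pair begins only at whitespace followed by 'key='."""
    pairs = {}
    for token in re.split(r"\s+(?=[A-Za-z0-9_.]+=)", ext.strip()):
        key, sep, value = token.partition("=")
        if sep:
            pairs[key] = _unescape(value)
    return pairs


def parse_leef_extension(ext, delimiter="\t"):
    """LEEF extension: key=value pairs separated by the delimiter (tab by default)."""
    pairs = {}
    for token in ext.split(delimiter):
        key, sep, value = token.partition("=")
        if sep:
            pairs[key.strip()] = _unescape(value)
    return pairs


def parse_record(line):
    """Parse one syslog line carrying a CEF or LEEF payload into a dict."""
    m = SYSLOG_PREFIX.match(line)
    if not m:
        raise ValueError("missing syslog timestamp/hostname prefix")
    rec = {"timestamp": m.group("ts"), "host": m.group("host")}
    payload = m.group("payload")
    if payload.startswith("CEF:"):
        f, ext = _split_header(payload[4:], 7)
        rec.update(format="CEF", version=f[0], vendor=f[1], product=f[2],
                   device_version=f[3], event_id=f[4], name=f[5], severity=f[6],
                   ext=parse_cef_extension(ext))
    elif payload.startswith("LEEF:"):
        # LEEF 2.0 adds a sixth header field naming the attribute delimiter
        # (empty means tab; 'x09' / '0x09' style hex is also accepted).
        version = payload[5:].split("|", 1)[0]
        nfields = 6 if version.startswith("2") else 5
        f, ext = _split_header(payload[5:], nfields)
        delim = f[5] if nfields == 6 else ""
        if re.fullmatch(r"0?x[0-9A-Fa-f]{1,2}", delim):
            delim = chr(int(delim.split("x")[1], 16))
        rec.update(format="LEEF", version=f[0], vendor=f[1], product=f[2],
                   device_version=f[3], event_id=f[4],
                   ext=parse_leef_extension(ext, delim or "\t"))
    else:
        raise ValueError("payload is neither CEF nor LEEF")
    return rec


def epoch_ms_to_utc(ms):
    """CEF/LEEF 'rt' values are integral milliseconds since 1970-01-01 UTC."""
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(milliseconds=int(ms))


# Constructed sample records (illustrative vendor/product/version/field values).
CEF_SAMPLE = ("Jul  1 22:41:25 IBMSYSC CEF:0|BMC|AMI Defender|x.y|RACF-ACCESS|"
              "RESOURCE ACCESS: Insufficient Auth|7|rt=1372718485293 suser=JOEPROG "
              "act=READ fname=DV205B.R320.BLD msg=Violation on dataset DV205B.R320.BLD Vol=SYS001")
LEEF_SAMPLE = ("Jul  1 22:41:25 IBMSYSC LEEF:1.0|BMC|AMI Defender|x.y|RACF-ACCESS|"
               "rt=1372718485293\tusrName=JOEPROG\tresource=DV205B.R320.BLD\tmsg=Violation on dataset")

if __name__ == "__main__":
    for line in (CEF_SAMPLE, LEEF_SAMPLE):
        rec = parse_record(line)
        when = epoch_ms_to_utc(rec["ext"]["rt"]).isoformat(timespec="milliseconds")
        print(rec["format"], rec["event_id"], when, rec["ext"])
```

Running the block prints both records with rt=1372718485293 rendered as 2013-07-01T22:41:25.293+00:00, the value the CEF section quotes. Note that the CEF splitter relies on senders escaping a literal "=" inside values as "\=", as the standard requires; an unescaped "key=" inside a msg value would be read as the start of a new pair.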

JavaScript Object Notation (JSON)

JSON is a lightweight data-interchange format with a rigorously defined syntax (but not taxonomy). A mainframe security event formatted in JSON might appear as follows:

{"Time": "2018-01-04T18:40:35.880", "HostName": "IBMSYSC", "Cat": "RACF",
 "EventDesc": "RESOURCE ACCESS: Insufficient Auth", "Severity": "Err",
 "Auth_Audit": false, "Auth_Bypass": false, "Auth_Exit": false, "Auth_Normal": true,
 "Auth_Oper": false, "Auth_Special": false, "Auth_Trusted": false, "Auth": "Normal check",
 "Violation": true, "User_Warning": false, "Group": "RESTRICT", "JobNm": "SP003ATR",
 "Vol": "SYS001", "Type": "DATASET", "Res": "DV205B.R320.BLD", "APF": false,
 "Prof": "DV205B.R320.BLD", "Req": "READ", "Name": "JOE SYSPROG"}

Splunk

The Splunk integration feature improves the usability of BMC AMI Defender data in Splunk searches by formatting all fields as tag, tag=value, or tag="quoted value" and by introducing a field severity=. To enable Splunk integration, specify OPTions SIEMtype(SPLunk). The SIEMtype(SPLunk) specification does not affect CZASEND. For more information, see SIEMtype and Customizing for a proprietary syslog extension.
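The JSON event shown in the previous section and the Splunk tag / tag=value / tag="quoted value" layout described here, reduced to one detection check by an added example that is not code from BMC AMI Defender, CZASEND, or Splunk. The JSON text is the event from this topic; the Splunk-style line is constructed to carry the same event, its severity= value is an assumed placeholder, and the handling of backslash-escaped quotes inside a quoted value is an assumption rather than documented behaviour. The triage function treats a bare tag (such as Violation) as true, so both representations yield the same alert.

```python
import json
import re

# The JSON event from this topic, with straight quotes.
JSON_EVENT = """{"Time": "2018-01-04T18:40:35.880", "HostName": "IBMSYSC", "Cat": "RACF",
 "EventDesc": "RESOURCE ACCESS: Insufficient Auth", "Severity": "Err",
 "Auth_Audit": false, "Auth_Bypass": false, "Auth_Exit": false, "Auth_Normal": true,
 "Auth_Oper": false, "Auth_Special": false, "Auth_Trusted": false, "Auth": "Normal check",
 "Violation": true, "User_Warning": false, "Group": "RESTRICT", "JobNm": "SP003ATR",
 "Vol": "SYS001", "Type": "DATASET", "Res": "DV205B.R320.BLD", "APF": false,
 "Prof": "DV205B.R320.BLD", "Req": "READ", "Name": "JOE SYSPROG"}"""

# Constructed Splunk-style line for the same event (severity= value is an assumed placeholder).
SPLUNK_LINE = ('Jan  4 18:40:35 IBMSYSC HostName=IBMSYSC Cat=RACF '
               'EventDesc="RESOURCE ACCESS: Insufficient Auth" Violation Auth_Normal '
               'Group=RESTRICT JobNm=SP003ATR Type=DATASET Res=DV205B.R320.BLD Req=READ '
               'Name="JOE SYSPROG" severity=err')

SYSLOG_PREFIX = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \S+ ")

# One token: a tag, optionally followed by '=' and either a double-quoted value
# (backslash-escaped quotes allowed, an assumption) or a run of non-space characters.
KV_TOKEN = re.compile(r'([A-Za-z_][A-Za-z0-9_]*)(?:=(?:"((?:[^"\\]|\\.)*)"|(\S*)))?')


def parse_splunk_kv(line):
    """Tokenise a Splunk-style line into a dict; a bare tag is recorded as True."""
    fields = {}
    body = SYSLOG_PREFIX.sub("", line, count=1)
    for m in KV_TOKEN.finditer(body):
        key, quoted, bare = m.groups()
        if quoted is not None:
            fields[key] = quoted.replace('\\"', '"')
        elif bare is not None:
            fields[key] = bare
        else:
            fields[key] = True
    return fields


def _is_true(value):
    # JSON carries real booleans; the Splunk form carries a bare tag (True) or text.
    return value is True or str(value).lower() in ("true", "1", "yes")


def normalize(event):
    """Reduce either representation to the handful of fields a detection needs."""
    auth_paths = [k[len("Auth_"):] for k, v in event.items()
                  if k.startswith("Auth_") and _is_true(v)]
    return {
        "host": event.get("HostName"),
        "category": event.get("Cat"),
        "violation": _is_true(event.get("Violation", False)),
        "request": event.get("Req"),
        "resource_type": event.get("Type"),
        "resource": event.get("Res"),
        "user": event.get("Name") or event.get("Group"),
        "auth_paths": sorted(auth_paths),
    }


def triage(event):
    """Return an alert string for access violations, or None for everything else."""
    n = normalize(event)
    if not n["violation"]:
        return None
    return "%s violation on %s: %s %s %s by %s (auth path: %s)" % (
        n["category"], n["host"], n["request"], n["resource_type"], n["resource"],
        n["user"], ",".join(n["auth_paths"]) or "unknown")


if __name__ == "__main__":
    print(triage(json.loads(JSON_EVENT)))
    print(triage(parse_splunk_kv(SPLUNK_LINE)))
```

Both calls print "RACF violation on IBMSYSC: READ DATASET DV205B.R320.BLD by JOE SYSPROG (auth path: Normal)". Because JSON has a defined syntax but no taxonomy, the field names the detection relies on (Violation, Req, Res, Auth_*) come from the agent's own schema, which is why the normalization step is kept separate from the rule.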
