Customizing the syslog server address
Specify the following values in the SERVER statement in the $$$SERVR member of the amihlq.CZAGENT.PARM data set:
- IP address of the BMC Defender Server or syslog console
- IP port number (if it is not the standard syslog default, port 514)
Specify the address, and optionally the port, on the SERVER statement in the parameter file. The address can be a host name or an IPv4 address in dotted format.
The following code shows the $$$SERVR member:
;**********************************************************************;
;**********************************************************************;
; $$$SERVR: User agent parameter member for BMC AMI Datastream ;
; This is a copy of CZASERVR and made available for ;
; user modification. It will be included in CZAPARMS ;
; SIEMTYPE-independent ;
; Copyright 2014-2018, 2019-2022 BMC Software, Inc. ;
;**********************************************************************;
;**********************************************************************;
SAY "v6.2.00 Updated 13 May 2022"
; Options dependent on SIEM type
OPTIONS IF(CEF) SIEM(CEF) TIMESTAMP +
INSTNAME(CEF.Agent)
OPTIONS IF(JSON) SIEM(JSON) +
INSTNAME(Agent.JSON)
OPTIONS IF(LEEF) SIEM(LEEF) TIMESTAMP +
INSTNAME(LEEF.Agent)
OPTIONS IF(RFC3164) SIEM(RFC3164) TIMESTAMP +
INSTNAME(SIEM.Agent)
OPTIONS IF(Splunk) SIEM(Splunk) TIMESTAMP +
INSTNAME(Agent.for.Splunk)
OPTIONS IF(ADELOG) SIEM(ADELOG) +
INSTNAME(Agent.ADELog)
OPTIONS IF(ADEINFLUX) SIEM(ADEINFLUX) +
INSTNAME(Agent.ADEInf)
OPTIONS SWAP(NO) ; Recommended default is NO
;OPTIONS NONCANCELABLE ; Agent is non-cancelable
OPTIONS QUEUE64(1024) ; 1GB default
;OPTIONS IPASYNCDisable ; Disable Asynchronous IP processing
OPTIONS IF(SIV) SIVSCANNER ; Enable System Integrity Scanner
OPTIONS IF(-SIV) NOSIVSCANNER ; Disable System Integrity Scanner
OPTIONS IF(ADELOG) NOSIVSCANNER ; Disable System Integrity Scanner
OPTIONS IF(ADEINFLUX) NOSIVSCANNER ; Disable System Integrity Scanner
OPTIONS IF(USSENRICH) USSENRich ; Enable USS Privileges Enrichment
OPTIONS IF(-USSENRICH) NOUSSENRich ; Disable USS Privileges Enrichment
OPTIONS IF(ADELOG) NOUSSENRich ; Disable USS Privileges Enrichment
OPTIONS IF(ADEINFLUX) NOUSSENRich ; Disable USS Privileges Enrichment
OPTIONS IF(Splunk) UNIQUETAG ; Make repeating field tags unique
OPTIONS IF(JSON) UNIQUETAG ; Make repeating field tags unique
OPTIONS IF(ADELOG) UNIQUETAG ; Make repeating field tags unique
OPTIONS IF(IEFU86) IEFU86Enable ; Enable the IEFU86 SMF exit
; ---------------------------------------------------------------------
; Uncomment the following OPTIONS if you are connecting
; to the BMC AMI Command Center with SERVER TRANS(TCP)
; ---------------------------------------------------------------------
;OPTIONS FRAMING(OCTETCOUNT) ; Framing (LF,CR,CRLF,NULL,OCTETCOUNT)
; ---------------------------------------------------------------------
; You must uncomment (remove the semi-colon(;)) from one of the SERVER
; statements below
; ---------------------------------------------------------------------
; ---------------------------------------------------------------------
; RFC3164
; ---------------------------------------------------------------------
;SERVER ip.addr.example TRANS(UDP) MAXMSG(2000) ; You MUST edit per doc
; ---------------------------------------------------------------------
; CEF - TRANS(TCP) Recommended
; ---------------------------------------------------------------------
;SERVER ip.addr.example TRANS(TCP) MAXMSG(2000) ; You MUST edit per doc
; ---------------------------------------------------------------------
; JSON - TRANS(TCP) Recommended
; ---------------------------------------------------------------------
;SERVER ip.addr.example TRANS(TCP) MAXMSG(3000) ; You MUST edit per doc
; ---------------------------------------------------------------------
; LEEF - TRANS(TCP) Required by QRadar
; ---------------------------------------------------------------------
;SERVER ip.addr.example TRANS(TCP) MAXMSG(2000) ; You MUST edit per doc
; ---------------------------------------------------------------------
; SPLUNK - TRANS(TCP) Recommended
; ---------------------------------------------------------------------
;SERVER ip.addr.example TRANS(TCP) MAXMSG(3000) ; You MUST edit per doc
; ---------------------------------------------------------------------
; ADELog - TRANS(ADE) Required
; ---------------------------------------------------------------------
;SERVER BMC.ADE.Log.Service.URL
; APIKEY(123-456-7890) +
; TRANS(ADE) MAXMSG(32768)
;TIME UTC +
; DUR(ISO8601_T) +
; TIMEOFDAY('%Y-%m-%dT%H:%M:%S.%Q3Z') +
; ZONE('CST6CDT') ; Review TIME statement ZONE parameter
; ---------------------------------------------------------------------
; ADEInflux - TRANS(ADE) Required
; ---------------------------------------------------------------------
;SERVER BMC.ADE.InfluxDB.Service.URL +
; APIKEY(123-456-7890) +
; TRANS(ADE) MAXMSG(32768)
; ---------------------------------------------------------------------
; Uncomment and edit the following TIME statement if desired
; ---------------------------------------------------------------------
; TIME UTC DUR(ISO8601_T) TIMEOFDAY(ISO8601_T) ZONE(TZ)
; ---------------------------------------------------------------------
; Uncomment and edit the following TIME statement if desired extra
; precision
; ---------------------------------------------------------------------
; TIME UTC DUR(' %H:%M:%S:%Q6 ') TIMEOFDAY('%d%b%Y %H:%M:%S:%Q6') +
; ZONE(TZ)
; ---------------------------------------------------------------------
; Uncomment the following lines if you want a local (on CZAGENT's LPAR)
; copy of the transmitted Syslog messages. See "The LOCAL Statement"
; in "Appendix A: Parameter File Reference" of the CZAGENT Users Manual
; The parameter values shown are defaults and may not be optimal for
; your installation.
; ---------------------------------------------------------------------
; LOCAL DATASET(*) +
; FOLD(133) +
; MOD +
; REOPEN(MIDNIGHT) +
; SPACE(TRK 10 10 0)
; ---------------------------------------------------------------------
; Uncomment the following to enable XCF communication
; between BMC AMI Datastream for z/OS servers
; ---------------------------------------------------------------------
SYSPLEX +
GROUPNAME(AMIZOS) ; Sysplex group name
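A pre-deployment check for an edited $$$SERVR member, added here as an example and not part of the BMC documentation or product. It assumes the syntax visible in the sample above (`;` starts a comment, a trailing `+` continues a statement); the function names and the 192.0.2.10 test address are constructed for illustration.

```python
import re

# Constructed sample: a $$$SERVR excerpt where the RFC3164 SERVER line was
# uncommented but its placeholder host was never edited.
SAMPLE = """\
OPTIONS IF(RFC3164) SIEM(RFC3164) TIMESTAMP +
        INSTNAME(SIEM.Agent)
;OPTIONS FRAMING(OCTETCOUNT) ; Framing (LF,CR,CRLF,NULL,OCTETCOUNT)
SERVER ip.addr.example TRANS(UDP) MAXMSG(2000) ; You MUST edit per doc
;SERVER ip.addr.example TRANS(TCP) MAXMSG(2000) ; You MUST edit per doc
"""

PLACEHOLDER_HOSTS = ("ip.addr.example", "bmc.ade.")  # sample hosts shown on the page
SAMPLE_APIKEY = "APIKEY(123-456-7890)"                # sample key shown on the page

def active_statements(text):
    """Drop ';' comments and join '+' continuations (syntax assumed from the sample)."""
    statements, pending = [], ""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.endswith("+"):
            pending += line[:-1].strip() + " "
        else:
            statements.append(pending + line)
            pending = ""
    if pending:
        statements.append(pending.strip())
    return statements

def check_server(text):
    """Return findings for the SERVER statement(s) that are actually in effect."""
    servers = [s for s in active_statements(text) if s.upper().startswith("SERVER ")]
    findings = []
    if len(servers) != 1:
        findings.append(f"expected exactly one active SERVER statement, found {len(servers)}")
    for stmt in servers:
        host = stmt.split()[1]
        trans = re.search(r"TRANS\((\w+)\)", stmt, re.IGNORECASE)
        if host.lower().startswith(PLACEHOLDER_HOSTS):
            findings.append(f"placeholder host not edited: {host}")
        if SAMPLE_APIKEY in stmt.upper():
            findings.append("sample APIKEY value still in place")
        if trans and trans.group(1).upper() == "UDP":
            findings.append("TRANS(UDP): delivery is unacknowledged, lost events go unnoticed")
    return findings

if __name__ == "__main__":
    for finding in check_server(SAMPLE):
        print("FINDING:", finding)
```

An empty result means exactly one SERVER statement is active, it no longer carries a sample host or key, and it does not use UDP.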