BMC AMI Datastream overview

BMC AMI Datastream for z/OS and its product variations monitor system activity and collect, process, and deliver application events to your distributed SIEM in real time. BMC AMI Datastream runs eligible work on the IBM z Integrated Information Processor (zIIP) in environments that can take advantage of the general-purpose processor savings that zIIP offload provides.

The following sections provide an overview of the products and features:

BMC AMI Datastream for z/OS

The BMC AMI Datastream for z/OS product is an agent program that you install and run on one or more z/OS LPARs.

BMC AMI Datastream performs the following activities:

  • Continuously monitors mainframe events from System Management Facilities (SMF) and collects SMF records.

    SMF is the z/OS component that collects system activity data. SMF is typically used for accounting, security, and performance monitoring.

  • Operates by installing the following z/OS SMF record exits on each LPAR where you run BMC AMI Datastream:

    • IEFU83
    • IEFU84
    • IEFU85
    • IEFU86
  • Reformats the SMF records that you specify as standard syslog messages.

  • Sends the reformatted messages over UDP/IP, TCP/IP, or encrypted TCP/IP (IPv4 or IPv6) to a specified syslog console or server (such as the BMC Defender Server). UDP delivery is neither acknowledged nor encrypted, so for audit data that must not be lost or read in transit, use TCP, preferably the encrypted option.

Important

  • In the documentation for this product, syslog refers to message streams traditionally produced by UNIX systems and routers, as documented in IETF RFC 3164 and subsequent RFCs.
  • To use BMC AMI Datastream, you do not need to install it on the BMC Defender Server, or on any other computer or console.

BMC AMI Datastream for Db2

BMC AMI Datastream for Db2 is a configuration alternative to BMC AMI Datastream for z/OS. You can use BMC AMI Datastream for Db2 to help you comply with the following regulatory standards:

  • Payment Card Industry Data Security Standard (PCI DSS)
  • Sarbanes-Oxley Act of 2002 (SOX)
  • Health Insurance Portability and Accountability Act of 1996 (HIPAA)
  • Gramm-Leach-Bliley Act of 1999
  • IRS Publication 1075
  • Federal Information Security Modernization Act of 2014 (FISMA)

BMC AMI Datastream for Db2 performs the following activities:

  • Automatically captures IBM Db2 events
  • Audits file and database access
  • Monitors database activity
  • Monitors file integrity

You can configure BMC AMI Datastream as a McAfee Database Activity Monitoring (DAM) agent or as a SIEM agent that captures z/OS system and subsystem session, transaction, security, and statement activity.

The following table lists the SMF records applicable to various compliance activities. For more information about the SMF records referenced in the table, see Parameter file statements.

Activity                                        SMF records (IFCID)
----------------------------------------------  ----------------------------------------------------
Early IPL record support                        00 (IPL, SMF initialization), 08 (I/O configuration),
                                                22 (device configuration), 43 (JES2 or JES3 startup),
                                                81 (RACF initialization)
Privileged user monitoring                      361
Invalid logical access attempts                 80, 140
Creation and deletion of system-level objects   97
Data access                                     80 EVENT(.0), 143, 144, and 145
                                                For the appropriate RACF data set profiles, specify
                                                AUDIT(ALL). AUDIT(ALL) is the same as AUDIT(ALL(READ))
                                                and logs every successful and failed access at READ
                                                or higher, so apply it to the data sets you must
                                                audit rather than to broad generic profiles; the
                                                SMF type 80 volume grows with every access logged.
File integrity                                  42 and 80 EVENT(.0)
                                                SMF 42 can notify you of changes to system libraries.
                                                For the appropriate RACF data set profiles, specify
                                                AUDIT(ALL(UPDATE)), which logs successful and failed
                                                access at UPDATE or higher.
Backup and recovery                             24 and 25

BMC AMI Datastream for Ops

BMC AMI Datastream for Ops is a configuration alternative to BMC AMI Datastream for z/OS and BMC AMI Datastream for Db2. You can use this configuration to pass BMC AMI Ops performance and monitoring data to a specified business analysis and reporting product such as Splunk.

Datastream for Ops provides secure data transport that complies with the following regulatory standards:

  • Payment Card Industry Data Security Standard (PCI DSS)
  • Sarbanes-Oxley Act of 2002 (SOX)
  • Health Insurance Portability and Accountability Act of 1996 (HIPAA)
  • Gramm-Leach-Bliley Act of 1999
  • IRS Publication 1075
  • Federal Information Security Modernization Act of 2014 (FISMA)

Datastream for Ops supports the formatting and transporting of BMC AMI Ops performance and monitoring data exclusively. Review your BMC AMI Ops documentation for supported data types.

BMC AMI Datastream architecture, security, main, and supplementary programs

Sample environment

The Sample environment figure (not reproduced in this text) illustrates the relationship between the parts of the BMC AMI Datastream environment: an example internal network and the way the product components relate to each other.

Support for security products

BMC AMI Datastream supports SMF records from the following products:

  • Resource Access Control Facility (RACF)
  • CA ACF2
  • CA Top Secret

CZASEND program

You can use the CZASEND program to send arbitrary text as custom syslog messages to a specified syslog console or server.

The CZASEND parameter file, CZAPSEND, holds the program's configuration, including the IP address of the target syslog console or server. Modify the parameter file to set these options. For more information, see Parameter file statements.

BMC AMI Datastream sends messages that comply with the syslog standard, RFC 3164. Several security information and event management (SIEM) vendor proprietary or semi-standard enhancements are layered on top of that standard, and BMC AMI Datastream supports all of the common format extensions. For more information, see Proprietary syslog format extensions.
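The following Python program is an added example, not BMC code, and serves two passages on this page: the agent description (SMF records reformatted as syslog and sent over UDP or TCP) and the CZASEND description (custom text sent as RFC 3164 messages). It shows what "RFC 3164 compliant" means on the wire: the PRI value (facility * 8 + severity), the space-padded timestamp, the hostname and tag, and the 1024-byte limit. It encodes a message, sends it through a loopback UDP socket so it runs offline, and parses it back the way a receiving SIEM would. The facility and severity chosen, the hostname LPAR01, the tag CZASEND, and the message text are all constructed for illustration; the page does not state which facility or tag the product uses.

```python
"""Added example (not BMC code): build, send, and parse RFC 3164 syslog
messages of the kind a consumer of BMC AMI Datastream or CZASEND output
receives. Hostname, tag, facility, and message text are assumptions."""
import re
import socket
from datetime import datetime

# RFC 3164 facility and severity codes; PRI = facility * 8 + severity.
FACILITY = {"kern": 0, "user": 1, "auth": 4, "local0": 16, "local4": 20}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}

# <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[pid]: CONTENT   (day is space-padded)
_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[A-Za-z0-9_.-]{1,32})(?:\[(?P<pid>\d+)\])?:? ?"
    r"(?P<content>.*)$"
)

SAMPLE_WHEN = datetime(2024, 3, 5, 14, 7, 9)  # fixed so output is reproducible


def build_rfc3164(facility, severity, hostname, tag, content, when=None):
    """Encode one message. RFC 3164 caps a packet at 1024 bytes, so the
    result is truncated rather than sent oversized."""
    pri = FACILITY[facility] * 8 + SEVERITY[severity]
    when = when or datetime.now()
    ts = when.strftime("%b") + f" {when.day:2d} " + when.strftime("%H:%M:%S")
    header = f"<{pri}>{ts} {hostname} {tag}: "
    return (header + content).encode("ascii", "replace")[:1024]


def parse_rfc3164(data):
    """Decode one message into its fields, or return None when it does not
    match the RFC 3164 layout. A receiver should count such messages rather
    than silently drop them; a burst of unparseable input is itself a signal."""
    m = _RFC3164.match(data.decode("ascii", "replace"))
    if not m:
        return None
    pri = int(m["pri"])
    if pri > 191:  # facility 23, severity 7 is the largest legal PRI
        return None
    return {"facility": pri // 8, "severity": pri % 8, "timestamp": m["ts"],
            "hostname": m["host"], "tag": m["tag"], "content": m["content"]}


def udp_round_trip(message):
    """Send one datagram to a loopback receiver and return what arrived.
    UDP gives no delivery or integrity guarantee, which is why the page
    recommends TCP (ideally encrypted) for audit-grade data."""
    recv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    recv.bind(("127.0.0.1", 0))
    recv.settimeout(2)
    send = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        send.sendto(message, recv.getsockname())
        data, _ = recv.recvfrom(2048)
    finally:
        send.close()
        recv.close()
    return data


def sample_message():
    """Constructed sample: the kind of text CZASEND might be asked to forward."""
    return build_rfc3164("local4", "warning", "LPAR01", "CZASEND",
                         "RACF access violation user=JSMITH dataset=PROD.CARD.DATA",
                         when=SAMPLE_WHEN)


if __name__ == "__main__":
    msg = sample_message()
    print(msg.decode())
    print(parse_rfc3164(udp_round_trip(msg)))
```

The parser deliberately returns None instead of raising on malformed input: a SIEM pipeline that drops the mainframe feed because one line failed to parse would lose exactly the records the compliance table above asks you to keep, so count and quarantine the bad lines instead.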
