BMC AMI Datastream overview
BMC AMI Datastream for z/OS and its product variations monitor system activity and collect, process, and deliver application events to your distributed SIEM in real time. BMC AMI Datastream uses IBM z Systems Integrated Information Processor (zIIP) for environments that are able to take advantage of the savings that zIIP provides.
The following sections provide an overview of the products and features:
BMC AMI Datastream for z/OS
The BMC AMI Datastream for z/OS product is an agent program that you install and run on one or more z/OS LPARs.
BMC AMI Datastream performs the following activities:
Continuously monitors mainframe events from system management facilities (SMF) and collects SMF records.
SMF is a z/OS component that collects system activity data. SMF is typically used for accounting, security, and performance monitoring.
Operates by installing the following z/OS exits on each LPAR on where you run BMC AMI Datastream:
- IEFU83
- IEFU84
- IEFU85
- IEFU86
Reformats the SMF records that you specify as standard syslog messages.
Sends the reformatted messages using UDP/IP, TCP/IP, or encrypted TCP/IP (IPv4 or IPv6) to a specified syslog console or server (such as the BMC Defender Server).
Important
- In the documentation for this product, syslog refers to message streams traditionally produced by UNIX systems and routers, as documented in IETF RFC 3164 and subsequent RFCs.
- To use BMC AMI Datastream, you do not need to install it on the BMC Defender Server, or on any other computer or console.
BMC AMI Datastream for Db2
BMC AMI Datastream for Db2 is a configuration alternative to BMC AMI Datastream for z/OS. You can use BMC AMI Datastream for Db2 to help you comply with the following regulatory standards:
- Payment Card Industry Data Security Standard (PCI DSS)
- Sarbanes-Oxley Act 2002 (SOX)
- Health Information Portability and Accountability Act 1996 (HIPAA)
- Gramm-Leach-Bliley Act 1999
- IRS Publication 1075
- Federal Homeland Security Modernization Act 2014 (FISMA)
BMC AMI Datastream for Db2 performs the following activities:
- Automatically captures IBM Db2 events
- Audits file and database access
- Monitors database activity
- Monitors file integrity
You can configure BMC AMI Datastream as a McAfee Database Activity Monitoring (DAM) or a SIEM agent that captures z/OS system and subsystem session, transaction, security and statement activity.
The following table lists the SMF records applicable to various compliance activities. For more information about the SMF records referenced in the table, see Parameter file statements.
Activity | SMF records (IFCID) |
---|---|
Early IPL record support | 00—IPL (SMF initialization) 08—I/O configuration 22—Device configuration 43—JES2 or JES3 startup 81—RACF initialization |
Privileged user monitoring | 361 |
Invalid logical access attempts | 80, 140 |
Creation and deletion of system level objects | 97 |
Data access | 80 EVENT(.0), 143, 144, and 145 For the appropriate RACF data set profiles, specify AUDIT(ALL). |
File integrity | 42 and 80 EVENT(.0) SMF 42 can notify you of changes to system libraries. For the appropriate RACF data set profiles, specify AUDIT(ALL(UPDATE)). |
Backup and recovery | 24 and 25 |
BMC AMI Datastream for Ops
BMC AMI Datastream for Ops is a configuration alternative to BMC AMI Datastream for z/OS and BMC AMI Datastream for Db2. You can use this configuration to pass BMC AMI Ops performance and monitoring data to a specified business analysis and reporting product such as Splunk.
Datastream for Ops provides secure data transport that complies with the following regulatory standards:
- Payment Card Industry Data Security Standard (PCI DSS)
- Sarbanes-Oxley Act 2002 (SOX)
- Health Information Portability and Accountability Act 1996 (HIPAA)
- Gramm-Leach-Bliley Act 1999
- IRS Publication 1075
- Federal Homeland Security Modernization Act 2014 (FISMA)
Datastream for Ops supports the formatting and transporting of BMC AMI Ops performance and monitoring data exclusively. Review your BMC AMI Ops documentation for supported data types.
BMC AMI Datastream architecture, security, main, and supplementary programs
Sample environment
The following figure illustrates the relationship between various parts of the BMC AMI Datastream environment:
Support for security products
BMC AMI Datastream supports SMF records from the following products:
- Resource Access Control Facility (RACF)
- CA ACF2
- CA Top Secret
CZASEND program
You can use the CZASEND program to send text as custom syslog messages to a specified syslog console or server.
The CZASEND parameter file, CZAPSEND, contains parameters such as the IP address of the syslog console. Modify the parameter file to specify configuration options such as the target server IP address. For more information, see Parameter file statements.
BMC AMI Datastream sends messages that are compliant with the syslog standard, RFC 3164. There are several security information and event management (SIEM)-vendor proprietary or semi-standard enhancements that are layered on top of the syslog standard. BMC AMI Datastream supports all of the common format extensions. For more information, see Proprietary syslog format extensions.
Comments
Log in or register to comment.