SERVER statement
The SERVER statement specifies the IP (Internet Protocol) address of one or more syslog servers, either a BMC Defender Server, BMC Defender SyslogDefender or any standard syslog console, and other parameters relative to communication with the syslog server. The SERVER statement is required by both BMC AMI Defender and CZASEND.
If you code more than one SERVER statement, then a subsequent SERVER statement replaces any SERVER statement(s) that came before.
SERVER | Must be specified as shown. | |||||||||||||||||||||
host-specification | Specifies the address of the primary syslog server. Specify the address as a hostname, or in IPv4 dotted format, or IPv6 colon format. If the port is not the default port for the TRANSport (514 for UDP, 1468 for TCP, or 6514 for SSL/TLS) then you must follow the name or address with a port number preceded by a colon, with no embedded spaces, as shown in the examples.
The host-specification coded as the first operand of the SERVER statement is called the primary IP address and is required. | |||||||||||||||||||||
ALTERNate(host-specification) | Specifies the address of an alternate syslog server in one of the formats shown. The ALTERNate parameter is optional; you might code zero or more ALTERNate parameters. See Multiple syslog server support. | |||||||||||||||||||||
ALTRevert(AT(MIDNight|COMMand|EVERY(minutes)) | Specifies when BMC AMI Defender should attempt to revert from an alternate TCP/IP or SSL/TLS Server to the primary server (see Multiple syslog server support). AT(MIDNight) specifies that the reversion should be attempted at midnight local time; COMMand specifies that the reversion must be initiated manually with the SET(SERVER) command (see The Modify or F Command in BMC AMI Defender for z/OS Installation and Operation); EVERY(minutes) specifies that reversion should be attempted at the expiration of the specified number of minutes. Specify a number of minutes between 5 and 1440 (24 hours). This parameter is optional. The default of COMMand is recommended: server connection switching is a fairly time-consuming process, especially if the primary server is still inoperable. | |||||||||||||||||||||
MAXMSGlen(length) | Specifies the maximum syslog message length in bytes for BMC AMI Defender and CZASEND. (For messages encoded in UTF-8, the length in bytes might be greater than the length in characters, because some characters are encoded in more than one byte. The message encoding is specified with the OPTIONS XLATE parameter.) Specify a number between 512 and 2,500,000. Most SMF records might be formatted within the default message length of 1024 bytes, but certain records, notably certain ACF2 and DB2 records, might require up to twice that number or more, depending on the fields specified and their values. If you are receiving message CZA0301W syslog message (SMF Record Type ttt) overflowed SERVER MAXMSGLEN then you should consider increasing MAXMSGLEN. Keep the following considerations in mind:
| |||||||||||||||||||||
PACE(No|msgs seconds) | Specifies, for UDP Servers only, the maximum number of messages to transmit in a window of so-many seconds, or that no pacing is desired. | |||||||||||||||||||||
PROTOCOL(IPV4|IPV6) | Specifies the IP protocol, IP version 4 or IP version 6. If this parameter is omitted, and the protocol cannot be determined from the format of the IP address, then Ipv4 is used, unless no Ipv4 connection is available. | |||||||||||||||||||||
REXMIT(number) | Specifies the number of retransmission buffers for TCP/IP and SSL/TLS connections. See TCP/IP error recovery. Specify a number between 1 and 20. This parameter is optional; if omitted, it defaults to 2. | |||||||||||||||||||||
TIMEout() | ||||||||||||||||||||||
CONNect(DEFault|seconds) | Specifies the time in seconds, after that an attempt by BMC AMI Defender or CZASEND to connect a TCP/IP session with the SIEM receiver is abandoned. Specify a time in seconds between 15 and 240 (four minutes), or specify DEFault to allow z/OS communication server to determine the timeout. (The connection timeout default value is not documented but appears to be a little more than three minutes.) If you specify too low a value then sessions might not connect; if you specify too high a value then BMC AMI Defender is not able to respond to console MODIFY and STOP commands until the timeout completes. If you omit TIMEout CONNect, then it defaults to 30 seconds. TIMEout CONNect has no effect on UDP transport. | |||||||||||||||||||||
IDLE(None|seconds) | Specifies the time in seconds, after that an idle (no formatted messages) BMC AMI Defender TCP/IP session will get terminated. Specify None or a number of seconds between 5 and 3600 (one hour). It is very important that you not specify too high a value for IDLE as at least one syslog message is usually lost each time a session is terminated by the SIEM receiver before being terminated by BMC AMI Defender. However, specifying too high a value ties up resources for non-productive sessions. If you omit TIMEout IDLE, it defaults to 300 seconds (five minutes). IDLE has no effect on CZASEND nor on UDP transport. | |||||||||||||||||||||
SEND(seconds) | Specifies the amount of time to be allowed for a TCP/IP send to complete. Specify None (for no timeout) or a time in seconds between 5 and 60 (one minute). Specifying too low a value might cause successful transmissions to be reported as errors; specifying too high a value might cause needless delay in recovering from an error. If you omit TIMEout SEND, then it defaults to 15 seconds. TIMEout SEND has no effect on UDP transport. | |||||||||||||||||||||
RETRY(seconds) | Specifies the delay in seconds after a TCP/IP error before BMC AMI Defender tries to establish a new session and transmit a message. Specify a time in seconds between 0 (always retry) and 600 (ten minutes). Specifying too low a value might cause needless churning; specifying too high a value might cause needless delays in recovering from an error, and lost messages until the session is reconnected. If you omit TIMEout RETRY, then it defaults to 35 seconds. TIMEout RETRY has no effect on CZASEND nor on UDP transport. | |||||||||||||||||||||
TLS|SSL(TLS parameters) | Specifies various parameters relevant only to SSL/TLS transport. (The SSL and TLS keywords are completely equivalent and the choice of one or the other has no effect on the operation of the software.) If you specify TLS or SSL with TRANSport TCP or UDP, the SSL/TLS parameters are validated, but a warning message is issued and the parameters have no effect. | |||||||||||||||||||||
CIPHersuites(ciphers) | Specifies the SSL or TLS cipher suites that are acceptable to the SSL/TLS client software. The SSL/TLS Server selects a cipher suite from this list that is mutually acceptable. (If no cipher suites are mutually acceptable, the session initiation fails.) Specify one or more cipher suite numbers that are supported by your version of IBM z/OS Cryptographic Services in your order of preference. Cipher suite numbers are specified as one to four hexadecimal digits. Starting with z/OS V1R13 the supported cipher suites are tabulated in Appendix C of the IBM Manual z/OS Cryptographic Services System Secure Sockets Layer Programming. If you omit TLS(CIPHersuites), then Cryptographic Services uses an internal list of available ciphers, that might vary from release to release (and also vary for FIPS versus non-FIPS mode). You might determine the current list by running BMC AMI Defender with TRANSport(Ssl|TLS) and OPTions TRACE(TLS). The available cipher suites are displayed in message CZA0104I. You should carefully review the defaults as they might not be appropriate for your installation. | |||||||||||||||||||||
FIPS | Specifies that the TLS encryption is to run in FIPS mode. FIPS mode means that the encryption is designed to meet the NIST FIPS 140-2 criteria. FIPS mode enforces more restrictions than non-FIPS mode. For instance, the key database must have been created in FIPS mode, and certain ciphersuites are considered too weak for FIPS mode. For more information, see System SSL and FIPS 140-2 in the IBM publication z/OS Cryptographic Services System Secure Sockets Layer Programming and the US Department of Commerce publication SECURITY REQUIREMENTS FOR CRYPTOGRAPHIC MODULES ( http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf ). Note BMC AMI Defender is not a validated cryptographic module itself, but rather BMC AMI Defender is an application that uses IBM z/OS Cryptographic Services for all cryptographic services. IBM z/OS Cryptographic Services is FIPS 140-2 certified. If you are running a level of z/OS lower than V2R1 and require FIPS compliant encryption, you might need to install the appropriate PTF for IBM APAR OA39422. FIPS support is available only in the BMC AMI Defender for z/OS product. For more information, see Federal Information Processing Standards support. | |||||||||||||||||||||
KEYRing(keyringfile) | Specifies the z/OS key ring that BMC AMI Defender or CZASEND uses to verify the signature of the server’s certificate, and to locate a client certificate if one is requested by the server. Specify the HFS file name of a gskkyman key database, or the name of a RACF key ring, optionally prefaced with userid/ if the RACF key ring is owned by another user. If keyringfile begins with a slash (/), it is assumed to be the name of a gskkyman key database; otherwise it is assumed to be a RACF key ring. HFS file names are case sensitive. The User ID under that BMC AMI Defender or CZASEND runs, requires read access to RACF resource IRR.DIGTCERT.LISTRING to use its own key ring, or update access to IRR.DIGTCERT.LISTRING to use a different User ID’s keyring. If the keyring name contains /*, then be sure to enclose the name in quotes: KEYRing('*AUTH*/*'). This parameter is required. | |||||||||||||||||||||
LABel(label) | Specifies the label in the key ring of the client certificate to be presented if the server requests one. If the label contains space characters, then you must enclose it in single or double quotation marks. | |||||||||||||||||||||
OCSP | Specify to activate certificate revocation checking using the HTTP URI values in the certificate's AIA extension. OCSPrequires z/OS V2R2 or later. | |||||||||||||||||||||
PASSword(password) | Specifies the password of the gskkyman key ring database. Do not specify PASSword with a RACF key ring. The PASSword parameter is provided as a convenience; the preferred method of specifying the gskkyman key ring database password is with a stashed password file (stash file). The name of the stash file is constructed by BMC AMI Defender or CZASEND automatically from the name of the database: if the key ring file name ends with .kdb, then the .kdb is removed and .sth is appended; if the name does not end with .kdb, then .sth is simply appended. If this parameter is omitted, then the key database must be a RACF key ring or must have a stashed password file named as described. | |||||||||||||||||||||
SECurity(security) | Specifies the allowed SSL/TLS security protocols. The z/OS cryptographic client software presents the specified list to the SSL/TLS Server, and the server selects a protocol. If there is no mutually acceptable protocol then session initiation fails. If TLS(SECurity) is omitted, then it defaults to ALL –SSLV3, that is, all of the supported protocols except SSLV3. (SSLV3 has been deprecated due to its vulnerability to the POODLE attack.) Specify zero or more of the security specifications in the table shown (in any order). Prefix any of the specifications with - (a minus sign) to indicate negation. The specifications are processed left to right. For instance, SECURITY (ALL –SSLV3) indicates all supported protocols except SSLV3. Note SSLv2, a severely flawed and deprecated protocol, is not supported.
| |||||||||||||||||||||
TRANSport(Ssl|TCP|TLS|Udp) | Specifies the transport protocol. Specify one of the following options. SSL and TLS are equivalent; see TLS(SECurity) if you want to specify a specific secure protocol. If your SIEM console or syslog receiver supports it, you should probably specify TLS or at least TCP. If you omit TRANSport it defaults to Udp, unless you specify SERVER SSL() or TLS(), in that case it defaults to SSL/TLS.
|
Comments
Log in or register to comment.