OPTIONS statement
You can use the OPTIONS statement to specify miscellaneous options for BMC AMI Defender and CZASEND. CZASEND honors the parameters of the OPTIONS statement except as indicated for certain individual parameters.
For information about for and/or if, see FOR and IF statements.
For information about trace-specification, see Using the TRACE facility.
If you code more than one OPTIONS statement—or if your OPTIONS statements are qualified with FOR (more than one OPTIONS statement that applies to a particular LPAR)—then the effect is cumulative.
Item | Description
---|---
OPTions | Must be specified as shown.
For and/or if |
NOAPFENRich | Specifies that APF status enrichment is to be suppressed (for more information, see APF Status Enrichment). No table of APF-authorized data sets is built at startup, SMF type 90 records are not checked for APF updates (they are still formatted if configured), and APF authorization status enrichment fields are treated as missing (see Missing Fields). This parameter is optional. If NOAPFENRich is omitted, then APF status enrichment is enabled.
BOOLValues(truevalue falsevalue) | Specifies the values to be used for true and false for Boolean (yes and no, or true and false) fields. For truevalue and falsevalue, code either the keyword OMIT (upper or lower case, without quotation marks) or a character string of zero to eight characters enclosed in quotes.
CLOCKMsg(AT(MIDNight\|COMMand\|EVERY(minutes)) | Specifies whether BMC AMI Defender should send message CZA0352I (see BMC AMI Defender for z/OS Messages and Codes) to the SIEM console, and if so, at what interval. Message CZA0352I is intended to facilitate compliance with ISO 27000 (and similar standards): Ensure that the clocks of all relevant information processing systems at the organization are synchronized to an official or industry best practice source. The message shows the clock setting of the z/OS system. This parameter is optional. If CLOCKMsg is omitted, it defaults to COMMand; that is, the message is sent only if requested manually.
DATAVALidate | Specifies that field data validation is to be performed. If you specify DATAVALidate, then all field values are checked for valid characters, and invalid characters are diagnosed with message CZA0367W. DATAVALidate is intended primarily for testing new field definitions or diagnosing field definition problems. Do not use DATAVALidate routinely in production as it increases CPU utilization unnecessarily. This operand is optional; if you omit DATAVALidate, then no data validation is performed.
DELIMit('lead' 'trail' 'innerlead' 'innertrail' 'grouplead' 'grouptrail' NOFINal\|FINal) | Specifies how fields in each syslog record should be delimited:
NOEXITs | Specifies that the z/OS installation exit that monitors z/OS system exits IEFU83, IEFU84 and IEFU85 is not to be installed (see Overview). Specifying NOEXITs prevents the agent from receiving any SMF records from z/OS. Generally, this parameter should only be used as directed by BMC Support.
FORMat(format) | Specifies whether fields that are zero or blank are to be formatted as part of syslog messages and if so, what string (if any) is to be used to indicate all-blank fields. If FORMAT(ERGO) is specified or allowed to default, then fields with a value of zero or all blanks are omitted from messages sent to the syslog console. Group fields are omitted when all of the subsidiary fields are suppressed (blank or zero). If FORMAT(ALL) is specified, then fields with a value of zero are formatted as Tag: 0 -. Fields with a value of blank are formatted as Tag: blank-indicator - where the value of blank-indicator is determined by the operand following ALL: if NONE is specified or allowed to default then the blank indicator is the word None; if NULL is specified then the blank indicator is the null string (Tag: -); if a value in quotes is specified then the specified value is used. The quoted value might be from zero to 20 characters in length. Note: FORMat has no effect on Boolean fields. For more information, see the BOOLValues description earlier in this topic.
FRAMing(framing_options) | Specifies, for TCP/IP transport only, how individual messages are to be delimited or framed within the TCP/IP datastream. Specify one of CR (carriage return, X'0D'), LF (linefeed, X'0A'), CRLF (carriage return plus linefeed, X'0D0A'), Null (null, X'00') or Octetcount. Make sure that whatever framing option you specify is supported by your syslog console. BMC Defender believes that octet counting is superior to the use of delimiter characters and recommends its use whenever possible. Octet counting should always be used for SyslogDefender connections. If you do not specify FRAMing it defaults to LF (linefeed). See the description of SIEMtype for its effect on FRAMing.
HEADer(hostname) | Specifies that BMC AMI Defender and CZASEND are to begin each syslog message with a BMC Defender proprietary header indicating the actual origin of the syslog message (as opposed to the device that forwarded the message to the BMC Defender Server). Code this parameter only if the ultimate destination of the syslog messages is the BMC Defender Server (as opposed to some other syslog collector) and there is some intermediate node between the LPAR and the BMC Defender Server such as a load balancer, tunnel, or proxy. Code CPUID, IPV4, IPV6, HOSTNAME, JESNODE, LPARNAME, NONE, SMFID, or SYSNAME to indicate the CPU ID (serial number), the IPv4 dotted address, the IPv6 colon-formatted address, the TCP/IP hostname, the JES node name, the LPAR name, no hostname, or the system name (&SYSNAME as defined in the IEASYSxx or IEASYMxx parmlib member) respectively, or code a literal character string enclosed in single or double quotation marks. The character literal must not contain embedded blanks and must not exceed 100 characters in length. Do not code LPARNAME if you are not running in logical partition mode. If you omit HEADer, no header is inserted. See the description of SIEMtype for its effect on HEADer.
HOSTname(hostname) | Specifies how the origin (hostname) of syslog records generated by zDefender or CZASEND is to be identified. Code CPUID, IPV4, IPV6, HOSTNAME, JESNODE, LPARNAME, NONE, SMFID, or SYSNAME to indicate the CPU ID (serial number), the IPv4 dotted address, the IPv6 colon-formatted address, the TCP/IP hostname, the JES node name, the LPAR name, no hostname, or the system name (&SYSNAME as defined in the IEASYSxx or IEASYMxx parmlib member) respectively, or code a literal character string enclosed in single or double quotation marks. The character literal must not contain embedded blanks and must not exceed 1 characters in length. Do not code LPARNAME if you are not running in logical partition mode. If you omit HOSTNAME, the TCP/IP hostname of the LPAR is used. See the description of SIEMtype for its effect on HOSTname.
INSTName(name) | Specifies an optional name for the running instance of BMC AMI Defender (see START command). Specify a name of one to sixteen characters; the first character must not be numeric. The name must not be quoted; that is, the name must not contain blanks or parentheses nor begin with a quotation character. The name does not affect the operation of BMC AMI Defender, but identifies BMC AMI Defender in the DISPLAY(INSTances) output (see MODIFY command) and might be used by API programs (see API1 common fields) to identify BMC AMI Defender. The name is displayed in the case you specify but name comparisons are case-insensitive (like a Windows filename). Any name you specify must not be a duplicate of the name of another BMC AMI Defender running in the same LPAR. If you omit INSTName it defaults to the name of the CZAPARMS member; if that name is a duplicate of an already-running BMC AMI Defender then it is ignored: the BMC AMI Defender instance is unnamed and might not be accessible by some API programs. The instance number and instance name are available as SIEM syslog message fields; see Universal fields.
INTFormat(CANONical\|SCALEd CANONical\|SCALEd) | Specifies the format in which integers are to be formatted. The two formats are canonical (CANONical, regular numbers) and scaled for better readability (SCALEd). The first operand of INTFormat specifies how event (SMF and API record) integer fields are to be formatted and the second operand specifies how counters (see ) are to be formatted in SIEM messages. Certain event integer fields that represent codes or similar data always appear in canonical format, and counters always appear in scaled format on the console and in CZAPRINT. If you omit INTFormat it defaults to SCALEd SCALEd. If you code INTFormat and specify only the first operand, then the second operand defaults to the value specified for the first operand; in other words, INTF(CANON) is equivalent to INTF(CANON CANON). See the description of SIEMtype for its effect on INTFormat.
LOGSTReam( + ifasmf.lgstream.logr1 + ... + ifasmf.lgstream.logr32 + ) (version 5.9.02) | Specify the names of up to 32 SMF log streams to read in order to collect SMF records that are generated as part of the IPL process before the BMC AMI Defender for z/OS agent program starts. The agent address space reads the specified SMF log streams and scans for the following SMF records: The SMF log stream or log streams that contain these records are in your SYS1.PARMLIB(SMFPRMxx) member. Contact your system administrator for this information.
PRIority \| NOPRIority | Specifies whether a message severity value, which is assigned by the user, should be passed to the SIEM. SIEMTYPE(CEF) requires and defaults to PRIority.
PROCess('process-tag') | Specifies the tag that appears at the start of general syslog messages issued by zDefender to indicate its own status, following the priority, timestamp and hostname, and preceding the formatted fields. Specify the exact process tag that you want to include in syslog messages including any spaces and punctuation. Process-tag might be any length from the null string ('') to 32 characters. If OPTIONS PROCess is omitted it defaults to Internal followed by the leading delimiter from OPTIONS DELIM. CZASEND always uses the process tag CZASEND followed by the leading delimiter from OPTIONS DELIM; it is not possible to change CZASEND's process tag.
QUEUE() | Deprecated. It is scanned for valid syntax, and a diagnostic message is issued, but QUEUE is otherwise ignored and has no effect on BMC AMI Defender operation.
QUEUE64/Q64(size) | Specifies the number of megabytes (MB) allocated to store the captured SMF data. QUEUE64(1) is 1MB or 1,048,576 bytes. This queue is allocated in above-the-bar (64-bit) storage. For information about determining an optimal value for QUEUE64, see Determining the QUEUE64 size. If you omit QUEUE64, it defaults to QUEUE64(1024) or 1,073,741,824 bytes.
REFResh(AT(MIDNight\|COMMand\|EVERY(minutes)) | Specifies whether BMC AMI Defender should automatically refresh (reread and process) the parameter file. A parameter refresh is equivalent in effect to the MODIFY PARMS command (see MODIFY command). AT(MIDNight) specifies that the parameter file should be automatically refreshed every midnight local time; COMMand specifies that the parameters are refreshed only manually with the MODIFY PARMS command (see MODIFY command); EVERY(minutes) specifies that parameters should be refreshed at the expiration of the specified number of minutes. Specify a number of minutes between 5 and 1440 (24 hours). This parameter is optional. If REFResh is omitted, it defaults to COMMand.
SIEMtype(RFC3164\|CEF\|JSON\|LEEf\|SPLunk) | Specifies whether to enable the CEF, JSON, LEEF, or Splunk integration features. For more information, see Proprietary syslog format extensions. For the BMC Defender Server, omit SIEMtype or code SIEMtype(RFC3164). If SIEMtype is omitted it defaults to RFC3164; that is, vanilla syslog. If you code SIEMtype(CEF, JSON, LEEf or SPLunk) then certain other options are set to specific values to accommodate the named SIEM type. You can override the options set by SIEMtype but BMC AMI Defender issues a warning if the overridden value is required and the specified SIEM might not function correctly. The options set by the possible SIEMtype values are shown in the following table.
STATUSTOSiem \| NOSTATUSTOSiem | Specifies whether or not agent status and error messages are to be sent to the SIEM. SIEMtype(CEF) requires and defaults to STATUSTOSiem.
STATs(AT(MIDNight\|COMMand\|EVERY(minutes) RESET SEND) | Specifies when BMC AMI Defender should display operating statistics in CZAPRINT, and optionally reset the counters to zero and send them to the syslog server (see Counters). AT(MIDNight) specifies that the statistics should be produced at midnight local time; COMMand specifies that statistics should be produced only manually with the MODIFY STATs command (see MODIFY command); EVERY(minutes) specifies that statistics should be produced repeatedly at the expiration of the specified number of minutes. Specify a number of minutes between 5 and 1440 (24 hours). This parameter is optional. If STATs is omitted it defaults to AT(MIDNIGHT). RESET and SEND might be specified with COMMand but have no effect; BMC AMI Defender instead honors the parameters of the MODIFY command.
SUBSYS(subsysname) | For each subsystem named in your active SMFPRMxx record, if the SUBSYS statement in SMFPRMxx contains the keyword EXITS and you want BMC AMI Defender to forward SMF events for that subsystem, then you must code that subsystem name here. SUBSYS is ignored by CZASEND and by MODIFY CZAGENT,PARMS. If you are missing all syslog records for a particular subsystem such as TSO, you should try coding its name here, for instance SUBSYS(SYS SYSTSO). Contact BMC technical support if you would like assistance with the use of this parameter. Specify ALL, or allow SUBSYS to default, to cause BMC AMI Defender to automatically pick up all of the subsystems configured in SMF. It is highly recommended that you allow SUBSYS to default. However, you might determine appropriate SUBSYS values by issuing the D SMF,O console command and examining the output. Look for SUBSYS(xxx,EXITS … statements. If any such statements appear, and xxx is the name of a subsystem from which you would like events forwarded to your syslog console, then you must code SYSxxx as the operand of a BMC AMI Defender parameter file SUBSYS parameter. For instance, if SUBSYS(SLS0,EXITS(IEFU83)) appears in the D SMF,O output then SYSSLS0 should be included as an operand of SUBSYS.
SWAPpable(ASIS\|Yes\|No) | Specifies whether z/OS workload manager swapping of BMC AMI Defender should be allowed. For more information about swapping, see the following resources: The default value is SWAPpable(No). Use the SWAPpable parameter with caution because making an address space non-swappable might have an impact on the performance of the LPAR as a whole. Specify the swapping status for BMC AMI Defender: SWAPpable is ignored by CZASEND.
TAGCase(case NOBLanks) | Specifies whether tags (field labels) in the syslog messages are to be displayed in mixed, upper, or lower case, or with an initial capital, and whether any blank characters occurring in tags are to be converted to underscores (NOBLanks). If TAGCase is omitted, it defaults to MIXED. See the description of SIEMtype for its effect on TAGCase. The following table shows how the JobNm (Job Name) and IEFU83 driven tag and data would be displayed under various TAGCASE options:
TCPname(tcpname) | Available to customers with multiple TCP/IP stacks and a requirement that BMC AMI Defender and CZASEND use a specific stack that is not the default stack. Most customers should not need to code this parameter. If you want BMC AMI Defender and CZASEND to use a specific TCP/IP stack, code TCPNAME with the name of the desired TCP/IP image stack.
NOTCPWait | Specifies that in the event that BMC AMI Defender determines that the default, only, or specified (with TCPNAME) TCP/IP stack is not active, BMC AMI Defender does not wait for it to become active. NOTCPWAIT is ignored by CZASEND (which never waits for the TCP/IP stack; if the TCP/IP stack is not active, CZASEND always terminates). If BMC AMI Defender is waiting for TCP/IP to become active it might be terminated with the STOP console command.
TIMESTamp and NOTIMESTamp | Specifies that syslog records are or are not to include a timestamp in accordance with the RFC 3164 specification. If you omit TIMESTAMP, then the generated syslog records do not include a timestamp. See the description of SIEMtype for its effect on TIMESTamp.
TRACE(trace_specifications) | Specifies that BMC AMI Defender and CZASEND are to output additional diagnostic messages and the types of diagnostic messages, or not to output additional diagnostic messages, in the CZAPRINT data set. TRACE might be useful for diagnosing certain problems. If TRACE is completely omitted then it defaults to the previous state of TRACE; if TRACE() or TRACE(-ALL) is specified then all tracing is turned off. Specify zero or more of the trace types described in Using the TRACE facility (in any order). Prefix any of the specifications with - (a minus sign or hyphen) to indicate negation. The specifications are processed left to right. For instance, TRACE(ALL -XL -ENV) indicates all TRACE output except that related to translation and the operating environment.
VERBose and NOVERBose | VERBOSE and NOVERBOSE are deprecated. VERBOSE is equivalent to TRACE(PARM ENV CSA) and NOVERBOSE is equivalent to TRACE(-ALL).
XLATE(from-ccsid to-ccsid 'technique') | Specifies how data is to be translated from its EBCDIC representation on a z System to the ASCII representation of syslog messages. Specify a valid EBCDIC single-byte CCSID and optionally a valid UTF-8 or ASCII single-byte CCSID. You might also specify (enclosed within quotation marks) a list of desired code conversion (translation) techniques. If you want to specify a UTF-8 or ASCII CCSID then you must also specify an EBCDIC CCSID. The valid conversion techniques are: CCSID stands for coded character set identifier. For more information about CCSIDs and conversion techniques, see the IBM manual z/OS Support for Unicode: Using Unicode Services. CCSIDs are traditionally specified as five-digit numbers with leading zeros if necessary but you might omit the zeros if you prefer: 00819 and 819 are equivalent CCSID specifications. If you omit XLATE then zDefender and CZASEND use CCSIDs 01047 and 01208 and a conversion techniques priority list of ERLM. CCSID 01208 is a UTF-8 CCSID. (UTF-8 CCSIDs can represent every character in use anywhere in the world.) If you are using BMC Defender, make sure Message Encoding (under Edit Define Info after clicking on the hostname or TCP/IP address of the LPAR) is set to UTF-8. If you are using a different syslog console make the equivalent configuration selection. If you cannot or do not want to do so, then you should specify the ASCII code page appropriate for your culture, such as 01252 for standard U.S. English. BMC AMI Defender and CZASEND attempt to validate the supplied CCSIDs based on the following criteria: z/OS releases earlier than V1R10.0 do not support the z/OS Unicode Services function CUNLINFO that allows BMC AMI Defender and CZASEND to perform these validations. If you are running an earlier release, be careful when coding the operands of XLATE, because BMC AMI Defender and CZASEND cannot validate them and errors during execution might result. If you omit XLATE, it defaults to 01047 01208 'LERM'. See the description of SIEMtype for its effect on XLATE.
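
The FRAMing description prefers octet counting to delimiter characters. The following added example (not BMC code) shows why from the receiving side: a linefeed inside a field value splits one message into two records under LF framing, while octet counting keeps it whole. The sample messages are constructed, the function names and receiver limits are hypothetical, and the octet-counting layout is assumed to be the RFC 6587 form (decimal length, one space, message).

```python
# Added illustration (not BMC code): LF framing vs. octet counting on a TCP
# syslog stream. Octet counting is assumed to be RFC 6587 "MSG-LEN SP MSG".
MAX_DIGITS = 6          # assumption: longest length prefix a receiver accepts
MAX_LEN = 65536         # assumption: largest single message a receiver accepts

# Constructed sample messages; the second carries a linefeed inside a field.
SAMPLE = [
    b"<110>Jan  1 00:00:00 LPAR1 Sample: User: ALICE - Cmd: LISTDS -",
    b"<110>Jan  1 00:00:01 LPAR1 Sample: User: BOB - Text: line one\nline two -",
]


def frame_lf(messages):
    """Sender: FRAMing(LF) style, every message followed by X'0A'."""
    return b"".join(m + b"\n" for m in messages)


def frame_octet_count(messages):
    """Sender: octet counting, decimal byte length, a space, then the message."""
    return b"".join(str(len(m)).encode("ascii") + b" " + m for m in messages)


def split_lf(stream):
    """Receiver: split on LF. Payload linefeeds look exactly like delimiters."""
    parts = stream.split(b"\n")
    tail = parts.pop()              # bytes after the last LF: incomplete record
    return parts, tail


def split_octet_count(stream):
    """Receiver: read the length, then take exactly that many bytes."""
    records, pos = [], 0
    while pos < len(stream):
        sp = stream.find(b" ", pos, pos + MAX_DIGITS + 1)
        if sp == -1:
            if len(stream) - pos > MAX_DIGITS:
                raise ValueError("no length prefix at offset %d" % pos)
            break                   # prefix itself not fully received yet
        prefix = stream[pos:sp]
        if not prefix.isdigit() or prefix.startswith(b"0"):
            raise ValueError("malformed length prefix %r" % prefix)
        length = int(prefix)
        if length > MAX_LEN:
            raise ValueError("length %d exceeds receiver limit" % length)
        end = sp + 1 + length
        if end > len(stream):
            break                   # message body not fully received yet
        records.append(stream[sp + 1:end])
        pos = end
    return records, stream[pos:]    # remainder is kept for the next read


if __name__ == "__main__":
    lf_records, _ = split_lf(frame_lf(SAMPLE))
    oc_records, _ = split_octet_count(frame_octet_count(SAMPLE))
    print("sent:", len(SAMPLE), "LF:", len(lf_records), "octet:", len(oc_records))
```

The octet-counting receiver also returns any unconsumed bytes, so a message cut at a TCP segment boundary is completed on the next read instead of being emitted as a truncated record.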