Customizing for a proprietary syslog extension
This topic describes how to customize BMC AMI Defender to be compatible with the following products:
- ArcSight
- RSA Security Analytics
- IBM Security QRadar
- JSON
- Splunk
To make BMC AMI Defender compatible with these products, begin your testing by customizing the CZAPARMS member in your amihlq.CZAGENT.cntl data set. The amihlq variable is the high-level qualifier that you choose during installation.
; Options dependent on SIEM type
OPTIONS IF(CEF) SIEM(CEF) TIMESTAMP INSTNAME(CEF.Agent)
OPTIONS IF(JSON) SIEM(JSON) INSTNAME(Agent.JSON)
OPTIONS IF(LEEF) SIEM(LEEF) TIMESTAMP INSTNAME(LEEF.Agent)
OPTIONS IF(RFC3164) SIEM(RFC3164) TIMESTAMP INSTNAME(SIEM.Agent)
OPTIONS IF(Splunk) SIEM(Splunk) TIMESTAMP INSTNAME(Agent.for.Splunk)
Specifying your configuration type
The CNTL file member named CZDCONFG allows you to control the SIEM type and other optional record definitions by setting switches:
;**********************************************************************;
;**********************************************************************;
; CZDCONFG: Field configuration member for BMC AMI Defender ;
;**********************************************************************;
;**********************************************************************;
Say "CZDCONFG v5.9.01 updated 18 July 2019"
;**********************************************************************;
; Do NOT place any statements in this member unless they are acceptable
; BOTH as definition and parameter statements as this member is
; included in both CZDEFINE and CZAPARMS.
;**********************************************************************;
;**********************************************************************;
; Switches for setting the SIEM type. Uncomment ONE and ONLY ONE of the
; following statements
;**********************************************************************;
SWITCH ON(RFC3164) ; Uncomment for SIEM type RFC 3164
; SWITCH ON(CEF) ; Uncomment for SIEM type CEF
; SWITCH ON(JSON) ; Uncomment for SIEM type JSON
; SWITCH ON(LEEF) ; Uncomment for SIEM type LEEF
; SWITCH ON(Splunk) ; Uncomment for SIEM type Splunk
; SWITCH ON(DAM) ; Uncomment for SIEM type DAM
;**********************************************************************;
; Switches for the inclusion of various optional support
; Uncomment as desired by overtyping column 1 with a blank
;**********************************************************************;
; SWITCH ON(Abend-AID) ; Compuware Abend-AID
; SWITCH ON(Action) ; Action Software EventAction SMF Type 249
; SWITCH ON(App_Audit) ; Compuware Application Audit
; SWITCH ON(ChangeMan) ; Micro Focus ChangeMan
; SWITCH ON(IFCID002) ; DB2 IFCID 002
; SWITCH ON(IFCID003) ; DB2 IFCID 003
; SWITCH ON(MQ) ; SMF Type 115 and 116 (MQ Series)
; SWITCH ON(RMF) ; RMF: SMF Types 70 through 79
; SWITCH ON(SMF113) ; SMF Type 113
; SWITCH ON(SMF30CPU) ; SMF Type 30 CPU reporting
; SWITCH ON(SMF30STO) ; SMF Type 30 Storage reporting
; SWITCH ON(SMF89) ; SMF Type 89
;**********************************************************************;
By uncommenting a statement (removing the leading semicolon in column 1), you enable that SIEM type or optional record definition.
Be sure to enable only one SIEM type.
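As an added example (not part of the BMC documentation or the product itself), a small Python check that applies the rules above to copies of the two members: it treats a ';' in column 1 as commenting out the line, enforces that exactly one SIEM-type switch is active in CZDCONFG, and reports which OPTIONS IF(...) line in CZAPARMS would then apply. The assumption that OPTIONS IF(x) is honoured only when SWITCH ON(x) is active, the case-insensitive name comparison, and the sample members are mine, not the product's.

```python
import re
from typing import List, Optional

# The six SIEM-type switches CZDCONFG offers; names compared case-insensitively (assumption).
SIEM_SWITCHES = {"RFC3164", "CEF", "JSON", "LEEF", "SPLUNK", "DAM"}
_SWITCH_RE = re.compile(r"SWITCH\s+ON\(([^)]+)\)", re.IGNORECASE)
_OPTIONS_RE = re.compile(r"OPTIONS\s+IF\(([^)]+)\)\s+(.*)", re.IGNORECASE)

# Constructed sample members modelled on the page's listings (not real site data).
SAMPLE_CZDCONFG = """\
Say "CZDCONFG v5.9.01 updated 18 July 2019"
; SWITCH ON(RFC3164) ; Uncomment for SIEM type RFC 3164
SWITCH ON(CEF) ; Uncomment for SIEM type CEF
SWITCH ON(MQ) ; SMF Type 115 and 116 (MQ Series)
"""
SAMPLE_CZAPARMS = """\
; Options dependent on SIEM type
OPTIONS IF(CEF) SIEM(CEF) TIMESTAMP INSTNAME(CEF.Agent)
OPTIONS IF(RFC3164) SIEM(RFC3164) TIMESTAMP INSTNAME(SIEM.Agent)
"""

def active_statements(member: str) -> List[str]:
    """Statements not commented out: ';' in column 1 disables the line, a later ';' starts an inline comment."""
    stmts = []
    for line in member.splitlines():
        if line.startswith(";"):
            continue
        code = line.split(";", 1)[0].strip()
        if code:
            stmts.append(code)
    return stmts

def selected_siem(member: str) -> str:
    """Enforce the member's 'ONE and ONLY ONE' rule; optional switches (e.g. MQ) do not count."""
    names = [m.group(1).strip() for m in map(_SWITCH_RE.match, active_statements(member)) if m]
    on = [n for n in names if n.upper() in SIEM_SWITCHES]
    if len(on) != 1:
        raise ValueError(f"expected exactly one SIEM-type switch, found: {on or 'none'}")
    return on[0]

def effective_options(czdconfg: str, czaparms: str) -> Optional[str]:
    """OPTIONS text for the selected SIEM, assuming OPTIONS IF(x) applies only when
    SWITCH ON(x) is active; None when CZAPARMS has no matching line (e.g. DAM)."""
    siem = selected_siem(czdconfg).upper()
    for stmt in active_statements(czaparms):
        m = _OPTIONS_RE.match(stmt)
        if m and m.group(1).strip().upper() == siem:
            return m.group(2).strip()
    return None
```

Run it against your own CZDCONFG and CZAPARMS before starting the agent; a ValueError means the "one and only one" rule is violated and the members need correcting.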