Customizing for a proprietary syslog extension
This topic describes how to customize BMC AMI Defender to be compatible with the following products:

  • ArcSight
  • RSA Security Analytics
  • IBM Security QRadar
  • JSON
  • Splunk

Selecting product compatibility

To make BMC AMI Defender compatible with the listed SIEM products, begin your testing by customizing the $$$SERVR member in your amihlq.CZAGENT.PARM data set. The amihlq variable is the high-level qualifier that you choose during installation.

The following code shows the $$$SERVR member:

;**********************************************************************;
;**********************************************************************;
; $$$SERVR: User agent parameter member for BMC AMI Defender ;
; This is a copy of CZASERVR and made available for ;
; user modification. It will be included in CZAPARMS ;
; SIEMTYPE-independent ;
; Copyright 2014-2018, 2019-2020 BMC Software, Inc. ;
;**********************************************************************;
;**********************************************************************;

SAY "v6.0.02 Updated 21 March 2020"

; Options dependent on SIEM type
OPTIONS IF(CEF) SIEM(CEF) TIMESTAMP +
 INSTNAME(CEF.Agent)
OPTIONS IF(JSON) SIEM(JSON) +
 INSTNAME(Agent.JSON)
OPTIONS IF(LEEF) SIEM(LEEF) TIMESTAMP +
 INSTNAME(LEEF.Agent)
OPTIONS IF(RFC3164) SIEM(RFC3164) TIMESTAMP +
 INSTNAME(SIEM.Agent)
OPTIONS IF(Splunk) SIEM(Splunk) TIMESTAMP +
 INSTNAME(Agent.for.Splunk)

OPTIONS SWAP(NO) ; Recommended default is NO
OPTIONS QUEUE64(1024) ; 1GB default

; ---------------------------------------------------------------------
; Uncomment the following OPTIONS if you are connecting
; to the BMC AMI Command Center or BMC AMI SyslogDefender
; with SERVER TRANS(TCP)
; ---------------------------------------------------------------------
OPTIONS FRAMING(OCTETCOUNT) ; Framing (LF,CR,CRLF,NULL,OCTETCOUNT)

; ---------------------------------------------------------------------
; You must uncomment (remove the semi-colon(;)) from one of the SERVER
; statements below
; ---------------------------------------------------------------------
; ---------------------------------------------------------------------
; RFC3164
; ---------------------------------------------------------------------
;SERVER ip.addr.example TRANS(UDP) MAXMSG(2000) ; You MUST edit per doc

; ---------------------------------------------------------------------
; CEF - TRANS(TCP) Recommended
; ---------------------------------------------------------------------
;SERVER ip.addr.example TRANS(TCP) MAXMSG(2000) ; You MUST edit per doc

; ---------------------------------------------------------------------
; JSON - TRANS(TCP) Recommended
; ---------------------------------------------------------------------
;SERVER ip.addr.example TRANS(TCP) MAXMSG(3000) ; You MUST edit per doc

; ---------------------------------------------------------------------
; LEEF - TRANS(TCP) Required by QRadar
; ---------------------------------------------------------------------
;SERVER ip.addr.example TRANS(TCP) MAXMSG(2000) ; You MUST edit per doc

; ---------------------------------------------------------------------
; SPLUNK - TRANS(TCP) Recommended
; ---------------------------------------------------------------------
;SERVER ip.addr.example TRANS(TCP) MAXMSG(3000) ; You MUST edit per doc

; ---------------------------------------------------------------------
; Uncomment and edit the following TIME statement if desired
; ---------------------------------------------------------------------
; TIME UTC DUR(ISO8601_T) TIMEOFDAY(ISO8601_T) ZONE(TZ)
; ---------------------------------------------------------------------
; Uncomment the following lines if you want a local (on CZAGENT's LPAR)
; copy of the transmitted Syslog messages. See "The LOCAL Statement"
; in "Appendix A: Parameter File Reference" of the CZAGENT Users Manual
; The parameter values shown are defaults and may not be optimal for
; your installation.
; ---------------------------------------------------------------------
; LOCAL DATASET(*) +
; FOLD(133) +
; MOD +
; REOPEN(MIDNIGHT) +
; SPACE(TRK 10 10 0)

Note

CZAPARMS contains various select statements controlled by the configuration switches in $$$CONFG, described in the following section. BMC recommends that you enable selections through the $$$CONFG switches only and avoid modifying CZAPARMS.

Specifying the configuration type

With the PARM file member named $$$CONFG, you can control the SIEM type and other optional record definitions by setting switches.

To enable the SIEM type and other record definitions, uncomment (remove the leading semicolon) the required switches. Ensure that you enable only one SIEM type.

The following code shows the $$$CONFG member:

;**********************************************************************;
;**********************************************************************;
; CZDCONFG: Field configuration member for BMC AMI Defender ;
;**********************************************************************;
;**********************************************************************;

SAY "v6.0.02 Updated 28 February 2020"

;**********************************************************************;
; Do NOT place any statements in this member unless they are acceptable
; BOTH as definition and parameter statements as this member is
; included in both CZDEFINE and CZAPARMS.
;**********************************************************************;

;**********************************************************************;
; Switches for setting the SIEM type. Uncomment ONE and ONLY ONE of the
; following statements
;**********************************************************************;
; SWITCH ON(RFC3164) ; Uncomment for SIEM type RFC 3164
; SWITCH ON(CEF) ; Uncomment for SIEM type CEF
; SWITCH ON(JSON) ; Uncomment for SIEM type JSON
; SWITCH ON(LEEF) ; Uncomment for SIEM type LEEF
; SWITCH ON(Splunk) ; Uncomment for SIEM type Splunk
; SWITCH ON(DAM) ; Uncomment for SIEM type DAM


;**********************************************************************;
; Switches for the inclusion of various optional support
; Uncomment as desired by overtyping column 1 with a blank
;**********************************************************************;
; SWITCH ON(Abend-AID) ; Compuware Abend-AID
; SWITCH ON(Action) ; Action Software EventAction SMF Type 249
; SWITCH ON(App_Audit) ; Compuware Application Audit
; SWITCH ON(ChangeMan) ; Micro Focus ChangeMan
; SWITCH ON(BACKLOG) ; BACKLOG messages
; SWITCH ON(CONSOLE) ; Selected CONSOLE messages
; SWITCH ON(GENERIC) ; For CZALDFIL
; SWITCH ON(IND$FILE) ; API1 IND$FILE
; SWITCH ON(JOBLOG) ; BMC AMI CZAJOBLG - SYSOUT
; SWITCH ON(LSPACE) ; CZALSPAC
; SWITCH ON(MODIFY) ; MODIFY from API1--see manual
; SWITCH ON(BMCAMI) ; BMC AMI-created SMF records
; SWITCH ON(DIAG) ; Diagnostic message display
; SWITCH ON(IFCID002) ; DB2 IFCID 002
; SWITCH ON(IFCID003) ; DB2 IFCID 003
; SWITCH ON(MQ) ; SMF Type 115 and 116 (MQ Series)
; SWITCH ON(RMF) ; RMF: SMF Types 70 through 79
; SWITCH ON(JES) ; JES2/3 SMF types 26, 43, 55-58
; SWITCH ON(TSO) ; SMF 32 and 119
; SWITCH ON(USS) ; SMF 109
; SWITCH ON(CRYPTO) ; SMF 82
; SWITCH ON(SMF113) ; SMF Type 113
; SWITCH ON(SMF30CPU) ; SMF Type 30 CPU reporting
; SWITCH ON(SMF30STO) ; SMF Type 30 Storage reporting
; SWITCH ON(SMF89) ; SMF Type 89
; SWITCH ON(IMSLOG) ; IMS Log Record Events
; SWITCH ON(LOG4J) ; Log4j data from CZALDFIL
; SWITCH ON(VSAM) ; Enable VSAM SMF types 60/62/64
; SWITCH ON(RACF) ; Enable RACF Type 80/81/83
; SWITCH ON(TOPSECRET) ; Enable TopSecret Record types 80/231
; SWITCH ON(ACF2) ; Enable ACF/2 Record data/type 230
; SWITCH ON(OPS) ; Enable Operations Events
; SWITCH ON(FAM) ; Enable File Access Monitoring
; SWITCH ON(ICF) ; Enable Integrated Catalog Facility
; SWITCH ON(DEVICE) ; Enable Device SMF types 8, 9, 11 and 22
; SWITCH ON(DB2) ; Enable DB2 SMF 101, 102 collection
; SWITCH ON(CICS) ; Enable CICS SMF 110 collection
; SWITCH ON(WebSphere) ; Enable WebSphere SMF Type 12
