CZALDFIL parameters
CZALDFIL is a program that sends or loads one or more MVS data sets or z/OS UNIX files into a SIEM console using BMC AMI Defender. For more information, see Using-the-CZALDFIL-program.
CZALDFIL's initial source of parameters is the JCL EXEC statement PARM= operand, or the equivalent data passed from a calling program or script. The parameter may consist of either a LOAD statement, described in this topic, or an INCLUDE-statement referencing a data set or PDS member containing one or more LOAD statements and/or %INCLUDE statements. In the PARM= operand you may separate parameters with either spaces or commas.
CZALDFIL load statement syntax diagram (required parameters; optional parameters)
CZALDFIL load statements option descriptions
You can code the optional parameters in any order.
Parameter | Description
---|---
Load | Must be coded as shown.
COMMent(comment_indicator) | Optional comment indicator. Code a character string of one to eight characters that, if found in the first position (neglecting any LLBB positions) of a data set record, indicates that it is a comment, not a data record to be passed to BMC AMI Defender and the SIEM. The character string comparison is case-sensitive. This parameter is optional; if omitted, all data set records are passed to BMC AMI Defender.
DATASet(dataset\|DD:CZAINFIL) | Input data set using one of the formats listed in Data-set-specification. As it is an input file, * (SYSOUT) is not allowed, nor are the output file variable symbols. There is no default PDS, so a member-only specification is not allowed. If omitted, the parameter defaults to DD:CZAINFIL, that is, the data set or z/OS UNIX file referenced with the DD statement or dynamic allocation named CZAINFIL.
LENgth(PREfix\|REMove) | For RECFM=Vxx data sets only, whether the LLBB field (the first four bytes of each record) is to be passed to BMC AMI Defender or removed. PREfix passes the LLBB field. REMove removes the LLBB field and passes only the data portion of each record to BMC AMI Defender. LENgth is checked for a valid value, but is otherwise ignored for all except RECFM=Vxx data sets. If not specified for RECFM=Vxx data sets, the LLBB field is passed to BMC AMI Defender.
PURGE(Yes\|No) | Action to take if CZALDFIL discovers that the BMC AMI Defender queue is too full to accept a data set record. For more information, see Determining-the-QUEUE64-size. See also the QUEUESLack parameter, later in this topic. PURGE(Yes) specifies that if the queue is full then the oldest records in the queue are to be discarded to make room; PURGE(No) specifies that CZALDFIL is to wait a brief interval (computed to minimize both CPU time and elapsed time) and try again. BMC Defender strongly recommends the use of PURGE(No) as there is usually little benefit in discarding security events to make room for records that are resident on DASD. CZALDFIL logs a diagnostic message if any events are purged (for any reason) during its execution. PURGE is optional; if you omit PURGE then CZALDFIL waits for queue space to become available (subject to WAITQUEUEMax() below) rather than triggering a purge.
QUEUESLack(percent) | Amount of queue space that must be available before CZALDFIL attempts to queue a record; otherwise CZALDFIL waits a brief interval (computed to minimize both CPU time and elapsed time) and tries again. Without queue slack, CZALDFIL might fill the queue completely and almost instantly, causing subsequent real-time events to purge queued records in order to obtain space. For more information, see Determining-the-QUEUE64-size. Specify the percentage, between 0 and 100 percent, that must be free. If you specify too great a percentage, CZALDFIL elapsed time might suffer; if you specify too low a value then real-time security events might be lost unnecessarily. CZALDFIL logs a diagnostic message if events are purged for any reason during its execution. If omitted, the default value is 50 percent.
SEVerity(DEFAULT\|severity) | Syslog severity for the messages formatted from the records. For more information, see Syslog-facilities-and-severities and Determining-the-QUEUE64-size. You can code DEFAULT, which indicates that the severity is to default to the severity specified in the TYPE statement for the event (for more information, see TYPE-and-RETYPE-statements). If you omit SEVerity, it defaults to the severity specified in the TYPE statement for the event.
SUBType(0\|subtype) | BMC AMI Defender subtype for the loaded events. Subtypes can be formatted with the SIEM message (see Event_SubType in the Universal-fields of the FIELDS parameter). You can qualify the formatting of specific fields (see CSubTp() in Condition-specifications). Specify a value between 0 and 32767. If omitted, the value defaults to 0.
TRACE(trace-specifications) | Type of additional diagnostic messages that CZALDFIL outputs in the CZAPRINT data set. TRACE might be useful for diagnosing certain problems. If TRACE is omitted, it defaults to the previous state of TRACE; if TRACE() or TRACE(-ALL) is specified, then all tracing is turned off. Specify zero or more of the trace types (in any order) described in Using-the-TRACE-facility. Prefix any of the specifications with a minus sign ( - ) to indicate negation. The specifications are processed left to right. For instance, TRACE(ALL -XL -ENV) indicates all TRACE output except that related to translation and the operating environment.
WAITQUEUEMax(300\|No\|seconds) | Maximum continuous amount of time that CZALDFIL is to wait if it is unable to queue records (see PURGE and QUEUESLack in this topic), that is, the maximum amount of time without queueing a single record that CZALDFIL permits. Specify the number of seconds between 1 and 86400, or No to indicate no maximum wait time. If omitted, it defaults to 300 seconds (five minutes).
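The following job step is an added example, not taken from the BMC documentation or the product itself, showing how the optional parameters above combine in a single PARM= operand. The program name and the CZAINFIL and CZAPRINT DD names come from this topic; the job card, the STEPLIB library and the input data set name are assumed placeholders that you replace with your installation's values.

```jcl
//LOADFIL  JOB (ACCT),'LOAD AUDIT LOG',CLASS=A,MSGCLASS=X
//* Assumed STEPLIB: replace with the BMC AMI Defender load library
//STEP1    EXEC PGM=CZALDFIL,
//  PARM='LOAD COMMENT(*) LENGTH(REMOVE) PURGE(NO) QUEUESLACK(50)'
//STEPLIB  DD DISP=SHR,DSN=YOUR.DEFENDER.LOADLIB
//* DATASET is omitted, so input defaults to DD:CZAINFIL
//* (assumed data set name below)
//CZAINFIL DD DISP=SHR,DSN=YOUR.AUDIT.LOG
//* TRACE output and diagnostic messages go to CZAPRINT
//CZAPRINT DD SYSOUT=*
```

With this PARM, any record whose first data byte is an asterisk is skipped as a comment (the comparison ignores the LLBB bytes of a RECFM=V record, which LENGTH(REMOVE) strips before the record is queued). PURGE(NO) with QUEUESLACK(50) follows the recommendation in the table: the loader waits for half the queue to be free rather than discarding real-time security events to make room for records that already sit on DASD, and the omitted WAITQUEUEMAX caps that wait at the default 300 seconds.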