MODIFY command

You can use MODIFY (abbreviated as F) to issue commands from the z/OS system console to perform tasks on the BMC AMI Defender address space. For example, you can request configuration or statistical information and display that information or send it as a syslog message. You can also issue commands to the address space.

Each task can support its own command interface and requires a special command format:

F czagentName,taskID,command

The task ID, a 1–8 character value that uniquely identifies each task, is used in the command interface to direct task-specific commands. In the following example, the CZA1196I message indicates that subtasks of the task are started:

  CZA1196I $AGENT task attached: CZAGENT – AMI z/OS Agent
  CZA1009I $PRT AMI z/OS Print Manager task initialization complete.
  CZA1196I VMRACF task attached: CZATSERV – AMI Defender for z/VM RACF
  CZA1196I VMCON task attached: CZATSERV – AMI Defender for z/VM CONSOLE
  CZA1196I VMSECURE task attached: CZATSERV – AMI Defender for z/VM Secure
  CZA1196I $AUTO task attached: CZAECXCF – AMI Defender Alert Automation
  CZA1196I $IPAUTO task attached: CZAIPMGR – AMI Defender Alert Automation TCP/IP Interface

The task manager has its own task identifier:

CZA1009I $MGR BMC AMI Defender task initialization complete.

$AGENT subtask

Commands are directed to the $AGENT subtask if they are issued without a task identifier or issued with a $AGENT task identifier. For example, the following commands are equivalent:

F czagentName,$AGENT,DISPLAY(OPTIONS)
F czagentName,DISPLAY(OPTIONS)

The following sections of this topic describe the various formats of the MODIFY command:

MODIFY command for alert automation

The alert automation feature supports TCP/IP connections to BMC AMI Command Center for Security. You can have up to 255 connections to remote BMC AMI Command Center for Security systems, each with their own subtasks. See all of your connections by using the LIST command:

F czagentName,$IPAUTO,LIST

An example of the output from the LIST command is as follows:

  CZA1008I $IPAUTO task processing LIST command.
  CZA2012I Task Client IP Addr Client Port Start Date/Time        Recv. Ct      Send Ct
  CZA2011I     1 172.28.176.30      64280    07/14/2020 10:45:47       11815            0
  CZA2014I 1 active TCP/IP alert notification connections.

Alert automation supports the following commands and their parameters:

Parameter	Description
czagentName \| taskName	Name of the BMC AMI Defender job or started task specified on the START command or in the JCL For a description of how this name is determined and specified, see "MODIFY command" in the "MVS system commands reference" section on the IBM Knowledge Center website. This parameter is required.
subtask	Name of the subtask You can use one of the following subtasks: For alert automation, $IPAUTO For z/VM subtasks (SPE2010): VMCON VMSECURE VMRACF (Prior to SPE2010, see z/VM connection subtasks.)
LIST	List TCP/IP connections Lists all connections from remote BMC AMI Command Center for Security systems.
STOP ALL \| taskNumber	Stop TCP/IP connections Terminate one or all BMC AMI Command Center for Security connections. For example: F czagentName,$IPAUTO,STOP 1
FORCE ALL \| taskNumber	Force stop TCP/IP connections Force the termination of one or all BMC AMI Command Center for Security connections using an S222-10 abend code. For example: F czagentName,$IPAUTO,FORCE ALL

MODIFY command for BMC AMI Defender for z/OS

MODIFY-zos_6.1.00.png

For information about traceSpecification, see Using-the-TRACE-facility.

Enable a new license

MODIFY_LICENSE_5.9.02.png

CZAGENT for BMC AMI Defender for z/OS

CZAGENT for BMC AMI Defender supports the following display specifications:

Parameter

Description

czagentName | taskName

Defines the name of the BMC AMI Defender job or started task specified on the START command or in the JCL

For a description of how this name is determined and specified, see "MODIFY command" in the "MVS system commands reference" section on the IBM Knowledge Center website.

This parameter is required.

BACKLOG(Send)

(Does not apply to Datastream for Ops)Causes BMC AMI Defender to display message CZA0386 with queue utilization data on the console and in the listing on CZAPRINT

If you specify Send (or S), then a BACKLOG syslog message is transmitted to the BMC Defender Server or another syslog console as a syslog message. For more information about the BACKLOG syslog message, see BACKLOG-statement.

CLOCKmsg

Causes BMC AMI Defender to transmit the Clock message CZA0352I to the SIEM server and display the message on the console and in CZAPRINT

Display(...)

Causes BMC AMI Defender to display the currently active settings for the indicated parameters

The values are displayed on the console (except for Display(APF)) and in CZAPRINT in the following format:

CZA0251I| LOCAL
CZA0251I| DATASET (*)
CZA0251I| FOLD (133)
CZA0251I| NOMOD

DISPLAY specification	Information displayed
APF (Deprecated, see ENRichment)	APF enrichment data set names, as well as the system PROCLIB, system PARMLIB, encryption, and SAF database data set names. For more information, see SMF-record-enrichment. The table is displayed only in CZAPRINT and there is no console output.
COMPILE	BMC AMI Defender compilation information, including ARCH level, optimization, and tuning
CONSOLE(SETS)	(Does not apply to Datastream for Ops)SELECTed CONSOLE SETs, in the order of selection The information displayed includes the set name, the PREFIX (if any), the SEVerity, and the count of matching console messages. For more information, see CONSOLE-statement.
CPUTime	Total CPU time consumed by BMC AMI Defender
ENRichment	Names of the following data sets: APF-authorized System PARMLIB System PROCLOB Encryption SAF database For more information, see SMF-record-enrichment.
EVENTs	SELECT status for each API1 event For each SMF type, its processing class, selection code, and INHIBIT status.
INSTances	Running BMC AMI Defender instances with their instance names (if any) and their job or started task names For more information, see START-command.
LICENSE	Current license information and enables new license keys in a running agent LICENSE has two forms: DISPLAY(LICENSE) command and LICENSE command. Run the F czagent,DISPLAY(LICENSE) command to display the valid licenses and number of days remaining on the license, such as in the following example: Click here to see the example. CZA0014I Processing MODIFY command 'DISPLAY(LICENSE)' CZA0472I AMI Defender for z/OS license expires in 862 days. CZA0472I AMI Defender for Db2 license expires in 862 days. CZA0472I AMI Defender for IMS license expires in 862 days. CZA0472I AMI Defender for Predictive license expires in 862 days. CZA0026I MODIFY processing completed Run the F czagent,LICENSE command to reprocess the licenses or enable a new license, such as in the following example: Click here to see the example. CZA0014I Processing MODIFY command 'LICENSE' CZA0460I AMI Defender for z/OS license verification successful. License expires in 862 days. CZA0460I AMI Defender for Db2 license verification successful. License expires in 862 days. CZA0460I AMI Defender for IMS license verification successful. License expires in 862 days. CZA0460I AMI Defender for Predictive license verification successful. License expires in 862 days. CZA0026I MODIFY processing completed The licenses are validated and processing is adjusted appropriately. License validation automatically occurs at agent startup.
LOCal	Settings related to LOCAL (see LOCAL-statement ), such as the data set name and FOLD, MOD, REOPEN, and SPACE parameters
OPTions	Settings that might be specified on the OPTIONS statement (see OPTIONS-statement ), such as delimiters, framing, and host name options
PARMs	Data set equivalent to LOCAL,OPTIONS,SERVER,TIME
SERVers	Settings related to the syslog server, including any alternatives For more information, see Multiple-syslog-server-support and SERVER-statement.
TIME	Settings related to TIME, such as the date and time formats and time zone For more information, see TIME-statement.
TIMERs	Currently pending internal timers, such as for timeouts, alternative server reversion, and automatic parameter refresh For more information, see TIMEout and ALTRevert in SERVER-statement and REFResh in OPTIONS-statement.

LOCal(REOPen)

Specifies that BMC AMI Defender is to close and reopen the LOCAL syslog data set

Before using this command, consider the effect of the use or absence of system variable symbols in the specified data set name, and the use or absence of MOD.

Example

REOPEN might be meaningless for a data set specified with MOD because additional records simply get appended to the already-open data set. If REOPEN is specified for a local MVS data set without the &HHMMSS. variable symbol in its name and without MOD, BMC AMI Defender overwrites the existing data set and any existing messages are lost.

PARMs
or PARMs(datasetSpecification)

Specifies the data set from which BMC AMI Defender takes new operating parameters

Because the parameter file is an input file, specifiying * (SYSOUT) is invalid and the output variable symbols are not supported. CZAJOBLG processes uppercase, unquoted command operands, so you can specify a zFS file as one of the examples:

F CZAGENT,PARMS('/u/myfiles/czaparms')
F CZAGENT,'PARMS(/u/myfiles/czaparms)'

The default PDS(E) is DD:CZAPARMS, the library specified by the CZAPARMS DD statement.

If you omit this value, it defaults to the last parameter file specified. For example, the data set specified or defaulted to in any preceding MODIFY PARMS or, if none, the data set specified or defaulted to in START PARMS.

For more information about the parameter file, see Parameter-file-statements.

Parameter processing starts over each time you read in a parameter file with MODIFY CZAGENT,PARMS with the exception of OPTIONS TRACE, SUBSYS, and QUEUE. Every parameter assumes its default value except for the three parameters named.

OPTIONS QUEUE and SUBSYS are ignored during MODIFY processing. To change their values, you must stop and restart BMC AMI Defender.

To change the setting of TRACE, you must explicitly specify TRACE. So if BMC AMI Defender is running with a LOCAL data set, FORMAT(ALL), and an SMF 119 statement, and you read in a new parameter file with FORMAT, LOCAL, and SMF 119 omitted, then FORMAT assumes its default value of ERGONOMIC, the LOCAL data set is closed, and no further SMF 119 records are formatted and transmitted.

SET(APF)

Causes BMC AMI Defender to re-initialize the table of APF-authorized data sets

The table is refreshed from the current APF list and the defined LNKLST sets. BMC AMI Defender updates this table automatically in most circumstances, so this command is superfluous unless at least one of the following situations occurs:

You are running a release of z/OS below V2R2.
SMF 90 subtype 37 is not enabled for BMC AMI Defender processing.
You have added non-APF-listed files to the active LNKLST.

For more information, see "Other Limitations" under APF status enrichment in the "SMF record enrichment" topic. Use caution with SET(APF) because it freezes SMF record processing for about one second, depending on the number of APF-authorized data sets and the speed and processor load of your system.

SET(CICS(NEWMCT))

(Does not apply to Datastream for Ops)Requires BMC AMI Defender, for performance reasons, to cache any DFHMCT customization on a per-CICS-applid basis

If you recustomize and stop and start a CICS subsystem, you can force BMC AMI Defender to purge and refresh its CICS DFHMCT customization cache with the command SET(CICS(NEWMCT)).

SET(DB2(STArt))

(Does not apply to Datastream for Ops)Causes BMC AMI Defender to reissue any relevant START TRACE commands for DB2See STArt in the SMF-DB2-statement .

SET(SERVER(RECONnect))

Causes BMC AMI Defender to attempt to reconnect to the active syslog server

This command is valid only if the syslog server is disconnected (due to an error) and using TCP/IP or SSL/TLS transport. This command would be suitable for use when a previously disconnected communication link is restored.

SET(SERVER(USEALT(number)))

SET(SERVER(USEPRImary))

(Does not apply to Datastream for Ops)Causes BMC AMI Defender to change the active syslog server to the primary or the specified alternate

For more information, see Multiple-syslog-server-support.

USEPRIMary and USEALT(0) are equivalent.

STATs

STATs(RESET,Send)

Causes BMC AMI Defender to display message CZA0215I with counts of SMF records processed and similar statistics on the console and in the listing on CZAPRINT

In addition, counts by SMF record subtype are displayed only in the CZAPRINT listing. If RESET is specified, then the various statistical counters are reset to zero after being displayed. If Send is specified, then the statistics (not including the subtype counts) are also transmitted to the BMC Defender Server or another syslog console as syslog messages. Send can be abbreviated as S. For more information about various statistics except the subtypes, see Counters. See Messages CZA0300 through CZA0399 for information about the subtype statistics in messages CZA0323I through CZA0327I.

TRACE (traceSpecification)

Tells BMC AMI Defender to use one or more trace types (in any order) or no trace type, as described in Using-the-TRACE-facility

TRACE can be useful for diagnosing certain problems. Diagnostic messages of the specified type are output to the CZAPRINT data set. If TRACE is completely omitted or specified as TRACE(), it defaults to the previous state of TRACE. If TRACE(-ALL) is specified, all tracing is turned off.

Prefix any of the trace specifications with a minus sign (-) to indicate negation. The specifications are processed from left to right. In the following example, the statement indicates that all TRACE output is used except that related to translation and the operating environment:

TRACE(ALL -XL -ENV)

After processing TRACE, BMC AMI Defender displays the trace specifications that are in effect. To display the current trace specifications only, enter the following statement:

F CZAGENT,TRACE()

For more information about TRACE, see TRACE-facility-syntax.

MODIFY command for BMC AMI Defender for Db2

MODIFY_DAM_5.9.02.png

For information about additional MODIFY operands, see the following topics:

CZAGENT for BMC AMI Defender for Db2

CZAGENT for BMC AMI Defender for Db2 supports the following display specifications:

Parameter	Description
czagentName \| taskName	Defines the name of the BMC AMI Defender for z/OS job or started task, as specified on the START command or in the JCL For a description of how this name is determined and specified, see "MODIFY command" in the "MVS system commands reference" section on the IBM Knowledge Center website. This parameter is required.
Display(...)	Causes BMC AMI Defender for z/OS to display the currently active settings for the indicated parameters
Display(DAM(SESSions))	Causes BMC AMI Defender for z/OS to display a summary list of all active DAM sessions The sessions are displayed in session-unique order. The first 20 or fewer sessions are displayed on the console and in CZAPRINT. Any sessions beyond 20 are displayed only in CZAPRINT. The display has the following format: CZA0360I 3 active DAM sessions CZA0361I Session-Unique SSID User ID Logon Activity Conn Stmts CZA0362I ---------------- ---- -------- -------- -------- ------ ----- CZA0363I 01e68ccb6d5bd88f DB1T DB1TADMT 19:08:41 19:08:42 LOCAL 4 CZA0363I 0ae29e057e4acc85 DB1T RU018P 19:08:50 19:08:51 LOCAL 131 CZA0363I 79e39263f13b171a DB1T RU018P 19:08:43 19:08:47 LOCAL 143
Display(DAM(SESSions(id)))	Displays details for the specified session ID. Enter one or more leading hex digits of a session-unique from the summary session display (or the DAM console) You must enter enough hex digits to uniquely identify the session. Example Given sessions are shown in DAM(SESSions). You can specify D(DAM(SESS(7))) because only one session-unique begins with 7, but you can not specify D(DAM(SESS(0))) because more than one session-unique begins with 0. You can specify D(DAM(SESS(01))) or D(DAM(SESS(0A))). Always specify as many additional digits of the session-unique as you want. For example, D(DAM(SESS(01E6))) and D(DAM(SESS(79E39263F13B171A))) are both valid. You can specify alphabetic hex characters in any mix of upper and lower case. For example, 79E and 79e are both valid. The detail display has the format as follows: CZA0251I SESSION 79e39263f13b171a CZA0251I Activity 2017-07-04T14:29:04.891-0400 CZA0251I Collid CZA0251I Connection LOCAL CZA0251I Date 2017-07-04T14:29:04.920-0400 (1499192944920) CZA0251I Facility BATCH CZA0251I Job name RU018PR -BATCH CZA0251I Location NA01DB1T CZA0251I Logon time 2017-07-04T14:28:50.506-0400 (1499192930506) CZA0251I Package CZA0251I Plan CZA0251I Program CZA0251I Remote txn CZA0251I SQLID RU018P CZA0251I SSID DB1T CZA0251I Stmt-cmd CZA0251I Stmts 565 CZA0251I System SYSC CZA0251I Trans-tok 15179512282545455104 CZA0251I Userid RU018P CZA0251I Worksta'n BATCH

MODIFY command for JOBLOG

(SPE2101)

You can use the JOBLOG feature to modify JOBLOG statement processing.

F czagentName,$JOBLOG, LIST | DIS
F czagentName,$JOBLOG, DEL(joblog_name)
F czagentName,$JOBLOG, JOBDELAY(1 - 600)

JOBLOG supports the following commands and their parameters:

Parameter	Description
czagentName \| taskName	Defines the name of the BMC AMI Defender job or started task specified on the START command or in the JCL For a description of how this name is determined and specified, see "MODIFY command" in the "MVS system commands reference" section on the IBM Knowledge Center website. This parameter is required.
DEL(joblogName)	Deletes the specified job Use DEL to remove jobs you don't want to process. The value for joblogName must be unique between multiple JOBLOG statements. DEL deletes the specified JOBLOG statement and terminates any associated JES SYSOUT capture.
JOBDELAY(numberOfSeconds)	Indicates the JES SYSOUT scan interval Enter a number from 1 to 600 to specify the number of seconds between scans for active jobs that meet the selection criteria in the JOBLOG statement. If you omit JOBDELAY, the default is the lowest value for the JOBDELAY parameter in the JOBLOG statement. If there is more than one JOBLOG statement, the lowest value in all the statements is used.
LIST \| DIS	Displays active JOBLOG scans Lists the active JOBLOG statements and any active JES SYSOUT capture processes. Both LIST and DIS (Display) are acceptable values.

MODIFY command for the print manager

(SPE2201)

The print manager function forces the current CZAZOSLG output log to close and then reopen.

F czagentName,$PRT SPIN

This command is of particular interest when you specify the LOGFREE=EOJ parameter setting in the startup JCL. The parameter setting causes the CZAZOSLG output log to remain open for the duration of the agent address space, which might cause an excessive amount of output data and JES spool space shortages. The command closes the current CZAZOSLG log output file so that it can be archived and removed from the JES spool.

MODIFY command for REXX manager

(SPE2010)

The REXX manager feature supports a multitasking REXX environment. Use this command to monitor REXX manager and reload modified REXX execs.

F czagentName,$REXX,RELOAD
F czagentName,$REXX,LIST

REXX manager supports the following commands and their parameters:

Parameter	Description
czagentName \| taskName	Defines the name of the BMC AMI Defender job or started task specified on the START command or in the JCL For a description of how this name is determined and specified, see "MODIFY command" in the "MVS system commands reference" section on the IBM Knowledge Center website. This parameter is required.
RELOAD	Reloads the REXX execs located in amihlq.CZAGENT.EXEC in the SYSEXEC DD of the BMC AMI Defender job or started task For changes made to the REXX execs in the exec data set to take effect, you must reload them.
LIST	(SPE2101) Displays the status of the REXX manager Provides a detailed list of the status of REXX manager including: Time that the REXX EXECs were last loaded Number of automated alert threads and their timeout value Total number of automated alerts that haven't been executed, pending a THREAD becoming available Total number of automated alerts that have been executed so far by BMC AMI Defender An example of the output for the LIST command is as follows: CZA1008I $REXX task processing LIST command. CZA1300I The current REXX EXECs were last loaded on 12/02/2020 11:08:06 CZA1301I There are 1 Automated Alert Threads, with Timeout 0 specified CZA1302I A total of 0 Automated Alerts are queued up waiting to execute CZA1303I A total of 15 Automated Alerts have been processed CZA1019I $REXX command processing complete.

MODIFY command for SYSPLEX manager

(SPE2010)

The SYSPLEX manager feature supports XCF communication between BMC AMI Defender address spaces.

F czagentName,$PLEX,LIST

An example of the output from the LIST command is as follows:

System Name Job Name Member Name       ASID Last Update Time     Status    Sent   Rcvd
SYS1         AMICZA1   STC00001SYS1      0100 09/25/2020 18:20:49 Active    0      0
SYS2         AMICZA2   STC00005SYS2      0100 09/25/2020 18:21:02 Active

Output from the LIST command provides details on the number of alerts sent and received by the listed servers:

Sent, lists the number of alerts sent from the server to the specified group member.
Rcvd, lists the number of alerts received by the server from the specified group member.

In the above example, the agent AMICZA2 has sent 0 number of alerts to the AMICZA1 agent and received 0 number of alerts from the AMICZA1 agent.

SYSPLEX manager supports the following commands and their parameters:

Parameter	Description
czagentName \| taskName	Defines the name of the BMC AMI Defender job or started task specified on the START command or in the JCL For a description of how this name is determined and specified, see "MODIFY command" in the "MVS system commands reference" section on the IBM Knowledge Center website. This parameter is required.
LIST	Lists the BMC AMI Defender servers in your XCF group

MODIFY command for System Integrity Violation (SIV) scanner

(SPE2101)

The SIV scanner checks your system and identifies settings that might be vulnerable to attack. Use the MODIFY command to force an SIV scan on a particular system resource:

F czagentName,$ZINTEG,SCAN

For information about SIV scanner, see Using-the-System-Integrity-Violation-scanner.

SIV scanner supports the following commands and their parameters:

Parameter	Description
czagentName \| taskName	Defines the name of the BMC AMI Defender job or started task specified on the START command or in the JCL For a description of how this name is determined and specified, see "MODIFY command" in the "MVS system commands reference" section on the IBM Knowledge Center website. This parameter is required.
SCAN	Forces a scan on the specified job or started task

MODIFY command for the task manager

To issue console commands, use a standard z/OS modify command with a subtask modifier. If you are unsure about the tasks or their task identifiers, you can request a task list from the task manager:

F czagentName,$MGR,LIST ALL

An example of the output from the LIST ALL command is as follows:

CZA1008I $MGR task processing LIST command.
CZA1012I Task ID TCB      START Date/Time     END Date/Time       Description
CZA1011I $MGR     006EE588 11/03/2021 09:18:46 --- Active Task --- AMI z/OS Task Manager
CZA1011I $IPAUTO 006B67B8 11/03/2021 09:19:22 --- Active Task --- Alert Automation TCP/IP Interface
CZA1011I $REXX    006B6A60 11/03/2021 09:19:22 --- Active Task --- Alert Automation REXX Manager
CZA1011I $AUTO    006B6D90 11/03/2021 09:19:22 --- Active Task --- Alert Automation
CZA1011I VMSECURE 006C6138 11/03/2021 09:19:22 --- Active Task --- AMI Defender for z/VM Secure
CZA1011I VMCON    006C63E0 11/03/2021 09:19:22 --- Active Task --- AMI Defender for z/VM CONSOLE
CZA1011I VMRACF   006C6BB8 11/03/2021 09:19:22 --- Active Task --- AMI Defender for z/VM RACF
CZA1011I $EMCS    006CA0C0 11/03/2021 09:19:22 --- Active Task --- E/MCS Console
CZA1011I $AGENT   006CA430 11/03/2021 09:18:47 --- Active Task --- AMI z/OS Agent
CZA1011I $PRT     006E58B8 11/03/2021 09:18:46 --- Active Task --- Print Manager
CZA1014I 10 tasks found matching selection criteria (active or inactive).

The task manager supports the following commands and their parameters:

Parameter	Description
czagentName \| taskName	Defines the name of the BMC AMI Defender job or started task specified on the START command or in the JCL For a description of how this name is determined and specified, see "MODIFY command" in the "MVS system commands reference" section on the IBM Knowledge Center website. This parameter is required.
LIST ALL \| ACTIVE \| INACTIVE	Lists the tasks running in the address space: LIST ALL shows all active and inactive (terminated) subtasks LIST ACTIVE shows only active subtasks LIST INACTIVE shows only inactive subtasks If no value is specified, the default is ALL.
RETRY taskID	Restart an inactive subtask Include the task identifier of the subtask that you want to restart. For example: F czagentName,$MGR,RETRY $IPAUTO
STOP taskID	Terminate an active subtask Include the task identifier of the active subtask that you want to terminate. For example: F czagentName,$MGR,STOP $IPAUTO The standard task termination Event Control Block (ECB) is posted for normal task termination.
ABEND taskID	Terminate an active subtask with abend Include the task identifier of the active subtask that you want to terminate by abend. For example: F czagentName,$MGR,ABEND $IPAUTO The subtask is abended with an S222-10 abend code, forcing termination.

MODIFY command for z/VM connection subtasks (VMSECURE, VMCON, and VMRACF)

You can direct z/VM connection subtask commands (task identifiers VMSECURE, VMCON, and VMRACF) to these tasks:

F czagentName,VMSECURE command

F czagentName,VMCON command

F czagentName,VMRACF command

For more information, see BMC AMI Defender TCP/IP Receiver command and syntax reference.

(SPE2104)

MODIFY_VMSECURE_VMCON_VMRACF_spe2104

Displays the processing parameters for the specified active VM Receiver.

F czagentName,VMSECURE PARMS
F czagentName,VMCON PARMS
F czagentName,VMRACF PARMS