Limited support

BMC provides limited support for this version of the product. As a result, BMC no longer accepts comments in this space. If you encounter problems with the product version or the space, contact BMC Support. BMC recommends upgrading to the latest version of the product. To see documentation for that version, see BMC AMI Datastream for z/OS 7.1.

OPTIONS statement


You can use the parameters of the OPTIONS statement to specify miscellaneous options for BMC AMI Defender and CZASEND. CZASEND honors the parameters of the OPTIONS statement except as indicated for certain individual parameters. 

The OPTIONS statement is in the $$$SERVR member.

Important

You can modify the $$$SERVR member in the amihlq.CZAGENT.PARM data set.

For information about for and/or if, see FOR-and-IF-statements.

For information about traceSpecification, see Using-the-TRACE-facility.

If you include more than one OPTIONS statement, or if your OPTIONS statements are qualified with FOR (more than one OPTIONS statement that applies to a particular LPAR), then the effect is cumulative.

Example

If you code the following syntax:

OPTIONS FORMAT(ALL) HOST(CPUID) TAGCASE(LOWER)
OPTIONS TIMESTAMP HOST(SMFID)

then the effect is exactly as if you had coded:

OPTIONS FORMAT(ALL) TAGCASE(LOWER) TIMESTAMP HOST(SMFID)

OPTIONS statement parameters

The following parameters can be included in the OPTIONS statement:

Parameter

Description

BOOLValues(trueValue falseValue)

Values to be used for true and false for Boolean (yes and no, or true and false) fields

For trueValue and falseValue, enter either the keyword OMIT (upper or lower case, without quotation marks) or a character string of zero to eight characters enclosed in single quotation marks.

Example

  • If you omit BOOLValues, the default is Yes OMIT, which means that Boolean fields that evaluate as true are formatted as tag: Yes – and Boolean fields that evaluate as false are omitted. (Boolean field omission is controlled entirely by BOOLValues Omit; OPTions FORMat has no effect on Boolean fields.)
  • A zero-length character string differs in meaning from OMIT in that, for instance, a field that evaluates as false is formatted as Tag: - with a zero length character string value, and omitted if OMIT is specified. See the description of SIEMtype for its effect on BOOLValues.

CLOCKMsg(AT(MIDNight)|COMMand|EVERY(minutes))

Specifies whether BMC AMI Defender sends message CZA0352I to the SIEM console and at what interval

Message CZA0352I is intended to facilitate compliance with ISO 27000 (and similar standards). Make sure that the clocks of all relevant information processing systems at your organization are synchronized to an official or industry best practice source.

The message shows the clock setting of the z/OS system. The options in the message have the following meanings:

  • AT(MIDNight) specifies that the message should be sent every midnight local time.
  • COMMand specifies that the message should be sent only manually with the MODIFY CLOCK command. For more information, see MODIFY-command.
  • EVERY(minutes) specifies that the message should be sent every specified number of minutes between 5 and 1440 (24 hours).

If you omit this parameter, the default MIDNight is used.

DATAVALidate

Performs field data validation

If you specify DATAVALidate, then all field values are checked for valid characters, and invalid characters are diagnosed with message CZA0367W. DATAVALidate is intended primarily for testing new field definitions or diagnosing field definition problems. Do not use DATAVALidate routinely in production as it increases CPU utilization unnecessarily.

If you omit DATAVALidate, no data validation is performed.

DELIMit('lead' 'trail' 'innerLead' 'innerTrail' 'groupLead' 'groupTrail' NOFINal|FINal)

Indicates the characters used to separate text strings in each syslog record

Specify zero to eight characters, enclosed in single quotation marks, for the six delimiter operands:

  • lead specifies the characters that should appear between the tag and the field value. 
  • trail specifies the characters that should appear between each field and the following tag. 
  • innerLead specifies the characters that should appear between the tag and the field value for inner fields grouped within an outer field.
  • innerTrail specifies the trailing characters for each inner field. 
  • groupLead specifies the bracket characters that should precede a group of inner fields to enclose them.
  • groupTrail specifies the bracket characters that should trail a group of inner fields to enclose them.

Use one of the following operands to indicate how to finalize the text strings for the particular syslog message:

  • NOFINal specifies that no delimiter should appear after the last field in the record.
  • FINal specifies that the trail delimiter should appear after the last field in the record.

Specifying NOFINal or omitting the DELIMit parameter altogether might produce a more esthetic display.

Specifying FINal might facilitate automated parsing of syslog messages.

Example

With the following values:

DELIMIT(':' '–' '=' ';' '[' ']' NOFINAL)

a hypothetical portion of a syslog record might appear as follows:

LU: NA01DABH – SQL: [Create Synonym=5; Create Store Group=5] – RMID: 26

For information about the effect of SIEMtype parameters on DELIMit, see the SIEMtype extension table.

If you omit this parameter, the default ':' '–' ':' '–' '{' '}' NOFINAL is used.
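A receiver-side parser for the tag and value layout that DELIMit describes, run over the sample record shown above. This is an added example, not BMC code: the function names are made up, and it assumes non-empty delimiters, groups that do not nest, and that white space around delimiters is not significant.

```python
def _split_top_level(text, sep, group_open, group_close):
    """Split text on sep, ignoring separators that sit inside a bracketed group."""
    parts, depth, start, i = [], 0, 0, 0
    while i < len(text):
        if text.startswith(group_open, i):
            depth += 1
            i += len(group_open)
        elif depth and text.startswith(group_close, i):
            depth -= 1
            i += len(group_close)
        elif depth == 0 and text.startswith(sep, i):
            parts.append(text[start:i])
            i += len(sep)
            start = i
        else:
            i += 1
    parts.append(text[start:])
    return parts


def parse_fields(text, lead, trail, inner_lead, inner_trail,
                 group_lead, group_trail, final=False):
    """Parse one formatted record into an ordered list of (tag, value) pairs.

    A group value becomes a list of (tag, value) pairs itself. Pairs are kept
    in a list, not a dict, because repeating fields share one tag name unless
    UNIQUETAG is in effect.
    """
    delimiters = (lead, trail, inner_lead, inner_trail, group_lead, group_trail)
    if not all(delimiters):
        raise ValueError("this example handles non-empty delimiters only")
    text = text.strip()
    if final:
        # With FINal the record must end with the trail delimiter, so a record
        # that was cut short in transit is detected instead of half-parsed.
        if not text.endswith(trail):
            raise ValueError("record does not end with the trail delimiter")
        text = text[:-len(trail)]
    fields = []
    for chunk in _split_top_level(text, trail, group_lead, group_trail):
        tag, found, value = chunk.partition(lead)
        if not found:
            raise ValueError(f"no lead delimiter in field {chunk.strip()!r}")
        tag, value = tag.strip(), value.strip()
        if value.startswith(group_lead) and value.endswith(group_trail):
            inner = value[len(group_lead):-len(group_trail)]
            group = []
            for item in inner.split(inner_trail):
                if not item.strip():
                    continue
                key, found, val = item.partition(inner_lead)
                if not found:
                    raise ValueError(f"no inner lead delimiter in {item.strip()!r}")
                group.append((key.strip(), val.strip()))
            fields.append((tag, group))
        else:
            fields.append((tag, value))
    return fields


# The sample record from this page, for DELIMIT(':' '–' '=' ';' '[' ']' NOFINAL).
PAGE_SAMPLE = "LU: NA01DABH – SQL: [Create Synonym=5; Create Store Group=5] – RMID: 26"
# Constructed by analogy for the default delimiters; not captured product output.
DEFAULT_SAMPLE = "LU: NA01DABH – SQL: {Create Synonym: 5 – Create Store Group: 5} – RMID: 26"

if __name__ == "__main__":
    print(parse_fields(PAGE_SAMPLE, ":", "–", "=", ";", "[", "]"))
    print(parse_fields(DEFAULT_SAMPLE, ":", "–", ":", "–", "{", "}"))
```

A value that itself contains the lead or trail characters is split in the wrong place by any parser of this layout, so choose delimiters that cannot occur in the field data.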

FORMat(format)

Specifies whether fields that are zero or blank are to be formatted as part of syslog messages and if so, what string (if any) is to be used to indicate all-blank fields

If FORMAT(ERGO) is specified or allowed to default, then fields with a value of zero or all blanks are omitted from messages sent to the syslog console. Group fields are omitted when all of the subsidiary fields are suppressed (blank or zero). If FORMAT(ALL) is specified, then fields with a value of zero are formatted as Tag: 0 -. Fields with a value of blank are formatted as Tag: blank-indicator – where the value of blank-indicator is determined by the operand following ALL: if NONE is specified or allowed to default then the blank indicator is the word None; if NULL is specified then the blank indicator is the null string (Tag: -); if a value in quotes is specified then the specified value is used. The quoted value might be from zero to 20 characters in length.

Important

FORMat has no effect on Boolean fields. For more information, see the BOOLValues description earlier in this topic.

FRAMing(framingOptions)

For TCP/IP transport only, how individual messages are to be delimited or framed within the TCP/IP datastream

Specify one of CR (carriage return, X’0D’), LF (linefeed, X’0A’), CRLF (carriage return plus linefeed, X’0D0A’), Null (null, X’00’) or Octetcount. Make sure that whatever framing option you specify is supported by your syslog console. BMC Defender believes that octet counting is superior to the use of delimiter characters and recommends its use whenever possible. Octet counting should always be used for SyslogDefender connections. If you do not specify FRAMing it defaults to LF (linefeed). See the description of SIEMtype for its effect on FRAMing.
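The difference between delimiter framing and octet counting, seen from the receiving side. This is an added example, not BMC code: the function names and sample records are constructed, and the octet-count layout (decimal length, one space, then the message, as in RFC 6587) is an assumption about what Octetcount produces.

```python
# Delimiter bytes for the four trailer-style FRAMing options named above.
DELIMITERS = {"CR": b"\r", "LF": b"\n", "CRLF": b"\r\n", "NULL": b"\x00"}


class FramingError(ValueError):
    """The byte stream does not match the configured framing."""


def frame(message: bytes, framing: str) -> bytes:
    """Sender side: wrap one message in the chosen framing."""
    framing = framing.upper()
    if framing == "OCTETCOUNT":
        return str(len(message)).encode("ascii") + b" " + message
    return message + DELIMITERS[framing]


def deframe(stream: bytes, framing: str, max_len: int = 32768):
    """Receiver side: split buffered TCP bytes into messages.

    Returns (messages, leftover). leftover is an incomplete trailing frame
    that the caller keeps until more bytes arrive. max_len is a receiver-side
    cap chosen for this example.
    """
    framing = framing.upper()
    if framing in DELIMITERS:
        parts = stream.split(DELIMITERS[framing])
        leftover = parts.pop()              # bytes after the last delimiter
        for part in parts:
            if len(part) > max_len:
                raise FramingError("message exceeds max_len")
        return parts, leftover
    if framing != "OCTETCOUNT":
        raise ValueError(f"unknown framing option: {framing}")

    messages, pos = [], 0
    max_digits = len(str(max_len))
    while pos < len(stream):
        space = stream.find(b" ", pos, pos + max_digits + 1)
        if space == -1:
            tail = stream[pos:]
            if len(tail) <= max_digits and tail.isdigit():
                break                       # length prefix not complete yet
            raise FramingError(f"no length prefix at offset {pos}")
        digits = stream[pos:space]
        if not digits.isdigit() or digits[:1] == b"0":
            raise FramingError(f"bad length prefix {digits!r} at offset {pos}")
        length = int(digits)
        if length > max_len:
            raise FramingError("declared length exceeds max_len")
        end = space + 1 + length
        if end > len(stream):
            break                           # message body not complete yet
        messages.append(stream[space + 1:end])
        pos = end
    return messages, stream[pos:]


# Constructed sample records (not product output). The second one carries a
# line feed inside a field value.
RECORDS = [
    b"<134>LPAR1 Internal: JobNm: MYJOB - RC: 0",
    b"<134>LPAR1 Internal: Note: line one\nline two - RC: 0",
]


def roundtrip(framing: str):
    """Frame both sample records, concatenate them, and deframe the result."""
    stream = b"".join(frame(record, framing) for record in RECORDS)
    return deframe(stream, framing)


if __name__ == "__main__":
    for option in ("LF", "NULL", "OCTETCOUNT"):
        messages, leftover = roundtrip(option)
        print(option, len(messages), "messages, leftover", leftover)
```

With LF framing the two records arrive as three messages, the last of which has no priority or host name of its own; with octet counting the record boundaries survive whatever bytes the field values contain.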

HEADer(hostName)

BMC AMI Defender and CZASEND begin each syslog message with a proprietary header indicating the actual origin of the syslog message (as opposed to the device that forwarded the message to BMC AMI Defender)

Use this parameter only if the ultimate destination of the syslog messages is BMC AMI Command Center for Security or BMC Defender SIEM Correlation Server (as opposed to some other syslog collector) and there is some intermediate node between the LPAR and BMC AMI Defender such as a load balancer, tunnel, or proxy. Code CPUID, IPV4, IPV6, HOSTNAME, JESNODE, LPARNAME, NONE, SMFID, or SYSNAME to indicate the CPU ID (serial number), the IPv4 dotted address, the IPv6 colon-formatted address, the TCP/IP host name, the JES node name, the LPAR name, no host name, or the system name (&SYSNAME as defined in the IEASYSxx or IEASYMxx parmlib member) respectively, or code a literal character string enclosed in single or double quotation marks. The character literal might not contain embedded blanks and must not exceed 100 characters in length. Do not code LPARNAME if you are not running in logical partition mode. If you omit HEADer, no header is inserted. See the description of SIEMtype for its effect on HEADer.

HOSTname(hostName)

How the origin (hostName) of syslog records generated by zDefender or CZASEND is to be identified

Code CPUID, IPV4, IPV6, HOSTNAME, JESNODE, LPARNAME, NONE, SMFID, or SYSNAME to indicate the CPU ID (serial number), the IPv4 dotted address, the IPv6 colon-formatted address, the TCP/IP host name, the JES node name, the LPAR name, no host name, or the system name (&SYSNAME as defined in the IEASYSxx or IEASYMxx parmlib member) respectively, or code a literal character string enclosed in single or double quotation marks. The character literal might not contain embedded blanks and must not exceed 1 characters in length. Do not code LPARNAME if you are not running in logical partition mode. If you omit HOSTNAME, the TCP/IP host name of the LPAR is used. See the description of SIEMtype for its effect on HOSTname.

INSTName(name)

Optional name for the running instance of BMC AMI Defender (for more information, see START-command)

Specify a name of one to sixteen characters; the first character might not be numeric. The name might not be quoted; that is, the name might not contain blanks or parentheses nor begin with a quotation character. The name does not affect the operation of BMC AMI Defender, but identifies BMC AMI Defender in the DISPLAY(INSTances) output (see MODIFY-command) and might be used by API programs (see Using-the-API) to identify BMC AMI Defender. The name is displayed in the case you specify but name comparisons are case-insensitive (like a Windows filename). Any name you specify must not be a duplicate of the name of another BMC AMI Defender running in the same LPAR.

If you omit this parameter the name of the CZAPARMS member is used. If that name is a duplicate of an already-running BMC AMI Defender instance, it is ignored. The BMC AMI Defender instance is unnamed and might not be accessible by some API programs. The instance number and instance name are available as SIEM syslog message fields. For more information, see Universal-fields.

INTFormat(CANONical|SCALEd CANONical|SCALEd)

Format in which integers are to be formatted

The two formats are canonical (CANONical – regular numbers) and scaled for better readability (SCALEd).

Example

With INTF(CANON) a value of 3,456,789 would be formatted as 3456789; with INTF(SCALE), it would be formatted as 3.46M. K, M, G, T, and P are used to represent kilo-, mega-, giga-, tera- and peta- respectively. The prefixes follow the International System of Units; kilo- means 1000, not 1024; mega- means 1000000, not 1024000 or 1048576, and so forth.

The first operand of INTFormat specifies how event (SMF and API record) integer fields are to be formatted and the second operand specifies how counters (see ) are to be formatted in SIEM messages. Certain event integer fields that represent codes or similar data always appear in canonical format, and counters always appear in scaled format on the console and in CZAPRINT.

See the description of SIEMtype for its effect on INTFormat.

If you omit this parameter, the default SCALEd SCALEd is used.

If you include this parameter but specify only the first operand, the value of the first operand is used for the second operand. For example, INTF(CANON) becomes INTF(CANON CANON). 

LOGSTReam(+ifasmf.lgstream.logr1 + ... +ifasmf.lgstream.logr32 +)

Name of up to 32 SMF log streams to read and collect SMF records that are generated as part of the IPL process before BMC AMI Defender starts

The agent address space reads the specified SMF log streams and scans for the following SMF records:

  • SMF 00—IPL 
  • SMF 08—I/O Configuration
  • SMF 22—Device Configuration
  • SMF 43—JES2 and JES3 Start
  • SMF 81—RACF Initialization
  • SMF 119—TCP/IP Initialization (subtype 8)

The SMF log stream or log streams that contain these records are in your SYS1.PARMLIB(SMFPRMxx) member. Contact your system administrator for this information.

NOAPFENRich

Suppresses APF-status enrichment (for more information, see APF status enrichment in SMF-record-enrichment)

APF-authorization status enrichment fields are treated as missing (see Missing Fields).

If you omit NOAPFENRich, APF status enrichment is enabled.

NOENCRYPTENRich

Suppresses encryption data set status enrichment (for more information, see Encryption enrichment status in SMF-record-enrichment)

Encryption data set status enrichment fields are treated as missing (see Missing Fields).

If you omit NOENCRYPTENRich, encryption data set status enrichment is enabled.

NOEXITs

The z/OS installation exit that monitors z/OS system exits IEFU83, IEFU84 and IEFU85 is not to be installed (see Overview)

Specifying NOEXITs prevents the agent from receiving any SMF records from z/OS. Generally, this parameter should only be used as directed by BMC Support.

NONCANcelable

Sets server to be noncancelable

If you specify NONCANcelable, then the BMC AMI Defender server address space cannot be canceled. A Force command is still allowed.

If you omit NONCANcelable, the BMC AMI Defender server address space can be canceled.

NOSAFENRich

Suppresses SAF data set status enrichment (for more information, see APF status enrichment in SMF-record-enrichment)

SAF data set status enrichment fields are treated as missing (see Missing Fields).

If you omit NOSAFENRich, SAF status enrichment is enabled.

NOSIVSCANNER|SIVSCANNER

(SPE2101)

Specifies whether or not to start the System Integrity Violation (SIV) scanner

The SIV scanner identifies data sets and system settings that might be vulnerable to an outside attack. It scans for:

  • Sensitive data sets, such as APF, Linklist, Parmlib, and Proclib
  • Security settings for data access subsystems, such as MQ, DB2, IMS, and CICS

For more information, see Using-the-System-Integrity-Violation-scanner.

If you omit this parameter, the default NOSIVSCANNER is used.

NOSYSLIBENRich

Suppresses system data set status enrichment (for more information, see System library enrichment status in SMF-record-enrichment)

System data set status enrichment fields are treated as missing (see Missing Fields).

If you omit NOSYSLIBENRich, system data set status enrichment is enabled.

NOTCPWait

In the event that BMC AMI Defender determines that the default, only, or specified (with TCPNAME) TCP/IP stack is not active, BMC AMI Defender does not wait for it to become active

NOTCPWAIT is ignored by CZASEND (which never waits for the TCP/IP stack; if the TCP/IP stack is not active, CZASEND always terminates). If BMC AMI Defender is waiting for TCP/IP to become active it might be terminated with the STOP console command.

NOTIMESTamp|TIMESTamp

Indicates whether Syslog records include a timestamp in accordance with the RFC 3164 specification

See the description of SIEMtype for its effect on TIMESTamp.

If you omit this parameter, the default NOTIMESTAMP is used and the generated syslog records do not include a timestamp.

NOUNIQUETAG|UNIQUETAG
(SPE2201)

Specifies whether unique tags are used for repeating fields. The initial tag matches the DEF (Definition) tag name. Tags for any repeating fields are appended with -#. For example:

  • tagname
  • tagname-2
  • tagname-3

UNIQUETAG is valid only for SIEMtype extensions ADELog, JSON, and SPLunk. All other extensions are ignored.

If you omit this parameter, the default NOUNIQUETAG is used and all repeating fields have the same tag name.

NOUSSENRICH|USSENRICH

(SPE2107)

Specifies whether to collect information on z/OS Unix System Services (USS) superuser privileges for SMF records written by address spaces on the system

To enable this parameter, first switch on the USSENRICH option in the $$$CONFG member. For more information, see "Specifying the configuration type" in Customizing-for-a-proprietary-syslog-extension.

Important

Using this parameter incurs a significant amount of overhead because multiple USS and SAF security system (RACF, ACF2, and TopSecret) calls are required in order to obtain the data.

If you omit this parameter, the default NOUSSENRICH is used.

PRIority|NOPRIority

Specifies whether the message severity value that is assigned by the user is passed to the SIEM

SIEMtype(CEF) requires and defaults to PRIority.

PROCess('processTag')

Identifies the tag that appears at the start of general syslog messages issued by BMC AMI Defender to indicate its own status, following the priority, time stamp and host name, and preceding the formatted fields

Specify the exact process tag that you want to include in syslog messages including any spaces and punctuation. The process tag can be any length from the null string (‘’) to 32 characters.

CZASEND always uses the process tag CZASEND followed by the leading delimiter from the DELIMit parameter. It is not possible to change CZASEND’s process tag.

If you omit this parameter, the default is Internal followed by the leading delimiter from the DELIMit parameter.

For more information about the Internal process tag, see Syslog-internal-messages.

QUEUE64/Q64(size)

Number of megabytes (MB) allocated to store the captured SMF data

QUEUE64(1) is 1MB or 1,048,576 bytes. This queue is allocated in above-the-bar (64-bit) storage. 

For information about determining an optimal value for QUEUE64, see Determining-the-QUEUE64-size. If you omit QUEUE64, it defaults to QUEUE64(1024) or 1,073,741,824 bytes.

QUEUE()

Deprecated

It is scanned for valid syntax, and a diagnostic message is issued, but QUEUE is otherwise ignored and has no effect on BMC AMI Defender operation.

REFResh(AT(MIDNight)|COMMand|EVERY(minutes))

Specifies whether BMC AMI Defender should automatically refresh (reread and process) the parameter file

A parameter refresh is equivalent in effect to the MODIFY PARMS command (see MODIFY-command). AT(MIDNight) specifies that the parameter file should be automatically refreshed every midnight local time; COMMand specifies that the parameters are refreshed only manually with the MODIFY PARMS command (see MODIFY-command); EVERY(minutes) specifies that parameters should be refreshed at the expiration of the specified number of minutes. Specify a number of minutes between 5 and 1440 (24 hours).

If you omit REFResh, it defaults to COMMand.

SIEMtype(RFC3164|ADEInflux|ADELog|CEF|JSON|LEEf|SPLunk)

Specifies whether to use a standardized syslog format (RFC3164) or one of the ADEInflux, ADELog, CEF, JSON, LEEF, or Splunk extensions

Use RFC3164 for a standard Berkeley Software Distribution (BSD) format. Use an extension for a set of preconfigured parameters specific to the named SIEM type.

For more information about the extension types, see Proprietary-syslog-format-extensions.

Important

We recommend that you do not alter the preconfigured parameters of an extension. If you alter a parameter, the extension might not work correctly. Depending on the parameter and the extension, an error might cause BMC AMI Defender to issue a warning or it might produce messages that the SIEM can't process, causing unnecessary overhead.

The default values of the preconfigured parameters for each extension type are shown in the SIEMtype extension table.

If you omit this parameter, the default is RFC3164.

STATs(AT(MIDNight)|COMMand|EVERY(minutes) RESET SEND)

When BMC AMI Defender should display operating statistics in CZAPRINT, and optionally reset the counters to zero and send them to the syslog server (see Counters)

AT(MIDNight) specifies that the statistics should be produced at midnight local time; COMMand specifies that statistics should be produced only manually with the MODIFY STATs command (see MODIFY-command); EVERY(minutes) specifies that statistics should be produced repeatedly at the expiration of the specified number of minutes. Specify a number of minutes between 5 and 1440 (24 hours).

If you omit STATs, it defaults to AT(MIDNIGHT). RESET and SEND might be specified with COMMand but have no effect; BMC AMI Defender instead honors the parameters of the MODIFY command.

STATUSTOSiem|NOSTATUSTOSiem

Specifies whether or not to send agent status and error messages to the SIEM

If you omit this parameter, the default STATUSTOSiem is used.

SUBSYS(subsysName)

For each subsystem named in your active SMFPRMxx record, if the SUBSYS statement in SMFPRMxx contains the keyword EXITS and you want BMC AMI Defender to forward SMF events for that subsystem, then you must code that subsystem name here

SUBSYS is ignored by CZASEND and by MODIFY CZAGENT,PARMS. If you are missing all syslog records for a particular subsystem such as TSO, you should try coding its name here, for instance SUBSYS(SYS SYSTSO). Contact BMC technical support if you would like assistance with the use of this parameter. Specify ALL, or allow SUBSYS to default, to cause BMC AMI Defender to automatically pick up all of the subsystems configured in SMF.

It is highly recommended that you allow SUBSYS to default. However, you might determine appropriate SUBSYS values by issuing the D SMF,O console command and examining the output. Look for SUBSYS(xxx,EXITS … statements. If any such statements appear, and xxx is the name of a subsystem from which you would like events forwarded to your syslog console, then you must code SYSxxx as the operand of a BMC AMI Defender parameter file SUBSYS parameter. For instance, if SUBSYS(SLS0,EXITS(IEFU83)) appears in the D SMF,O output then SYSSLS0 should be included as an operand of SUBSYS.

SWAPpable(No|Yes|ASIS)

Specifies whether z/OS workload manager swapping of BMC AMI Defender should be allowed

For more information about swapping, see the following resources:

  • IBM z/OS MVS Initialization and Tuning Guide for information about swapping
  • Determining-the-QUEUE64-size for the benefits of a non-swappable address space

Use the SWAPpable parameter with caution because making an address space non-swappable might have an impact on the performance of the LPAR as a whole. Specify the swapping status for BMC AMI Defender:

  • No–to be non-swappable
  • Yes–to be swappable
  • ASIS–to leave the swapping status unchanged

SWAPpable is ignored by CZASEND.

If you omit this parameter, the default No is used.

TAGCase(case NOBLanks)

Specifies whether tags (field labels) in the syslog messages are to be displayed in mixed, upper, or lower case, or with an initial capital, and whether any blank characters occurring in tags are to be converted to underscores (NOBLanks)

The following table shows how the JobNm (Job Name) and IEFU83 driven tag and data would be displayed under various TAGCASE options:

| Option | Tag and Data | Tag and Data |
|---|---|---|
| Mixed | JobNm: MYJOB | IEFU83 driven: 37589 |
| Initial | Jobnm: MYJOB | Iefu83 driven: 37589 |
| Lower | Jobnm: MYJOB | iefu83 driven: 37589 |
| Lower NOBLanks | jobnm: MYJOB | iefu83_driven: 37589 |
| Upper | JOBNM: MYJOB | IEFU83 DRIVEN: 37589 |

If you omit this parameter, the default MIXED is used. See the description of SIEMtype for its effect on TAGCase.

TCPname(tcpName)

Available to customers with multiple TCP/IP stacks and a requirement that BMC AMI Defender and CZASEND use a specific stack that is not the default stack

Most customers should not need to code this parameter. If you want BMC AMI Defender and CZASEND to use a specific TCP/IP stack, code TCPNAME with the name of the desired TCP/IP image stack.

TRACE(traceSpecifications)

BMC AMI Defender and CZASEND are to output additional diagnostic messages and the types of diagnostic messages, or not to output additional diagnostic messages, in the CZAPRINT data set

TRACE might be useful for diagnosing certain problems. If TRACE is completely omitted then it defaults to the previous state of TRACE; if TRACE() or TRACE(-ALL) is specified then all tracing is turned off.

Specify zero or more of the trace types described in Using-the-TRACE-facility (in any order). Prefix any of the specifications with - (a minus sign or hyphen) to indicate negation. The specifications are processed left to right. For instance, TRACE(ALL -XL -ENV) indicates all TRACE output except that related to translation and the operating environment.

VERBose|NOVERBose

Deprecated

VERBOSE is equivalent to TRACE(PARM ENV CSA) and NOVERBOSE is equivalent to TRACE(-ALL).

XLATE(from-ccsid to-ccsid 'technique')

How data is to be translated from its EBCDIC representation on a z System to the ASCII representation of syslog messages

Specify a valid EBCDIC single-byte CCSID and optionally a valid UTF-8 or ASCII single-byte CCSID. You might also specify (enclosed within quotation marks) a list of desired code conversion (translation) techniques. If you want to specify a UTF-8 or ASCII CCSID then you must also specify an EBCDIC CCSID. The valid conversion techniques are:

  • E—Enforced Subset conversion
    An enforced subset conversion occurs when a character in the source CCSID does not have a corresponding code point in the target CCSID. In this case, the character is converted to a single substitution character. The default substitution characters (SUB) are: X’1A’ or X’7F’ for SBCS ASCII and X’1A’ for UTF-8. The use of the E conversion technique is recommended for syslog messages.
  • L—Language Environment-Behavior conversion
  • M—Modified Language Environment-Behavior conversion
  • R—Roundtrip conversion
    A round-trip conversion ensures the integrity of all character data from the source CCSID to the target CCSID and back to the source. Even if the target CCSID does not support a given character, the character regains its original hexadecimal value after it is converted back to the source CCSID.

    Important

    Because of the way IBM defines roundtrip conversions to UTF-8, unprintable characters in the EBCDIC data will be translated to X’1A’, more like an enforced subset conversion than a roundtrip conversion.



  • 0-9—User-defined conversions

CCSID stands for coded character set identifier. For more information about CCSIDs and conversion techniques, see the IBM Manual z/OS Support for Unicode: Using Unicode Services. CCSIDs are traditionally specified as five-digit numbers with leading zeros if necessary but you might omit the zeros if you prefer: 00819 and 819 are equivalent CCSID specifications. If you omit XLATE then zDefender and CZASEND use CCSIDs 01047 and 01208 and a conversion techniques priority list of ERLM. CCSID 01208 is a UTF-8 CCSID. (UTF-8 CCSIDs can represent every character in use anywhere in the world.) If you are using BMC AMI Defender, make sure Message Encoding (under Edit Define Info after clicking on the hostname or TCP/IP address of the LPAR) is set to UTF-8. If you are using a different syslog console make the equivalent configuration selection. If you cannot or do not want to do so, then you should specify the ASCII code page appropriate for your culture, such as 01252 for standard U.S. English.

BMC AMI Defender and CZASEND attempt to validate the supplied CCSIDs based on the following criteria:

  • The CCSIDs are supported by the local installation of Unicode Services.
  • The from-CCSID is an EBCDIC single-byte CCSID and the to-CCSID is either a UTF-8 or an ASCII single-byte CCSID.
  • The local Unicode Services installation supports translation from one to the other.

z/OS releases earlier than V1R10.0 do not support the z/OS Unicode Services function CUNLINFO that allows BMC AMI Defender and CZASEND to perform these validations. If you are running an earlier release, be careful when coding the operands of XLATE, because BMC AMI Defender and CZASEND cannot validate them and errors during execution might result.

If you omit XLATE, it defaults to 01047 01208 ‘ERLM’. See the description of SIEMtype for its effect on XLATE.

SIEMtype extension table

You can use the following extensions for the SIEMtype parameter.

Extensions ADEInflux and ADELog were added for (SPE2201).

Item

Parameter

Extension

ADEInflux

ADELog

CEF

JSON

LEEf

SPLunk

OPTions

BOOLvalues

True|False

True|False

Yes|No

True|False

Yes|Omit

Yes|No

DELIMit

"", ",", "", ",", "", ""

"", ",", "", ",", "{", "}"

':' '-' ':' ',' '' ''

This delimiter applies to non-CEF fields in msg=; CEF fields are always delimited with ‘=’ and ‘ ’

'' ',' '' ',' '{' '}'

'=' <Tab> ':' ',' ' ' '' FINal

'=' ' ' ':' ',' '' ''

FRAMing



LF


LF

LF

HEADer

None

None

None

None

None

None

HOSTname

None

None

Set to HOSTname if None; okay to override to any value except None

None

Set to HOSTname if None or Ipv6; okay to override to any value except Ipv6 or None

Set to HOSTname if None; okay to override to any value except None

INTFormat

CANONical

CANONical

CANONical CANONical

CANONical CANONical

CANONical CANONical


TAGCase

Mixed

Mixed

Not applicable

Mixed

NOBLanks

Lower NOBLanks; okay to override case but not NOBLanks

TIMESTamp

NOTIMESTamp

NOTIMESTamp

TIMESTamp

NOTIMESTamp

TIMESTamp

TIMESTamp

XLATE



To-CCSID 1208




SERVER

MAXMSGlen

32768

32768

2000

3000

2000

3000

TRANSport

ADE

ADE

TCP

TCP

TCP

TCP

TIME


TIME UTC TIMEOFDAY(
"%Y%m%d
%H%M%S
.%Q6")

TIME UTC TIMEOFDAY(
ISO8601_M)

TIME and TIMEOFDay Ignored; forced to milliseconds since January 1, 1970


UTC TIMEOFDay(“%b %d %Y %H:%M:%S.%Q3 GMT”)

