Using LOADFILE Subsystem Writer
You can use the LOADFILE Subsystem Writer to send output to the remote SIEM using override commands and the local BMC AMI Defender for z/OS agent. Using LOADFILE Subsystem Writer, you can send a QSAM (or flat) file directly to the SIEM without having to run the CZALDFIL utility.
The benefits of using the LOADFILE Subsystem Writer over using the CZALDFIL utility are:
- The interface can be SAF-secured using RACF, ACF2, or TopSecret
- It can be used by most IBM or third-party vendor utilities that write output using a standard IBM QSAM interface
- It does not require APF authorization for the caller
Enabling LOADFILE Subsystem Writer
To enable LOADFILE Subsystem Writer, specify the target subsystem of the BMC AMI Defender agent address space in the DD statement for the output file.
Using z/OS SAF
You can use the SECPFX parameter in the CZAGENT JCL to enable System Authorization Facility (SAF) security to validate users and groups accessing BMC AMI Defender agent data sets. Specify a unique prefix that, when added to the subsystemName and LOADFILE parameters, builds a data set name that can be defined as a DATASET class resource for a SAF security system, such as RACF, TopSecret, or ACF/2. Your z/OS Security Administrator can then define the user IDs and groups that are permitted to access the resource.
For example, if you specify the prefix AMIZOS.AGT for subsystemName CZAS, the data set name is AMIZOS.AGT.CZAS.LOADFILE on volume BMCSEC.
For more information about the SECPFX parameter in the CZAGENT JCL, see Sample-CZAGENT-JCL-for-running-BMC-AMI-Defender-as-a-started-task.
DD statement parameters
As shown in the example in Enabling LOADFILE Subsystem Writer, the first SUBSYS parameter must be the subsystem name of the BMC AMI Defender agent.
The second parameter must be LOADFILE enclosed in single quotation marks. You must enclose additional Subsystem Writer subparameters in single quotation marks and separate them by commas.
For more information about the SUBSYS parameter, see the section about the SUBSYS parameter in the IBM z/OS MVS JCL Reference manual.
Subsystem Writer subparameters
LOADFILE Subsystem Writer uses the following optional subparameters:
Parameter | Description
---|---
FACILITY(facilityName\|facilityNumber) | Indicates the RFC 3164 facility (message type) for the syslog messages. For information about facility codes, see Syslog-facilities-and-severities. If you omit FACILITY, the default USER (1 – User-level message) is used.
MAJOR(majorName\|majorNumber) | Major code used to uniquely identify the functional purpose of the records. You can choose from the following codes. If you omit MAJOR, the default LoadFile (23) is used.
MAXWAIT(numberOfSeconds) | The maximum number of seconds, from 0 to 86400, to wait for sufficient queue space to become available before bypassing the command to add the message to the queue. If there is not enough room in the queue (see the SLACK parameter), the Subsystem Writer recalculates the available space every 0.25 second until the total number of seconds expires. MAXWAIT(0) waits for a very long time (actually 4,294,967,295 seconds, or approximately 136 years). If you omit MAXWAIT, the default 300 is used.
MINOR(minorNumber) | From 0 to 32767, provides additional granularity for identifying records. You can create your own message TYPE definitions for specific MINOR codes. For more information, see General-SMF-record-type-statement. If you omit MINOR, the default 11 is used.
PURGE(YES\|NO) | Indicates whether to purge old records from the queue in order to add a new record. Generally, you should not discard real-time security records (SMF and EVENT data) to make room for LOADFILE messages. Use this option only if you have a reason to force messages onto the queue. If you omit PURGE, the default NO is used.
SEVERITY(severityName\|severityNumber) | Syslog severity code for the forwarded messages. For information about severity codes, see Syslog-facilities-and-severities. If you omit SEVERITY, the default severity code from the TYPE statement is used. For more information, see TYPE-and-RETYPE-statements.
SLACK(percentageOfQueue) | The percentage, from 0 to 100, of the total queue space that must be available before new records are added to the queue. If you omit SLACK, the default 50 is used.
SUBTYPE(subtype) | From 0 to 32767, provides additional granularity for identifying data fields in the records. You can create your own message field definitions for specific SUBTYPE codes. For more information, see General-SMF-record-type-statement. If you omit SUBTYPE, the default 0 is used.
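The following Python is an added example, not part of this page or of BMC AMI Defender: it parses a LOADFILE SUBSYS parameter list as described above (subsystem name first, 'LOADFILE' second, then quoted KEY(value) subparameters), applies the table's defaults and ranges, and models the SLACK/MAXWAIT/PURGE queue-admission rule so that a PURGE(YES) or over-range value is caught before the job is submitted. The `wait_for_space` callback is a constructed stand-in for the agent's 0.25-second re-check loop.

```python
import re

# Defaults and value ranges are taken from the subparameter table above.
DEFAULTS = {"FACILITY": "USER", "MAJOR": "LOADFILE", "MAXWAIT": 300, "MINOR": 11,
            "PURGE": "NO", "SEVERITY": None, "SLACK": 50, "SUBTYPE": 0}
RANGES = {"MAXWAIT": (0, 86400), "MINOR": (0, 32767),
          "SLACK": (0, 100), "SUBTYPE": (0, 32767)}
MAXWAIT_ZERO_SECONDS = 4_294_967_295  # what MAXWAIT(0) actually waits


def parse_subsys(subsys):
    """Parse SUBSYS=(ssn,'LOADFILE','KEY(value)',...) into a dict of parms."""
    inner = subsys.strip()
    if inner.upper().startswith("SUBSYS="):
        inner = inner[len("SUBSYS="):]
    if inner.startswith("(") and inner.endswith(")"):
        inner = inner[1:-1]
    items = [i.strip().strip("'") for i in inner.split(",")]
    if len(items) < 2 or items[1].upper() != "LOADFILE":
        raise ValueError("second SUBSYS parameter must be 'LOADFILE'")
    parms = dict(DEFAULTS)
    parms["SUBSYSTEM"] = items[0].upper()  # agent subsystem, e.g. CZAT
    for item in items[2:]:
        m = re.fullmatch(r"([A-Z]+)\((\w+)\)", item.upper())
        if not m or m.group(1) not in DEFAULTS:
            raise ValueError(f"unknown LOADFILE subparameter: {item}")
        key, val = m.group(1), m.group(2)
        if key in RANGES:  # numeric subparameters must be inside the table's range
            lo, hi = RANGES[key]
            if not val.isdigit() or not lo <= int(val) <= hi:
                raise ValueError(f"{key} must be {lo}-{hi}, got {val}")
            val = int(val)
        parms[key] = val
    return parms


def queue_admission(parms, queue_total, queue_used, wait_for_space):
    """Model the admission rule: enqueue if SLACK% of the queue is free,
    otherwise wait up to MAXWAIT seconds, then purge (PURGE=YES) or bypass."""
    needed = queue_total * parms["SLACK"] / 100
    if queue_total - queue_used >= needed:
        return "QUEUED"
    limit = parms["MAXWAIT"] or MAXWAIT_ZERO_SECONDS
    if wait_for_space(limit):  # True if space became available within limit
        return "QUEUED"
    # PURGE(YES) evicts real-time SMF/EVENT records, which the page warns against
    return "PURGED_OLD_RECORDS" if parms["PURGE"] == "YES" else "BYPASSED"
```

Running `parse_subsys` over the SUBSYS value from the example below reports the effective settings, including the defaults the DD statement leaves unstated (MAXWAIT 300, SLACK 50, PURGE NO).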
Subsystem Writer example
In the following example, we pass an output file to the active BMC AMI Defender agent CZAT subsystem.
```jcl
//* The DD name and the start of the SUBSYS parameter are not shown on
//* this page; LOADDD is a placeholder. As described under "DD statement
//* parameters", the first SUBSYS value is the agent subsystem name (CZAT)
//* and the second must be 'LOADFILE'; the remaining subparameters follow,
//* each in single quotation marks and separated by commas.
//LOADDD   DD SUBSYS=(CZAT,'LOADFILE',
//             'MAJOR(CUST)',
//             'MINOR(99)',
//             'SUBTYPE(22)',
//             'FACILITY(USER)',
//             'SEVERITY(CRITICAL)'),
//             DCB=RECFM=V
```
Limitations
Files routed to the Subsystem Writer are routed directly to the BMC AMI Defender agent and out to the SIEM. They are not available for downstream processing by subsequent jobs or jobsteps because no physical file is created.