BMC AMI Datastream agent customization use cases
The use cases in this topic present different ways to customize the BMC AMI Datastream, depending on the requirements of your environment:
Before you begin
- Make a backup of the CZDCONFG member that comes with the product installation.
- Do not edit the CZDEFINE member that comes with the product installation unless specifically directed by BMC Support. Instead of changing CZDEFINE, add or update field definitions in CZDUSER3, and override CZDCONFG through changes to CZDUSER2.
Use case: Running tasks started on more than one agent on the same LPAR
You want to start tasks on two different agents to run two separate tasks on the same LPAR:
- One agent transmits Splunk format messages to a Splunk server.
- One agent transmits RFC3164 BSD syslog protocol messages to BMC AMI Command Center for Security.
To start and run these tasks, you need to configure the agents as described in the following example procedure. You can use the principles in the procedure to configure tasks on up to eight agents to run on the same LPAR.
To configure two agents to start and run separate tasks on the same LPAR
Edit #hlq.CZAGENT.PARM(CZDUSER2) to define two CZDCONFG member definitions as displayed in bold red text in the following syntax:
;**********************************************************************;
;**********************************************************************;
; CZDUSER2: Fields Definitions for the BMC AMI Datastream for z/OS ;
; Refer to the product documentation for information about defining ;
; fields. ;
;**********************************************************************;
;**********************************************************************;
;**********************************************************************;
; This member is available for user modifications. ;
;**********************************************************************;
SAY "v6.2.00 Updated 18 Apr 2022"
%INCLUDE IF(Splunk) DD:CZAPARMS(CONF&SYSNAME.)
%INCLUDE IF(RFC3164) DD:CZAPARMS(CNF0&SYSNAME.)
For an LPAR named LPRA, the configuration defines the following CZDCONFG members:
- CONFLPRA for the Splunk agent
- CNF0LPRA for the RFC3164 agent
- Create member CONFLPRA in the #hlq.CZAGENT.PARM data set, and copy the content of the original CZDCONFG member into the new CONFLPRA member.
In the CONFLPRA member:
- Uncomment the SWITCH ON(Splunk) statement as displayed in bold red text in the following example.
- Uncomment SMF switches as you require.
In the following example, the SMF switches for Compuware Abend-AID, Action Software EventAction, BMC AMI Security Session Monitor, and Micro Focus ChangeMan events are commented:
;**********************************************************************;
;**********************************************************************;
; $$$CONFG: Field configuration member for BMC AMI Datastream ;
; This is a copy of CZDCONFG and made available for ;
; user modification. It will be included in CZDEFINE ;
; SIEMTYPE-independent ;
; Copyright 2014-2018, 2019-2020 BMC Software, Inc. ;
; DRAID-882 - Added SIV option switch ;
;**********************************************************************;
;**********************************************************************;
SAY "v6.2.00 Updated 02 Mar 2022"
;**********************************************************************;
; Do NOT place any statements in this member unless they are acceptable
; BOTH as definition and parameter statements as this member is
; used by both CZDEFINE and CZAPARMS.
;**********************************************************************;
;**********************************************************************;
; Switches for setting the SIEM type. Uncomment ONE and ONLY ONE of the
; following statements
;**********************************************************************;
; SWITCH ON(RFC3164) ; Uncomment for SIEM type RFC 3164
; SWITCH ON(CEF) ; Uncomment for SIEM type CEF
; SWITCH ON(JSON) ; Uncomment for SIEM type JSON
; SWITCH ON(LEEF) ; Uncomment for SIEM type LEEF
SWITCH ON(Splunk) ; Uncomment for SIEM type Splunk
; SWITCH ON(DAM) ; Uncomment for SIEM type DAM
; SWITCH ON(ADELOG) ; Uncomment for SIEM type ADELog
; SWITCH ON(ADEINFLUX) ; Uncomment for SIEM type ADEInflux
;**********************************************************************;
; Switches for the inclusion of various optional support
; Uncomment as desired by replacing the semi-colon (;) in column 1
; with a space.
;**********************************************************************;
; SWITCH ON(Abend-AID) ; Compuware Abend-AID
; SWITCH ON(Action) ; Action Software EventAction SMF Type 249
; SWITCH ON(SessMon) ; BMC Security Session Monitor
; SWITCH ON(ChangeMan) ; Micro Focus ChangeMan
; SWITCH ON(SS) ; SuperSession
; SWITCH ON(BACKLOG) ; BACKLOG messages
; SWITCH ON(CONSOLE) ; Selected CONSOLE messages
; SWITCH ON(VMCON) ; Selected VM Console Messages
; SWITCH ON(VMSEC) ; Selected VM Secure Messages
; SWITCH ON(VMRACF) ; VM SMF 80 RACF fields
; SWITCH ON(GENERIC) ; For CZALDFIL
; SWITCH ON(IND$FILE) ; API1 IND$FILE
; SWITCH ON(JOBLOG) ; Process local/CZAJOBLG SYSOUT
; SWITCH ON(LOCALJL) ; Enable Local JOBLOG support
; LOCALJL requires JOBLOG switch
; SWITCH ON(LSPACE) ; CZALSPAC
; SWITCH ON(MODIFY) ; MODIFY from API1--see manual
; SWITCH ON(BMCAMI) ; BMC AMI IND$FILE SMF 202 records
; SWITCH ON(DIAG) ; Diagnostic message display
; SWITCH ON(IFCID002) ; DB2 IFCID 002
; SWITCH ON(IFCID003) ; DB2 IFCID 003
; SWITCH ON(MQ) ; SMF Type 115 and 116 (MQ Series)
; SWITCH ON(RMF) ; RMF: SMF Types 70 through 79
; SWITCH ON(JES) ; JES2/3 SMF types 26, 43, 55-58
; SWITCH ON(JES3) ; Executing in Jes3 environment
; SWITCH ON(OA57466) ; IF APAR OA57466 applied (SMF26)
; SWITCH ON(TSO) ; SMF 32 and 119
; SWITCH ON(USS) ; SMF 109
; SWITCH ON(CRYPTO) ; SMF 82
; SWITCH ON(SMF113) ; SMF Type 113
; SWITCH ON(SMF30CPU) ; SMF Type 30 CPU reporting
; SWITCH ON(SMF30STO) ; SMF Type 30 Storage reporting
; SWITCH ON(SMF89) ; SMF Type 89
; SWITCH ON(IMSLOG) ; IMS Log Record Events
; SWITCH ON(IMSConn) ; IMS Connect Events
; SWITCH ON(LOG4J) ; Log4j data from CZALDFIL
; SWITCH ON(VSAM) ; Enable VSAM SMF types 60/62/64
; SWITCH ON(RACF) ; Enable RACF Type 80/81/83
; SWITCH ON(TOPSECRET) ; Enable TopSecret Record types 80/231
; SWITCH ON(ACF2) ; Enable ACF/2 Record data/type 230
; SWITCH ON(OPS) ; Enable Operations Events
; SWITCH ON(FAM) ; Enable File Access Monitoring
; SWITCH ON(ICF) ; Enable Integrated Catalog Facility
; SWITCH ON(DEVICE) ; Enable Device SMF types 8, 9, 11 and 22
; SWITCH ON(DB2) ; Enable DB2 SMF 100, 101, 102 collection
; SWITCH ON(CICS) ; Enable CICS SMF 110 collection
; SWITCH ON(IBMHttp) ; IBM HTTP Server SMF Type 103
; SWITCH ON(WebSphere) ; Enable WebSphere SMF Type 120
; SWITCH ON(HMC) ; HMC SMF Type 106 BCPii
; SWITCH ON(CD) ; Connect Direct SMF 132
; SWITCH ON(SPM) ; Policy Manager data
; SWITCH ON(AUTOMATE) ; Enable Alert Automation
; SWITCH ON(RECEIVER) ; Enable VM Receiver
; SWITCH ON(AMIOPS) ; AMI Ops Events
; SWITCH ON(PAM) ; Privileged Access Manager
; SWITCH ON(SIV) ; System Integrity Violation Scanner
; SWITCH ON(USSENRICH) ; USS Privileges Enrichment
; SWITCH ON(LOADFILE) ; Loadfile Events
; SWITCH ON(SMF123) ; SMF Type 123
; SWITCH ON(IEFU86) ; Enable the IEFU86 Exit
- Create member CNF0LPRA in the #hlq.CZAGENT.PARM data set and copy the original CZDCONFG member that comes with the installation into the new CNF0LPRA member.
In the CNF0LPRA member:
- Uncomment the SWITCH ON(RFC3164) statement as displayed in bold red text in the following example.
- Uncomment SMF switches as you require.
In the following example, all the SMF switches are uncommented:
;**********************************************************************;
;**********************************************************************;
; $$$CONFG: Field configuration member for BMC AMI Datastream ;
; This is a copy of CZDCONFG and made available for ;
; user modification. It will be included in CZDEFINE ;
; SIEMTYPE-independent ;
; Copyright 2014-2018, 2019-2020 BMC Software, Inc. ;
; DRAID-882 - Added SIV option switch ;
;**********************************************************************;
;**********************************************************************;
SAY "v6.2.00 Updated 02 Mar 2022"
;**********************************************************************;
; Do NOT place any statements in this member unless they are acceptable
; BOTH as definition and parameter statements as this member is
; used by both CZDEFINE and CZAPARMS.
;**********************************************************************;
;**********************************************************************;
; Switches for setting the SIEM type. Uncomment ONE and ONLY ONE of the
; following statements
;**********************************************************************;
SWITCH ON(RFC3164) ; Uncomment for SIEM type RFC 3164
; SWITCH ON(CEF) ; Uncomment for SIEM type CEF
; SWITCH ON(JSON) ; Uncomment for SIEM type JSON
; SWITCH ON(LEEF) ; Uncomment for SIEM type LEEF
; SWITCH ON(Splunk) ; Uncomment for SIEM type Splunk
; SWITCH ON(DAM) ; Uncomment for SIEM type DAM
; SWITCH ON(ADELOG) ; Uncomment for SIEM type ADELog
; SWITCH ON(ADEINFLUX) ; Uncomment for SIEM type ADEInflux
;**********************************************************************;
; Switches for the inclusion of various optional support
; Uncomment as desired by replacing the semi-colon (;) in column 1
; with a space.
;**********************************************************************;
; SWITCH ON(Abend-AID) ; Compuware Abend-AID
; SWITCH ON(Action) ; Action Software EventAction SMF Type 249
; SWITCH ON(SessMon) ; BMC Security Session Monitor
; SWITCH ON(ChangeMan) ; Micro Focus ChangeMan
; SWITCH ON(SS) ; SuperSession
; SWITCH ON(BACKLOG) ; BACKLOG messages
; SWITCH ON(CONSOLE) ; Selected CONSOLE messages
; SWITCH ON(VMCON) ; Selected VM Console Messages
; SWITCH ON(VMSEC) ; Selected VM Secure Messages
; SWITCH ON(VMRACF) ; VM SMF 80 RACF fields
; SWITCH ON(GENERIC) ; For CZALDFIL
; SWITCH ON(IND$FILE) ; API1 IND$FILE
; SWITCH ON(JOBLOG) ; Process local/CZAJOBLG SYSOUT
; SWITCH ON(LOCALJL) ; Enable Local JOBLOG support
; LOCALJL requires JOBLOG switch
; SWITCH ON(LSPACE) ; CZALSPAC
; SWITCH ON(MODIFY) ; MODIFY from API1--see manual
; SWITCH ON(BMCAMI) ; BMC AMI IND$FILE SMF 202 records
; SWITCH ON(DIAG) ; Diagnostic message display
; SWITCH ON(IFCID002) ; DB2 IFCID 002
; SWITCH ON(IFCID003) ; DB2 IFCID 003
; SWITCH ON(MQ) ; SMF Type 115 and 116 (MQ Series)
; SWITCH ON(RMF) ; RMF: SMF Types 70 through 79
; SWITCH ON(JES) ; JES2/3 SMF types 26, 43, 55-58
; SWITCH ON(JES3) ; Executing in Jes3 environment
; SWITCH ON(OA57466) ; IF APAR OA57466 applied (SMF26)
; SWITCH ON(TSO) ; SMF 32 and 119
; SWITCH ON(USS) ; SMF 109
; SWITCH ON(CRYPTO) ; SMF 82
; SWITCH ON(SMF113) ; SMF Type 113
; SWITCH ON(SMF30CPU) ; SMF Type 30 CPU reporting
; SWITCH ON(SMF30STO) ; SMF Type 30 Storage reporting
; SWITCH ON(SMF89) ; SMF Type 89
; SWITCH ON(IMSLOG) ; IMS Log Record Events
; SWITCH ON(IMSConn) ; IMS Connect Events
; SWITCH ON(LOG4J) ; Log4j data from CZALDFIL
; SWITCH ON(VSAM) ; Enable VSAM SMF types 60/62/64
; SWITCH ON(RACF) ; Enable RACF Type 80/81/83
; SWITCH ON(TOPSECRET) ; Enable TopSecret Record types 80/231
; SWITCH ON(ACF2) ; Enable ACF/2 Record data/type 230
; SWITCH ON(OPS) ; Enable Operations Events
; SWITCH ON(FAM) ; Enable File Access Monitoring
; SWITCH ON(ICF) ; Enable Integrated Catalog Facility
; SWITCH ON(DEVICE) ; Enable Device SMF types 8, 9, 11 and 22
; SWITCH ON(DB2) ; Enable DB2 SMF 100, 101, 102 collection
; SWITCH ON(CICS) ; Enable CICS SMF 110 collection
; SWITCH ON(IBMHttp) ; IBM HTTP Server SMF Type 103
; SWITCH ON(WebSphere) ; Enable WebSphere SMF Type 120
; SWITCH ON(HMC) ; HMC SMF Type 106 BCPii
; SWITCH ON(CD) ; Connect Direct SMF 132
; SWITCH ON(SPM) ; Policy Manager data
; SWITCH ON(AUTOMATE) ; Enable Alert Automation
; SWITCH ON(RECEIVER) ; Enable VM Receiver
; SWITCH ON(AMIOPS) ; AMI Ops Events
; SWITCH ON(PAM) ; Privileged Access Manager
; SWITCH ON(SIV) ; System Integrity Violation Scanner
; SWITCH ON(USSENRICH) ; USS Privileges Enrichment
; SWITCH ON(LOADFILE) ; Loadfile Events
; SWITCH ON(SMF123) ; SMF Type 123
; SWITCH ON(IEFU86) ; Enable the IEFU86 Exit
Edit the original #hlq.CZAGENT.PARM(CZAPARMS) member as displayed in bold red text in the following example:
; LEEF - TRANS(TCP) Required by QRadar
;
;SERVER ip.addr.example TRANS(TCP) MAXMSG(2000) ; You MUST edit per doc
;
; SPLUNK - TRANS(TCP) Recommended
;
;SERVER ip.addr.example TRANS(TCP) MAXMSG(3000) ; You MUST edit per doc
%INCLUDE IF(Splunk) DD:CZAPARMS(PARM&SYSNAME.)
%INCLUDE IF(RFC3164) DD:CZAPARMS(PRM0&SYSNAME.)
For an LPAR named LPRA, the configuration defines the following CZAPARMS members:
- PARMLPRA for the Splunk agent
- PRM0LPRA for the RFC3164 agent
Create member PRM0LPRA in the #hlq.CZAGENT.PARM data set.
This member can contain only the SERVER statement specification for your RFC3164 agent, such as the specifications displayed in bold red text in the following example:
; Parameter file for CZAGENT
; SIEMTYPE-independent
; Copyright 2014-2021, 2022 BMC Software, Inc.
SAY "PRM0LPRA v6.2.00 updated 02 Mar 2022"
SERVER nnn.nn.nn.nnn TRANS(UDP) MAXMSG(2000)
Create member PARMLPRA in the #hlq.CZAGENT.PARM data set.
This new member can contain only the SERVER statement specification for your Splunk agent, such as the specifications displayed in bold red text in the following example:
; Parameter file for CZAGENT
; SIEMTYPE-independent
; Copyright 2014-2021, 2022 BMC Software, Inc.
SAY "PARMLPRA v6.2.00 updated 02 Mar 2022"
SERVER nnn.nn.nnn.nnn:mmmmm TRANS(UDP) MAXMSG(50000)
The mmmmm variable represents the required port number.
Copy the original sample PROC statement from the #hlq.CZAGENT.PARM(CZAGENT) data set, and change the PROC statements as follows:
- For the RFC3164 agent, change the symbolic override SWITCH from SWITCH=DEFLTCFG to SWITCH=RFC3164.
- For the Splunk agent, change the symbolic override SWITCH from SWITCH=DEFLTCFG to SWITCH=SPLUNK.
The following symbolic overrides in the PROC statement can remain unchanged:
DEFINES=CZDEFINE
PARMS=CZAPARMS
- Use the following commands, in any order, to run the started tasks:
/S RFC3164agentName
/S SPLUNKagentName
Use case: Adding an agent to an LPAR running tasks started by existing agents
You already have two separate tasks that are started by two different agents:
- One agent transmits RFC3164 BSD syslog protocol messages to BMC AMI Command Center for Security.
- One agent transmits Splunk format messages to the Splunk server.
The agent that transmits RFC3164 BSD syslog protocol messages uses the UDP protocol. You now want to run on the same LPAR a task started on another agent that transmits RFC3164 BSD syslog protocol messages using the TCP protocol.
To add and configure an agent to start a task to run on the same LPAR on which tasks started by other agents are already running
Edit #hlq.CZAGENT.PARM(CZDUSER2) to add a CZDCONFG member definition as displayed in bold red text in the following syntax:
;**********************************************************************;
;**********************************************************************;
; CZDUSER2: Fields Definitions for the BMC AMI Datastream for z/OS ;
; Refer to the product documentation for information about defining ;
; fields. ;
;**********************************************************************;
;**********************************************************************;
;**********************************************************************;
; This member is available for user modifications. ;
;**********************************************************************;
SAY "v6.2.00 Updated 18 Apr 2022"
%INCLUDE IF(Splunk) DD:CZAPARMS(CONF&SYSNAME.)
%INCLUDE IF(RFC3164) DD:CZAPARMS(CNF0&SYSNAME.)
%INCLUDE IF(RFC3164T) DD:CZAPARMS(CNF4&SYSNAME.)
The variable RFC3164T represents any unique name that you choose.
Create member CNF4LPRA in the #hlq.CZAGENT.PARM data set and copy the original CZDCONFG member that comes with the installation into the new CNF4LPRA member.
In the CNF4LPRA member:
- Uncomment the SWITCH ON(RFC3164T) statement as displayed in bold red text in the following example.
- Uncomment the SMF switches as you require.
;**********************************************************************;
;**********************************************************************;
; $$$CONFG: Field configuration member for BMC AMI Datastream ;
; This is a copy of CZDCONFG and made available for ;
; user modification. It will be included in CZDEFINE ;
; SIEMTYPE-independent ;
; Copyright 2014-2018, 2019-2020 BMC Software, Inc. ;
; DRAID-882 - Added SIV option switch ;
;**********************************************************************;
;**********************************************************************;
SAY "v6.2.00 Updated 02 Mar 2022"
;**********************************************************************;
; Do NOT place any statements in this member unless they are acceptable
; BOTH as definition and parameter statements as this member is
; used by both CZDEFINE and CZAPARMS.
;**********************************************************************;
;**********************************************************************;
; Switches for setting the SIEM type. Uncomment ONE and ONLY ONE of the
; following statements
;**********************************************************************;
; SWITCH ON(RFC3164) ; Uncomment for SIEM type RFC 3164
SWITCH ON(RFC3164T) ; Uncomment for SIEM type RFC 3164
; SWITCH ON(CEF) ; Uncomment for SIEM type CEF
; SWITCH ON(JSON) ; Uncomment for SIEM type JSON
; SWITCH ON(LEEF) ; Uncomment for SIEM type LEEF
; SWITCH ON(Splunk) ; Uncomment for SIEM type Splunk
; SWITCH ON(DAM) ; Uncomment for SIEM type DAM
; SWITCH ON(ADELOG) ; Uncomment for SIEM type ADELog
; SWITCH ON(ADEINFLUX) ; Uncomment for SIEM type ADEInflux
;**********************************************************************;
; Switches for the inclusion of various optional support
; Uncomment as desired by replacing the semi-colon (;) in column 1
; with a space.
;**********************************************************************;
; SWITCH ON(Abend-AID) ; Compuware Abend-AID
; SWITCH ON(Action) ; Action Software EventAction SMF Type 249
; SWITCH ON(SessMon) ; BMC Security Session Monitor
; SWITCH ON(ChangeMan) ; Micro Focus ChangeMan
; SWITCH ON(SS) ; SuperSession
; SWITCH ON(BACKLOG) ; BACKLOG messages
; SWITCH ON(CONSOLE) ; Selected CONSOLE messages
; SWITCH ON(VMCON) ; Selected VM Console Messages
; SWITCH ON(VMSEC) ; Selected VM Secure Messages
; SWITCH ON(VMRACF) ; VM SMF 80 RACF fields
; SWITCH ON(GENERIC) ; For CZALDFIL
; SWITCH ON(IND$FILE) ; API1 IND$FILE
; SWITCH ON(JOBLOG) ; Process local/CZAJOBLG SYSOUT
; SWITCH ON(LOCALJL) ; Enable Local JOBLOG support
; LOCALJL requires JOBLOG switch
; SWITCH ON(LSPACE) ; CZALSPAC
; SWITCH ON(MODIFY) ; MODIFY from API1--see manual
; SWITCH ON(BMCAMI) ; BMC AMI IND$FILE SMF 202 records
; SWITCH ON(DIAG) ; Diagnostic message display
; SWITCH ON(IFCID002) ; DB2 IFCID 002
; SWITCH ON(IFCID003) ; DB2 IFCID 003
; SWITCH ON(MQ) ; SMF Type 115 and 116 (MQ Series)
; SWITCH ON(RMF) ; RMF: SMF Types 70 through 79
; SWITCH ON(JES) ; JES2/3 SMF types 26, 43, 55-58
; SWITCH ON(JES3) ; Executing in Jes3 environment
; SWITCH ON(OA57466) ; IF APAR OA57466 applied (SMF26)
; SWITCH ON(TSO) ; SMF 32 and 119
; SWITCH ON(USS) ; SMF 109
; SWITCH ON(CRYPTO) ; SMF 82
; SWITCH ON(SMF113) ; SMF Type 113
; SWITCH ON(SMF30CPU) ; SMF Type 30 CPU reporting
; SWITCH ON(SMF30STO) ; SMF Type 30 Storage reporting
; SWITCH ON(SMF89) ; SMF Type 89
; SWITCH ON(IMSLOG) ; IMS Log Record Events
; SWITCH ON(IMSConn) ; IMS Connect Events
; SWITCH ON(LOG4J) ; Log4j data from CZALDFIL
; SWITCH ON(VSAM) ; Enable VSAM SMF types 60/62/64
; SWITCH ON(RACF) ; Enable RACF Type 80/81/83
; SWITCH ON(TOPSECRET) ; Enable TopSecret Record types 80/231
; SWITCH ON(ACF2) ; Enable ACF/2 Record data/type 230
; SWITCH ON(OPS) ; Enable Operations Events
; SWITCH ON(FAM) ; Enable File Access Monitoring
; SWITCH ON(ICF) ; Enable Integrated Catalog Facility
; SWITCH ON(DEVICE) ; Enable Device SMF types 8, 9, 11 and 22
; SWITCH ON(DB2) ; Enable DB2 SMF 100, 101, 102 collection
; SWITCH ON(CICS) ; Enable CICS SMF 110 collection
; SWITCH ON(IBMHttp) ; IBM HTTP Server SMF Type 103
; SWITCH ON(WebSphere) ; Enable WebSphere SMF Type 120
; SWITCH ON(HMC) ; HMC SMF Type 106 BCPii
; SWITCH ON(CD) ; Connect Direct SMF 132
; SWITCH ON(SPM) ; Policy Manager data
; SWITCH ON(AUTOMATE) ; Enable Alert Automation
; SWITCH ON(RECEIVER) ; Enable VM Receiver
; SWITCH ON(AMIOPS) ; AMI Ops Events
; SWITCH ON(PAM) ; Privileged Access Manager
; SWITCH ON(SIV) ; System Integrity Violation Scanner
; SWITCH ON(USSENRICH) ; USS Privileges Enrichment
; SWITCH ON(LOADFILE) ; Loadfile Events
; SWITCH ON(SMF123) ; SMF Type 123
; SWITCH ON(IEFU86) ; Enable the IEFU86 Exit
Edit the original #hlq.CZAGENT.PARM(CZAPARMS) member as displayed in bold red text in the following example:
; Parameter file for CZAGENT
; SIEMTYPE-independent
; Copyright 2014-2021, 2022 BMC Software, Inc.
SAY "CZAPARMS v6.2.00 updated 02 Mar 2022"
; Options dependent on SIEM type
OPTIONS IF(CEF) SIEM(CEF) TIMESTAMP INSTNAME(CEF.Agent)
OPTIONS IF(JSON) SIEM(JSON) INSTNAME(Agent.JSON)
OPTIONS IF(LEEF) SIEM(LEEF) TIMESTAMP INSTNAME(LEEF.Agent)
OPTIONS IF(RFC3164) SIEM(RFC3164) TIMESTAMP INSTNAME(SIEM.Agent)
OPTIONS IF(RFC3164T) SIEM(RFC3164) TIMESTAMP INSTNAME(SIEM.Agent.TCP)
OPTIONS IF(Splunk) SIEM(Splunk) TIMESTAMP INSTNAME(Agent.for.Splunk)
; LEEF - TRANS(TCP) Required by QRadar
;
;SERVER ip.addr.example TRANS(TCP) MAXMSG(2000) ; You MUST edit per doc
;
; SPLUNK - TRANS(TCP) Recommended
;
;SERVER ip.addr.example TRANS(TCP) MAXMSG(3000) ; You MUST edit per doc
%INCLUDE IF(Splunk) DD:CZAPARMS(PARM&SYSNAME.)
%INCLUDE IF(RFC3164) DD:CZAPARMS(PRM0&SYSNAME.)
%INCLUDE IF(RFC3164T) DD:CZAPARMS(PRM4&SYSNAME.)
Create member PRM4LPRA in the #hlq.CZAGENT.PARM data set.
This member contains only the SERVER statement specification for your second RFC3164 agent, such as the specification displayed in bold red text in the following example:
; Parameter file for CZAGENT
; SIEMTYPE-independent
; Copyright 2014-2021, 2022 BMC Software, Inc.
SAY "PRM4LPRA v6.2.00 updated 02 Mar 2022"
SERVER nnn.nn.nnn.nnn TRANS(UDP) MAXMSG(50000)
Copy the original sample PROC statement from the #hlq.CZAGENT.PARM(CZAGENT) data set. In the PROC statements for the second RFC3164 agent, change the symbolic override SWITCH from SWITCH=DEFLTCFG to SWITCH=RFC3164T.
The following symbolic overrides in the PROC statement can remain unchanged:
DEFINES=CZDEFINE
PARMS=CZAPARMS
- Use the following command to run the started tasks:
/S SecondRFC3164agentName
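An added example, not part of the BMC documentation or product: a Python lint over text copies of the members from the two procedures above. For a given LPAR name it resolves each %INCLUDE IF(switch) in CZDUSER2 and CZAPARMS, then checks that the member exists with a name of at most 8 characters, that the configuration member has exactly that one SIEM-type switch uncommented, and that the parameter member has an active SERVER statement. The function names, the sample members and addresses, and the case-insensitive switch matching are assumptions.

```python
import re

# SIEM-type switch names from the CZDCONFG listing on this page (upper-cased).
SIEM_SWITCHES = {"RFC3164", "CEF", "JSON", "LEEF", "SPLUNK", "DAM",
                 "ADELOG", "ADEINFLUX"}
INCLUDE_RE = re.compile(r"%INCLUDE\s+IF\(([^)]+)\)\s+DD:\w+\(([^)]+)\)", re.I)
SWITCH_RE = re.compile(r"SWITCH\s+ON\(([^)]+)\)", re.I)


def active_lines(text):
    """Yield each statement with its ';' comment removed; skip pure comments."""
    for line in text.splitlines():
        stmt = line.split(";", 1)[0].strip()
        if stmt:
            yield stmt


def resolve_includes(text, sysname):
    """Map IF(switch) -> member name after substituting &SYSNAME."""
    resolved = {}
    for stmt in active_lines(text):
        m = INCLUDE_RE.match(stmt)
        if m:
            member = re.sub(r"&SYSNAME\.?", sysname, m.group(2), flags=re.I)
            resolved[m.group(1).upper()] = member.upper()
    return resolved


def lint_agents(czduser2, czaparms, members, sysname):
    """Return a list of findings; an empty list means the set is consistent."""
    findings = []
    conf = resolve_includes(czduser2, sysname)
    parm = resolve_includes(czaparms, sysname)
    # Assumption: a custom name such as RFC3164T selects an agent the same
    # way a SIEM-type switch does, so it counts toward "one and only one".
    selectors = SIEM_SWITCHES | set(conf) | set(parm)

    for name in sorted(set(conf.values()) | set(parm.values())):
        if len(name) > 8:  # PDS member names are limited to 8 characters
            findings.append(f"{name}: member name longer than 8 characters")

    for switch, name in sorted(conf.items()):
        if name not in members:
            findings.append(f"{name}: configuration member for {switch} not found")
        else:
            on = [s.upper() for stmt in active_lines(members[name])
                  for s in SWITCH_RE.findall(stmt) if s.upper() in selectors]
            if on != [switch]:
                findings.append(
                    f"{name}: expected only SWITCH ON({switch}), found {on}")
        if switch not in parm:
            findings.append(f"{switch}: no %INCLUDE IF({switch}) in CZAPARMS")

    for switch, name in sorted(parm.items()):
        if name not in members:
            findings.append(f"{name}: parameter member for {switch} not found")
        elif not any(s.upper().startswith("SERVER ")
                     for s in active_lines(members[name])):
            findings.append(f"{name}: no active SERVER statement")
    return findings


# Constructed sample input, modelled on the members shown on this page.
CZDUSER2 = """\
SAY "v6.2.00 Updated 18 Apr 2022"
%INCLUDE IF(Splunk) DD:CZAPARMS(CONF&SYSNAME.)
%INCLUDE IF(RFC3164) DD:CZAPARMS(CNF0&SYSNAME.)
%INCLUDE IF(RFC3164T) DD:CZAPARMS(CNF4&SYSNAME.)
"""
CZAPARMS = """\
;SERVER ip.addr.example TRANS(TCP) MAXMSG(3000) ; You MUST edit per doc
%INCLUDE IF(Splunk) DD:CZAPARMS(PARM&SYSNAME.)
%INCLUDE IF(RFC3164) DD:CZAPARMS(PRM0&SYSNAME.)
%INCLUDE IF(RFC3164T) DD:CZAPARMS(PRM4&SYSNAME.)
"""
MEMBERS = {  # constructed, abbreviated copies with three deliberate mistakes
    "CONFLPRA": "; SWITCH ON(RFC3164) ; off\nSWITCH ON(Splunk) ; on\n"
                "SWITCH ON(RACF) ; optional support, not a SIEM type\n",
    "CNF0LPRA": "SWITCH ON(RFC3164) ; on\n; SWITCH ON(Splunk) ; off\n",
    # Mistake 1: the copied RFC3164 switch was left on next to RFC3164T.
    "CNF4LPRA": "SWITCH ON(RFC3164) ; on\nSWITCH ON(RFC3164T) ; on\n",
    "PARMLPRA": "SERVER 192.0.2.10:5514 TRANS(UDP) MAXMSG(50000)\n",
    # Mistake 2: the SERVER statement is still commented out.
    "PRM0LPRA": ";SERVER 192.0.2.20 TRANS(UDP) MAXMSG(2000)\n",
    # Mistake 3: PRM4LPRA was never created.
}

if __name__ == "__main__":
    for finding in lint_agents(CZDUSER2, CZAPARMS, MEMBERS, "LPRA"):
        print(finding)
```

Run it against the members exported for each LPAR name before starting the agents; a system name longer than four characters makes every PFX&SYSNAME. member name exceed the 8-character limit and is reported as such.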
Use case: Running tasks started on multiple agents on different LPARs when the agents transmit to the same server
You want to run the following agents, all of which transmit to the same Splunk server:
- On an LPAR named LPRP, an agent that transmits Splunk format messages
- On an LPAR named LPRM, an agent that transmits Splunk format messages
- On an LPAR named LPRB, an agent that transmits CEF data
To run tasks started on multiple agents on different LPARs when the agents transmit to the same server
Edit #hlq.CZAGENT.PARM(CZDUSER2) to add a CZDCONFG member definition as displayed in bold red text in the following syntax:
;**********************************************************************;
;**********************************************************************;
; CZDUSER2: Fields Definitions for the BMC AMI Datastream for z/OS ;
; Refer to the product documentation for information about defining ;
; fields. ;
;**********************************************************************;
;**********************************************************************;
;**********************************************************************;
; This member is available for user modifications. ;
;**********************************************************************;
SAY "v6.2.00 Updated 18 Apr 2022"
%INCLUDE IF(CEF) DD:CZAPARMS(CNF1&SYSNAME.)
%INCLUDE IF(Splunk) DD:CZAPARMS(CONF&SYSNAME.)
The configuration defines the following $$$CONFG members:
- CNF1LPRB for a CEF agent on LPRB
- CONFLPRP for a Splunk agent on LPRP
- CONFLPRM for a Splunk agent on LPRM
- Create member CNF1LPRB in the #hlq.CZAGENT.PARM data set and copy the original $$$CONFG member that comes with the installation into the new CNF1LPRB member.
In the CNF1LPRB member:
- Uncomment the SWITCH ON(CEF) statement as displayed in bold red text in the following example.
- Uncomment the SMF switches as you require.
;**********************************************************************;
;**********************************************************************;
; $$$CONFG: Field configuration member for BMC AMI Datastream ;
; This is a copy of CZDCONFG and made available for ;
; user modification. It will be included in CZDEFINE ;
; SIEMTYPE-independent ;
; Copyright 2014-2018, 2019-2020 BMC Software, Inc. ;
; DRAID-882 - Added SIV option switch ;
;**********************************************************************;
;**********************************************************************;
SAY "v6.2.00 Updated 02 Mar 2022"
;**********************************************************************;
; Do NOT place any statements in this member unless they are acceptable
; BOTH as definition and parameter statements as this member is
; used by both CZDEFINE and CZAPARMS.
;**********************************************************************;
;**********************************************************************;
; Switches for setting the SIEM type. Uncomment ONE and ONLY ONE of the
; following statements
;**********************************************************************;
; SWITCH ON(RFC3164) ; Uncomment for SIEM type RFC 3164
SWITCH ON(CEF) ; Uncomment for SIEM type CEF
; SWITCH ON(JSON) ; Uncomment for SIEM type JSON
; SWITCH ON(LEEF) ; Uncomment for SIEM type LEEF
; SWITCH ON(Splunk) ; Uncomment for SIEM type Splunk
; SWITCH ON(DAM) ; Uncomment for SIEM type DAM
; SWITCH ON(ADELOG) ; Uncomment for SIEM type ADELog
; SWITCH ON(ADEINFLUX) ; Uncomment for SIEM type ADEInflux
;**********************************************************************;
; Switches for the inclusion of various optional support
; Uncomment as desired by replacing the semi-colon (;) in column 1
; with a space.
;**********************************************************************;
; SWITCH ON(Abend-AID) ; Compuware Abend-AID
; SWITCH ON(Action) ; Action Software EventAction SMF Type 249
; SWITCH ON(SessMon) ; BMC Security Session Monitor
; SWITCH ON(ChangeMan) ; Micro Focus ChangeMan
; SWITCH ON(SS) ; SuperSession
; SWITCH ON(BACKLOG) ; BACKLOG messages
; SWITCH ON(CONSOLE) ; Selected CONSOLE messages
; SWITCH ON(VMCON) ; Selected VM Console Messages
; SWITCH ON(VMSEC) ; Selected VM Secure Messages
; SWITCH ON(VMRACF) ; VM SMF 80 RACF fields
; SWITCH ON(GENERIC) ; For CZALDFIL
; SWITCH ON(IND$FILE) ; API1 IND$FILE
; SWITCH ON(JOBLOG) ; Process local/CZAJOBLG SYSOUT
; SWITCH ON(LOCALJL) ; Enable Local JOBLOG support
; LOCALJL requires JOBLOG switch
; SWITCH ON(LSPACE) ; CZALSPAC
; SWITCH ON(MODIFY) ; MODIFY from API1--see manual
; SWITCH ON(BMCAMI) ; BMC AMI IND$FILE SMF 202 records
; SWITCH ON(DIAG) ; Diagnostic message display
; SWITCH ON(IFCID002) ; DB2 IFCID 002
; SWITCH ON(IFCID003) ; DB2 IFCID 003
; SWITCH ON(MQ) ; SMF Type 115 and 116 (MQ Series)
; SWITCH ON(RMF) ; RMF: SMF Types 70 through 79
; SWITCH ON(JES) ; JES2/3 SMF types 26, 43, 55-58
; SWITCH ON(JES3) ; Executing in Jes3 environment
; SWITCH ON(OA57466) ; IF APAR OA57466 applied (SMF26)
; SWITCH ON(TSO) ; SMF 32 and 119
; SWITCH ON(USS) ; SMF 109
; SWITCH ON(CRYPTO) ; SMF 82
; SWITCH ON(SMF113) ; SMF Type 113
; SWITCH ON(SMF30CPU) ; SMF Type 30 CPU reporting
; SWITCH ON(SMF30STO) ; SMF Type 30 Storage reporting
; SWITCH ON(SMF89) ; SMF Type 89
; SWITCH ON(IMSLOG) ; IMS Log Record Events
; SWITCH ON(IMSConn) ; IMS Connect Events
; SWITCH ON(LOG4J) ; Log4j data from CZALDFIL
; SWITCH ON(VSAM) ; Enable VSAM SMF types 60/62/64
; SWITCH ON(RACF) ; Enable RACF Type 80/81/83
; SWITCH ON(TOPSECRET) ; Enable TopSecret Record types 80/231
; SWITCH ON(ACF2) ; Enable ACF/2 Record data/type 230
; SWITCH ON(OPS) ; Enable Operations Events
; SWITCH ON(FAM) ; Enable File Access Monitoring
; SWITCH ON(ICF) ; Enable Integrated Catalog Facility
; SWITCH ON(DEVICE) ; Enable Device SMF types 8, 9, 11 and 22
; SWITCH ON(DB2) ; Enable DB2 SMF 100, 101, 102 collection
; SWITCH ON(CICS) ; Enable CICS SMF 110 collection
; SWITCH ON(IBMHttp) ; IBM HTTP Server SMF Type 103
; SWITCH ON(WebSphere) ; Enable WebSphere SMF Type 120
; SWITCH ON(HMC) ; HMC SMF Type 106 BCPii
; SWITCH ON(CD) ; Connect Direct SMF 132
; SWITCH ON(SPM) ; Policy Manager data
; SWITCH ON(AUTOMATE) ; Enable Alert Automation
; SWITCH ON(RECEIVER) ; Enable VM Receiver
; SWITCH ON(AMIOPS) ; AMI Ops Events
; SWITCH ON(PAM) ; Privileged Access Manager
; SWITCH ON(SIV) ; System Integrity Violation Scanner
; SWITCH ON(USSENRICH) ; USS Privileges Enrichment
; SWITCH ON(LOADFILE) ; Loadfile Events
; SWITCH ON(SMF123) ; SMF Type 123
; SWITCH ON(IEFU86) ; Enable the IEFU86 Exit
- Create member CONFLPRP in the #hlq.CZAGENT.PARM data set and copy the original CZDCONFG member that comes with the installation into the new CONFLPRP member.
In the CONFLPRP member:
- Uncomment the SWITCH ON(Splunk) statement as displayed in bold red text in the following example.
- Uncomment the SMF switches as you require.
;**********************************************************************;
;**********************************************************************;
; $$$CONFG: Field configuration member for BMC AMI Datastream ;
; This is a copy of CZDCONFG and made available for ;
; user modification. It will be included in CZDEFINE ;
; SIEMTYPE-independent ;
; Copyright 2014-2018, 2019-2020 BMC Software, Inc. ;
; DRAID-882 - Added SIV option switch ;
;**********************************************************************;
;**********************************************************************;
SAY "v6.2.00 Updated 02 Mar 2022"
;**********************************************************************;
; Do NOT place any statements in this member unless they are acceptable
; BOTH as definition and parameter statements as this member is
; used by both CZDEFINE and CZAPARMS.
;**********************************************************************;
;**********************************************************************;
; Switches for setting the SIEM type. Uncomment ONE and ONLY ONE of the
; following statements
;**********************************************************************;
; SWITCH ON(RFC3164) ; Uncomment for SIEM type RFC 3164
; SWITCH ON(CEF) ; Uncomment for SIEM type CEF
; SWITCH ON(JSON) ; Uncomment for SIEM type JSON
; SWITCH ON(LEEF) ; Uncomment for SIEM type LEEF
SWITCH ON(Splunk) ; Uncomment for SIEM type Splunk
; SWITCH ON(DAM) ; Uncomment for SIEM type DAM
; SWITCH ON(ADELOG) ; Uncomment for SIEM type ADELog
; SWITCH ON(ADEINFLUX) ; Uncomment for SIEM type ADEInflux
;**********************************************************************;
; Switches for the inclusion of various optional support
; Uncomment as desired by replacing the semi-colon (;) in column 1
; with a space.
;**********************************************************************;
; SWITCH ON(Abend-AID) ; Compuware Abend-AID
; SWITCH ON(Action) ; Action Software EventAction SMF Type 249
; SWITCH ON(SessMon) ; BMC Security Session Monitor
; SWITCH ON(ChangeMan) ; Micro Focus ChangeMan
; SWITCH ON(SS) ; SuperSession
; SWITCH ON(BACKLOG) ; BACKLOG messages
; SWITCH ON(CONSOLE) ; Selected CONSOLE messages
; SWITCH ON(VMCON) ; Selected VM Console Messages
; SWITCH ON(VMSEC) ; Selected VM Secure Messages
; SWITCH ON(VMRACF) ; VM SMF 80 RACF fields
; SWITCH ON(GENERIC) ; For CZALDFIL
; SWITCH ON(IND$FILE) ; API1 IND$FILE
; SWITCH ON(JOBLOG) ; Process local/CZAJOBLG SYSOUT
; SWITCH ON(LOCALJL) ; Enable Local JOBLOG support
; LOCALJL requires JOBLOG switch
; SWITCH ON(LSPACE) ; CZALSPAC
; SWITCH ON(MODIFY) ; MODIFY from API1--see manual
; SWITCH ON(BMCAMI) ; BMC AMI IND$FILE SMF 202 records
; SWITCH ON(DIAG) ; Diagnostic message display
; SWITCH ON(IFCID002) ; DB2 IFCID 002
; SWITCH ON(IFCID003) ; DB2 IFCID 003
; SWITCH ON(MQ) ; SMF Type 115 and 116 (MQ Series)
; SWITCH ON(RMF) ; RMF: SMF Types 70 through 79
; SWITCH ON(JES) ; JES2/3 SMF types 26, 43, 55-58
; SWITCH ON(JES3) ; Executing in Jes3 environment
; SWITCH ON(OA57466) ; IF APAR OA57466 applied (SMF26)
; SWITCH ON(TSO) ; SMF 32 and 119
; SWITCH ON(USS) ; SMF 109
; SWITCH ON(CRYPTO) ; SMF 82
; SWITCH ON(SMF113) ; SMF Type 113
; SWITCH ON(SMF30CPU) ; SMF Type 30 CPU reporting
; SWITCH ON(SMF30STO) ; SMF Type 30 Storage reporting
; SWITCH ON(SMF89) ; SMF Type 89
; SWITCH ON(IMSLOG) ; IMS Log Record Events
; SWITCH ON(IMSConn) ; IMS Connect Events
; SWITCH ON(LOG4J) ; Log4j data from CZALDFIL
; SWITCH ON(VSAM) ; Enable VSAM SMF types 60/62/64
; SWITCH ON(RACF) ; Enable RACF Type 80/81/83
; SWITCH ON(TOPSECRET) ; Enable TopSecret Record types 80/231
; SWITCH ON(ACF2) ; Enable ACF/2 Record data/type 230
; SWITCH ON(OPS) ; Enable Operations Events
; SWITCH ON(FAM) ; Enable File Access Monitoring
; SWITCH ON(ICF) ; Enable Integrated Catalog Facility
; SWITCH ON(DEVICE) ; Enable Device SMF types 8, 9, 11 and 22
; SWITCH ON(DB2) ; Enable DB2 SMF 100, 101, 102 collection
; SWITCH ON(CICS) ; Enable CICS SMF 110 collection
; SWITCH ON(IBMHttp) ; IBM HTTP Server SMF Type 103
; SWITCH ON(WebSphere) ; Enable WebSphere SMF Type 120
; SWITCH ON(HMC) ; HMC SMF Type 106 BCPii
; SWITCH ON(CD) ; Connect Direct SMF 132
; SWITCH ON(SPM) ; Policy Manager data
; SWITCH ON(AUTOMATE) ; Enable Alert Automation
; SWITCH ON(RECEIVER) ; Enable VM Receiver
; SWITCH ON(AMIOPS) ; AMI Ops Events
; SWITCH ON(PAM) ; Privileged Access Manager
; SWITCH ON(SIV) ; System Integrity Violation Scanner
; SWITCH ON(USSENRICH) ; USS Privileges Enrichment
; SWITCH ON(LOADFILE) ; Loadfile Events
; SWITCH ON(SMF123) ; SMF Type 123
; SWITCH ON(IEFU86) ; Enable the IEFU86 Exit
- Create member CONFLPRM in the #hlq.CZAGENT.PARM data set and copy the original CZDCONFG member that comes with the installation into the new CONFLPRM member.
In the CONFLPRM member:
- Uncomment the SWITCH ON(Splunk) statement as displayed in bold red text in the following example.
- Uncomment the SMF switches as you require.
;**********************************************************************;
;**********************************************************************;
; $$$CONFG: Field configuration member for BMC AMI Datastream ;
; This is a copy of CZDCONFG and made available for ;
; user modification. It will be included in CZDEFINE ;
; SIEMTYPE-independent ;
; Copyright 2014-2018, 2019-2020 BMC Software, Inc. ;
; DRAID-882 - Added SIV option switch ;
;**********************************************************************;
;**********************************************************************;
SAY "v6.2.00 Updated 02 Mar 2022"
;**********************************************************************;
; Do NOT place any statements in this member unless they are acceptable
; BOTH as definition and parameter statements as this member is
; used by both CZDEFINE and CZAPARMS.
;**********************************************************************;
;**********************************************************************;
; Switches for setting the SIEM type. Uncomment ONE and ONLY ONE of the
; following statements
;**********************************************************************;
; SWITCH ON(RFC3164) ; Uncomment for SIEM type RFC 3164
; SWITCH ON(CEF) ; Uncomment for SIEM type CEF
; SWITCH ON(JSON) ; Uncomment for SIEM type JSON
; SWITCH ON(LEEF) ; Uncomment for SIEM type LEEF
SWITCH ON(Splunk) ; Uncomment for SIEM type Splunk
; SWITCH ON(DAM) ; Uncomment for SIEM type DAM
; SWITCH ON(ADELOG) ; Uncomment for SIEM type ADELog
; SWITCH ON(ADEINFLUX) ; Uncomment for SIEM type ADEInflux
;**********************************************************************;
; Switches for the inclusion of various optional support
; Uncomment as desired by replacing the semi-colon (;) in column 1
; with a space.
;**********************************************************************;
; SWITCH ON(Abend-AID) ; Compuware Abend-AID
; SWITCH ON(Action) ; Action Software EventAction SMF Type 249
; SWITCH ON(SessMon) ; BMC Security Session Monitor
; SWITCH ON(ChangeMan) ; Micro Focus ChangeMan
; SWITCH ON(SS) ; SuperSession
; SWITCH ON(BACKLOG) ; BACKLOG messages
; SWITCH ON(CONSOLE) ; Selected CONSOLE messages
; SWITCH ON(VMCON) ; Selected VM Console Messages
; SWITCH ON(VMSEC) ; Selected VM Secure Messages
; SWITCH ON(VMRACF) ; VM SMF 80 RACF fields
; SWITCH ON(GENERIC) ; For CZALDFIL
; SWITCH ON(IND$FILE) ; API1 IND$FILE
; SWITCH ON(JOBLOG) ; Process local/CZAJOBLG SYSOUT
; SWITCH ON(LOCALJL) ; Enable Local JOBLOG support
; LOCALJL requires JOBLOG switch
; SWITCH ON(LSPACE) ; CZALSPAC
; SWITCH ON(MODIFY) ; MODIFY from API1--see manual
; SWITCH ON(BMCAMI) ; BMC AMI IND$FILE SMF 202 records
; SWITCH ON(DIAG) ; Diagnostic message display
; SWITCH ON(IFCID002) ; DB2 IFCID 002
; SWITCH ON(IFCID003) ; DB2 IFCID 003
; SWITCH ON(MQ) ; SMF Type 115 and 116 (MQ Series)
; SWITCH ON(RMF) ; RMF: SMF Types 70 through 79
; SWITCH ON(JES) ; JES2/3 SMF types 26, 43, 55-58
; SWITCH ON(JES3) ; Executing in Jes3 environment
; SWITCH ON(OA57466) ; IF APAR OA57466 applied (SMF26)
; SWITCH ON(TSO) ; SMF 32 and 119
; SWITCH ON(USS) ; SMF 109
; SWITCH ON(CRYPTO) ; SMF 82
; SWITCH ON(SMF113) ; SMF Type 113
; SWITCH ON(SMF30CPU) ; SMF Type 30 CPU reporting
; SWITCH ON(SMF30STO) ; SMF Type 30 Storage reporting
; SWITCH ON(SMF89) ; SMF Type 89
; SWITCH ON(IMSLOG) ; IMS Log Record Events
; SWITCH ON(IMSConn) ; IMS Connect Events
; SWITCH ON(LOG4J) ; Log4j data from CZALDFIL
; SWITCH ON(VSAM) ; Enable VSAM SMF types 60/62/64
; SWITCH ON(RACF) ; Enable RACF Type 80/81/83
; SWITCH ON(TOPSECRET) ; Enable TopSecret Record types 80/231
; SWITCH ON(ACF2) ; Enable ACF/2 Record data/type 230
; SWITCH ON(OPS) ; Enable Operations Events
; SWITCH ON(FAM) ; Enable File Access Monitoring
; SWITCH ON(ICF) ; Enable Integrated Catalog Facility
; SWITCH ON(DEVICE) ; Enable Device SMF types 8, 9, 11 and 22
; SWITCH ON(DB2) ; Enable DB2 SMF 100, 101, 102 collection
; SWITCH ON(CICS) ; Enable CICS SMF 110 collection
; SWITCH ON(IBMHttp) ; IBM HTTP Server SMF Type 103
; SWITCH ON(WebSphere) ; Enable WebSphere SMF Type 120
; SWITCH ON(HMC) ; HMC SMF Type 106 BCPii
; SWITCH ON(CD) ; Connect Direct SMF 132
; SWITCH ON(SPM) ; Policy Manager data
; SWITCH ON(AUTOMATE) ; Enable Alert Automation
; SWITCH ON(RECEIVER) ; Enable VM Receiver
; SWITCH ON(AMIOPS) ; AMI Ops Events
; SWITCH ON(PAM) ; Privileged Access Manager
; SWITCH ON(SIV) ; System Integrity Violation Scanner
; SWITCH ON(USSENRICH) ; USS Privileges Enrichment
; SWITCH ON(LOADFILE) ; Loadfile Events
; SWITCH ON(SMF123) ; SMF Type 123
; SWITCH ON(IEFU86) ; Enable the IEFU86 Exit
Edit the original #hlq.CZAGENT.PARM(CZAPARMS) member as displayed in bold red text in the following example:
; LEEF - TRANS(TCP) Required by QRadar
;
;SERVER ip.addr.example TRANS(TCP) MAXMSG(2000) ; You MUST edit per doc
;
; SPLUNK - TRANS(TCP) Recommended
;
;SERVER ip.addr.example TRANS(TCP) MAXMSG(3000) ; You MUST edit per doc
%INCLUDE IF(CEF) DD:CZAPARMS(PRM1&SYSNAME.)
%INCLUDE IF(Splunk) DD:CZAPARMS(PARM&SYSNAME.)
The configuration defines three separate CZAPARMS members:
- PRM1LPRB for the CEF agent on LPRB
- PARMLPRP for the Splunk agent on LPRP
- PARMLPRM for the Splunk agent on LPRM
Create member PRM1LPRB in the #hlq.CZAGENT.PARM data set.
This member contains only the SERVER statement specification for your CEF agent on LPRB, such as the specification displayed in bold red text in the following example:
; Parameter file for CZAGENT
; SIEMTYPE-independent
; Copyright 2014-2021, 2022 BMC Software, Inc.
SAY "PRM1LPRB v6.2.00 updated 02 Mar 2022"
SERVER nnn.nn.nn.nnn TRANS(UDP) MAXMSG(2000)
Create member PARMLPRP in the #hlq.CZAGENT.PARM data set.
This member contains only the SERVER statement specification for your Splunk agent on LPRP, such as the specification displayed in bold red text in the following example:
; Parameter file for CZAGENT
; SIEMTYPE-independent
; Copyright 2014-2021, 2022 BMC Software, Inc.
SAY "PARMLPRP v6.2.00 updated 02 Mar 2022"
SERVER nnn.nn.nn.nnn TRANS(UDP) MAXMSG(2000)
Create member PARMLPRM in the #hlq.CZAGENT.PARM data set.
This member contains only the SERVER statement specification for your Splunk agent on LPRM, such as the specification displayed in bold red text in the following example:
; Parameter file for CZAGENT
; SIEMTYPE-independent
; Copyright 2014-2021, 2022 BMC Software, Inc.
SAY "PARMLPRM v6.2.00 updated 02 Mar 2022"
SERVER nnn.nn.nn.nnn TRANS(UDP) MAXMSG(2000)
Copy the original sample PROC statement from the #hlq.CZAGENT.PARM(CZAGENT) data set and change the following agent PROC statements:
- For each Splunk agent, change the symbolic override SWITCH from SWITCH=DEFLTCFG to SWITCH=SPLUNK.
- For the CEF agent, change the symbolic override SWITCH from SWITCH=DEFLTCFG to SWITCH=CEF.
The following symbolic overrides in the PROC statement can remain unchanged:
DEFINES=CZDEFINE
PARMS=CZAPARMS
- Use the following commands, in any order, to run the started tasks:
/S CEFagentName
/S SPLUNKagentNameOnLPRP
/S SPLUNKagentNameOnLPRM
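A pre-deployment check for the members built in this procedure, added here as an example and not part of the BMC documentation or product: it confirms that a CZDCONFG-style member has exactly one SIEM-type switch active and shows which CZAPARMS member each %INCLUDE IF() statement selects on a given LPAR. The function names, the sample text, the treatment of ';' as a comment delimiter anywhere on a line, and case-insensitive switch matching are assumptions.

```python
import re

# SIEM-type switch names listed in the CZDCONFG member on this page.
SIEM_TYPES = {"RFC3164", "CEF", "JSON", "LEEF", "SPLUNK", "DAM", "ADELOG", "ADEINFLUX"}
SWITCH_RE = re.compile(r"SWITCH\s+ON\(([^)]+)\)", re.IGNORECASE)
INCLUDE_RE = re.compile(
    r"%INCLUDE\s+IF\(([^)]+)\)\s+DD:(\w+)\((\w*)&SYSNAME\.\)", re.IGNORECASE)

# Constructed sample input, abbreviated from the members shown on this page.
SAMPLE_CONFIG = """\
; SWITCH ON(RFC3164) ; Uncomment for SIEM type RFC 3164
; SWITCH ON(CEF) ; Uncomment for SIEM type CEF
 SWITCH ON(Splunk) ; Uncomment for SIEM type Splunk
; SWITCH ON(DAM) ; Uncomment for SIEM type DAM
 SWITCH ON(RACF) ; Enable RACF Type 80/81/83
"""
SAMPLE_PARMS = """\
;SERVER ip.addr.example TRANS(TCP) MAXMSG(3000) ; You MUST edit per doc
%INCLUDE IF(CEF) DD:CZAPARMS(PRM1&SYSNAME.)
%INCLUDE IF(Splunk) DD:CZAPARMS(PARM&SYSNAME.)
"""


def active_statements(member_text):
    """Yield statements with comments removed (assumes ';' starts a comment)."""
    for line in member_text.splitlines():
        stmt = line.split(";", 1)[0].strip()
        if stmt:
            yield stmt


def check_siem_switch(member_text):
    """Return (ok, switches); ok only when exactly one SIEM type is active."""
    active = [m.group(1).strip() for s in active_statements(member_text)
              if (m := SWITCH_RE.match(s))]
    siem = [name for name in active if name.upper() in SIEM_TYPES]
    return len(siem) == 1, siem


def resolve_includes(parm_text, switch, sysname):
    """Return the DD(member) names that %INCLUDE IF(switch) selects on sysname."""
    return [f"{m.group(2)}({m.group(3)}{sysname})"
            for s in active_statements(parm_text)
            if (m := INCLUDE_RE.match(s)) and m.group(1).upper() == switch.upper()]


if __name__ == "__main__":
    print(check_siem_switch(SAMPLE_CONFIG))
    for switch, lpar in (("CEF", "LPRB"), ("Splunk", "LPRP"), ("Splunk", "LPRM")):
        print(switch, lpar, resolve_includes(SAMPLE_PARMS, switch, lpar))
```

Running the check against each CONFxxxx member before starting the agents catches a member with two SIEM types uncommented, or none.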