BMC AMI Datastream agent customization use cases
Before you begin
- Make a backup of the CZDCONFG member that comes with the product installation.
- Do not edit the CZDEFINE member that comes with the product installation unless specifically directed by BMC Support. Instead of changing CZDEFINE, add or update field definitions in CZDUSER3, and override CZDCONFG through changes to CZDUSER2.
Use case: Running tasks started on more than one agent on the same LPAR
You want to start tasks on two different agents to run two separate tasks on the same LPAR:
- One agent transmits Splunk format messages to a Splunk server.
- One agent transmits RFC3164 BSD syslog protocol messages to BMC AMI Command Center for Security.
To start and run these tasks, you need to configure the agents as described in the following example procedure. You can use the principles in the procedure to configure tasks on up to eight agents to run on the same LPAR.
To configure two agents to start and run separate tasks on the same LPAR
Edit #hlq.PARM(CZDUSER2) to define two CZDCONFG member definitions as displayed in bold red text in the following syntax:
;**********************************************************************;
;**********************************************************************;
; CZDUSER2: Fields Definitions for the BMC AMI Datastream for z/OS ;
; Refer to the product documentation for information about defining ;
; fields. ;
;**********************************************************************;
;**********************************************************************;
;**********************************************************************;
; This member is available for user modifications. ;
;**********************************************************************;
SAY "v7.1.03 Updated 20 September 2023"
%INCLUDE IF(Splunk) DD:CZAPARMS(CONF&SYSNAME.)
%INCLUDE IF(RFC3164) DD:CZAPARMS(CNF0&SYSNAME.)
For an LPAR named LPRA, the configuration defines the following CZDCONFG members:
- CONFLPRA for the Splunk agent
- CNF0LPRA for the RFC3164 agent
- Create member CONFLPRA in the #hlq.PARM data set, and copy the content of the original CZDCONFG member into the new CONFLPRA member.
In the CONFLPRA member:
- Uncomment the SWITCH ON(Splunk) statement as displayed in bold red text in the following example.
- Uncomment SMF switches as you require.
In the following example, the SMF switches for Compuware Abend-AID, Action Software EventAction, BMC AMI Security Session Monitor, and Micro Focus ChangeMan events are commented out:
;**********************************************************************;
;**********************************************************************;
; $$$CONFG: Field configuration member for BMC AMI Datastream ;
; This is a copy of CZDCONFG and made available for ;
; user modification. It will be included in CZDEFINE ;
; SIEMTYPE-independent ;
; Copyright (c) 2014-2025 BMC Software, Inc. ;
; DRAID-882 - Added SIV option switch ;
;**********************************************************************;
;**********************************************************************;
SAY "v7.1.03 Updated 07 Apr 2025"
;**********************************************************************;
;**********************************************************************;
; Do NOT place any statements in this member unless they are acceptable
; BOTH as definition and parameter statements as this member is
; used by both CZDEFINE and CZAPARMS.
;**********************************************************************;
;**********************************************************************;
; Switches for setting the SIEM type. Uncomment ONE and ONLY ONE of the
; following statements
;**********************************************************************;
; SWITCH ON(RFC3164) ; Uncomment for SIEM type RFC 3164
; SWITCH ON(CEF) ; Uncomment for SIEM type CEF
; SWITCH ON(JSON) ; Uncomment for SIEM type JSON
; SWITCH ON(LEEF) ; Uncomment for SIEM type LEEF
SWITCH ON(Splunk) ; Uncomment for SIEM type Splunk
; SWITCH ON(DAM) ; Uncomment for SIEM type DAM
; SWITCH ON(AMIJSON) ; Uncomment for SIEM type AMIJSON
; SWITCH ON(INFLUXDB) ; Uncomment for SIEM type INFLUX_DB
;**********************************************************************;
; Switches for the inclusion of various optional support
; Uncomment as desired by replacing the semi-colon (;) in column 1
; with a space.
;**********************************************************************;
; SWITCH ON(Abend-AID) ; Compuware Abend-AID
; SWITCH ON(Action) ; Action Software EventAction SMF Type 249
; SWITCH ON(SessMon) ; BMC Security Session Monitor
; SWITCH ON(ChangeMan) ; Micro Focus ChangeMan
SWITCH ON(SS) ; SuperSession
SWITCH ON(IAM) ; BMC AMI Storage IAM
SWITCH ON(BACKLOG) ; BACKLOG messages
SWITCH ON(CONSOLE) ; Selected CONSOLE messages
SWITCH ON(VMCON) ; Selected VM Console Messages
SWITCH ON(VMSEC) ; Selected VM Secure Messages
SWITCH ON(VMRACF) ; VM SMF 80 RACF fields
SWITCH ON(GENERIC) ; For LOADFILE
SWITCH ON(IND$FILE) ; API1 IND$FILE
SWITCH ON(JOBLOG) ; Process local/JOBLOG SYSOUT
SWITCH ON(LOCALJL) ; Enable Local JOBLOG support
; LOCALJL requires JOBLOG switch
SWITCH ON(LSPACE) ; LSPACE DASD Freespace Monitoring
SWITCH ON(MODIFY) ; MODIFY from API1--see manual
SWITCH ON(BMCAMI) ; BMC AMI IND$FILE SMF 202 records
SWITCH ON(DIAG) ; Diagnostic message display
SWITCH ON(IFCID002) ; DB2 IFCID 002
SWITCH ON(IFCID003) ; DB2 IFCID 003
SWITCH ON(IFCAPPT) ; DB2 APPTUNE IFCID records
SWITCH ON(MQ) ; SMF Type 115 and 116 (MQ Series)
SWITCH ON(INTGRBUS) ; SMF Type 117 (IBM Integration Bus)
SWITCH ON(RMF) ; RMF: SMF Types 70 through 79
SWITCH ON(JES) ; JES2/3 SMF types 26, 43, 55-58
SWITCH ON(JES3) ; Executing in Jes3 environment
SWITCH ON(OA57466) ; IF APAR OA57466 applied (SMF26)
SWITCH ON(DFSORT) ; DFSORT SMF 16 Records
SWITCH ON(TSO) ; SMF 32 and 119
SWITCH ON(USS) ; SMF 109
SWITCH ON(CRYPTO) ; SMF 82
SWITCH ON(SYSLOGGER) ; Enable System Logger SMF type 88
SWITCH ON(SMF113) ; SMF Type 113
SWITCH ON(SMF30CPU) ; SMF Type 30 CPU reporting
SWITCH ON(SMF30STO) ; SMF Type 30 Storage reporting
SWITCH ON(SMF30CTS) ; SMF Type 30 Crypto & NNPI Counters Section
SWITCH ON(SMF30CNR) ; SMF Type 30 Container Section
SWITCH ON(SMF30LES) ; SMF Type 30 LE statistics Section
SWITCH ON(SMF89) ; SMF Type 89
SWITCH ON(IMSLOG) ; IMS Log Record Events
SWITCH ON(IMSConn) ; IMS Connect Events
SWITCH ON(LOG4J) ; Log4j data from LOADFILE
SWITCH ON(VSAM) ; Enable VSAM SMF types 60/62/64
SWITCH ON(RACF) ; Enable RACF Type 80/81/83/1154
SWITCH ON(TOPSECRET) ; Enable TopSecret Record types 80/231
SWITCH ON(ACF2) ; Enable ACF/2 Record data/type 230
SWITCH ON(OPS) ; Enable Operations Events
SWITCH ON(FAM) ; Enable File Access Monitoring
SWITCH ON(HFTS) ; Enable HFTS data SMF 98
SWITCH ON(SRMC) ; Enable SRM data SMF 99
SWITCH ON(ICF) ; Enable Integrated Catalog Facility
SWITCH ON(DEVICE) ; Enable Device SMF types 8, 9, 11 and 22
SWITCH ON(DIVVLF) ; Enable DIV objects and VLF stats SMF type 41
SWITCH ON(DB2) ; Enable DB2 SMF 100, 101, 102 collection
SWITCH ON(CICS) ; Enable CICS SMF 110 collection
SWITCH ON(IBMHttp) ; IBM HTTP Server SMF Type 103
SWITCH ON(WebSphere) ; Enable WebSphere SMF Type 120
SWITCH ON(HMC) ; HMC SMF Type 106 BCPii
SWITCH ON(CD) ; Connect Direct SMF 132
SWITCH ON(SPM) ; Policy Manager data
SWITCH ON(AUTOMATE) ; Enable Alert Automation
SWITCH ON(RECEIVER) ; Enable VM Receiver
SWITCH ON(VMCLIENT) ; Enable VM Client
SWITCH ON(AMIOPS) ; AMI Ops Events
SWITCH ON(AOPSMIMS) ; AMI OpsM for IMS SMF record
SWITCH ON(PAM) ; Privileged Access Manager
SWITCH ON(ECOKTA) ; EC for OKTA SMF Record
SWITCH ON(SIV) ; System Integrity Violation Scanner
SWITCH ON(SRCC) ; Proclib/Parmlib changes (Requires SIV)
SWITCH ON(USRSRCC) ; Userlib changes (Requires SIV and SRCC)
SWITCH ON(USSENRICH) ; USS Privileges Enrichment
SWITCH ON(LOADFILE) ; Loadfile Events
SWITCH ON(SMF123) ; SMF Type 123
SWITCH ON(IEFU86) ; Enable the IEFU86 Exit
SWITCH ON(SSCmd) ; Enable Sub System Command Intercept
SWITCH ON(RACFCmd) ; Enable RACF Command Intercept
- Create member CNF0LPRA in the #hlq.PARM data set and copy the original CZDCONFG member that comes with the installation into the new CNF0LPRA member.
In the CNF0LPRA member:
- Uncomment the SWITCH ON(RFC3164) statement as displayed in bold red text in the following example.
- Uncomment SMF switches as you require.
In the following example, all the SMF switches are uncommented:
;**********************************************************************;
;**********************************************************************;
; $$$CONFG: Field configuration member for BMC AMI Datastream ;
; This is a copy of CZDCONFG and made available for ;
; user modification. It will be included in CZDEFINE ;
; SIEMTYPE-independent ;
; Copyright (c) 2014-2025 BMC Software, Inc. ;
; DRAID-882 - Added SIV option switch ;
;**********************************************************************;
;**********************************************************************;
SAY "v7.1.03 Updated 07 Apr 2025"
;**********************************************************************;
;**********************************************************************;
; Do NOT place any statements in this member unless they are acceptable
; BOTH as definition and parameter statements as this member is
; used by both CZDEFINE and CZAPARMS.
;**********************************************************************;
;**********************************************************************;
; Switches for setting the SIEM type. Uncomment ONE and ONLY ONE of the
; following statements
;**********************************************************************;
SWITCH ON(RFC3164) ; Uncomment for SIEM type RFC 3164
; SWITCH ON(CEF) ; Uncomment for SIEM type CEF
; SWITCH ON(JSON) ; Uncomment for SIEM type JSON
; SWITCH ON(LEEF) ; Uncomment for SIEM type LEEF
; SWITCH ON(Splunk) ; Uncomment for SIEM type Splunk
; SWITCH ON(DAM) ; Uncomment for SIEM type DAM
; SWITCH ON(AMIJSON) ; Uncomment for SIEM type AMIJSON
; SWITCH ON(INFLUXDB) ; Uncomment for SIEM type INFLUX_DB
;**********************************************************************;
; Switches for the inclusion of various optional support
; Uncomment as desired by replacing the semi-colon (;) in column 1
; with a space.
;**********************************************************************;
SWITCH ON(Abend-AID) ; Compuware Abend-AID
SWITCH ON(Action) ; Action Software EventAction SMF Type 249
SWITCH ON(SessMon) ; BMC Security Session Monitor
SWITCH ON(ChangeMan) ; Micro Focus ChangeMan
SWITCH ON(SS) ; SuperSession
SWITCH ON(IAM) ; BMC AMI Storage IAM
SWITCH ON(BACKLOG) ; BACKLOG messages
SWITCH ON(CONSOLE) ; Selected CONSOLE messages
SWITCH ON(VMCON) ; Selected VM Console Messages
SWITCH ON(VMSEC) ; Selected VM Secure Messages
SWITCH ON(VMRACF) ; VM SMF 80 RACF fields
SWITCH ON(GENERIC) ; For LOADFILE
SWITCH ON(IND$FILE) ; API1 IND$FILE
SWITCH ON(JOBLOG) ; Process local/JOBLOG SYSOUT
SWITCH ON(LOCALJL) ; Enable Local JOBLOG support
; LOCALJL requires JOBLOG switch
SWITCH ON(LSPACE) ; LSPACE DASD Freespace Monitoring
SWITCH ON(MODIFY) ; MODIFY from API1--see manual
SWITCH ON(BMCAMI) ; BMC AMI IND$FILE SMF 202 records
SWITCH ON(DIAG) ; Diagnostic message display
SWITCH ON(IFCID002) ; DB2 IFCID 002
SWITCH ON(IFCID003) ; DB2 IFCID 003
SWITCH ON(IFCAPPT) ; DB2 APPTUNE IFCID records
SWITCH ON(MQ) ; SMF Type 115 and 116 (MQ Series)
SWITCH ON(INTGRBUS) ; SMF Type 117 (IBM Integration Bus)
SWITCH ON(RMF) ; RMF: SMF Types 70 through 79
SWITCH ON(JES) ; JES2/3 SMF types 26, 43, 55-58
SWITCH ON(JES3) ; Executing in Jes3 environment
SWITCH ON(OA57466) ; IF APAR OA57466 applied (SMF26)
SWITCH ON(DFSORT) ; DFSORT SMF 16 Records
SWITCH ON(TSO) ; SMF 32 and 119
SWITCH ON(USS) ; SMF 109
SWITCH ON(CRYPTO) ; SMF 82
SWITCH ON(SYSLOGGER) ; Enable System Logger SMF type 88
SWITCH ON(SMF113) ; SMF Type 113
SWITCH ON(SMF30CPU) ; SMF Type 30 CPU reporting
SWITCH ON(SMF30STO) ; SMF Type 30 Storage reporting
SWITCH ON(SMF30CTS) ; SMF Type 30 Crypto & NNPI Counters Section
SWITCH ON(SMF30CNR) ; SMF Type 30 Container Section
SWITCH ON(SMF30LES) ; SMF Type 30 LE statistics Section
SWITCH ON(SMF89) ; SMF Type 89
SWITCH ON(IMSLOG) ; IMS Log Record Events
SWITCH ON(IMSConn) ; IMS Connect Events
SWITCH ON(LOG4J) ; Log4j data from LOADFILE
SWITCH ON(VSAM) ; Enable VSAM SMF types 60/62/64
SWITCH ON(RACF) ; Enable RACF Type 80/81/83/1154
SWITCH ON(TOPSECRET) ; Enable TopSecret Record types 80/231
SWITCH ON(ACF2) ; Enable ACF/2 Record data/type 230
SWITCH ON(OPS) ; Enable Operations Events
SWITCH ON(FAM) ; Enable File Access Monitoring
SWITCH ON(HFTS) ; Enable HFTS data SMF 98
SWITCH ON(SRMC) ; Enable SRM data SMF 99
SWITCH ON(ICF) ; Enable Integrated Catalog Facility
SWITCH ON(DEVICE) ; Enable Device SMF types 8, 9, 11 and 22
SWITCH ON(DIVVLF) ; Enable DIV objects and VLF stats SMF type 41
SWITCH ON(DB2) ; Enable DB2 SMF 100, 101, 102 collection
SWITCH ON(CICS) ; Enable CICS SMF 110 collection
SWITCH ON(IBMHttp) ; IBM HTTP Server SMF Type 103
SWITCH ON(WebSphere) ; Enable WebSphere SMF Type 120
SWITCH ON(HMC) ; HMC SMF Type 106 BCPii
SWITCH ON(CD) ; Connect Direct SMF 132
SWITCH ON(SPM) ; Policy Manager data
SWITCH ON(AUTOMATE) ; Enable Alert Automation
SWITCH ON(RECEIVER) ; Enable VM Receiver
SWITCH ON(VMCLIENT) ; Enable VM Client
SWITCH ON(AMIOPS) ; AMI Ops Events
SWITCH ON(AOPSMIMS) ; AMI OpsM for IMS SMF record
SWITCH ON(PAM) ; Privileged Access Manager
SWITCH ON(ECOKTA) ; EC for OKTA SMF Record
SWITCH ON(SIV) ; System Integrity Violation Scanner
SWITCH ON(SRCC) ; Proclib/Parmlib changes (Requires SIV)
SWITCH ON(USRSRCC) ; Userlib changes (Requires SIV and SRCC)
SWITCH ON(USSENRICH) ; USS Privileges Enrichment
SWITCH ON(LOADFILE) ; Loadfile Events
SWITCH ON(SMF123) ; SMF Type 123
SWITCH ON(IEFU86) ; Enable the IEFU86 Exit
SWITCH ON(SSCmd) ; Enable Sub System Command Intercept
SWITCH ON(RACFCmd) ; Enable RACF Command Intercept
Edit the original #hlq.PARM(CZAPARMS) member as displayed in bold red text in the following example:
; LEEF - TRANS(TCP) Required by QRadar
;
;SERVER ip.addr.example TRANS(TCP) MAXMSG(2000) ; You MUST edit per doc
;
; SPLUNK - TRANS(TCP) Recommended
;
;SERVER ip.addr.example TRANS(TCP) MAXMSG(3000) ; You MUST edit per doc
%INCLUDE IF(Splunk) DD:CZAPARMS(PARM&SYSNAME.)
%INCLUDE IF(RFC3164) DD:CZAPARMS(PRM0&SYSNAME.)
For an LPAR named LPRA, the configuration defines the following CZAPARMS members:
- PARMLPRA for the Splunk agent
- PRM0LPRA for the RFC3164 agent
Create member PRM0LPRA in the #hlq.PARM data set.
This member can contain only the SERVER statement specification for your RFC3164 agent, such as the specifications displayed in bold red text in the following example:
; Parameter file for CZAGENT
; SIEMTYPE-independent
; Copyright (c) 2014-2025 BMC Software, Inc.
SAY "PRM0LPRA v7.1.03 Updated 07 Apr 2025"
SERVER nnn.nn.nn.nnn TRANS(UDP) MAXMSG(2000)
Create member PARMLPRA in the #hlq.PARM data set.
This new member can contain only the SERVER statement specification for your Splunk agent, such as the specifications displayed in bold red text in the following example:
; Parameter file for CZAGENT
; SIEMTYPE-independent
; Copyright (c) 2014-2025 BMC Software, Inc.
SAY "PARMLPRA v7.1.03 Updated 07 Apr 2025"
SERVER nnn.nn.nnn.nnn:mmmmm TRANS(UDP) MAXMSG(50000)
The mmmmm variable represents the required port number.
Copy the original sample PROC statement from the #hlq.PARM(CZAMIOPS) data set, and change the PROC statements as follows:
- For the RFC3164 agent, change the symbolic override SWITCH from SWITCH=DEFLTCFG to SWITCH=RFC3164.
- For the Splunk agent, change the symbolic override SWITCH from SWITCH=DEFLTCFG to SWITCH=SPLUNK.
The following symbolic overrides in the PROC statement can remain unchanged:
DEFINES=CZDEFINE
PARMS=CZAPARMS
- Use the following commands, in any order, to run the started tasks:
/S RFC3164agentName
/S SPLUNKagentName
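The following Python sketch is an added example, not part of the BMC documentation or product: it lints a copy of CZDCONFG against the rules stated in the member's own comments (exactly one SIEM type switch; LOCALJL requires JOBLOG; SRCC requires SIV; USRSRCC requires SIV and SRCC) and expands &SYSNAME. in the %INCLUDE statements to confirm that the resulting member names exist and fit the 8-character PDS member-name limit. The function names and sample member text are constructed for illustration, and treating any line whose first non-blank character is a semicolon as a comment is an assumption.

```python
import re

# SIEM type switch names as listed in the CZDCONFG member shown on this page.
SIEM_TYPES = {"RFC3164", "CEF", "JSON", "LEEF", "Splunk", "DAM", "AMIJSON", "INFLUXDB"}

# Dependencies stated in the member's own comments.
REQUIRES = {
    "LOCALJL": {"JOBLOG"},
    "SRCC": {"SIV"},
    "USRSRCC": {"SIV", "SRCC"},
}

SWITCH_RE = re.compile(r"^\s*SWITCH\s+ON\(([^)]+)\)", re.IGNORECASE)
INCLUDE_RE = re.compile(r"^\s*%INCLUDE\s+IF\(([^)]+)\)\s+DD:(\w+)\(([^)]+)\)", re.IGNORECASE)


def is_comment(line):
    # Assumption: a line whose first non-blank character is ';' is a comment.
    return line.lstrip().startswith(";")


def active_switches(member_text):
    """Return the set of switch names on lines that are not commented out."""
    active = set()
    for line in member_text.splitlines():
        if is_comment(line):
            continue
        m = SWITCH_RE.match(line)
        if m:
            active.add(m.group(1).strip())
    return active


def lint_config_member(member_text):
    """Check one CZDCONFG copy; return a list of findings (empty means clean)."""
    active = active_switches(member_text)
    findings = []
    siem = sorted(active & SIEM_TYPES)
    if len(siem) != 1:
        findings.append(f"expected exactly one SIEM type switch, found {siem}")
    for switch, needed in REQUIRES.items():
        missing = sorted(needed - active)
        if switch in active and missing:
            findings.append(f"{switch} is on but requires {missing}")
    return findings


def resolve_includes(member_text, sysname):
    """Expand &SYSNAME. in %INCLUDE statements to (switch, ddname, member) tuples."""
    resolved = []
    for line in member_text.splitlines():
        if is_comment(line):
            continue
        m = INCLUDE_RE.match(line)
        if m:
            member = m.group(3).replace("&SYSNAME.", sysname)
            resolved.append((m.group(1), m.group(2), member))
    return resolved


def lint_includes(member_text, sysname, existing_members):
    """Flag resolved member names that are too long or absent from the data set."""
    findings = []
    for switch, _dd, member in resolve_includes(member_text, sysname):
        if len(member) > 8:
            findings.append(f"{member}: longer than 8 characters, not a valid PDS member name")
        elif member not in existing_members:
            findings.append(f"{member}: included for IF({switch}) but not found")
    return findings


# Constructed sample input, modelled on the members shown on this page.
CZDUSER2 = """\
SAY "v7.1.03 Updated 20 September 2023"
%INCLUDE IF(Splunk) DD:CZAPARMS(CONF&SYSNAME.)
%INCLUDE IF(RFC3164) DD:CZAPARMS(CNF0&SYSNAME.)
"""

GOOD_MEMBER = """\
; SWITCH ON(RFC3164) ; Uncomment for SIEM type RFC 3164
 SWITCH ON(Splunk) ; Uncomment for SIEM type Splunk
 SWITCH ON(JOBLOG) ; Process local/JOBLOG SYSOUT
 SWITCH ON(LOCALJL) ; Enable Local JOBLOG support
 SWITCH ON(SIV) ; System Integrity Violation Scanner
 SWITCH ON(SRCC) ; Proclib/Parmlib changes (Requires SIV)
"""

BAD_MEMBER = """\
 SWITCH ON(RFC3164) ; Uncomment for SIEM type RFC 3164
 SWITCH ON(Splunk) ; Uncomment for SIEM type Splunk
 SWITCH ON(SIV) ; System Integrity Violation Scanner
; SWITCH ON(SRCC) ; Proclib/Parmlib changes (Requires SIV)
 SWITCH ON(USRSRCC) ; Userlib changes (Requires SIV and SRCC)
"""

if __name__ == "__main__":
    print(lint_config_member(GOOD_MEMBER))
    print(lint_config_member(BAD_MEMBER))
    print(lint_includes(CZDUSER2, "LPRA", {"CONFLPRA"}))
```

Run the checks against each per-agent copy before starting the tasks, so that a member with two SIEM types enabled or a missing CNF0/PARM member is caught before the agent silently sends nothing to the SIEM.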
Use case: Adding an agent to an LPAR running tasks started by existing agents
You already have two separate tasks that are started by two different agents:
- One agent transmits RFC3164 BSD syslog protocol messages to BMC AMI Command Center for Security.
- One agent transmits Splunk format messages to the Splunk server.
The agent that transmits RFC3164 BSD syslog protocol messages uses the UDP protocol. You now want to run on the same LPAR a task started on another agent that transmits RFC3164 BSD syslog protocol messages using the TCP protocol.
To add and configure an agent to start a task to run on the same LPAR on which tasks started by other agents are already running
Edit #hlq.PARM(CZDUSER2) to add a CZDCONF member definition as displayed in bold red text in the following syntax:
;**********************************************************************;
;**********************************************************************;
; CZDUSER2: Fields Definitions for the BMC AMI Datastream for z/OS ;
; Refer to the product documentation for information about defining ;
; fields. ;
;**********************************************************************;
;**********************************************************************;
;**********************************************************************;
; This member is available for user modifications. ;
;**********************************************************************;
SAY "v7.1.03 Updated 20 September 2023"
%INCLUDE IF(Splunk) DD:CZAPARMS(CONF&SYSNAME.)
%INCLUDE IF(RFC3164) DD:CZAPARMS(CNF0&SYSNAME.)
%INCLUDE IF(RFC3164T) DD:CZAPARMS(CNF4&SYSNAME.)
The variable RFC3164T represents any unique name that you choose.
Create member CNF4LPRA in the #hlq.PARM data set and copy the original CZDCONFG member that comes with the installation into the new CNF4LPRA member.
In the CNF4LPRA member:
- Uncomment the SWITCH ON(RFC3164) statement as displayed in bold red text in the following example.
- Uncomment the SMF switches as you require.
;**********************************************************************;
;**********************************************************************;
; $$$CONFG: Field configuration member for BMC AMI Datastream ;
; This is a copy of CZDCONFG and made available for ;
; user modification. It will be included in CZDEFINE ;
; SIEMTYPE-independent ;
; Copyright (c) 2014-2025 BMC Software, Inc. ;
; DRAID-882 - Added SIV option switch ;
;**********************************************************************;
;**********************************************************************;
SAY "v7.1.03 Updated 07 Apr 2025"
;**********************************************************************;
;**********************************************************************;
; Do NOT place any statements in this member unless they are acceptable
; BOTH as definition and parameter statements as this member is
; used by both CZDEFINE and CZAPARMS.
;**********************************************************************;
;**********************************************************************;
; Switches for setting the SIEM type. Uncomment ONE and ONLY ONE of the
; following statements
;**********************************************************************;
SWITCH ON(RFC3164) ; Uncomment for SIEM type RFC 3164
; SWITCH ON(CEF) ; Uncomment for SIEM type CEF
; SWITCH ON(JSON) ; Uncomment for SIEM type JSON
; SWITCH ON(LEEF) ; Uncomment for SIEM type LEEF
; SWITCH ON(Splunk) ; Uncomment for SIEM type Splunk
; SWITCH ON(DAM) ; Uncomment for SIEM type DAM
; SWITCH ON(AMIJSON) ; Uncomment for SIEM type AMIJSON
; SWITCH ON(INFLUXDB) ; Uncomment for SIEM type INFLUX_DB
;**********************************************************************;
; Switches for the inclusion of various optional support
; Uncomment as desired by replacing the semi-colon (;) in column 1
; with a space.
;**********************************************************************;
; SWITCH ON(Abend-AID) ; Compuware Abend-AID
; SWITCH ON(Action) ; Action Software EventAction SMF Type 249
; SWITCH ON(SessMon) ; BMC Security Session Monitor
; SWITCH ON(ChangeMan) ; Micro Focus ChangeMan
SWITCH ON(SS) ; SuperSession
SWITCH ON(IAM) ; BMC AMI Storage IAM
SWITCH ON(BACKLOG) ; BACKLOG messages
SWITCH ON(CONSOLE) ; Selected CONSOLE messages
SWITCH ON(VMCON) ; Selected VM Console Messages
SWITCH ON(VMSEC) ; Selected VM Secure Messages
SWITCH ON(VMRACF) ; VM SMF 80 RACF fields
SWITCH ON(GENERIC) ; For LOADFILE
SWITCH ON(IND$FILE) ; API1 IND$FILE
SWITCH ON(JOBLOG) ; Process local/JOBLOG SYSOUT
SWITCH ON(LOCALJL) ; Enable Local JOBLOG support
; LOCALJL requires JOBLOG switch
SWITCH ON(LSPACE) ; LSPACE DASD Freespace Monitoring
SWITCH ON(MODIFY) ; MODIFY from API1--see manual
SWITCH ON(BMCAMI) ; BMC AMI IND$FILE SMF 202 records
SWITCH ON(DIAG) ; Diagnostic message display
SWITCH ON(IFCID002) ; DB2 IFCID 002
SWITCH ON(IFCID003) ; DB2 IFCID 003
SWITCH ON(IFCAPPT) ; DB2 APPTUNE IFCID records
SWITCH ON(MQ) ; SMF Type 115 and 116 (MQ Series)
SWITCH ON(INTGRBUS) ; SMF Type 117 (IBM Integration Bus)
; SWITCH ON(RMF) ; RMF: SMF Types 70 through 79
SWITCH ON(JES) ; JES2/3 SMF types 26, 43, 55-58
SWITCH ON(JES3) ; Executing in Jes3 environment
SWITCH ON(OA57466) ; IF APAR OA57466 applied (SMF26)
SWITCH ON(DFSORT) ; DFSORT SMF 16 Records
SWITCH ON(TSO) ; SMF 32 and 119
SWITCH ON(USS) ; SMF 109
SWITCH ON(CRYPTO) ; SMF 82
SWITCH ON(SYSLOGGER) ; Enable System Logger SMF type 88
SWITCH ON(SMF113) ; SMF Type 113
SWITCH ON(SMF30CPU) ; SMF Type 30 CPU reporting
SWITCH ON(SMF30STO) ; SMF Type 30 Storage reporting
SWITCH ON(SMF30CTS) ; SMF Type 30 Crypto & NNPI Counters Section
SWITCH ON(SMF30CNR) ; SMF Type 30 Container Section
SWITCH ON(SMF30LES) ; SMF Type 30 LE statistics Section
SWITCH ON(SMF89) ; SMF Type 89
SWITCH ON(IMSLOG) ; IMS Log Record Events
SWITCH ON(IMSConn) ; IMS Connect Events
SWITCH ON(LOG4J) ; Log4j data from LOADFILE
SWITCH ON(VSAM) ; Enable VSAM SMF types 60/62/64
SWITCH ON(RACF) ; Enable RACF Type 80/81/83/1154
SWITCH ON(TOPSECRET) ; Enable TopSecret Record types 80/231
SWITCH ON(ACF2) ; Enable ACF/2 Record data/type 230
SWITCH ON(OPS) ; Enable Operations Events
SWITCH ON(FAM) ; Enable File Access Monitoring
SWITCH ON(HFTS) ; Enable HFTS data SMF 98
SWITCH ON(SRMC) ; Enable SRM data SMF 99
SWITCH ON(ICF) ; Enable Integrated Catalog Facility
SWITCH ON(DEVICE) ; Enable Device SMF types 8, 9, 11 and 22
SWITCH ON(DIVVLF) ; Enable DIV objects and VLF stats SMF type 41
SWITCH ON(DB2) ; Enable DB2 SMF 100, 101, 102 collection
SWITCH ON(CICS) ; Enable CICS SMF 110 collection
SWITCH ON(IBMHttp) ; IBM HTTP Server SMF Type 103
SWITCH ON(WebSphere) ; Enable WebSphere SMF Type 120
SWITCH ON(HMC) ; HMC SMF Type 106 BCPii
SWITCH ON(CD) ; Connect Direct SMF 132
SWITCH ON(SPM) ; Policy Manager data
SWITCH ON(AUTOMATE) ; Enable Alert Automation
SWITCH ON(RECEIVER) ; Enable VM Receiver
SWITCH ON(VMCLIENT) ; Enable VM Client
SWITCH ON(AMIOPS) ; AMI Ops Events
SWITCH ON(AOPSMIMS) ; AMI OpsM for IMS SMF record
SWITCH ON(PAM) ; Privileged Access Manager
SWITCH ON(ECOKTA) ; EC for OKTA SMF Record
SWITCH ON(SIV) ; System Integrity Violation Scanner
SWITCH ON(SRCC) ; Proclib/Parmlib changes (Requires SIV)
SWITCH ON(USRSRCC) ; Userlib changes (Requires SIV and SRCC)
SWITCH ON(USSENRICH) ; USS Privileges Enrichment
SWITCH ON(LOADFILE) ; Loadfile Events
SWITCH ON(SMF123) ; SMF Type 123
SWITCH ON(IEFU86) ; Enable the IEFU86 Exit
SWITCH ON(SSCmd) ; Enable Sub System Command Intercept
SWITCH ON(RACFCmd) ; Enable RACF Command Intercept
Edit the original #hlq.PARM(CZAPARMS) member as displayed in bold red text in the following example:
; Parameter file for CZAGENT
; SIEMTYPE-independent
; Copyright (c) 2014-2025 BMC Software, Inc.
SAY "CZAPARMS v7.1.03 Updated 07 Apr 2025"
; Options dependent on SIEM type
OPTIONS IF(CEF) SIEM(CEF) TIMESTAMP INSTNAME(CEF.Agent)
OPTIONS IF(JSON) SIEM(JSON) INSTNAME(Agent.JSON)
OPTIONS IF(LEEF) SIEM(LEEF) TIMESTAMP INSTNAME(LEEF.Agent)
OPTIONS IF(RFC3164) SIEM(RFC3164) TIMESTAMP INSTNAME(SIEM.Agent)
OPTIONS IF(RFC3164T) SIEM(RFC3164) TIMESTAMP INSTNAME(SIEM.Agent.TCP)
OPTIONS IF(Splunk) SIEM(Splunk) TIMESTAMP INSTNAME(Agent.for.Splunk)
; LEEF - TRANS(TCP) Required by QRadar
;
;SERVER ip.addr.example TRANS(TCP) MAXMSG(2000) ; You MUST edit per doc
;
; SPLUNK - TRANS(TCP) Recommended
;
;SERVER ip.addr.example TRANS(TCP) MAXMSG(3000) ; You MUST edit per doc
%INCLUDE IF(Splunk) DD:CZAPARMS(PARM&SYSNAME.)
%INCLUDE IF(RFC3164) DD:CZAPARMS(PRM0&SYSNAME.)
%INCLUDE IF(RFC3164T) DD:CZAPARMS(PRM4&SYSNAME.)
Create member PRM4LPRA in the #hlq.PARM data set.
This member contains only the SERVER statement specification for your second RFC3164 agent, such as the specification displayed in bold red text in the following example:
; Parameter file for CZAGENT
; SIEMTYPE-independent
; Copyright (c) 2014-2025 BMC Software, Inc.
SAY "PRM4LPRA v7.1.03 Updated 07 Apr 2025"
SERVER nnn.nn.nnn.nnn:mmmmm TRANS(UDP) MAXMSG(50000)
Copy the original sample PROC statement from the #hlq.PARM(CZAMIOPS) data set. In the PROC statements for the second RFC3164 agent, change the symbolic override SWITCH from SWITCH=DEFLTCFG to SWITCH=RFC3164T.
The following symbolic overrides in the PROC statement can remain unchanged:
DEFINES=CZDEFINE
PARMS=CZAPARMS
- Use the following command to run the started tasks:
/S SecondRFC3164agentName
Use case: Running tasks started on multiple agents on different LPARs when the agents transmit to the same server
You want to run the following agents to a Splunk server:
- On an LPAR named LPRP, an agent that transmits Splunk format messages
- On an LPAR named LPRM, an agent that transmits Splunk format messages
- On an LPAR named LPRB, an agent that transmits CEF data
To run tasks started on multiple agents on different LPARs when the agents transmit to the same server
Edit #hlq.PARM(CZDUSER2) to add a CZDCONF member definition as displayed in bold red text in the following syntax:
;**********************************************************************;
;**********************************************************************;
; CZDUSER2: Fields Definitions for the BMC AMI Datastream for z/OS ;
; Refer to the product documentation for information about defining ;
; fields. ;
;**********************************************************************;
;**********************************************************************;
;**********************************************************************;
; This member is available for user modifications. ;
;**********************************************************************;
SAY "v7.1.03 Updated 20 September 2023"
%INCLUDE IF(CEF) DD:CZAPARMS(CNF1&SYSNAME.)
%INCLUDE IF(Splunk) DD:CZAPARMS(CONF&SYSNAME.)
The configuration defines the following $$$CONFG members:
- CNF1LPRB for a CEF agent on LPRB
- CONFLPRP for a Splunk agent on LPRP
- CONFLPRM for a Splunk agent on LPRM
- Create member CNF1LPRB in the #hlq.PARM data set and copy the original $$$CONFG member that comes with the installation into the new CNF1LPRB member.
In the CNF1LPRB member:
- Uncomment the SWITCH ON(CEF) statement as displayed in bold red text in the following example.
- Uncomment the SMF switches as you require.
;**********************************************************************;
;**********************************************************************;
; $$$CONFG: Field configuration member for BMC AMI Datastream ;
; This is a copy of CZDCONFG and made available for ;
; user modification. It will be included in CZDEFINE ;
; SIEMTYPE-independent ;
; Copyright (c) 2014-2025 BMC Software, Inc. ;
; DRAID-882 - Added SIV option switch ;
;**********************************************************************;
;**********************************************************************;
SAY "v7.1.03 Updated 07 Apr 2025"
;**********************************************************************;
;**********************************************************************;
; Do NOT place any statements in this member unless they are acceptable
; BOTH as definition and parameter statements as this member is
; used by both CZDEFINE and CZAPARMS.
;**********************************************************************;
;**********************************************************************;
; Switches for setting the SIEM type. Uncomment ONE and ONLY ONE of the
; following statements
;**********************************************************************;
; SWITCH ON(RFC3164) ; Uncomment for SIEM type RFC 3164
SWITCH ON(CEF) ; Uncomment for SIEM type CEF
; SWITCH ON(JSON) ; Uncomment for SIEM type JSON
; SWITCH ON(LEEF) ; Uncomment for SIEM type LEEF
; SWITCH ON(Splunk) ; Uncomment for SIEM type Splunk
; SWITCH ON(DAM) ; Uncomment for SIEM type DAM
; SWITCH ON(AMIJSON) ; Uncomment for SIEM type AMIJSON
; SWITCH ON(INFLUXDB) ; Uncomment for SIEM type INFLUX_DB
;**********************************************************************;
; Switches for the inclusion of various optional support
; Uncomment as desired by replacing the semi-colon (;) in column 1
; with a space.
;**********************************************************************;
; SWITCH ON(Abend-AID) ; Compuware Abend-AID
; SWITCH ON(Action) ; Action Software EventAction SMF Type 249
; SWITCH ON(SessMon) ; BMC Security Session Monitor
; SWITCH ON(ChangeMan) ; Micro Focus ChangeMan
SWITCH ON(SS) ; SuperSession
SWITCH ON(IAM) ; BMC AMI Storage IAM
SWITCH ON(BACKLOG) ; BACKLOG messages
SWITCH ON(CONSOLE) ; Selected CONSOLE messages
SWITCH ON(VMCON) ; Selected VM Console Messages
SWITCH ON(VMSEC) ; Selected VM Secure Messages
SWITCH ON(VMRACF) ; VM SMF 80 RACF fields
SWITCH ON(GENERIC) ; For LOADFILE
SWITCH ON(IND$FILE) ; API1 IND$FILE
SWITCH ON(JOBLOG) ; Process local/JOBLOG SYSOUT
SWITCH ON(LOCALJL) ; Enable Local JOBLOG support
; LOCALJL requires JOBLOG switch
SWITCH ON(LSPACE) ; LSPACE DASD Freespace Monitoring
SWITCH ON(MODIFY) ; MODIFY from API1--see manual
SWITCH ON(BMCAMI) ; BMC AMI IND$FILE SMF 202 records
SWITCH ON(DIAG) ; Diagnostic message display
SWITCH ON(IFCID002) ; DB2 IFCID 002
SWITCH ON(IFCID003) ; DB2 IFCID 003
SWITCH ON(IFCAPPT) ; DB2 APPTUNE IFCID records
SWITCH ON(MQ) ; SMF Type 115 and 116 (MQ Series)
SWITCH ON(INTGRBUS) ; SMF Type 117 (IBM Integration Bus)
SWITCH ON(RMF) ; RMF: SMF Types 70 through 79
SWITCH ON(JES) ; JES2/3 SMF types 26, 43, 55-58
SWITCH ON(JES3) ; Executing in Jes3 environment
SWITCH ON(OA57466) ; IF APAR OA57466 applied (SMF26)
SWITCH ON(DFSORT) ; DFSORT SMF 16 Records
SWITCH ON(TSO) ; SMF 32 and 119
SWITCH ON(USS) ; SMF 109
SWITCH ON(CRYPTO) ; SMF 82
SWITCH ON(SYSLOGGER) ; Enable System Logger SMF type 88
SWITCH ON(SMF113) ; SMF Type 113
SWITCH ON(SMF30CPU) ; SMF Type 30 CPU reporting
SWITCH ON(SMF30STO) ; SMF Type 30 Storage reporting
SWITCH ON(SMF30CTS) ; SMF Type 30 Crypto & NNPI Counters Section
SWITCH ON(SMF30CNR) ; SMF Type 30 Container Section
SWITCH ON(SMF30LES) ; SMF Type 30 LE statistics Section
SWITCH ON(SMF89) ; SMF Type 89
SWITCH ON(IMSLOG) ; IMS Log Record Events
SWITCH ON(IMSConn) ; IMS Connect Events
SWITCH ON(LOG4J) ; Log4j data from LOADFILE
SWITCH ON(VSAM) ; Enable VSAM SMF types 60/62/64
SWITCH ON(RACF) ; Enable RACF Type 80/81/83/1154
SWITCH ON(TOPSECRET) ; Enable TopSecret Record types 80/231
SWITCH ON(ACF2) ; Enable ACF/2 Record data/type 230
SWITCH ON(OPS) ; Enable Operations Events
SWITCH ON(FAM) ; Enable File Access Monitoring
SWITCH ON(HFTS) ; Enable HFTS data SMF 98
SWITCH ON(SRMC) ; Enable SRM data SMF 99
SWITCH ON(ICF) ; Enable Integrated Catalog Facility
SWITCH ON(DEVICE) ; Enable Device SMF types 8, 9, 11 and 22
SWITCH ON(DIVVLF) ; Enable DIV objects and VLF stats SMF type 41
SWITCH ON(DB2) ; Enable DB2 SMF 100, 101, 102 collection
SWITCH ON(CICS) ; Enable CICS SMF 110 collection
SWITCH ON(IBMHttp) ; IBM HTTP Server SMF Type 103
SWITCH ON(WebSphere) ; Enable WebSphere SMF Type 120
SWITCH ON(HMC) ; HMC SMF Type 106 BCPii
SWITCH ON(CD) ; Connect Direct SMF 132
SWITCH ON(SPM) ; Policy Manager data
SWITCH ON(AUTOMATE) ; Enable Alert Automation
SWITCH ON(RECEIVER) ; Enable VM Receiver
SWITCH ON(VMCLIENT) ; Enable VM Client
SWITCH ON(AMIOPS) ; AMI Ops Events
SWITCH ON(AOPSMIMS) ; AMI OpsM for IMS SMF record
SWITCH ON(PAM) ; Privileged Access Manager
SWITCH ON(ECOKTA) ; EC for OKTA SMF Record
SWITCH ON(SIV) ; System Integrity Violation Scanner
SWITCH ON(SRCC) ; Proclib/Parmlib changes (Requires SIV)
SWITCH ON(USRSRCC) ; Userlib changes (Requires SIV and SRCC)
SWITCH ON(USSENRICH) ; USS Privileges Enrichment
SWITCH ON(LOADFILE) ; Loadfile Events
SWITCH ON(SMF123) ; SMF Type 123
SWITCH ON(IEFU86) ; Enable the IEFU86 Exit
SWITCH ON(SSCmd) ; Enable Sub System Command Intercept
SWITCH ON(RACFCmd) ; Enable RACF Command Intercept
- Create member CONFLPRP in the #hlq.PARM data set and copy the original CZDCONFG member that comes with the installation into the new CONFLPRP member.
In the CONFLPRP member:
- Uncomment the SWITCH ON(Splunk) statement as displayed in bold red text in the following example.
- Uncomment the SMF switches as you require.
;**********************************************************************;
;**********************************************************************;
; $$$CONFG: Field configuration member for BMC AMI Datastream ;
; This is a copy of CZDCONFG and made available for ;
; user modification. It will be included in CZDEFINE ;
; SIEMTYPE-independent ;
; Copyright (c) 2014-2025 BMC Software, Inc. ;
; DRAID-882 - Added SIV option switch ;
;**********************************************************************;
;**********************************************************************;
SAY "v7.1.03 Updated 07 Apr 2025"
;**********************************************************************;
;**********************************************************************;
; Do NOT place any statements in this member unless they are acceptable
; BOTH as definition and parameter statements as this member is
; used by both CZDEFINE and CZAPARMS.
;**********************************************************************;
;**********************************************************************;
; Switches for setting the SIEM type. Uncomment ONE and ONLY ONE of the
; following statements
;**********************************************************************;
; SWITCH ON(RFC3164) ; Uncomment for SIEM type RFC 3164
; SWITCH ON(CEF) ; Uncomment for SIEM type CEF
; SWITCH ON(JSON) ; Uncomment for SIEM type JSON
; SWITCH ON(LEEF) ; Uncomment for SIEM type LEEF
SWITCH ON(Splunk) ; Uncomment for SIEM type Splunk
; SWITCH ON(DAM) ; Uncomment for SIEM type DAM
; SWITCH ON(AMIJSON) ; Uncomment for SIEM type AMIJSON
; SWITCH ON(INFLUXDB) ; Uncomment for SIEM type INFLUX_DB
;**********************************************************************;
; Switches for the inclusion of various optional support
; Uncomment as desired by replacing the semi-colon (;) in column 1
; with a space.
;**********************************************************************;
; SWITCH ON(Abend-AID) ; Compuware Abend-AID
; SWITCH ON(Action) ; Action Software EventAction SMF Type 249
; SWITCH ON(SessMon) ; BMC Security Session Monitor
; SWITCH ON(ChangeMan) ; Micro Focus ChangeMan
SWITCH ON(SS) ; SuperSession
SWITCH ON(IAM) ; BMC AMI Storage IAM
SWITCH ON(BACKLOG) ; BACKLOG messages
SWITCH ON(CONSOLE) ; Selected CONSOLE messages
SWITCH ON(VMCON) ; Selected VM Console Messages
SWITCH ON(VMSEC) ; Selected VM Secure Messages
SWITCH ON(VMRACF) ; VM SMF 80 RACF fields
SWITCH ON(GENERIC) ; For LOADFILE
SWITCH ON(IND$FILE) ; API1 IND$FILE
SWITCH ON(JOBLOG) ; Process local/JOBLOG SYSOUT
SWITCH ON(LOCALJL) ; Enable Local JOBLOG support
; LOCALJL requires JOBLOG switch
SWITCH ON(LSPACE) ; LSPACE DASD Freespace Monitoring
SWITCH ON(MODIFY) ; MODIFY from API1--see manual
SWITCH ON(BMCAMI) ; BMC AMI IND$FILE SMF 202 records
SWITCH ON(DIAG) ; Diagnostic message display
SWITCH ON(IFCID002) ; DB2 IFCID 002
SWITCH ON(IFCID003) ; DB2 IFCID 003
SWITCH ON(IFCAPPT) ; DB2 APPTUNE IFCID records
SWITCH ON(MQ) ; SMF Type 115 and 116 (MQ Series)
SWITCH ON(INTGRBUS) ; SMF Type 117 (IBM Integration Bus)
SWITCH ON(RMF) ; RMF: SMF Types 70 through 79
SWITCH ON(JES) ; JES2/3 SMF types 26, 43, 55-58
SWITCH ON(JES3) ; Executing in Jes3 environment
SWITCH ON(OA57466) ; IF APAR OA57466 applied (SMF26)
SWITCH ON(DFSORT) ; DFSORT SMF 16 Records
SWITCH ON(TSO) ; SMF 32 and 119
SWITCH ON(USS) ; SMF 109
SWITCH ON(CRYPTO) ; SMF 82
SWITCH ON(SYSLOGGER) ; Enable System Logger SMF type 88
SWITCH ON(SMF113) ; SMF Type 113
SWITCH ON(SMF30CPU) ; SMF Type 30 CPU reporting
SWITCH ON(SMF30STO) ; SMF Type 30 Storage reporting
SWITCH ON(SMF30CTS) ; SMF Type 30 Crypto & NNPI Counters Section
SWITCH ON(SMF30CNR) ; SMF Type 30 Container Section
SWITCH ON(SMF30LES) ; SMF Type 30 LE statistics Section
SWITCH ON(SMF89) ; SMF Type 89
SWITCH ON(IMSLOG) ; IMS Log Record Events
SWITCH ON(IMSConn) ; IMS Connect Events
SWITCH ON(LOG4J) ; Log4j data from LOADFILE
SWITCH ON(VSAM) ; Enable VSAM SMF types 60/62/64
SWITCH ON(RACF) ; Enable RACF Type 80/81/83/1154
SWITCH ON(TOPSECRET) ; Enable TopSecret Record types 80/231
SWITCH ON(ACF2) ; Enable ACF/2 Record data/type 230
SWITCH ON(OPS) ; Enable Operations Events
SWITCH ON(FAM) ; Enable File Access Monitoring
SWITCH ON(HFTS) ; Enable HFTS data SMF 98
SWITCH ON(SRMC) ; Enable SRM data SMF 99
SWITCH ON(ICF) ; Enable Integrated Catalog Facility
SWITCH ON(DEVICE) ; Enable Device SMF types 8, 9, 11 and 22
SWITCH ON(DIVVLF) ; Enable DIV objects and VLF stats SMF type 41
SWITCH ON(DB2) ; Enable DB2 SMF 100, 101, 102 collection
SWITCH ON(CICS) ; Enable CICS SMF 110 collection
SWITCH ON(IBMHttp) ; IBM HTTP Server SMF Type 103
SWITCH ON(WebSphere) ; Enable WebSphere SMF Type 120
SWITCH ON(HMC) ; HMC SMF Type 106 BCPii
SWITCH ON(CD) ; Connect Direct SMF 132
SWITCH ON(SPM) ; Policy Manager data
SWITCH ON(AUTOMATE) ; Enable Alert Automation
SWITCH ON(RECEIVER) ; Enable VM Receiver
SWITCH ON(VMCLIENT) ; Enable VM Client
SWITCH ON(AMIOPS) ; AMI Ops Events
SWITCH ON(AOPSMIMS) ; AMI OpsM for IMS SMF record
SWITCH ON(PAM) ; Privileged Access Manager
SWITCH ON(ECOKTA) ; EC for OKTA SMF Record
SWITCH ON(SIV) ; System Integrity Violation Scanner
SWITCH ON(SRCC) ; Proclib/Parmlib changes (Requires SIV)
SWITCH ON(USRSRCC) ; Userlib changes (Requires SIV and SRCC)
SWITCH ON(USSENRICH) ; USS Privileges Enrichment
SWITCH ON(LOADFILE) ; Loadfile Events
SWITCH ON(SMF123) ; SMF Type 123
SWITCH ON(IEFU86) ; Enable the IEFU86 Exit
SWITCH ON(SSCmd) ; Enable Sub System Command Intercept
SWITCH ON(RACFCmd) ; Enable RACF Command Intercept
- Create member CONFLPRM in the #hlq.PARM data set and copy the original CZDCONFG member that comes with the installation into the new CONFLPRM member.
In the CONFLPRM member:
- Uncomment the SWITCH ON(Splunk) statement as displayed in bold red text in the following example.
- Uncomment the SMF switches as you require.
;**********************************************************************;
;**********************************************************************;
; $$$CONFG: Field configuration member for BMC AMI Datastream ;
; This is a copy of CZDCONFG and made available for ;
; user modification. It will be included in CZDEFINE ;
; SIEMTYPE-independent ;
; Copyright (c) 2014-2025 BMC Software, Inc. ;
; DRAID-882 - Added SIV option switch ;
;**********************************************************************;
;**********************************************************************;
SAY "v7.1.03 Updated 07 Apr 2025"
;**********************************************************************;
;**********************************************************************;
; Do NOT place any statements in this member unless they are acceptable
; BOTH as definition and parameter statements as this member is
; used by both CZDEFINE and CZAPARMS.
;**********************************************************************;
;**********************************************************************;
; Switches for setting the SIEM type. Uncomment ONE and ONLY ONE of the
; following statements
;**********************************************************************;
; SWITCH ON(RFC3164) ; Uncomment for SIEM type RFC 3164
; SWITCH ON(CEF) ; Uncomment for SIEM type CEF
; SWITCH ON(JSON) ; Uncomment for SIEM type JSON
; SWITCH ON(LEEF) ; Uncomment for SIEM type LEEF
SWITCH ON(Splunk) ; Uncomment for SIEM type Splunk
; SWITCH ON(DAM) ; Uncomment for SIEM type DAM
; SWITCH ON(AMIJSON) ; Uncomment for SIEM type AMIJSON
; SWITCH ON(INFLUXDB) ; Uncomment for SIEM type INFLUX_DB
;**********************************************************************;
; Switches for the inclusion of various optional support
; Uncomment as desired by replacing the semi-colon (;) in column 1
; with a space.
;**********************************************************************;
; SWITCH ON(Abend-AID) ; Compuware Abend-AID
; SWITCH ON(Action) ; Action Software EventAction SMF Type 249
; SWITCH ON(SessMon) ; BMC Security Session Monitor
; SWITCH ON(ChangeMan) ; Micro Focus ChangeMan
SWITCH ON(SS) ; SuperSession
SWITCH ON(IAM) ; BMC AMI Storage IAM
SWITCH ON(BACKLOG) ; BACKLOG messages
SWITCH ON(CONSOLE) ; Selected CONSOLE messages
SWITCH ON(VMCON) ; Selected VM Console Messages
SWITCH ON(VMSEC) ; Selected VM Secure Messages
SWITCH ON(VMRACF) ; VM SMF 80 RACF fields
SWITCH ON(GENERIC) ; For LOADFILE
SWITCH ON(IND$FILE) ; API1 IND$FILE
SWITCH ON(JOBLOG) ; Process local/JOBLOG SYSOUT
SWITCH ON(LOCALJL) ; Enable Local JOBLOG support
; LOCALJL requires JOBLOG switch
SWITCH ON(LSPACE) ; LSPACE DASD Freespace Monitoring
SWITCH ON(MODIFY) ; MODIFY from API1--see manual
SWITCH ON(BMCAMI) ; BMC AMI IND$FILE SMF 202 records
SWITCH ON(DIAG) ; Diagnostic message display
SWITCH ON(IFCID002) ; DB2 IFCID 002
SWITCH ON(IFCID003) ; DB2 IFCID 003
SWITCH ON(IFCAPPT) ; DB2 APPTUNE IFCID records
SWITCH ON(MQ) ; SMF Type 115 and 116 (MQ Series)
SWITCH ON(INTGRBUS) ; SMF Type 117 (IBM Integration Bus)
SWITCH ON(RMF) ; RMF: SMF Types 70 through 79
SWITCH ON(JES) ; JES2/3 SMF types 26, 43, 55-58
SWITCH ON(JES3) ; Executing in Jes3 environment
SWITCH ON(OA57466) ; IF APAR OA57466 applied (SMF26)
SWITCH ON(DFSORT) ; DFSORT SMF 16 Records
SWITCH ON(TSO) ; SMF 32 and 119
SWITCH ON(USS) ; SMF 109
SWITCH ON(CRYPTO) ; SMF 82
SWITCH ON(SYSLOGGER) ; Enable System Logger SMF type 88
SWITCH ON(SMF113) ; SMF Type 113
SWITCH ON(SMF30CPU) ; SMF Type 30 CPU reporting
SWITCH ON(SMF30STO) ; SMF Type 30 Storage reporting
SWITCH ON(SMF30CTS) ; SMF Type 30 Crypto & NNPI Counters Section
SWITCH ON(SMF30CNR) ; SMF Type 30 Container Section
SWITCH ON(SMF30LES) ; SMF Type 30 LE statistics Section
SWITCH ON(SMF89) ; SMF Type 89
SWITCH ON(IMSLOG) ; IMS Log Record Events
SWITCH ON(IMSConn) ; IMS Connect Events
SWITCH ON(LOG4J) ; Log4j data from LOADFILE
SWITCH ON(VSAM) ; Enable VSAM SMF types 60/62/64
SWITCH ON(RACF) ; Enable RACF Type 80/81/83/1154
SWITCH ON(TOPSECRET) ; Enable TopSecret Record types 80/231
SWITCH ON(ACF2) ; Enable ACF/2 Record data/type 230
SWITCH ON(OPS) ; Enable Operations Events
SWITCH ON(FAM) ; Enable File Access Monitoring
SWITCH ON(HFTS) ; Enable HFTS data SMF 98
SWITCH ON(SRMC) ; Enable SRM data SMF 99
SWITCH ON(ICF) ; Enable Integrated Catalog Facility
SWITCH ON(DEVICE) ; Enable Device SMF types 8, 9, 11 and 22
SWITCH ON(DIVVLF) ; Enable DIV objects and VLF stats SMF type 41
SWITCH ON(DB2) ; Enable DB2 SMF 100, 101, 102 collection
SWITCH ON(CICS) ; Enable CICS SMF 110 collection
SWITCH ON(IBMHttp) ; IBM HTTP Server SMF Type 103
SWITCH ON(WebSphere) ; Enable WebSphere SMF Type 120
SWITCH ON(HMC) ; HMC SMF Type 106 BCPii
SWITCH ON(CD) ; Connect Direct SMF 132
SWITCH ON(SPM) ; Policy Manager data
SWITCH ON(AUTOMATE) ; Enable Alert Automation
SWITCH ON(RECEIVER) ; Enable VM Receiver
SWITCH ON(VMCLIENT) ; Enable VM Client
SWITCH ON(AMIOPS) ; AMI Ops Events
SWITCH ON(AOPSMIMS) ; AMI OpsM for IMS SMF record
SWITCH ON(PAM) ; Privileged Access Manager
SWITCH ON(ECOKTA) ; EC for OKTA SMF Record
SWITCH ON(SIV) ; System Integrity Violation Scanner
SWITCH ON(SRCC) ; Proclib/Parmlib changes (Requires SIV)
SWITCH ON(USRSRCC) ; Userlib changes (Requires SIV and SRCC)
SWITCH ON(USSENRICH) ; USS Privileges Enrichment
SWITCH ON(LOADFILE) ; Loadfile Events
SWITCH ON(SMF123) ; SMF Type 123
SWITCH ON(IEFU86) ; Enable the IEFU86 Exit
SWITCH ON(SSCmd) ; Enable Sub System Command Intercept
SWITCH ON(RACFCmd) ; Enable RACF Command Intercept
Edit the original #hlq.PARM(CZAPARMS) member as displayed in bold red text in the following example:
; LEEF - TRANS(TCP) Required by QRadar
;
;SERVER ip.addr.example TRANS(TCP) MAXMSG(2000) ; You MUST edit per doc
;
; SPLUNK - TRANS(TCP) Recommended
;
;SERVER ip.addr.example TRANS(TCP) MAXMSG(3000) ; You MUST edit per doc
%INCLUDE IF(CEF) DD:CZAPARMS(PRM1&SYSNAME.)
%INCLUDE IF(Splunk) DD:CZAPARMS(PARM&SYSNAME.)
The configuration defines three separate CZAPARMS members:
- PRM1LPRB for the CEF agent on LPRB
- PARMLPRP for the Splunk agent on LPRP
- PARMLPRM for the Splunk agent on LPRM
Create member PRM1LPRB in the #hlq.PARM data set.
This member contains only the SERVER statement specification for your CEF agent on LPRB, such as the specification displayed in bold red text in the following example:
; Parameter file for CZAGENT
; SIEMTYPE-independent
; Copyright (c) 2014-2025 BMC Software, Inc.
SAY "PRM1LPRB v7.1.03 Updated 07 Apr 2025"
SERVER nnn.nn.nn.nnn TRANS(UDP) MAXMSG(2000)
Create member PARMLPRP in the #hlq.PARM data set.
This member contains only the SERVER statement specification for your Splunk agent on LPRP, such as the specification displayed in bold red text in the following example:
; Parameter file for CZAGENT
; SIEMTYPE-independent
; Copyright (c) 2014-2025 BMC Software, Inc.
SAY "PARMLPRP v7.1.03 Updated 07 Apr 2025"
SERVER nnn.nn.nn.nnn TRANS(UDP) MAXMSG(2000)
Create member PARMLPRM in the #hlq.PARM data set.
This member contains only the SERVER statement specification for your Splunk agent on LPRM, such as the specification displayed in bold red text in the following example:
; Parameter file for CZAGENT
; SIEMTYPE-independent
; Copyright (c) 2014-2025 BMC Software, Inc.
SAY "PARMLPRM v7.1.03 Updated 07 Apr 2025"
SERVER nnn.nn.nn.nnn TRANS(UDP) MAXMSG(2000)
Copy the original sample PROC statement from the #hlq.PARM(CZAMIOPS) data set and change the following agent PROC statements:
- For each Splunk agent, change the symbolic override SWITCH from SWITCH=DEFLTCFG to SWITCH=SPLUNK.
- For the CEF agent, change the symbolic override SWITCH from SWITCH=DEFLTCFG to SWITCH=CEF.
The following symbolic overrides in the PROC statement can remain unchanged:
DEFINES=CZDEFINE
PARMS=CZAPARMS
- Use the following commands, in any order, to run the started tasks:
/S CEFagentName
/S SPLUNKagentNameOnLPRP
/S SPLUNKagentNameOnLPRM
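Before starting the tasks, the rules stated in the member comments (exactly one SIEM type switch; LOCALJL requires JOBLOG; SRCC requires SIV; USRSRCC requires SIV and SRCC) and the &SYSNAME. member naming can be checked offline on a downloaded copy of each member. The following Python check is an added example, not BMC code; the function names, the case-insensitive matching of switch names, and the shortened sample member are assumptions made for illustration.

```python
import re

# SIEM-type switches listed in the CZDCONFG copy on this page.
SIEM_TYPES = {"RFC3164", "CEF", "JSON", "LEEF", "SPLUNK", "DAM", "AMIJSON", "INFLUXDB"}
# Dependencies stated in the member's own comments.
REQUIRES = {"LOCALJL": {"JOBLOG"}, "SRCC": {"SIV"}, "USRSRCC": {"SIV", "SRCC"}}
SWITCH_RE = re.compile(r"^\s*SWITCH\s+ON\(([^)]+)\)", re.IGNORECASE)
INCLUDE_RE = re.compile(r"^\s*%INCLUDE\s+IF\(([^)]+)\)\s+DD:\w+\(([^)]+)\)", re.IGNORECASE)

# Constructed sample: a shortened CONFLPRP-style member, not the full listing.
SAMPLE = """\
; SWITCH ON(RFC3164) ; Uncomment for SIEM type RFC 3164
; SWITCH ON(CEF) ; Uncomment for SIEM type CEF
 SWITCH ON(Splunk) ; Uncomment for SIEM type Splunk
 SWITCH ON(RACF) ; Enable RACF Type 80/81/83/1154
 SWITCH ON(SRCC) ; Proclib/Parmlib changes (Requires SIV)
"""

def active_switches(member_text):
    """Upper-cased names of SWITCH ON(...) statements that are not commented out."""
    names = set()
    for line in member_text.splitlines():
        if line.lstrip().startswith(";"):  # whole line is a comment
            continue
        match = SWITCH_RE.match(line)
        if match:
            names.add(match.group(1).strip().upper())
    return names

def lint_config(member_text):
    """Return (active SIEM switches, problems) for a CZDCONFG-style member."""
    on = active_switches(member_text)
    siem = sorted(on & SIEM_TYPES)
    problems = []
    if len(siem) != 1:
        problems.append(f"expected exactly one SIEM type switch, found {siem}")
    for name, needs in REQUIRES.items():
        missing = sorted(needs - on)
        if name in on and missing:
            problems.append(f"{name} is on but requires {missing}")
    return siem, problems

def resolve_include(line, switch, sysname):
    """Member selected by a %INCLUDE IF(...) line, or None if the IF does not match."""
    match = INCLUDE_RE.match(line)
    if not match or match.group(1).upper() != switch.upper():
        return None
    return match.group(2).replace("&SYSNAME.", sysname)
```

Run lint_config on the text of each CONF member, and resolve_include on each %INCLUDE line with the PROC's SWITCH value and the LPAR name, to confirm the member that will be read exists in #hlq.PARM.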