Customizing for a BMC AMI Ops extension


The CZAPAO member in the partitioned data set (PDS) amihlq.PARM enables you to customize BMC AMI Datastream for Ops to work with Splunk.

Use the CZAPAO member to configure the SIEM type, the server type (TRANS), and the maximum message length (MAXMSG).

You can enable only one SIEM type. If your organization requires more than one, use the sample CZAPAO member to create additional configuration members. For information about how to use the CZAPAO member, see the section "To configure the selection parameters" in "Installing the BMC AMI Datastream for Ops product files".

The following is an example of the CZAPAO member:

;**********************************************************************;
;**********************************************************************;
; CZAPAO:   Fields Definitions for the BMC AMI Agent for AMI Ops       ;
;           Copyright 2021-2021, BMC Software, Inc                     ;
;**********************************************************************;

SAY "v7.1.00 Updated 3 Aug 2022"

;OPTIONS INSTNAME(AMI.Ops.Agent) SIEM(SPLUNK)    ; Splunk
;OPTIONS INSTNAME(AMI.Ops.Agent) SIEM(INFLUX_DB) ; BMC Helix InfluxDB

OPTIONS NONCANCELABLE         ; Allow force but not cancel
OPTIONS SWAP(NO)              ; Recommended default is NO
OPTIONS QUEUE64(1024)         ; 1GB default

OPTIONS CLOCKMSG(COMMAND)     ; No time sync message
OPTIONS NOSTATUSTOSIEM        ; No agent status messages
OPTIONS FORMAT(ALL '" "')     ; Pass null and blank fields
OPTIONS NOAPFENRich           ; Do not add APF enrichment
OPTIONS NOSAFENRich           ; Do not add SAF enrichment
OPTIONS NOSYSLIBENRich        ; Do not add SYSLIB enrichment
OPTIONS NOENCRYPTENRich       ; Do not add Encrypt. File enrichment
OPTIONS NOSIVSCANNER          ; No System Integrity Violation reporting
OPTIONS NOUSSENRich           ; Do not add USS Privileges Enrichment
OPTIONS NOTIMESTAMP           ; Do not TIMESTAMP messages
OPTIONS NOSTATUSTOSIEM        ; Do not send status messages
OPTIONS UNIQUETAG             ; Force unique triplet tag names
OPTIONS FRAMING(LF)           ; Framing (LF,CR,CRLF,NULL,OCTETCOUNT)
OPTIONS INTFORMAT(CANON)      ; Do not scale integer fields

; ---------------------------------------------------------------------
; SPLUNK - TRANS(TCP) Recommended
; ---------------------------------------------------------------------
;SERVER ip.addr.example TRANS(TCP) +       ; You MUST edit per doc
; TIMEOUT(IDLE(1000)) +
; MAXMSG(32768)
;TIME UTC TIMEOFDAY(ISO8601_M) NORound; YYYY-MM-DDTHH:MM:SS.thmiju

; ---------------------------------------------------------------------
; INFLUXDB - TRANSport(REST) Required
; ---------------------------------------------------------------------
;SERVER BMC.HELIX.InfluxDB.Service.URL +
; APIKEY(123-456-7890) +
; TIMEOUT(IDLE(1000))  +
; TRANS(REST) MAXMSG(32768)
;TIME UTC TIMEOFDAY(INFLUX_DB) NORound; YYYYMMDDHHMMSS.thmiju

SELECT EVENT(AO0100)          ; BMC AMI Ops Statistics
SELECT EVENT(AO0200)          ; BMC AMI Ops Statistics
%INCLUDE CZPAO