Customizing the syslog server address
The following code shows the $$$SERVR member:
;**********************************************************************;
;**********************************************************************;
; $$$SERVR: User agent parameter member for BMC AMI Datastream ;
; This is a copy of CZASERVR and made available for ;
; user modification. It will be included in CZAPARMS ;
; SIEMTYPE-independent ;
; Copyright (c) 2014-2025 BMC Software, Inc. ;
;**********************************************************************;
;**********************************************************************;
SAY "v7.1.03 Updated 27 Feb 2025"
; Options dependent on SIEM type
OPTIONS IF(CEF) SIEM(CEF) TIMESTAMP +
INSTNAME(CEF.Agent)
OPTIONS IF(JSON) SIEM(JSON) +
INSTNAME(Agent.JSON)
OPTIONS IF(LEEF) SIEM(LEEF) TIMESTAMP +
INSTNAME(LEEF.Agent)
OPTIONS IF(RFC3164) SIEM(RFC3164) TIMESTAMP +
INSTNAME(SIEM.Agent)
OPTIONS IF(Splunk) SIEM(Splunk) TIMESTAMP +
INSTNAME(Agent.for.Splunk)
OPTIONS IF(AMIJSON) SIEM(AMIJSON) +
INSTNAME(Agent.AMIJSON)
OPTIONS IF(INFLUXDB) SIEM(INFLUX_DB) +
INSTNAME(Agent.INFLUXDB)
OPTIONS SWAP(NO) ; Recommended default is NO
;OPTIONS NONCANCELABLE ; Agent is non-cancelable
OPTIONS QUEUE64(1024) ; 1GB default
;OPTIONS IPASYNCDisable ; Disable Asynchronous IP processing
OPTIONS IF(SIV) SIVSCANNER ; Enable System Integrity Scanner
OPTIONS IF(-SIV) NOSIVSCANNER ; Disable System Integrity Scanner
OPTIONS IF(AMIJSON) NOSIVSCANNER ; Disable System Integrity Scanner
OPTIONS IF(INFLUXDB) NOSIVSCANNER ; Disable System Integrity Scanner
OPTIONS IF(USSENRICH) USSENRich ; Enable USS Privileges Enrichment
OPTIONS IF(-USSENRICH) NOUSSENRich ; Disable USS Privileges Enrichment
OPTIONS IF(AMIJSON) NOUSSENRich ; Disable USS Privileges Enrichment
OPTIONS IF(INFLUXDB) NOUSSENRich ; Disable USS Privileges Enrichment
OPTIONS IF(SRCC) SIVSRC ; Enable Sys. Int. Src Compare
OPTIONS IF(-SRCC) NOSIVSRC ; Disable Sys. Int. Src Compare
OPTIONS IF(AMIJSON) NOSIVSRC ; Disable Sys. Int. Src Compare
OPTIONS IF(INFLUXDB) NOSIVSRC ; Disable Sys. Int. Src Compare
OPTIONS IF(-SIV) NOSIVSRC ; Disable Sys. Int. Src Compare
OPTIONS IF(Splunk) UNIQUETAG ; Make repeating field tags unique
OPTIONS IF(JSON) UNIQUETAG ; Make repeating field tags unique
OPTIONS IF(AMIJSON) UNIQUETAG ; Make repeating field tags unique
OPTIONS IF(IEFU86) IEFU86Enable ; Enable the IEFU86 SMF exit
;OPTIONS NOSRCCMPOutput ; Disable print Src Compare output
;OPTIONS NOSRCCMPSend ; Disable send Src Compare output
;OPTIONS NOIEBCOPYcapture ; Disable capturing IEBCOPY member list
;OPTIONS KEEPEXITFirst ; Keep CZAU8x exits first before
; all other CZAU8x exits.
;OPTIONS VERIFYExit ; Verify SMF Exits haven't been
; modified. Reload if they have.
;OPTIONS IGNOREACCENTMARKS ; Treat various alphabet accent marks
; as valid characters in source compare
; abnormal binary value check logic
;OPTIONS NOSNDAGTCONFSiem ; Disable Sending Datastream configuration
; event record to SIEM during startup as well
; as after execution of PARMs modify command
OPTIONS LIMITOVERflowmsg(10) ; Disable or limit the number of
; overflow messages CZA0301W.
;OPTIONS IF(SPM) VMDATABase(filepath) ; Database filepath of BMC AMI
; Security Policy Manager
; ---------------------------------------------------------------------
; Select which SMF records will be enriched with USS information
; ---------------------------------------------------------------------
OPTIONS IF(USSENRICH) USSSMF(92) ; Enrich zFS - File system activity
OPTIONS IF(USSENRICH) USSSMF(109) ; Enrich USS Syslog
OPTIONS IF(USSENRICH) USSSMF(230) ; Enrich ACF2
; ---------------------------------------------------------------------
; Uncomment the following OPTIONS if you are connecting
; to the BMC AMI Command Center with SERVER TRANS(TCP)
; ---------------------------------------------------------------------
;OPTIONS FRAMING(OCTETCOUNT) ; Framing (LF,CR,CRLF,NULL,OCTETCOUNT)
; ---------------------------------------------------------------------
; You must uncomment (remove the semi-colon(;)) from one of the SERVER
; statements below
; ---------------------------------------------------------------------
; ---------------------------------------------------------------------
; RFC3164
; ---------------------------------------------------------------------
;SERVER ip.addr.example TRANS(UDP) MAXMSG(2000) ; You MUST edit per doc
; ---------------------------------------------------------------------
; CEF - TRANS(TCP) Recommended
; ---------------------------------------------------------------------
;SERVER ip.addr.example TRANS(TCP) MAXMSG(2000) ; You MUST edit per doc
; ---------------------------------------------------------------------
; JSON - TRANS(TCP) Recommended
; ---------------------------------------------------------------------
;SERVER ip.addr.example TRANS(TCP) MAXMSG(3000) ; You MUST edit per doc
; ---------------------------------------------------------------------
; LEEF - TRANS(TCP) Required by QRadar
; ---------------------------------------------------------------------
;SERVER ip.addr.example TRANS(TCP) MAXMSG(2000) ; You MUST edit per doc
; ---------------------------------------------------------------------
; SPLUNK - TRANS(TCP) Recommended
; ---------------------------------------------------------------------
;SERVER ip.addr.example TRANS(TCP) MAXMSG(3000) ; You MUST edit per doc
; ---------------------------------------------------------------------
; HTTP - TRANS(HTTP) Required
; ---------------------------------------------------------------------
;SERVER hostname:port/path/to/dest + ; You MUST edit per doc
; TRANS(HTTP) MAXMSG(3000) + ;
; HECToken("Splunk 11111111-1111-1111-1111-111111111111") + ; Token
; HTTPBatchSize(250000) + ; Batch size for HTTP Transport
; HTTPScheme(HTTPS) + ; Default Scheme that HTTP will use
; HTTP_SSL_Conf( + ; Optional SSL config
; ssl.ca.location(filepath) + CA location
; ssl.keystore.location(filepath) + Keystore location
; ssl.keystore.password(filepath) + Keystore passwd file (ascii)
; ssl.keystore.type("PEM") + Keystore type
; ssl.clientcert.location(filepath) + Client Certificate Location
; ssl.clientcert.type("PEM") + Client Certificate type
; )
; ---------------------------------------------------------------------
; AMIJSON - TRANS(REST) Required
; ---------------------------------------------------------------------
;SERVER BMC.HELIX.Log.Service.URL +
; APIKEY(123-456-7890) +
; TRANS(REST) MAXMSG(32768)
;TIME UTC +
; DUR(ISO8601_T) +
; TIMEOFDAY('%Y-%m-%dT%H:%M:%S.%Q3Z') +
; ZONE('CST6CDT') ; Review TIME statement ZONE parameter
; ---------------------------------------------------------------------
; INFLUXDB - TRANS(REST) Required
; ---------------------------------------------------------------------
;SERVER BMC.HELIX.InfluxDB.Service.URL +
; APIKEY(123-456-7890) +
; TRANS(REST) MAXMSG(32768)
; ---------------------------------------------------------------------
; KAFKA - TRANS(KAFka) Required
; ---------------------------------------------------------------------
;SERVER broker.address.example:port +
; KAFKA_SSL_Conf( + ; Optional SSL config
; ssl.keystore.location(filepath) +
; ssl.keystore.password(filepath) +
; ssl.ca.location(filepath)) +
; TOPIC(topicname ) +
; TRANS(KAFKA) MAXMSG(32768)
; ---------------------------------------------------------------------
; Uncomment and edit the following TIME statement if desired
; ---------------------------------------------------------------------
; TIME UTC DUR(ISO8601_T) TIMEOFDAY(ISO8601_T) ZONE(TZ)
; ---------------------------------------------------------------------
; Uncomment and edit the following TIME statement if desired extra
; precision
; ---------------------------------------------------------------------
; TIME UTC DUR(' %H:%M:%S:%Q6 ') TIMEOFDAY('%d%b%Y %H:%M:%S:%Q6') +
; ZONE(TZ)
; ---------------------------------------------------------------------
; Uncomment the following lines if you want a local (on CZAGENT's LPAR)
; copy of the transmitted Syslog messages. See "The LOCAL Statement"
; in "Appendix A: Parameter File Reference" of the CZAGENT Users Manual
; The parameter values shown are defaults and may not be optimal for
; your installation.
; ---------------------------------------------------------------------
; LOCAL DATASET(*) +
; FOLD(133) +
; MOD +
; REOPEN(MIDNIGHT) +
; SPACE(TRK 10 10 0)
; ---------------------------------------------------------------------
; Uncomment the following to enable XCF communication
; between BMC AMI Datastream for z/OS servers
; ---------------------------------------------------------------------
SYSPLEX +
GROUPNAME(AMIZOS) ; Sysplex group name
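The member ships with every SERVER statement commented out and with sample addresses, tokens and API keys that must be edited. The following pre-deployment check is an added example, not BMC code: it reports a member with no active SERVER statement, sample values left in place, and credentials held inline. It assumes that `;` starts a comment outside quotes and that a trailing `+` continues a statement, as the listing suggests; the function names and the SAMPLE input are constructed for illustration.

```python
import re

# Sample values from the shipped member that must not survive into production.
PLACEHOLDERS = ("ip.addr.example", "broker.address.example", "hostname:port",
                "11111111-1111-1111-1111-111111111111", "123-456-7890",
                "(filepath)", "Service.URL")
CODE = re.compile(r"""((?:[^;"']|"[^"]*"|'[^']*')*)""")  # text before first unquoted ';'

def statements(text):
    """Drop ';' comments and join '+'-continued lines (assumed syntax)."""
    out, buf = [], ""
    for raw in text.splitlines():
        code = CODE.match(raw).group(1).strip()
        if not code:
            continue                      # blank or comment-only line
        if code.endswith("+"):
            buf += code[:-1].strip() + " "
        else:
            out.append(buf + code)
            buf = ""
    return out + ([buf.strip()] if buf.strip() else [])

def audit(text):
    """Return findings for the active (uncommented) SERVER statements."""
    servers = [s for s in statements(text) if s.upper().startswith("SERVER ")]
    if not servers:
        return ["no active SERVER statement"]
    findings = []
    for s in servers:
        target = s.split()[1]
        if not re.search(r"\bTRANS\(\w+\)", s, re.I):
            findings.append(f"{target}: no TRANS() on SERVER statement")
        findings += [f"{target}: sample value {p!r} not replaced"
                     for p in PLACEHOLDERS if p in s]
        if re.search(r"\b(HECToken|APIKEY)\(", s, re.I):
            findings.append(f"{target}: credential in member, restrict read access")
    return findings

# Constructed input: the HTTP stanza uncommented but left unedited.
SAMPLE = """\
OPTIONS SWAP(NO)                      ; Recommended default is NO
;SERVER ip.addr.example TRANS(UDP) MAXMSG(2000)
SERVER hostname:port/path/to/dest +   ; You MUST edit per doc
  TRANS(HTTP) MAXMSG(3000) +
  HECToken("Splunk 11111111-1111-1111-1111-111111111111") +
  HTTPScheme(HTTPS)
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```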