SERVER statement

The SERVER statement specifies the IP address of one or more syslog servers (such as a BMC Defender Server, BMC Defender SyslogDefender, or any standard syslog console) and other parameters related to communication with the syslog server. The SERVER statement is required by both BMC AMI Datastream and CZASEND.

SERVER statement syntax diagrams

The following diagrams provide a visual representation of the code.

SERVER statement parameters

The following table describes the SERVER statement parameters:

Parameter

Description

hostSpecification

Address of the primary syslog server

Enter the address as a host name in either IPv4 dotted format or IPv6 colon format. The hostSpecification coded as the first operand of the SERVER statement is called the primary and it is a required parameter.

If the port number does not match the default value of the TRANSport parameter (6514 for SSL/TLS, 1468 for TCP, or 514 for UDP), then append the name or address with a colon and port number without embedded spaces.

For information about how to code hostSpecification and examples of how to use it, see HostSpecification parameter and HostSpecification format types.

ALTERNate(hostSpecification)

Address of an alternate syslog server

You can choose to specify an alternate syslog server. For information about how to code hostSpecification and examples of how to use it, see HostSpecification parameter and HostSpecification format types.

You can use the ALTERNate parameter to specify multiple alternate servers.

For information about how BMC AMI Datastream handles alternate servers, see Multiple-syslog-server-support.

ALTRevert(COMMand|AT(MIDNight)|EVERY(minutes))

Specifies when BMC AMI Datastream should attempt to revert from an alternate TCP/IP or SSL/TLS server to the primary server

The options are as follows:

COMMand directs that the reversion must be initiated manually with the SET(SERVER) command. For more information, see MODIFY-command.
AT(MIDNight) attempts the reversion at midnight, local time.
EVERY(minutes) attempts the reversion after the specified number of minutes. Specify a number of minutes from 5 through 1440 (24 hours).

The default option is COMMand because server connection switching is a fairly time-consuming process, especially if the primary server is still inoperable.

For more information, see Multiple-syslog-server-support.

APIKEY(bmcHelixInterfaceKey)

Programming interface security key used to connect with the BMC Helix Log Analytics and BMC Helix Operations Management environments

You must include APIKEY to use the SIEMtype extensions, ADELog or ADEInflux. For more information, see OPTIONS-statement.

CONCURRent(SPE2207)

Specifies that BMC AMI Datastream should connect concurrently to all defined SIEMs, both primary and alternate

This parameter applies only to server connections defined as TRANSport(TCP).

Use this parameter to duplicate your data concurrently across multiple servers. All messages are sent to all active, concurrent connections asynchronously. Messages are sent to active connections only. If a connection is inactive, it is bypassed. If all connections are inactive, the messages are queued until one or more of the connections become active.

All concurrent connections use the same SIEM type. For example, if your SIEM type is SPLUNK, all concurrent connections receive the same SPLUNK formatted message.

If you omit this parameter, alternate server connections are routed in a rollover manner. If the primary connection fails, the BMC AMI Datastream agent attempts to connect with the first alternate server. This continues until a connection is successful.

For more information, see Multiple-syslog-server-support.

CURRTime

Current time stamp derived from the metrics buffer

This parameter is applicable for only ADE transport. It is ignored for all other transport types.

If you use ADE and omit this parameter, the time stamp is derived from the source within the data buffer.

MAXMSGlen(length)

Maximum syslog message length, in bytes, for BMC AMI Datastream and CZASEND

For messages encoded in UTF-8, the length in bytes might be greater than the length in characters because some characters are encoded in more than one byte.

Use the XLATE parameter in the OPTIONS-statement to specify the message encoding. Specify a number between 512 and 2,500,000. Most SMF records can be formatted within the default message length of 1,024 bytes, but certain records, notably certain ACF2 and DB2 records, might require up to twice that number or more, depending on the fields specified and their values. If you receive message CZA0301W (indicating that the syslog message from the specified SMF record type overflowed the SERVER MAXMSGLEN length) consider increasing MAXMSGLEN.

Keep the following considerations in mind when you set this parameter:

The maximum message length specified in RFC 3164 is 1,024 bytes (but that standard is widely disregarded).
Datagrams (UDP messages) should not exceed the maximum transmission unit (MTU) size. The common Ethernet v2 MTU size is 1,500 bytes.
The maximum message length that the BMC Defender Server can process is 2,000 characters. Check the maximum message length that your syslog collector (and any intermediate load balancers, forwarders, or proxies) can accept; there is no point in formatting and transmitting data that is not received and processed.
The maximum MAXMSGlen supported by BMC AMI Datastream is 2,500,000 bytes, but that maximum is intended only for very specific situations. Generally, do not code a value over 4,000 bytes.
Increasing the MAXMSGLEN value increases the storage required by BMC AMI Datastream and CZASEND. For non-UTF-8 to-CCSIDs, the storage requirement is at least three times the length value. For UTF-8 to-CCSIDs, the requirement is at least seven times the length.

PACE(No|msgs seconds)

Maximum number of messages to transmit in the specified number of seconds

The options are as follows:

No—no pacing
msg seconds
- msg—20 or more messages
- seconds—1 through 120 (two minutes)

If the PACE value is too restrictive, you might greatly increase the queue requirements.

Example

If you specify PACE(100 2), then BMC AMI Datastream sends no more than 100 messages every 2 seconds.

If you use PACE with the TIMEout options IDLE or SEND, the options are ignored and default values are used.

If you omit this parameter, No is used by default.

REXMIT(number)

(Optional) Number of retransmission buffers for TCP/IP and SSL/TLS connections

Specify a number from 1 through 20. For more information, see TCP/IP error recovery.

If you omit this parameter, 2 is used by default.

TIMEout(tOptions)

Type and length of connection before timeout

Choose from the following options:

CONNect(DEFault|seconds)
IDLE(None|seconds)
RETRY(seconds)
SEND(seconds)

For more information, see full descriptions in the TIMEout options table.

TLS|SSL(tlsParameters)

Various parameters relevant only to SSL and TLS transport

The SSL and TLS keywords are equivalent and the choice of one or the other has no effect on the operation of the software.

If you specify TLS or SSL with TRANSport TCP or UDP, the SSL and TLS parameters are validated but a warning message is issued and the parameters have no effect.

For a description of the tlsParameters, see TLS and SSL parameters.

TRANSport(ADE|SSL|TCP|TLS|UDP)

Transport protocol

Choose one of the following protocols:

Protocol	Considerations
ADE	Protocol required to connect with BMC Helix Log Analytics and BMC Helix Operations Management environments Set TRANSport to ADE to use the SIEMtype extensions ADELog or ADEInflux in the OPTIONS-statement. ADE uses a Hypertext Transfer Protocol (HTTP) interface through a Representational State Transfer (REST) programming interface. You can secure this interface by using AT-TLS.
SSL	Provides reliable delivery, encryption, and authentication of syslog messages, as well as authentication of the SIEM console or other syslog receiver, and (optional) client (BMC AMI Datastream) authentication to the console or receiver. This protocol has the greatest complexity and highest overhead. SSL is equivalent to TLS for this feature. For more information, see the section about TLS and SSL parameters.
TCP	Provides reliable delivery of syslog messages. In most cases, an undeliverable message is diagnosed with an appropriate error message rather than being simply lost.
TLS	This protocol provides reliable delivery, encryption, and authentication of syslog messages, as well as authentication of the SIEM console or other syslog receiver, and (optional) client (BMC AMI Datastream) authentication to the console or receiver. This protocol has the greatest complexity and highest overhead. TLS is equivalent to SSL for this feature. For more information, see the section about TLS and SSL parameters.
UDP	This protocol has the simplest and lowest overhead transport protocol that is supported by all SIEM consoles and syslog receivers.

If your SIEM console or syslog receiver supports TLS, we recommend that you specify TLS or at least TCP.

If you omit this parameter, UDP is used by default unless, you specify SERVER SSL() or TLS(). In that case, SSL or TLS is used by default.

HostSpecification parameter

The hostSpecification parameter uses the following options:

Option	Description
ipAddress \| [hostName]	Address of the primary syslog server Specify the address as a host name in either IPv4 dotted format or IPv6 colon format. If the port number is not the default value for TRANSport (514 for UDP, 1468 for TCP, or 6514 for SSL/TLS), then append the name or address with a colon and port number without embedded spaces. For more information about hostSpecification and examples of how to use it, see Host specification. The host specification coded as the first operand of the SERVER statement is called the primary IP address and is required.
:port	Colon followed by the port number; no space between the ipAddress or hostName and colon
PROTOcol(IPV4\|IPV6)	Internet Protocol (IP) version 4 or 6 If you omit this parameter and the protocol cannot be determined from the format of the IP address, then Ipv4 is used, unless no Ipv4 connection is available.

HostSpecification format types

The following examples display the different formats you can use for the hostSpecification parameter:

Format	Example	Explanation
Host name	server1.myco.com	The name must be known to your TCP/IP stack, or the stack must have access to a Domain Name Server (DNS) where the name is known.
Host name with port	server1.myco.com:514	Same considerations as for host name Specify the port number if it is not the default for the specified TRANSport type: 514 for UDP 1468 for TCP 6514 for SSL/TLS
Dotted IPv4 address	262.35.1.80	IPv4 addresses in dotted decimal notation
Dotted IPv4 address with port	262.35.1.80:1514	Specify the port number if it is not the default for the specified TRANSport type: 514 for UDP 1468 for TCP 6514 for SSL/TLS
Colon-format IPv6 address	fe80::d932:83b4:a032:eea3 [fe80::d932:83b4:a032:eea3]	Native IPv6 colon hexadecimal address The square brackets are optional.
Colon-format IPv6 address with port	[fe80::d932:83b4:a032:eea3]:1514	Specify the port number if it is not the default for the TRANSport type as described for IPv4. You must enclose the IPv6 address in brackets.

TIMEout options

TIMEout uses the following options:

Option	Description
CONNect(DEFault\|seconds)	Number of seconds after which an attempt by BMC AMI Datastream or CZASEND to connect a TCP/IP session with the SIEM receiver is abandoned Valid values are from 15 through 240 seconds (four minutes). Specify DEFault instead to enable the z/OS communication server to determine the timeout value. Consider the following points when you set a value: If the value is too low, the session might not connect. If the value is too high, then BMC AMI Datastream cannot respond to the console’s MODIFY and STOP commands until the timeout completes. TIMEout CONNect has no effect on UDP transport. If you omit this parameter, 30 seconds is used by default.
IDLE(None\|seconds)	Number of seconds after which an idle BMC AMI Datastream TCP/IP session (with no formatted messages) times out Valid values are from 5 through 3600 seconds (one hour). Specify NONE instead to prevent a timeout. One or more syslog messages might be lost each time a session is terminated by the SIEM receiver before being terminated by BMC AMI Datastream. But if the IDLE value is too high, you occupy resources for nonproductive sessions. TIMEout IDLE has no effect on CZASEND or UDP transport. If you omit this parameter, 300 seconds (five minutes) is used by default.
RETRY(seconds)	Number of seconds to delay after a TCP/IP error before BMC AMI Datastream tries to establish a new session and transmit a message Valid values are from 0 through 600 seconds (ten minutes). Specifying 0 directs BMC AMI Datastream always to retry. Consider the following points when you set a value: A value that is too low might cause unnecessary attempts. A value that is too high might cause unnecessary delays (when recovering from an error) and lost messages until the session reconnects. TIMEout RETRY has no effect on CZASEND or UDP transport. If you omit this parameter, 5 seconds is used by default.
SEND(seconds)	Number of seconds for a TCP/IP send to complete Valid values are from 5 through 60 seconds. Consider the following points when you set a value: A value that is too low might cause successful transmissions to be reported as an error. A value that is too high might cause unnecessary delays when recovering from an error. TIMEout SEND has no effect on UDP transport. If you omit this parameter, 15 seconds is used by default.

TLS and SSL parameters

Important

We recommend using Application Transparent Transport Layer Security (AT-TLS). It provides the following benefits:

Enables security administrators to encrypt messages by using SAF security products, such as RACF, ACF2, and TopSecret
Reduces the configuration complexity of BMC AMI Datastream
According to IBM, provides overall better performance for message encryption
Standardizes message encryption using built-in z/OS facilities

TLS and SSL use the following parameters:

Parameter

Description

CIPHersuites(ciphers)

SSL or TLS cipher suites that are acceptable to the SSL/TLS client software

The SSL/TLS server selects a cipher suite from this list that is mutually acceptable. If no cipher suites are mutually acceptable, the session initiation fails.

Specify one or more cipher suite numbers that are supported by your version of IBM z/OS Cryptographic Services in your order of preference. Cipher suite numbers are specified as one to four hexadecimal digits. Starting with z/OS V1R13, the supported cipher suites are tabulated in the IBM publication z/OS Cryptographic Services System Secure Sockets Layer Programming.

If you omit TLS(CIPHersuites), then Cryptographic Services uses an internal list of available ciphers, which might vary from release to release (and also vary for FIPS versus non-FIPS mode). You can determine the current list by running BMC AMI Datastream with TRANSport(Ssl|TLS) and OPTions TRACE(TLS). The available cipher suites are displayed in message CZA0104I. We recommend that you carefully review the default cipher suites because they might not be appropriate for your installation.

FIPS

TLS encryption run in FIPS mode

The FIPS mode encryption meets the NIST FIPS 140-2 criteria and enforces more restrictions than non-FIPS mode. For example, in FIPS mode, the key database must have been created in FIPS mode, and certain cipher suites are considered too weak. For more information, see System SSL and FIPS 140-2 in the IBM publication z/OS Cryptographic Services System Secure Sockets Layer Programming and the US Department of Commerce publication Security Requirements for Cryptographic Modules (http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf).

Important

BMC AMI Datastream is not a validated cryptographic module, but an application that uses IBM z/OS cryptographic services for all cryptographic services. IBM z/OS cryptographic services is FIPS 140-2 certified.

If you are running a level of z/OS lower than V2R1 and require FIPS-compliant encryption, you might need to install the appropriate PTF for IBM APAR OA39422.

FIPS support is available only in the BMC AMI Datastream for z/OS product. For more information, see Federal-Information-Processing-Standards-support.

KEYRing(keyRingFile)

(Required) The z/OS key ring file name that BMC AMI Datastream or CZASEND uses to verify the signature of the server’s certificate, and to locate a client certificate if the server requests one

Specify the HFS file name of a gskkyman key database, or the name of a RACF key ring. If the RACF key ring is owned by another user, prefix the file name with userid/. If the key ring file begins with a slash (/), it is assumed to be the name of a gskkyman key database; otherwise, it is assumed to be a RACF key ring. HFS file names are case sensitive.

The user ID under which BMC AMI Datastream or CZASEND runs requires read access to RACF resource IRR.DIGTCERT.LISTRING to use its own key ring, or update access to IRR.DIGTCERT.LISTRING to use a different user ID’s key ring. If the key ring name contains /*, then be sure to enclose the name in quotation marks: KEYRing('*AUTH*/*').

LABel(keyRingLabel)

Label in the key ring of the client certificate to be presented if the server requests one

If the label contains space characters, you must enclose it in single or double quotation marks.

OCSP

Activates checks for revoked certificates by using the HTTP URI values in the certificate's AIA extension

Online Certificate Status Protocol (OCSP) requires z/OS V2R2 or later.

PASSword(password)

Password of the gskkyman key ring database

Do not specify PASSword with a RACF key ring.

Best practice

The PASSword parameter is provided as a convenience. The preferred method of specifying the gskkyman key ring database password is with a stashed password file (stash file).

The name of the stash file is automatically constructed by BMC AMI Datastream or CZASEND from the name of the database. If the key ring file name ends with .kdb, then the .kdb is removed and .sth is appended. If the name does not end with .kdb, then .sth is simply appended.

If you omit this parameter, then the key database must be a RACF key ring or it must have a stashed password file that is named as described.

SECurity(security)

Allowed SSL/TLS security protocols

The z/OS cryptographic client software presents the specified list to the SSL/TLS Server, and the server selects a protocol. If there is no mutually acceptable protocol, then session initiation fails.

Use one or more of the specifications from the following table. Prefix a specification with a - (minus sign) to exclude it from the allowed protocols.

You can list the specifications in any order, however they are processed from left to right. For example, SECURITY (ALL –SSLv3) indicates all of the supported protocols except SSLv3.

Important

SSLv2, a severely flawed and deprecated protocol, is not supported.
SSLv3 has been deprecated because of its vulnerability to the POODLE attack.

Specification	SSL/TLS security protocol
ALL	All
SSLv3	SSLv3 (Not recommended because of vulnerability to POODLE attack
TLSV1.0	TLS Version 1.0
TLSV1.1	TLS Version 1.1
TLSV1.2	TLS Version 1.2

If you omit this parameter, ALL –SSLv3 is used by default.

SERVER statement

SERVER statement syntax diagrams

SERVER statement parameters

HostSpecification parameter

HostSpecification format types

TIMEout options

TLS and SSL parameters

On this page