Customizing IND$Detect to report IND$FILE activity


IND$Detect is shipped and properly configured for most installations. The default configuration options are described in IND-Detect-configuration-parameters. If these options are correct for your installation, you can skip this topic.

  • Do not rename IBM IND$FILE or APVUFILE.
  • IBM IND$FILE, APVUFILE, or both are installed in a cataloged data set named SYS1.CMDLIB.
  • IND$Detect should log IND$FILE usage using SMF record type 202 (not the BMC AMI Datastream API).

Configure IND$Detect by adding the IND$Detect configuration parameters to a small assembler module found in amihlq.CZAGENT.SAMP, then assembling it and binding it with the distributed IND$Detect. To complete this task, you must be comfortable with programming in simple assembly language and understand the basics of using the z/OS binder (refer to IBM documentation for details).

Editing the IND$JCL module (formerly IND$CONF)

The following is the IND$JCL module that is found in amihlq.SAMP.

IND$JCL  TITLE 'Configuration options for BMC AMI IND$Detect'
* See manual "BMC AMI Datastream for z/OS SIEM Agent for IND$Detect"
IND$JCL  AMODE ANY31
IND$JCL  RMODE ANY
IND$JCL  CSECT
         DC    C'IND$JCL: Config for BMC AMI IND$Detect' Eyecatcher
*
*     *** Do not alter the next four statements ***
         ENTRY IND$DOPT
IND$DOPT DC    A(IND$PARM)
         DC    A(0)                Required end-of-list delimiter
IND$PARM EQU   *
*    Place any configuration parameters here
         DC    X'0'                End of parameters - Required
*
         END

To add parameters to the module, open it in an editor and insert one or more parameters where indicated, formatted as character constants. For example:

IND$PARM EQU   *
*    Place any configuration parameters here
         DC    C'LIBRARY(SYS2.PROD.CMDLIB)'
         DC    X'0'                End of parameters - Required

Separate multiple parameters with one or more blanks. For example:

IND$PARM EQU   *
*    Place any configuration parameters here
         DC    C'INSTANCE(1)'
         DC    C' '                Separator blank
         DC    C'SEND(API SMF)'
         DC    X'0'                End of parameters - Required

Do not delete or change the position of the X'0' that terminates the parameters.
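A pre-assembly check for the two rules above, as an added example that is not part of the BMC documentation or product: it concatenates the DC constants after IND$PARM as they would lie in storage, then confirms that the X'0' terminator comes last and that each parameter is followed by a blank. The function names, the KEYWORD(value) parameter shape inferred from the examples on this page, and the constructed sample source are assumptions.

```python
import re

# Matches DC C'...' or DC X'..'; '' inside C'...' is an escaped quote.
DC_RE = re.compile(r"^\S*\s+DC\s+([CX])'((?:[^']|'')*)'")

def parameter_area(source: str) -> str:
    """Concatenate the DC constants after IND$PARM as they would lie in storage."""
    out, in_parms = [], False
    for line in source.splitlines():
        if line.startswith("IND$PARM"):
            in_parms = True
            continue
        # Skip comment lines; the statement field ends at column 71.
        m = None if line.startswith("*") else DC_RE.match(line[:71])
        if in_parms and m:
            kind, text = m.groups()
            if kind == "C":
                out.append(text.replace("''", "'"))
            else:  # X'0' is padded on the left to a whole byte
                out.append(bytes.fromhex("0" * (len(text) % 2) + text).decode("latin-1"))
    return "".join(out)

def check(source: str) -> list[str]:
    """List problems in the parameter area; assumes KEYWORD(value) parameters."""
    area, problems = parameter_area(source), []
    end = area.find("\x00")
    if end == -1:
        problems.append("missing X'0' terminator")
        end = len(area)
    elif end != len(area) - 1:
        problems.append("constants follow the X'0' terminator")
    body, depth = area[:end], 0
    for i, ch in enumerate(body):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0 and body[i + 1:i + 2] not in ("", " "):
                problems.append(f"no blank after parameter ending at offset {i}")
    return problems

# Constructed sample: this page's two-parameter block, and a copy without the separator.
GOOD = """\
IND$PARM EQU   *
         DC    C'INSTANCE(1)'
         DC    C' '                Separator blank
         DC    C'SEND(API SMF)'
         DC    X'0'                End of parameters - Required
"""
BAD = "".join(l for l in GOOD.splitlines(True) if "Separator" not in l)
```

Running `check()` on the edited source before submitting the job catches a dropped separator or terminator that the assembler itself accepts without error.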

Assembling, binding, and testing IND$JCL

After editing IND$JCL, run the following job, found in amihlq.SAMP as member IND$JCL. 

Warning

Do not alter the LKED PARM= options.


// appropriate JOB statement
//*
//* Re-configure IND$Detect
//*
//* Assemble the config module
//ASM EXEC PGM=ASMA90,COND=(12,LE),REGION=2M,
// PARM=''
//SYSLIB DD DISP=SHR,DSN=hlq.CZAGENT.SAMP
//SYSPUNCH DD DUMMY
//SYSIN DD DISP=SHR,DSN=hlq.CZAGENT.SAMP(IND$JCL)
//SYSLIN DD DISP=(NEW,PASS)
//SYSPRINT DD SYSOUT=*
//SYSUT1 DD UNIT=SYSDA,SPACE=(CYL,(2,2))
//*
//* Re-bind IND$Detect
//REBIND EXEC PGM=IEWBLINK,REGION=2M,COND=(4,LE,ASM),
// PARM='AMODE=31,MAP,NORENT,NOREUS'
//OLDMOD DD DISP=SHR,DSN=hlq.CZAGENT.LOAD
//SYSLIN DD DSN=*.ASM.SYSLIN,DISP=(OLD,DELETE)
// DD *
 INCLUDE OLDMOD(CZAIND$D)
 REPLACE IND$JCL,IND$JCL
 ALIAS IND$FILE(CEESTART)
 ALIAS APVUFILE(CEESTART)
 ENTRY CEESTART
 NAME CZAIND$D(R)
/*
//SYSLMOD DD DSN=hlq.CZAGENT.LOAD,DISP=(OLD,KEEP)
//SYSUT1 DD UNIT=SYSALLDA,SPACE=(32000,(30,30))
//SYSPRINT DD SYSOUT=*

Configuring with BMC AMI Datastream

See also Customizing-for-IND-Detect.

You will need the following statements:

  • For IND$FILE events written to SMF, SELECT SMF(CORRELOG) and SMF CORRELOG …
  • For IND$FILE events sent to API1, SELECT EVENT(IND$FILE) and EVENT IND$FILE …

 
