Using LOADFILE Subsystem Writer


You can use the LOADFILE Subsystem Writer to send output to the remote SIEM using override commands and the local BMC AMI Datastream for z/OS agent. Using LOADFILE Subsystem Writer, you can send a QSAM (or flat) file directly to the SIEM.

(SPE2307) The data set layout must have been previously defined to BMC AMI Datastream for z/OS as an API1 event type. For data sets that consist entirely of printable data, such as typical print reports, you should generally be able to use the predefined GENERIC-event-type. To define your own record layout, see TYPE-and-RETYPE-statements. You must enable the event type in BMC AMI Datastream for z/OS with the appropriate SELECT and EVENT statements. The event specifications are used to format the data set records as SIEM-appropriate messages.

(SPE2304) Once a job finishes sending records, it prints a message showing the job name, job ID, Subsystem Writer interface, and the number of records sent to the SIEM.

The benefits of using the LOADFILE Subsystem Writer over using the CZALDFIL utility are:

  • The interface can be SAF-secured using RACF, ACF2, or Top Secret
  • It can be used by most IBM or third-party vendor utilities that write output using a standard IBM QSAM interface
  • It does not require APF authorization for the caller

Enabling LOADFILE Subsystem Writer

To enable LOADFILE Subsystem Writer, specify the target subsystem of the BMC AMI Datastream agent address space in the DD statement for the output file.

Example

//SENDSIEM EXEC PGM=IEBGENER
//SYSPRINT DD SYSOUT=*
//SYSIN DD DUMMY,DCB=BLKSIZE=80
//SYSUT1 DD DISP=SHR,DSN=MY.INPUT.FILE
//SYSUT2 DD SUBSYS=(subsystemName,'LOADFILE')

Important

CZAS is the default BMC AMI Datastream subsystem name. You can override this name when you start your agent address space by using the AMISSID parameter to specify the subsystem name of the target BMC AMI Datastream agent. For more information on the AMISSID parameter, see Sample-CZAGENT-JCL-for-running-BMC-AMI-Datastream-as-a-started-task.

Using z/OS SAF

You can use System Authorization Facility (SAF) security to validate users and groups accessing your agent's resource data sets. To do this, configure the following parameters in the CZAGENT JCL:

  • (SPE2307) SECCLS—Indicates the security class your system uses. Accepted classes are DATASET (for RACF and Top Secret) and APPL (for ACF2).
  • SECPFX—Specifies a unique prefix that, when added to the subsystemName and LOADFILE parameters, builds a data set name for the agent address space, which can be used by security systems, such as RACF and Top Secret. For example, if you specify the prefix AMIZOS.AGT for subsystemName CZAS, the data set name is AMIZOS.AGT.CZAS.LOADFILE on volume BMCSEC.

Important

The DATASET class uses SECPFX as the resource data set name. The APPL class uses the AMISSID as the resource name.

After you configure the SECCLS and SECPFX parameters, your z/OS Security Administrator can define the user IDs and groups that are permitted to access the resource.

For more information about the SECCLS and SECPFX parameters, see Sample-CZAGENT-JCL-for-running-BMC-AMI-Datastream-as-a-started-task.

DD statement parameters

As shown in the example in Enabling LOADFILE Subsystem Writer, the first SUBSYS parameter must be the subsystem name of the BMC AMI Datastream agent.

The second parameter must be LOADFILE enclosed in single quotation marks. You must enclose additional Subsystem Writer subparameters in single quotation marks and separate them by commas.

Important

The executing job step does not require APF authorization to implement LOADFILE Subsystem Writer.

For more information about the SUBSYS parameter, see the section about the SUBSYS parameter in the IBM z/OS MVS JCL Reference manual.

Subsystem Writer subparameters

LOADFILE Subsystem Writer uses the following optional subparameters (each parameter is followed by its description):

FACILITY(facilityName|facilityNumber)

Syslog facility code (RFC 3164) for the forwarded messages

For information about facility codes, see Syslog-facilities-and-severities.

If you omit FACILITY, the default USER (1 – User-level message) is used.

COMMENT(commentIndicator)

(SPE2307) Character string used to prevent passing a record to BMC AMI Datastream and the SIEM

The string is compared with each incoming record. If the string is found in the first position of the record data, not counting the LLBB prefix (the record length and two reserved bytes), the record is treated as a comment rather than a data set record and is not passed to BMC AMI Datastream and the SIEM.

The character string consists of 1 to 20 characters and is case sensitive.

If you omit this parameter, all records are passed to BMC AMI Datastream and the SIEM.

MAJOR(majorName|majorNumber)

Major code used to uniquely identify the functional purpose of the records

You can choose from the following codes:

Major Name      Major Number   Description
CorMisc         12             BMC AMI Various
CZ1MajCorIMS    13             BMC AMI IMS
Cust            14             Reserved for use by customers
VIP             15             Vanguard Integrity Professionals
NewEra          16             NewEra Software, Inc.
Serena          17             Serena Software Inc.
BMC Compuware   18             BMC Compuware
Log4j           19             Log4j user data
SPM             20             Security Policy Manager (SPM)
SIV             21             System Integrity Violation (SIV)
AO              22             AMI Ops
Loadfile        23             Loadfile
IMSConn         24             IMS Connect

If you omit MAJOR, the default LoadFile (23) is used.

MAXWAIT(numberOfSeconds)

The maximum number of seconds, from 0 to 86400, to wait for sufficient queue space to become available before the request to add the message to the queue is bypassed

If there is not enough room in the queue (see the SLACK parameter), the Subsystem Writer recalculates the available space every 0.25 seconds until the total number of seconds expires. MAXWAIT(0) waits for a very long time (actually, 4,294,967,295 seconds or approximately 136 years).

If you omit MAXWAIT, the default 300 is used.

MINOR(minorNumber)

From 0 to 32767, provides additional granularity for identifying records

You can create your own message TYPE definitions for specific MINOR codes. For more information, see General-SMF-record-type-statement.

If you omit MINOR, the default 11 is used.

PURGE(YES|NO)

Indicates whether to purge old records from the queue in order to add a new record

Generally, you should not discard real-time security records (SMF and EVENT data) to make room for LOADFILE messages. Use this option only if you have a specific reason to force messages onto the queue.

If you omit PURGE, the default NO is used.

SEVERITY(severityName|severityNumber)

Syslog severity code for the forwarded messages

For information about severity codes, see Syslog-facilities-and-severities.

If you omit SEVERITY, the default severity code from the TYPE statement is used. For more information, see TYPE-and-RETYPE-statements.

SLACK(percentageOfQueue)

The percentage, from 0 to 100, of the total queue space that must be available before adding new records to the queue

If you omit SLACK, the default 50 is used.

SUBTYPE(subtype)

From 0 to 32767, provides additional granularity for identifying data fields in the records

You can create your own message field definitions for specific SUBTYPE codes. For more information, see General-SMF-record-type-statement.

If you omit SUBTYPE, the default 0 is used.

Subsystem Writer example

In the following example, we pass an output file to the active BMC AMI Datastream agent CZAT subsystem.

//OUTFILE  DD SUBSYS=(CZAT,'LOADFILE',
//            'MAJOR(CUST)',
//            'MINOR(99)',
//            'SUBTYPE(22)',
//            'FACILITY(USER)',
//            'SEVERITY(CRITICAL)'),
//            DCB=RECFM=V
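As an added example (not BMC's code), the following Python generates a DD statement like the one above from a dictionary of subparameters and rejects values outside the ranges documented in the subparameter list, so a misconfigured SIEM feed is caught before the job is submitted. It assumes the standard JCL column layout; FACILITY and SEVERITY names are passed through unchecked because their accepted values are in the linked syslog topic.

```python
# Added example, not BMC's code: build a LOADFILE SUBSYS DD statement from the
# subparameters documented above and reject values outside the documented ranges.

# Major Names and Numbers from the MAJOR table, keyed by upper-cased name.
MAJOR_CODES = {"CORMISC": 12, "CZ1MAJCORIMS": 13, "CUST": 14, "VIP": 15,
               "NEWERA": 16, "SERENA": 17, "BMC COMPUWARE": 18, "LOG4J": 19,
               "SPM": 20, "SIV": 21, "AO": 22, "LOADFILE": 23, "IMSCONN": 24}

def _int_in(lo, hi):
    """Validator for an integer subparameter with an inclusive range."""
    def check(v):
        if not isinstance(v, int) or not lo <= v <= hi:
            raise ValueError(f"expected an integer {lo}-{hi}, got {v!r}")
        return str(v)
    return check

def _one_of(allowed, what):
    """Validator for a keyword or number that must appear in 'allowed'."""
    def check(v):
        if (v if isinstance(v, int) else str(v).upper()) not in allowed:
            raise ValueError(f"{what} {v!r} is not an accepted value")
        return str(v).upper()
    return check

def _comment(v):
    """1-20 case-sensitive characters; an apostrophe would break the JCL quoting."""
    if not isinstance(v, str) or not 1 <= len(v) <= 20 or "'" in v:
        raise ValueError("COMMENT must be 1-20 characters with no apostrophe")
    return v

# FACILITY/SEVERITY names are defined in the linked syslog table; passed through here.
CHECKS = {"FACILITY": str, "SEVERITY": str, "COMMENT": _comment,
          "MAJOR": _one_of(set(MAJOR_CODES) | set(MAJOR_CODES.values()), "MAJOR"),
          "MINOR": _int_in(0, 32767), "SUBTYPE": _int_in(0, 32767),
          "MAXWAIT": _int_in(0, 86400), "SLACK": _int_in(0, 100),
          "PURGE": _one_of({"YES", "NO"}, "PURGE")}

def build_dd(ddname, subsys, subparms, recfm="V"):
    """Return the DD statement as JCL lines, one quoted subparameter per line."""
    quoted = []
    for name, value in subparms.items():
        if name.upper() not in CHECKS:
            raise ValueError(f"unknown Subsystem Writer subparameter {name!r}")
        quoted.append(f"'{name.upper()}({CHECKS[name.upper()](value)})'")
    pieces = [f"SUBSYS=({subsys},'LOADFILE'"] + quoted
    pieces[-1] += ")"                                   # close the SUBSYS list
    pieces.append(f"DCB=RECFM={recfm}")
    lines = [f"//{ddname:<8} DD {pieces[0]},"]          # name in cols 3-10, operand at 15
    lines += [f"//{'':12}{p}," for p in pieces[1:-1]]   # continuations end with ','
    lines.append(f"//{'':12}{pieces[-1]}")
    if any(len(line) > 71 for line in lines):           # JCL ignores text past col 71
        raise ValueError("a generated JCL line exceeds column 71")
    return lines
```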

Limitations

Files routed to the Subsystem Writer are routed directly to the BMC AMI Datastream agent and out to the SIEM. They are not available for downstream processing by subsequent jobs or jobsteps because no physical file is created.
