Limited support: BMC provides limited support for this version of the product. As a result, BMC no longer accepts comments in this space. If you encounter problems with the product version or the space, contact BMC Support. BMC recommends upgrading to the latest version of the product.

TYPE and RETYPE statements


The TYPE and RETYPE statements provide the high-level definition of the processing of an API1 or SMF record type. Code one TYPE (or TYPE and RETYPE) statement for each API1 or SMF record type that BMC AMI Datastream is to be able to process.

TYPE|RETYPE eventType([fieldsContext]) specificationName([CAT(category)] CEF(NAME(eventName) [ID(sigID)]) [EXITSEL(code)] [FACILITY(facility)] [FIX(num)|VAR[(num)]] [ID(eventID)] [PROCess(processTag)]) [TRIPLETCONStraint(minimum [maximum [remainder]])]


eventType

Specifies the event type name

Code a name 1–16 characters in length. The name must be unique across all event types. Do not use ALL as an event name.

fieldsContext

(Optional) Normally, the fields context for a given event is the same as the eventType. However, you can override that value here. Code an optional name of 1-16 characters.
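The following parser is an added example, not code from BMC AMI Datastream. It reads one TYPE or RETYPE statement in the syntax shown above into a nested structure and checks the rules stated in this topic (event name length, the reserved name ALL, CONTEXT taking no parameters, CEF requiring NAME, and the TRIPLETCONStraint remainder range). It assumes that keywords are case-insensitive and may be shortened to the upper-case part shown in the syntax (PROCess to PROC, TRIPLETCONStraint to TRIPLETCONS) and that operands contain no blanks or parentheses; uniqueness of event names across statements is not checked because only one statement is parsed.

```python
"""Parser and sanity checker for one TYPE/RETYPE statement (added example,
not BMC code). Assumes case-insensitive keywords that may be abbreviated to
the upper-case part of the syntax diagram, and operands without blanks."""
import re

# Full keyword -> shortest accepted abbreviation (assumption, see lead-in).
KEYWORDS = {
    "CAT": "CAT", "CEF": "CEF", "EXITSEL": "EXITSEL", "FACILITY": "FACILITY",
    "FIX": "FIX", "VAR": "VAR", "ID": "ID", "PROCESS": "PROC",
    "TRIPLETCONSTRAINT": "TRIPLETCONS", "NAME": "NAME",
}


def canonical(word):
    """Expand an abbreviated keyword; unknown words come back upper-cased."""
    w = word.upper()
    for full, shortest in KEYWORDS.items():
        if full.startswith(w) and len(w) >= len(shortest):
            return full
    return w


def tokenize(text):
    # Tokens are '(' , ')' and runs of non-blank, non-parenthesis characters.
    return re.findall(r"\(|\)|[^\s()]+", text)


def parse_items(tokens, pos=0):
    """Parse 'word[(items)]' sequences up to a closing ')' or end of input.
    Returns (items, pos); each item is (word, child_items)."""
    items = []
    while pos < len(tokens) and tokens[pos] != ")":
        word = tokens[pos]
        if word == "(":
            raise ValueError(f"unexpected '(' at token {pos}")
        pos += 1
        children = []
        if pos < len(tokens) and tokens[pos] == "(":
            children, pos = parse_items(tokens, pos + 1)
            if pos >= len(tokens) or tokens[pos] != ")":
                raise ValueError("unbalanced parentheses: missing ')'")
            pos += 1
        items.append((word, children))
    return items, pos


def first_word(items):
    """Operand value of a node, e.g. 'auth' for FACILITY(auth)."""
    return items[0][0] if items else None


def parse_statement(text):
    tokens = tokenize(text)
    items, pos = parse_items(tokens)
    if pos != len(tokens):
        raise ValueError("unbalanced parentheses: extra ')'")
    if len(items) < 3:
        raise ValueError("expected TYPE|RETYPE eventType specificationName(...)")
    verb = items[0][0].upper()
    if verb not in ("TYPE", "RETYPE"):
        raise ValueError(f"unknown statement {items[0][0]!r}")
    event_type, event_children = items[1]
    spec_name, spec_children = items[2]
    # Operands after the specification, e.g. TRIPLETCONStraint(...).
    trailing = {canonical(word): children for word, children in items[3:]}
    triplet = trailing.get("TRIPLETCONSTRAINT")
    return {
        "verb": verb,
        "eventType": event_type,
        # The fields context defaults to the event type name.
        "fieldsContext": first_word(event_children) or event_type,
        "specification": spec_name.upper(),
        "params": {canonical(word): children for word, children in spec_children},
        "tripletConstraint": [int(word) for word, _ in triplet] if triplet else None,
    }


def validate(stmt):
    """Return the rules from this topic that the parsed statement breaks."""
    problems = []
    for label in ("eventType", "fieldsContext"):
        name = stmt[label]
        if not 1 <= len(name) <= 16:
            problems.append(f"{label} {name!r} must be 1-16 characters")
    if stmt["eventType"].upper() == "ALL":
        problems.append("ALL must not be used as an event name")
    if stmt["specification"] == "CONTEXT" and stmt["params"]:
        problems.append("CONTEXT takes no other parameters")
    cef = stmt["params"].get("CEF")
    if cef is not None and not any(canonical(w) == "NAME" for w, _ in cef):
        problems.append("CEF requires the NAME operand")
    tc = stmt["tripletConstraint"]
    if tc is not None:
        if not 1 <= len(tc) <= 3:
            problems.append("TRIPLETCONStraint takes minimum [maximum [remainder]]")
        elif len(tc) == 3 and not (tc[2] == -1 or 0 <= tc[2] <= 7):
            problems.append("remainder must be 0-7 or -1")
    return problems
```

A statement such as TYPE RACFEVT SMFT80(CAT(authentication) CEF(NAME(CEF_T80_Name)) FACILITY(auth) PROCess(RACF:)) TRIPLETCONS(24 -1 4) parses with an empty problem list; TYPE ALL SMFGENERAL(FACILITY(console)) is reported for the reserved name.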

specificationName

Specifies the underlying main logic for the event type

Specify one of the following specification names:

Name          Brief description
API1GENERAL   General API1 event processing.
CONTEXT       Specifies a field context only, with no associated event processing. No other parameters are specified with CONTEXT.
SMFACF2       Processing of CA ACF2 records.
SMFDB2        Processing of DB2 Type 100, 101, and 102 records.
SMFGENERAL    General SMF record processing.
SMFT110       Processing of CICS audit records.
SMFT30        Processing of z/OS work unit records.
SMFT80        Processing of RACF and CA Top Secret records.

Certain event specifications support additional parameters beyond those shown here.

CAT(category)

Specifies the event category formatted by the field SMFXXCAT. Specify a literal string of one or more characters. This field is critical to QRadar LEEF formatting.

CEF(NAME(eventName) [ID(sigID)])

Specifies the CEF event name field and, optionally, an overriding CEF Signature ID field name. The NAME operand is required and must specify the name of a field that is used to generate the CEF header name field. By convention, CEF event name fields have names of the form CEF_Txxx_Name. If ID is coded, it specifies the name of a field that is used to generate the CEF signature ID field, overriding the specification in the ID(eventID) parameter. By convention, CEF unique signature ID fields have names of the form CEF_Txxx_SigID.

FACILITY(facility)

Specifies the default RFC 3164 or RFC 5427 facility code for the event type

Specify one of the facility names listed in the Syslog-facilities-and-severities topic.

The following table shows FACILITY defaults:

TYPE specification name   Facility default
API1GENERAL               console
CONTEXT                   n/a
SMFACF2                   auth
SMFDB2                    audit
SMFGENERAL                console
SMFT110                   local0
SMFT30                    daemon
SMFT80                    auth

ID(eventID)

Specifies the name of a field that is used to generate the CEF Signature ID or LEEF event ID

By convention, these fields have names of the form CEF_LEEF_Txxx_ID if common to CEF and LEEF, or LEEF_Txxx_EventID if unique to LEEF. If ID is omitted, the PROCess literal is used instead.

PROCess(processTag)

Specifies the tag that appears at the start of syslog messages for the event, following the priority, timestamp, and host name, and preceding the formatted fields

Specify the exact process tag that is to appear in syslog messages, including any spaces and punctuation. The processTag can be any length from the null string ('') to 32 characters.

If PROCess is omitted, the default value is used, as listed in the Supported-API-event-types-SMF-types-and-associated-process-tags topic.
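The following is an added example, not BMC code, that ties the FACILITY default and the PROCess tag together: it assembles the syslog line layout described above (priority, timestamp, host name, process tag, formatted fields) for a given specification name, and parses such a line back into its parts the way a collector or SIEM parser would. The numeric facility codes are an assumption taken from RFC 3164 (auth = 4, daemon = 3, local0 = 16); "audit" and "console" are assumed to be RFC 3164 codes 13 (log audit) and 14 (log alert), and the Syslog-facilities-and-severities topic remains authoritative for the product's real mapping. The host name, timestamp and key=value field layout are constructed for illustration only.

```python
"""Assemble and parse the syslog line layout described for PROCess (added
example, not BMC code). Facility codes are an RFC 3164 assumption; 'audit' and
'console' are taken as codes 13 and 14. Fields and host name are constructed."""
import re
from datetime import datetime

# Default facility per specification name (from the FACILITY defaults table).
DEFAULT_FACILITY = {
    "API1GENERAL": "console", "SMFACF2": "auth", "SMFDB2": "audit",
    "SMFGENERAL": "console", "SMFT110": "local0", "SMFT30": "daemon", "SMFT80": "auth",
}

# Facility name -> RFC 3164 code ('audit'/'console' are assumptions, see above).
FACILITY_CODE = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "audit": 13, "console": 14,
}
FACILITY_CODE.update({f"local{i}": 16 + i for i in range(8)})
FACILITY_NAME = {code: name for name, code in FACILITY_CODE.items()}


def pri(facility, severity):
    """RFC 3164 PRI value: facility * 8 + severity (severity 0-7)."""
    if not 0 <= severity <= 7:
        raise ValueError("severity must be 0-7")
    return FACILITY_CODE[facility] * 8 + severity


def format_event(spec, process_tag, fields, severity=6, facility=None,
                 host="MVS1", when=None):
    """Build '<PRI>Mmm dd hh:mm:ss host <tag><fields>' for one event.
    The tag is emitted exactly as coded (blanks and punctuation included)
    and sits between the host name and the formatted fields."""
    if len(process_tag) > 32:
        raise ValueError("processTag must be 0-32 characters")
    facility = facility or DEFAULT_FACILITY[spec]
    when = when or datetime(2024, 1, 15, 8, 30, 0)  # constructed timestamp
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"  # RFC 3164 day is blank-padded
    body = " ".join(f"{k}={v}" for k, v in fields.items())  # constructed field layout
    return f"<{pri(facility, severity)}>{stamp} {host} {process_tag}{body}"


_HEADER = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.S)


def parse_event(line, known_tags):
    """Split a line back into its parts. The tag is recognised by longest-prefix
    match against the configured process tags (a tag may be the null string)."""
    m = _HEADER.match(line)
    if not m:
        raise ValueError("not an RFC 3164 style line")
    facility_code, severity = divmod(int(m.group(1)), 8)
    rest = m.group(4)
    tag = next((t for t in sorted(known_tags, key=len, reverse=True)
                if rest.startswith(t)), "")
    return {
        "facility": FACILITY_NAME.get(facility_code, facility_code),
        "severity": severity,
        "timestamp": m.group(2),
        "host": m.group(3),
        "tag": tag,
        "fields": rest[len(tag):],
    }
```

For an SMFT80 event with the tag "RACF: " and severity 6 the line starts with <38> (auth = 4, 4 * 8 + 6), and parse_event recovers the tag and the field text that follows it; because tags may contain blanks and may be empty, the parser matches the configured tags as literal prefixes rather than splitting on white space.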

TRIPLETCONStraint(minimum [maximum [remainder] ] )

(Optional) Provides additional validation of triplet Get specifications at field definition time.

There is no additional overhead during event processing. You can specify a minimum valid offset for triplets of this record type, a maximum valid offset, and the valid alignment of triplets. The alignment is specified as a remainder on division of the triplet offset by 8.

Example

A remainder of 4 would mean that an offset of 28 or 36 was valid, but that offsets of 24, 26, and 30 were not. Specify a value in the range 0–7. You can also specify -1 as a remainder to disable alignment validation, or simply omit the remainder.
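The check below is an added example, not the product's own field-definition-time validator. It applies the TRIPLETCONStraint rule as described here (minimum offset, optional maximum, and alignment expressed as the remainder of the offset divided by 8, with -1 or an omitted remainder disabling the alignment check) to a list of triplet offsets and reports why each rejected offset fails; the offsets used are the ones from the example above.

```python
"""Apply TRIPLETCONStraint(minimum [maximum [remainder]]) to triplet offsets
(added example, not BMC code)."""


def check_triplet_offset(offset, minimum, maximum=None, remainder=None):
    """Return the violations for one triplet offset; [] means it passes.
    A remainder of None (omitted) or -1 disables the alignment check."""
    if remainder is not None and remainder != -1 and not 0 <= remainder <= 7:
        raise ValueError("remainder must be 0-7 or -1")
    problems = []
    if offset < minimum:
        problems.append(f"offset {offset} is below minimum {minimum}")
    if maximum is not None and offset > maximum:
        problems.append(f"offset {offset} exceeds maximum {maximum}")
    if remainder not in (None, -1) and offset % 8 != remainder:
        problems.append(f"offset {offset} mod 8 is {offset % 8}, expected {remainder}")
    return problems


def screen_offsets(offsets, minimum, maximum=None, remainder=None):
    """Partition triplet offsets into accepted ones and rejected ones with reasons."""
    accepted, rejected = [], {}
    for off in offsets:
        problems = check_triplet_offset(off, minimum, maximum, remainder)
        if problems:
            rejected[off] = problems
        else:
            accepted.append(off)
    return accepted, rejected


if __name__ == "__main__":
    # The example from this topic: remainder 4 accepts 28 and 36, rejects 24, 26 and 30.
    print(screen_offsets([24, 26, 28, 30, 36], minimum=0, remainder=4))
```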
