
Proprietary syslog format extensions

This topic provides information about the following extensions:

BMC Autonomous Digital Enterprise Influx DB (ADEInflux)

ADEInflux is a data interchange event format that converts BMC AMI Ops performance and monitoring data to a structured ADE format and uses REST API to transmit the data to BMC Helix.

ADEInflux does not support console or status messages. Therefore, when using ADEInflux, leave the following OPTIONS-statement parameters at their default values:

  • FORMAT(ALL, '"None"')
  • NOAPFENRich
  • NOSAFENRich
  • NOSYSLIBENRich
  • NOENCRYPTENRich
  • NOUSSENRich
  • CLOCKMSG(COMMAND)
  • NOSTATUSTOSIEM
  • NOTIMESTamp

If you alter these parameters, BMC AMI Datastream produces messages that BMC Helix cannot process. This causes unnecessary overhead, and the messages are discarded.

The output of ADEInflux might appear as follows (one line):

BBMUCE01,PLEXNAME=BMCPLEX1,SYSNAME=IMSA,ASRENAME=JOBNAME1,ASREJBID=S0087659,ASRETOKN=d9d5def1eb750001 LSOFFSET=0,ORECTZON=-420,ASRERDNO=0,ASRERENO=0,ASRELEVL=7,ASREASID=1,ASREPOEX=0,ASREASCT=1 1623262507730000000

To use the ADEInflux extension, specify ADEInflux for the SIEMtype parameter of the OPTIONS statement.
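The ADEInflux line above is easier to reason about once it is split into its parts. The following added example (not BMC's own code) assumes the line follows InfluxDB line protocol, which the page's sample matches, and parses it into measurement, tags, integer fields and a UTC timestamp taken from the trailing nanosecond value:

```python
"""Split one ADEInflux output line into measurement, tags, fields and time.

Added example, not BMC's own code. It assumes the line uses InfluxDB line
protocol (measurement,tags fields timestamp_ns), which the page's sample
matches; the sample below is the page's own ADEInflux output line.
"""
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

SAMPLE = ("BBMUCE01,PLEXNAME=BMCPLEX1,SYSNAME=IMSA,ASRENAME=JOBNAME1,"
          "ASREJBID=S0087659,ASRETOKN=d9d5def1eb750001 LSOFFSET=0,ORECTZON=-420,"
          "ASRERDNO=0,ASRERENO=0,ASRELEVL=7,ASREASID=1,ASREPOEX=0,ASREASCT=1 "
          "1623262507730000000")


def _pairs(section: str) -> dict:
    """Turn 'K=V,K=V' into a dict; an empty section yields an empty dict."""
    out = {}
    for item in filter(None, section.split(",")):
        key, _, value = item.partition("=")
        out[key] = value
    return out


def parse_adeinflux(line: str) -> dict:
    # Three space-separated sections. Line protocol escapes spaces inside tag
    # values as '\ '; the page's sample has none, so a plain split is enough.
    sections = line.split(" ")
    if len(sections) != 3:
        raise ValueError("expected 'tagset fieldset timestamp'")
    tagset, fieldset, ts = sections
    measurement, _, tags = tagset.partition(",")
    fields = {}
    for key, value in _pairs(fieldset).items():
        # The sample's field values are bare integers; anything else stays text.
        try:
            fields[key] = int(value)
        except ValueError:
            fields[key] = value
    # The trailing timestamp is nanoseconds since the epoch; datetime holds
    # microseconds, so the last three digits are dropped.
    when = EPOCH + timedelta(microseconds=int(ts) // 1000)
    return {"measurement": measurement, "tags": _pairs(tags),
            "fields": fields, "time": when}
```

For the page's sample, `parse_adeinflux(SAMPLE)["time"]` is 2021-06-09T18:15:07.730 UTC.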

BMC Autonomous Digital Enterprise Logs (ADELog)

ADELog is a data interchange event format that converts SMF records to JSON and uses REST API to transmit the data to BMC Helix.

ADELog does not support console or status messages. Therefore, when using ADELog, leave the following OPTIONS-statement parameters at their default values:

  • FORMAT(ALL, '"None"')
  • NOAPFENRich
  • NOSAFENRich
  • NOSYSLIBENRich
  • NOENCRYPTENRich
  • NOUSSENRich
  • CLOCKMSG(COMMAND)
  • NOSTATUSTOSIEM
  • NOTIMESTamp

If you alter these parameters, BMC AMI Datastream produces messages that BMC Helix cannot process. This results in stored messages that serve no analytical purpose.

The output of ADELog might appear as follows:

{"RType": 119, "SID": "IMSA", "SAF": 1, "SAFD": "RACF", "SubT": 1, "Subtype": "Connect init", "Stack": "TCPIP", "RecordType": "Event record, complete", "RecordID": 0, "ResName": "MJEN001", "RemtIP": "::ffff:172.24.48.132"}

To use the ADELog extension, specify ADELog for the SIEMtype parameter of the OPTIONS statement.

Common Event Format (CEF)

CEF is a log management event format. It provides a standardized, normalized syslog-record format that is supported by the following applications:

  • ArcSight ESM SIEM correlation engine
  • RSA (EMC) Security Analytics SIEM
  • Intel Security McAfee Enterprise Security Manager

Both BMC AMI Datastream and CZASEND support ArcSight Common Event Format (CEF). BMC AMI Datastream optionally conforms to the CEF standard. For more information about CEF, see the relevant Micro Focus documentation.

A sample CEF-format message contains the following information:

[Image: sample CEF-format message (CEF_message_6.2.png), with the sections color-coded as described below]

Each color identifies a section of the CEF-format message:

  • Yellow: Timestamp and hostname fields
  • Blue: Standard header
  • Green: An extension consisting of zero or more values, each identified by a standardized CEF name followed by an equal sign
  • Magenta: An optional message field (msg=) followed by additional, non-CEF-standard tags and values

Standardized CEF names, if any apply, are displayed on the second line of the Tag CEF Name column for each field. A blank second line indicates a non-CEF standard field. For more information and a list of the field definition topics, see Supported-SMF-field-names.

When using the CEF extension, all time periods are reported as integral numbers of milliseconds since January 1, 1970. In the sample message, rt=1372718485293 represents UTC 22:41:25.293 on July 1, 2013.

To use the CEF extension, specify CEF for the SIEMtype parameter of the OPTIONS statement.

For information about parameter and field definition files, see Format-of-parameter-and-field-definition-files.

JavaScript Object Notation (JSON)

JSON is a lightweight data-interchange event format with a rigorously defined syntax (but not taxonomy). A mainframe security event formatted in JSON might appear as follows:

{"Time": "2022-01-04T18:40:35.880", "HostName": "IBMSYSC", "Cat": "RACF", "EventDesc": "RESOURCE ACCESS: Insufficient Auth", "Severity": "Err", "Auth_Audit": false, "Auth_Bypass": false, "Auth_Exit": false, "Auth_Normal": true, "Auth_Oper": false, "Auth_Special": false, "Auth_Trusted": false, "Auth": "Normal check", "Violation": true, "User_Warning": false, "Group": "RESTRICT", "JobNm": "SP003ATR", "Vol": "SYS001", "Type": "DATASET", "Res": "DV205B.R320.BLD", "APF": false, "Prof": "DV205B.R320.BLD", "Req": "READ", "Name": "JOE SYSPROG"}

To use the JSON extension, specify JSON for the SIEMtype parameter of the OPTIONS statement.

Log Event Extended Format (LEEF)

LEEF is a customized event format for IBM Security QRadar. The RPM file name is DSM-BMCzOSAMIDatastream_qradar-version_build-number.noarch.rpm. For more information, see the IBM Security QRadar documentation.

A sample LEEF-format message contains the following information:

[Image: sample LEEF-format message (LEEF_message_6.2.png), with the sections color-coded as described below]

Each color identifies a section of the LEEF-format message:

  • Yellow: Timestamp and hostname fields
  • Blue: Standard LEEF header
  • Green: An extension consisting of zero or more event attribute values, each identified by a key followed by an equal sign, separated by tabs

To use the LEEF extension, specify LEEf for the SIEMtype parameter of the OPTIONS statement.

To use BMC AMI Datastream or CZASEND with IBM Security QRadar, see Customizing-for-a-proprietary-syslog-extension.
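The CEF and LEEF sections above describe the same shape: a pipe-delimited header followed by an extension of key=value pairs, space-separated in CEF and tab-separated in LEEF, with CEF times such as rt= given in milliseconds since 1970. The following added example (not BMC's or IBM's code) parses both layouts on the SIEM side; the header layouts are the public CEF and LEEF:1.0 specifications, the sample lines are constructed, and only the rt value is the page's own sample:

```python
"""Parse CEF and LEEF syslog payloads into header fields and extension pairs.

Added example, not BMC's own code. Header layouts follow the public CEF and
LEEF:1.0 specifications; the sample lines are constructed, except that
rt=1372718485293 is the page's own sample value.
"""
import re
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# Header fields are split on '|' not preceded by a backslash ('\|' is literal).
_PIPE = re.compile(r"(?<!\\)\|")
# CEF pairs are space-separated, but values may contain spaces, so split only
# before a token that looks like 'key=' (an escaped '\=' never matches).
_CEF_KEY = re.compile(r" +(?=[A-Za-z0-9_]+=)")
# Number of header fields before the extension: CEF has 7, LEEF:1.0 has 5.
_HEADER_FIELDS = {"CEF": 7, "LEEF": 5}


def parse_event(line: str) -> dict:
    """Parse one line that starts with 'CEF:' or 'LEEF:' (the syslog
    timestamp/hostname prefix, the page's yellow section, already stripped)."""
    fmt = line.split(":", 1)[0]
    if fmt not in _HEADER_FIELDS:
        raise ValueError(f"unsupported prefix {fmt!r}")
    parts = _PIPE.split(line, maxsplit=_HEADER_FIELDS[fmt])
    header = [p.replace(r"\|", "|") for p in parts[:-1]]
    # CEF separates extension pairs with spaces, LEEF with tabs.
    raw = parts[-1]
    pairs = _CEF_KEY.split(raw) if fmt == "CEF" else raw.split("\t")
    ext = {}
    for pair in pairs:
        key, sep, value = pair.partition("=")
        if sep:
            ext[key] = value.replace(r"\=", "=").replace("\\\\", "\\")
    return {"format": fmt, "header": header, "ext": ext}


def cef_time(rt: str) -> datetime:
    """CEF times are integral milliseconds since 1970-01-01 UTC (e.g. rt=)."""
    return EPOCH + timedelta(milliseconds=int(rt))


# Constructed samples: vendor, product and field values are illustrative only.
CEF_SAMPLE = ("CEF:0|BMC|AMI Datastream|6.2|80|RESOURCE ACCESS\\|Insufficient Auth|7|"
              "rt=1372718485293 dhost=IBMSYSC suser=JOE SYSPROG msg=READ denied sev=Err")
LEEF_SAMPLE = ("LEEF:1.0|BMC|AMI Datastream|6.2|80|"
               "devTime=1372718485293\tusrName=JOE SYSPROG\tsev=Err")
```

`cef_time(parse_event(CEF_SAMPLE)["ext"]["rt"])` yields 2013-07-01T22:41:25.293 UTC, matching the conversion given in the CEF section.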

Splunk

Splunk is a structured indexing and correlating standard. It improves the usability of BMC AMI Datastream data in Splunk searches by formatting all fields as tag, tag=value, or tag="quoted value" and by introducing a field severity=.

To use the Splunk extension, specify SPLunk for the SIEMtype parameter of the OPTIONS statement.

The Splunk extension does not apply to CZASEND. For more information, see Customizing-for-a-proprietary-syslog-extension.
