Local JOBLOG statement


The Local JOBLOG statement uses selection masks to capture JES SYSOUT messages from active jobs on the local system. The captured messages are then forwarded to your SIEM.

You define the Local JOBLOG statement using the $$$JOBLG member in the amihlq.PARM data set. You can find a sample of the Local JOBLOG statement in amihlq.PARM(CZAJOBLG), which you can copy into $$$JOBLG and customize as required.

Enabling Local JOBLOG

To enable Local JOBLOG, set the JOBLOG and LOCALJL switches to On in the $$$CONFG member located in the amihlq.PARM data set. You can find a sample of the switches in amihlq.PARM(CZDCONFG), which you can copy into $$$CONFIG and customize as required. For more information about the $$$CONFG member, see Customizing-for-a-proprietary-syslog-extension

Using Local JOBLOG

You can define from 1 through 255 Local JOBLOG statements.

Syntax diagram for the JOBLOG statement provides a visual representation of the command syntax and parameters.

You can use JOBLOG statements to scan for overlapping criteria. In this sample, the JOBLOG statements are all selecting the same jobs and scanning the same SYSOUT records, but each is looking for a different message string. Using these sample JOBLOG statements, BMC AMI Datastream for z/OS selects the following records and passes them to the SIEM:

DFS810A IMS READY 20358/0027582 I15654CT.I15654CT I156
 DFS058I 00:29:49 NRESTART COMMAND IN PROGRESS I156

Statement parameters

Local JOBLOG uses the following parameters. The capitalized letters in the parameter names indicate the minimum number of characters required for the command. 

Parameter

Description

NAME(joblogName)

Name of the JOBLOG statement

From 1 to 20 characters, the name must be unique and cannot contain embedded spaces or parentheses. 

Important

If you create a JOBLOG statement with the same name as an existing JOBLOG statement, the second (newer) statement supersedes the existing (older) statement.

This parameter is required.

JOBName(nameOfJob)

Name of the job that you want to locate

Use this selection mask to scan for active jobs by name. Try to be as specific as possible. The mask accepts from 1 to 8 charracters. You can use an asterisk (*) in conjunction with another character, but you cannot use a single, lone asterisk, as that would select every active job on the system.

This parameter is required.

STEPName(nameOfStep)

Name of a step in the job that you want to locate

Use this selection mask to scan for a particular step within the active jobs. This mask accepts from 1 to 8 characters. You can also use a single asterisk (*) for a generic scan.

DDName(ddName)

Name of a DDname in the job that you want to locate

Use this selection mask to scan for a particular DDname within the active jobs. This mask accepts from 1 to 8 characters. You can also use a single asterisk (*) for a generic scan.

MSGString(searchString)

Text contained in the SYSOUT record

Use this selection mask to scan for a specific message ID or string of characters contained within the SYSOUT record for the active jobs. This mask accepts from 1 to 20 characters.

JESName(secondaryJES2)

Name of the secondary JES2 system

Specify the secondary JES2 (poly-JES) system under which the job you want to locate is running. JESNAME does not apply to JES3 installations. BMC AMI Datastream scans only a single JES subsystem.

If you omit JESNAME, the default primary JES system is used.

SEVerity(severityCode)

Syslog severity code for the job that you want to locate

For information about severity codes, see Syslog-facilities-and-severities and Determining-the-QUEUE64-size.

If you omit SEVERITY, the default severity code from the TYPE statement is used. For more information, see TYPE-and-RETYPE-statements.

SUBType(subtype)

BMC AMI Datastreamsubtype for the job that you want to locate

Specify a value from 1 to 32767. Subtypes might be formatted with the SIEM message. For more information, see Event_SubType in Universal-fields. For information about the validity and formatting fo specific fields, see CSubTp in Condition-specifications.

If you omit SUBTYPE, the default 0 is used.

DATADelay(numberOfSeconds)

Number of seconds that BMC AMI Datastream should wait before checking if the job has spooled more data

Specify a value from 1 to 600 (10 minutes). BMC AMI Datastream performs this check iteratively to capture any SYSOUT data generated since the previous check.

Important

The DATADELAY interval determines the relevant nature of the messages sent to the SIEM. For example, a 10-minute old message might not be acceptable for your security and auditing requirements.

If you omit DATADELAY, the default 15 seconds is used.

JOBDelay(numberOfSeconds)

Number of seconds that BMC AMI Datastream should wait before checking if a job is active on the system.

Specify a value from 1 to 600 (10 minutes). If you have multiple JOBLOG statements with varying JOBDELAY values, BMC AMI Datastream uses the shortest interval (smallest value) for all the JOBLOG statements.

Important

The JOBDELAY interval determines your ability to select and capture active jobs. If the value is too small, you might not be able to process short-running jobs. A longer interval might allow more jobs to be active within the JOBDELAY window.

If you omit JOBDELAY, the default 15 seconds is used.

Sample $$$JOBLG

;**********************************************************************;
;**********************************************************************;
; $$$JOBLG: User agent parameter member for BMC AMI Datastream         ;
;           This is a copy of CZAJOBLG and made available for          ;
;           user modification.  It will be included in CZAPARMS        ;
; SIEMTYPE-independent                                                 ;
; Copyright (c) 2020-2025 BMC Software, Inc.                           ;
;**********************************************************************;
;**********************************************************************;

SAY "v7.1.03 Updated 29 October 2023"

; ---------------------------------------------------------------------
; JOBLOG statements to select Jes2/Jes3 sysout to be captured and
; passed to the remote SIEM.
;   NAME(...)      - 20 byte description of the report
;                    Defaults to spaces
;   JOBNAME(...)   - 8 byte Jobname selection mask
;                    Defaults to asterisk
;   STEPNAME(...)  - 8 byte Stepname selection mask
;                    Defaults to asterisk
;   DDNAME(...)    - 8 byte DDName selection mask
;                    Defaults to asterisk
;   MSGSTRING(...) - 20 byte Message selection mask
;                    Defaults to asterisk
;   JESNAME(...)   - 4 byte Jes Subsystem Name
;                    Defaults to the primary Jes subsystem
;   SEVERITY(...)  - Desired Syslog Output severity passed to SIEM
;                    Defaults to value in EVENT specification
;   SUBTYPE(...)   - Event subtype
;                    Defaults to zero (0)
;   DATADELAY(...) - Delay between Jes Sysout Read Cycles
;                    Defaults to 15 seconds.  Must be 1 - 600
;   JOBDELAY(...)  - Delay between scans looking for selected jobs
;                    Defaults to 15 seconds.  Must be 1 - 600
;
;   Selection masks use a question mark (?) to represent a single
;   wild character and an asterisk (*) to match any remaining
;   characters
;
;   Jobname selection mask cannot specify unqualified selection
;   criteria.  There must be at least 1 character besides a question
;   mark and/or asterisk.
;
; ---------------------------------------------------------------------
JOBLOG                         +
    NAME(WIDGET_STATUS)        + ;JOBLOG statement identifier
;   MSGSTRING(CZA*)            + ;Message filtering criteria
;   JESNAME(JEST)              + ;Jes Subsystem Name
;   SEVERITY(0)                + ;SYSLOG message severity
;   SUBTYPE(1)                 + ;SYSLOG message subtype
    DATADELAY(15)              + ;Seconds between Jes Sysout Reads
    JOBDELAY(15)               + ;Seconds between Active Job Scans
    DDNAME(SYSPRINT)           + ;DDName selection mask
    STEPNAME(*)                + ;Step Name selection mask
    JOBNAME(PROD*)               ;Job Name selection mask
JOBLOG                         +
    NAME(OTHER_STATUS)         + ;JOBLOG statement identifier
;   MSGSTRING(ABC*)            + ;Message filtering criteria
;   JESNAME(JESP)              + ;Jes Subsystem Name
;   SEVERITY(0)                + ;SYSLOG message severity
;   SUBTYPE(1)                 + ;SYSLOG message subtype
    DATADELAY(15)              + ;Seconds between Jes Sysout Reads
    JOBDELAY(15)               + ;Seconds between Active Job Scans
    DDNAME(SYSPRINT)           + ;DDName selection mask
    STEPNAME(*)                + ;Step Name selection mask
    JOBNAME(T???1*)              ;Job Name selection mask

Example using $$$JOBLG

JOBLOG                                 +
    NAME(IMS_READY)                    + ;JOBLOG statement identifier
    MSGSTRING(DFS810A)                 + ;IMS Ready for restart command
    DDNAME(JESMSGLG)                   + ;DDName selection mask
    JOBNAME(IMS*)                        ;Any IMS job, start task

JOBLOG                                 +
    NAME(IMS_COMMAND_ISSUED)           + ;JOBLOG statement identifier
    MSGSTRING(DFS058I)                 + ;IMS command issued
    DDNAME(JESMSGLG)                   + ;DDName selection mask
    SEVERITY(1)                        + ;May be critical
    JOBNAME(IMS*)                        ;Any IMS job, start task

JOBLOG                                 +
    NAME(IMS_COMMAND_ISSUED)           + ;JOBLOG statement identifier
    MSGSTRING('COMMAND IN PROGRESS')   + ;IMS command issued
    DDNAME(JESMSGLG)                   + ;DDName selection mask
    SEVERITY(1)                        + ;May be critical
    JOBNAME(IMS*)                        ;Any IMS job

Working with selection masks

Consider the following information when using selection masks in the Local JOBLOG statement:

  • You can use wild card characters, such as an asterisk (*) and question mark (?).
  • A question mark anywhere in the string indicates that any character in that position is valid. 
  • An asterisk anywhere in the string indicates that any remaining characters in the string are valid.
  • When using a wild card for MSGSTRING, the selection mask includes all characters between the parentheses. Leading, trailing, and embedded spaces in the string are included in the search criteria.

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*