OPTIONS statement


You can use the parameters of the OPTIONS statement to specify miscellaneous options for BMC AMI Datastream and CZASEND. CZASEND honors the parameters of the OPTIONS statement except as indicated for certain individual parameters. 

The OPTIONS statement is in the $$$SERVR member.

Important

You can modify the $$$SERVR member in the amihlq.PARM data set.

Syntax diagram 1 for the OPTIONS statement provides a visual representation of the command syntax and parameters.

Syntax diagram 2 for the OPTIONS statement provides a visual representation of the command syntax and parameters.

Syntax diagram 3 for the OPTIONS statement provides a visual representation of the command syntax and parameters.

Syntax diagram for Delimiters provides a visual representation of the available delimiters.

For information about for and/or if, see FOR-and-IF-statements.

For information about traceSpecification, see Using-the-TRACE-facility.

If you include more than one OPTIONS statement—or if your OPTIONS statements are qualified with FOR (more than one OPTIONS statement that applies to a particular LPAR)—then the effect is cumulative.

Example

If you code the following syntax:

OPTIONS FORMAT(ALL) HOST(CPUID) TAGCASE(LOWER)
OPTIONS TIMESTAMP HOST(SMFID)

then the effect is exactly as if you had coded:

OPTIONS FORMAT(ALL) TAGCASE(LOWER) TIMESTAMP HOST(SMFID)
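
The same cumulative rule as a script, for reviewing the effective settings of a $$$SERVR member. This is an added example, not BMC code: it assumes that the upper-case part of a keyword is its shortest abbreviation and that either/or pairs such as NOTIMESTamp|TIMESTamp replace each other; it lists only a subset of keywords and ignores FOR and IF qualifiers.

```python
import re

# Keywords spelled as on this page. The upper-case prefix is taken to be the
# shortest accepted abbreviation (assumption, based on the page's own use of
# HOST(...) for HOSTname and INTF(...) for INTFormat).
KEYWORDS = ["FORMat", "HOSTname", "HEADer", "TAGCase", "FRAMing", "SIEMtype",
            "INTFormat", "NOTIMESTamp", "TIMESTamp", "PRIority", "NOPRIority",
            "DATAVALidate", "USSSMF"]
# Either/or pairs share one slot, so the later keyword replaces the earlier
# one (assumption: the page shows replacement only for operands like HOST).
SLOTS = {"NOTIMESTamp": "TIMESTamp", "NOPRIority": "PRIority"}
# "configure one USSSMF parameter for each SMF type": these accumulate.
REPEATABLE = {"USSSMF"}


def canonical(word):
    """Map a coded keyword or abbreviation to the page's spelling."""
    upper = word.upper()
    for kw in KEYWORDS:
        shortest = re.match(r"[A-Z0-9]+", kw).group()
        if kw.upper().startswith(upper) and len(upper) >= len(shortest):
            return kw
    return upper  # unknown keyword: keep it as coded


def split_params(statement):
    """Return [(keyword, operand or None)] for one OPTIONS statement."""
    head = re.match(r"\s*OPTIONS(?=\s|$)", statement, re.I)
    if not head:
        raise ValueError("not an OPTIONS statement")
    text, i, params = statement, head.end(), []
    while i < len(text):
        if text[i].isspace():
            i += 1
            continue
        start = i
        while i < len(text) and not text[i].isspace() and text[i] != "(":
            i += 1
        word, operand = text[start:i], None
        if i < len(text) and text[i] == "(":
            # Find the matching ")" while honouring nesting and quoted
            # operands such as DELIMIT(':' ')' ...).
            depth, quote, j = 0, None, i
            while j < len(text):
                c = text[j]
                if quote:
                    quote = None if c == quote else quote
                elif c in "'\"":
                    quote = c
                elif c == "(":
                    depth += 1
                elif c == ")":
                    depth -= 1
                    if depth == 0:
                        break
                j += 1
            if j == len(text):
                raise ValueError(f"unbalanced parentheses after {word}")
            operand, i = text[i + 1:j], j + 1
        params.append((word, operand))
    return params


def effective_options(statements):
    """Merge OPTIONS statements in the order coded; later values win."""
    merged = {}
    for statement in statements:
        for word, operand in split_params(statement):
            kw = canonical(word)
            if kw in REPEATABLE:
                merged.setdefault(kw, []).append((word, operand))
                continue
            slot = SLOTS.get(kw, kw)
            merged.pop(slot, None)  # re-insert so the newest value is last
            merged[slot] = [(word, operand)]
    return merged


def render(merged):
    """Write the merged settings back as one OPTIONS statement."""
    parts = []
    for entries in merged.values():
        for word, operand in entries:
            parts.append(word.upper() + ("" if operand is None else f"({operand})"))
    return "OPTIONS " + " ".join(parts)
```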

OPTIONS statement parameters

The following parameters can be included in the OPTIONS statement:

Parameter

Description

BOOLValues(trueValue falseValue)

Values to be used for true and false for Boolean (yes and no, or true and false) fields

For trueValue and falseValue, enter either the keyword OMIT (upper or lower case, without quotation marks) or a character string of zero to eight characters enclosed in single quotation marks.

Example

  • If you omit BOOLValues, the default is Yes OMIT, which means that Boolean fields that evaluate as true are formatted as tag: Yes – and Boolean fields that evaluate as false are omitted. (Boolean field omission is controlled entirely by BOOLValues Omit; OPTions FORMat has no effect on Boolean fields.)
  • A zero-length character string differs in meaning from OMIT in that, for instance, a field that evaluates as false is formatted as Tag: - with a zero length character string value, and omitted if OMIT is specified. See the description of SIEMtype for its effect on BOOLValues.

CLOCKMsg(AT(MIDNight)|COMMand|EVERY(minutes))

Specifies whether BMC AMI Datastream sends message CZA0352I to the SIEM console and at what interval

Message CZA0352I is intended to facilitate compliance with ISO 27000 (and similar standards). Make sure that the clocks of all relevant information processing systems at your organization are synchronized to an official or industry best practice source.

The message shows the clock setting of the z/OS system. The options in the message have the following meanings:

  • AT(MIDNight) specifies that the message should be sent every midnight local time.
  • COMMand specifies that the message should be sent only manually with the MODIFY CLOCK command. For more information, see MODIFY-command.
  • EVERY(minutes) specifies that the message should be sent every specified number of minutes between 5 and 1440 (24 hours).

If you omit this parameter, the default MIDNight is used.

DATABase(filePath)

(SPE2310)

 

(Datastream for z/OS only) Specifies the file path of the BMC AMI Security Policy Manager SQLite database

(SPE2404) BMC AMI Datastream creates a separate $SQL subtask to handle the SQLite tasks. You can see the subtask by using the $mgr,list command.

To use this parameter, you must first configure the following options:

  • Enable the DATABase option in the $$$SERVR member.
  • Turn on the SPM switch in the $$$CONFG member.

For examples of the $$$SERVR and $$$CONFG members, see Customizing-for-a-proprietary-syslog-extension.

(SPE2404) Starting from version SPE2404, the following exception is obsolete: DATABase and IBM z Systems Integrated Information Processor (zIIP) are mutually exclusive. If ZIIP is enabled, this parameter is ignored.

DATAVALidate

Performs field data validation

If you specify DATAVALidate, then all field values are checked for valid characters, and invalid characters are diagnosed with message CZA0367W. DATAVALidate is intended primarily for testing new field definitions or diagnosing field definition problems. Do not use DATAVALidate routinely in production as it increases CPU utilization unnecessarily.

If you omit DATAVALidate, no data validation is performed.

DELIMit(‘lead’ ‘trail’ ‘innerLead’ ‘innerTrail’ ‘groupLead’ ‘groupTrail’ NOFINal|FINal)

Indicates the characters used to separate text strings in each syslog record

Specify zero to eight characters, enclosed in single quotation marks, for the six delimiter operands:

  • lead specifies the characters that should appear between the tag and the field value. 
  • trail specifies the characters that should appear between each field and the following tag. 
  • innerLead specifies the characters that should appear between the tag and the field value for inner fields grouped within an outer field.
  • innerTrail specifies the trailing characters for each inner field. 
  • groupLead specifies the bracket characters that should precede a group of inner fields to enclose them.
  • groupTrail specifies the bracket characters that should trail a group of inner fields to enclose them.

Use one of the following operands to indicate how to finalize the text strings for the particular syslog message:

  • NOFINal specifies that no delimiter should appear after the last field in the record.
  • FINal specifies that the trail delimiter should appear after the last field in the record.

Specifying NOFINal or omitting the DELIMit parameter altogether might produce a more esthetic display.

Specifying FINal might facilitate automated parsing of syslog messages.

Example

With the following values:

DELIMIT(':' '–' '=' ';' '[' ']' NOFINAL)

a hypothetical portion of a syslog record might appear as follows:

LU: NA01DABH – SQL: [Create Synonym=5; Create Store Group=5] – RMID: 26

For information about the effect of SIEMtype parameters on DELIMit, see the SIEMtype extension table.

If you omit this parameter, the default ':' '–' ':' '–' '{' '}' NOFINAL is used.
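
A receiver-side parser for the tag/value layout in the example above, showing what FINal gives an automated parser: a record that was cut short is rejected instead of being accepted with a shortened last value. This is an added example, not BMC code; parse_fields and split_top_level are hypothetical names, and it assumes that white space around delimiters is not significant and that delimiter characters do not occur inside values.

```python
def split_top_level(text, sep, group_open, group_close):
    """Split text at sep, skipping separators inside group brackets."""
    parts, depth, start, i = [], 0, 0, 0
    while i < len(text):
        if group_open and text.startswith(group_open, i):
            depth += 1
            i += len(group_open)
        elif group_close and depth and text.startswith(group_close, i):
            depth -= 1
            i += len(group_close)
        elif depth == 0 and text.startswith(sep, i):
            parts.append(text[start:i])
            i += len(sep)
            start = i
        else:
            i += 1
    parts.append(text[start:])
    return parts


def parse_fields(body, delims, final=False):
    """Parse one record body into [(tag, value)]; a group value is a list.

    delims is (lead, trail, innerLead, innerTrail, groupLead, groupTrail),
    in DELIMit operand order. A list is returned rather than a dict so that
    repeating fields that share one tag name are all kept.
    """
    lead, trail, inner_lead, inner_trail, group_open, group_close = delims
    if not all((lead, trail, inner_lead, inner_trail)):
        raise ValueError("zero-length delimiters cannot be split on")
    body = body.strip()
    if final:
        # With FINal every complete record ends with the trail delimiter.
        if not body.endswith(trail):
            raise ValueError("record does not end with the trail delimiter")
        body = body[:-len(trail)]
    fields = []
    for chunk in split_top_level(body, trail, group_open, group_close):
        tag, found, value = chunk.partition(lead)
        if not found:
            raise ValueError(f"field without lead delimiter: {chunk.strip()!r}")
        value = value.strip()
        if (group_open and group_close
                and value.startswith(group_open) and value.endswith(group_close)):
            inner = value[len(group_open):-len(group_close)]
            value = [tuple(part.strip() for part in item.partition(inner_lead)[::2])
                     for item in inner.split(inner_trail) if item.strip()]
        fields.append((tag.strip(), value))
    return fields


# Delimiters and record copied from the DELIMIT example on this page
# (\u2013 is the dash character printed there).
PAGE_DELIMS = (":", "\u2013", "=", ";", "[", "]")
PAGE_RECORD = ("LU: NA01DABH \u2013 SQL: [Create Synonym=5; "
               "Create Store Group=5] \u2013 RMID: 26")

if __name__ == "__main__":
    print(parse_fields(PAGE_RECORD, PAGE_DELIMS))
    # Constructed truncation: the last byte is lost in transit.
    print(parse_fields(PAGE_RECORD[:-1], PAGE_DELIMS))  # accepted, RMID is wrong
```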

FORMat(format)

Indicates whether fields that are zero or blank are to be formatted as part of syslog messages and if so, what string (if any) is to be used to indicate all-blank fields

If FORMAT(ERGO) is specified or allowed to default, then fields with a value of zero or all blanks are omitted from messages sent to the syslog console. Group fields are omitted when all of the subsidiary fields are suppressed (blank or zero). If FORMAT(ALL) is specified, then fields with a value of zero are formatted as Tag: 0 -. Fields with a value of blank are formatted as Tag: blank-indicator – where the value of blank-indicator is determined by the operand following ALL: if NONE is specified or allowed to default then the blank indicator is the word None; if NULL is specified then the blank indicator is the null string (Tag: -); if a value in quotes is specified then the specified value is used. The quoted value might be from zero to 20 characters in length.

Important

FORMat has no effect on Boolean fields. For more information, see the BOOLValues description earlier in this topic.

FRAMing(framingOptions)

For TCP/IP transport only, how individual messages are to be delimited or framed within the TCP/IP datastream

Specify one of CR (carriage return, X’0D’), LF (linefeed, X’0A’), CRLF (carriage return plus linefeed, X’0D0A’), Null (null, X’00’) or Octetcount. Make sure that whatever framing option you specify is supported by your syslog console. We believe that octet counting is superior to the use of delimiter characters and recommend its use whenever possible. Octet counting should always be used for BMC Defender SyslogDefender connections. If you do not specify FRAMing it defaults to LF (linefeed). See the description of SIEMtype for its effect on FRAMing.
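
A receiver that deframes the TCP byte stream for each FRAMing value, showing that a delimiter byte inside a message splits it under LF framing but not under octet counting. This is an added example, not BMC code: it assumes Octetcount uses the RFC 6587 layout (decimal length, one space, then the message), the sample messages are constructed, and the page does not say whether the agent can ever emit a delimiter byte inside a message.

```python
DELIMITERS = {"CR": b"\r", "LF": b"\n", "CRLF": b"\r\n", "NULL": b"\x00"}
MAX_MESSAGE = 64 * 1024  # receiver-side cap (assumption, not a product limit)


def frame(messages, framing):
    """Sender side: join messages the way each FRAMing value implies."""
    out = bytearray()
    for msg in messages:
        if framing == "OCTETCOUNT":
            out += str(len(msg)).encode("ascii") + b" " + msg
        else:
            out += msg + DELIMITERS[framing]
    return bytes(out)


class Deframer:
    """Receiver side: feed() arbitrary TCP chunks, get whole messages back."""

    def __init__(self, framing):
        self.framing = framing
        self.buf = bytearray()

    def feed(self, chunk):
        self.buf += chunk
        messages = []
        while (msg := self._next()) is not None:
            messages.append(msg)
        return messages

    def _next(self):
        if self.framing == "OCTETCOUNT":
            return self._next_counted()
        delim = DELIMITERS[self.framing]
        end = self.buf.find(delim)
        if end < 0:
            if len(self.buf) > MAX_MESSAGE:
                raise ValueError("no delimiter within MAX_MESSAGE bytes")
            return None
        msg = bytes(self.buf[:end])
        del self.buf[:end + len(delim)]
        return msg

    def _next_counted(self):
        space = self.buf.find(b" ")
        head = bytes(self.buf if space < 0 else self.buf[:space])
        # The prefix must be a short run of digits; anything else means the
        # sender is not octet counting or the stream is out of step.
        if head and (not head.isdigit() or len(head) > 7):
            raise ValueError(f"bad length prefix {head!r}")
        if space < 0:
            return None  # prefix not complete yet
        if space == 0:
            raise ValueError("empty length prefix")
        length, start = int(head), space + 1
        if length > MAX_MESSAGE:
            raise ValueError("declared length exceeds MAX_MESSAGE")
        if len(self.buf) < start + length:
            return None  # wait for the rest of the message
        msg = bytes(self.buf[start:start + length])
        del self.buf[:start + length]
        return msg


def receive(stream, framing, chunk_size=7):
    """Deliver stream in small chunks, as TCP may, and collect messages."""
    deframer, got = Deframer(framing), []
    for i in range(0, len(stream), chunk_size):
        got += deframer.feed(stream[i:i + chunk_size])
    return got


# Constructed messages; the second carries a linefeed inside a field value.
SENT = [b"<134>LPAR1 Internal: agent started",
        b"<134>LPAR1 Note: line one\nline two"]

if __name__ == "__main__":
    print(len(receive(frame(SENT, "LF"), "LF")))                  # 3 records
    print(len(receive(frame(SENT, "OCTETCOUNT"), "OCTETCOUNT")))  # 2 records
```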

HEADer(hostName)

BMC AMI Datastream and CZASEND begin each syslog message with a proprietary header indicating the actual origin of the syslog message (as opposed to the device that forwarded the message to BMC AMI Datastream)

Use this parameter only if the ultimate destination of the syslog messages is BMC AMI Command Center for Security or BMC Defender SIEM Correlation Server (as opposed to some other syslog collector) and there is some intermediate node between the LPAR and BMC AMI Datastream such as a load balancer, tunnel, or proxy. Code CPUID, IPV4, IPV6, HOSTNAME, JESNODE, LPARNAME, NONE, SMFID, or SYSNAME to indicate the CPU ID (serial number), the IPv4 dotted address, the IPv6 colon-formatted address, the TCP/IP host name, the JES node name, the LPAR name, no host name, or the system name (&SYSNAME as defined in the IEASYSxx or IEASYMxx PARMLIB member) respectively, or code a literal character string enclosed in single or double quotation marks. The character literal might not contain embedded blanks and must not exceed 100 characters in length. Do not code LPARNAME if you are not running in logical partition mode. If you omit HEADer, no header is inserted. See the description of SIEMtype for its effect on HEADer.

HOSTname(hostName)

How the origin (hostName) of syslog records generated by BMC AMI Datastream or CZASEND is to be identified

Code CPUID, IPV4, IPV6, HOSTNAME, JESNODE, LPARNAME, NONE, SMFID, or SYSNAME to indicate the CPU ID (serial number), the IPv4 dotted address, the IPv6 colon-formatted address, the TCP/IP host name, the JES node name, the LPAR name, no host name, or the system name (&SYSNAME as defined in the IEASYSxx or IEASYMxx PARMLIB member) respectively, or code a literal character string enclosed in single or double quotation marks. The character literal might not contain embedded blanks and must not exceed 1 characters in length. Do not code LPARNAME if you are not running in logical partition mode. If you omit HOSTNAME, the TCP/IP host name of the LPAR is used. See the description of SIEMtype for its effect on HOSTname.

IgnoreSingleWildCardESM

(SPE2407)

(Datastream for z/OS only)  Reports when the System Integrity Violation (SIV) scanner finds fully qualified generic RACF data set profiles that use a % wildcard

BMC AMI Datastream reports sensitive data sets, such as APF-authorized libraries, PROCLIBS, and PARMLIBS that are protected by RACF profiles. By default, if a sensitive data set is protected by a profile that uses a % wildcard (for example AMIHLQ.V%%%.LOAD), the SIV scanner does not report it.

Use this parameter to also report data sets that are protected by fully qualified generic RACF data set profiles that use a % wildcard. The SIV scanner identifies the data sets and reports them by issuing message SDV1000I.

Example

Data set AMIHLQ.V123.LOAD is protected by AMIHLQ.V%%%.LOAD

Apr 15 10:55:27 LPAR System_ Integrity: SAF: 1 - SAFD: RACF - HostSMFID: LPAR - Record: SDV1000I APF List data set DSN= AMIHLQ.V123.LOAD
does not have a fully qualified generic profile

If you omit IgnoreSingleWildCardESM, the SIV scanner ignores sensitive data sets that are protected by fully qualified generic RACF data set profiles that use a % wildcard.

INSTName(name)

Optional name for the running instance of BMC AMI Datastream (for more information, see START-command)

Specify a name of one to sixteen characters; the first character might not be numeric. The name might not be quoted; that is, the name might not contain blanks or parentheses nor begin with a quotation character. The name does not affect the operation of BMC AMI Datastream, but identifies BMC AMI Datastream in the DISPLAY(INSTances) output (see MODIFY-command) and might be used by API programs to identify BMC AMI Datastream. The name is displayed in the case you specify but name comparisons are case-insensitive (like a Windows filename). Any name you specify must not be a duplicate of the name of another BMC AMI Datastream running in the same LPAR.

If you omit this parameter the name of the CZAPARMS member is used. If that name is a duplicate of an already-running BMC AMI Datastream instance, it is ignored. The BMC AMI Datastream instance is unnamed and might not be accessible by some API programs. The instance number and instance name are available as SIEM syslog message fields. For more information, see Universal-fields.

INTFormat(CANONical|SCALEd CANONical|SCALEd)

Format in which integers are to be formatted

The two formats are canonical (CANONical – regular numbers) and scaled for better readability (SCALEd).

Example

With INTF(CANON) a value of 3,456,789 would be formatted as 3456789; with INTF(SCALE), it would be formatted as 3.46M. K, M, G, T, and P are used to represent kilo-, mega-, giga-, tera- and peta- respectively.
The prefixes follow the International System of Units; kilo- means 1000, not 1024; mega- means 1000000, not 1024000 or 1048576, and so forth.

The first operand of INTFormat specifies how event (SMF and API record) integer fields are to be formatted and the second operand specifies how counters (see ) are to be formatted in SIEM messages. Certain event integer fields that represent codes or similar data always appear in canonical format, and counters always appear in scaled format on the console and in CZAPRINT.

See the description of SIEMtype for its effect on INTFormat.

If you omit this parameter, the default SCALEd SCALEd is used.

If you include this parameter but specify only the first operand, the value of the first operand is used for the second operand. For example, INTF(CANON) becomes INTF(CANON CANON). 

IPASYNCEnable|IPASYNCDisable

(BMC AMI Datastream for z/OS only) Whether asynchronous IP client data is enabled

The following values are valid:

  • IPASYNCEnable—Enables asynchronous IP client data
  • IPASYNCDisable—Disables asynchronous IP client data

Important

  • When you are using TLS or SSL (SERVER-statement TRANSport parameter), IPASYNCEnable is ignored and IPASYNCDisable is used.

If no value is specified, the default value is IPASYNCEnable.

LIMITOVERflowmsg(limitN)

(SPE2304)

Disables or limits the number of CZA0301W overflow messages printed to the CZAPRINT data set per day

Enter a number from 0 to 2000000000, where 0 indicates that no CZA0301W overflow messages are printed.

Examples

LIMITOVERflowmsg(1000)
1,000 CZA0301W messages are printed each day.

LIMITOVERflowmsg(0)
No CZA0301W messages are printed.

The counter is reset every night at midnight.

If you omit LIMITOVERflowmsg, the messages are printed with no limit.

LOGSTReam(+ifasmf.lgstream.logr1 + ... +ifasmf.lgstream.logr32 +)

Name of up to 32 SMF log streams to read and collect SMF records that are generated as part of the IPL process before BMC AMI Datastream starts

The agent address space reads the specified SMF log streams and scans for the following SMF records:

  • SMF 00—IPL 
  • SMF 08—I/O Configuration
  • SMF 22—Device Configuration
  • SMF 43—JES2 and JES3 Start
  • SMF 81—RACF Initialization
  • SMF 119—TCP/IP Initialization (subtype 8)

The SMF log stream or log streams that contain these records are in your SYS1.PARMLIB(SMFPRMxx) member. Contact your system administrator for this information.

NOAPFENRich

Suppresses APF-status enrichment (for more information, see APF status enrichment in SMF-record-enrichment)

APF-authorization status enrichment fields are treated as missing (see Missing Fields).

If you omit NOAPFENRich, APF status enrichment is enabled.

NOENCRYPTENRich

Suppresses encryption data set status enrichment (for more information, see Encryption enrichment status in SMF-record-enrichment)

Encryption data set status enrichment fields are treated as missing (see Missing Fields).

If you omit NOENCRYPTENRich, encryption data set status enrichment is enabled.

NOEXITs

Specifies that the z/OS installation exit that monitors z/OS system exits IEFU83, IEFU84 and IEFU85 is not to be installed (see BMC-AMI-Datastream-overview)

Specifying NOEXITs prevents the agent from receiving any SMF records from z/OS. Generally, this parameter should only be used as directed by BMC Support.

NOIEBCOPYcapture

(SPE2407)

Disables capturing changes to the IEBCOPY member list

This parameter stops the BMC AMI Datastream agent from capturing PROCLIB and PARMLIB changes to the IEBCOPY member list. This helps to reduce overhead that might result from capturing changes made by using the IEBCOPY utility.

If you omit this parameter, changes made by the IEBCOPY utility are captured to the list.

NOKEEPEXITFirst|KEEPEXITFirst

(SPE2401)

Keeps CZAU8x modules before all other modules in the SYS.IEFU8x and SYSSTC.IEFU8x exits

If BMC AMI Datastream detects another exit before a CZAU8x module, it reinstalls the exit so that the CZAU8x module is first.

If you omit this parameter, the default NOKEEPEXITFirst is used.

NONCANcelable

Sets server to be noncancelable

If you specify NONCANcelable, then the BMC AMI Datastream server address space cannot be canceled. A Force command is still allowed.

If you omit NONCANcelable, the BMC AMI Datastream server address space can be canceled.

NOSAFENRich

Suppresses SAF data set status enrichment (for more information, see APF status enrichment in SMF-record-enrichment)

SAF data set status enrichment fields are treated as missing (see Missing Fields).

If you omit NOSAFENRich, SAF status enrichment is enabled.

NOSIVSCANNER|SIVSCANNER

Specifies whether to start the System Integrity Violation (SIV) scanner

The SIV scanner identifies data sets and system settings that might be vulnerable to an outside attack. It scans for:

  • Sensitive data sets, such as APF, Linklist, PARMLIB, and PROCLIB
  • Security settings for data access subsystems, such as MQ, DB2, IMS, and CICS

For more information, see Using-the-System-Integrity-Violation-scanner.

If you omit this parameter, the default NOSIVSCANNER is used.

NOSIVSRC|SIVSRC

(SPE2307)

Specifies whether the source comparison subtask, $SRCC, should track and report changes to PROCLIB and PARMLIB: 

  • SIVSRC—$SRCC tracks the changes and prints the delta to the CZASCMP DD of the agent task. CZASCMP DD is dynamically allocated; you do not need to modify the agent PROC to enable this feature. CZASCMP DD has a size limit. If that limit is reached, the DD closes automatically and a new DD is opened. Otherwise, CZASCMP DD closes every day at midnight and a new DD is opened so that you can clear unwanted DDs. For an example of the CZASCMP DD and corresponding SIVSRC record, see Sample CZASCMP DD, SIVSRC, and SRCCMP.
  • NOSIVSRC—$SRCC does not track changes and no data is printed to CZASCMP DD.

To enable this parameter, first switch on the SIV and SRCC options in the $$$CONFG member. For more information, see "Specifying the configuration type" in Customizing-for-a-proprietary-syslog-extension.

Important

  • To use $SRCC tracking, you must add the ASMFSUPC LOAD library to the STEPLIB concatenation.
  • Source compare is available only on z/OS 2.5 and higher.

If you omit this parameter, the default NOSIVSRC is used.

NOSRCCMPOutput

(SPE2307)

Disables printing the SIVSRC source comparison to CZASCMP DD

For an example of the SRCCMP record, see Sample CZASCMP DD, SIVSRC, and SRCCMP.

If you omit this parameter, the source comparison is printed to CZASCMP DD.

NOSRCCMPSend

(SPE2307)

Disables sending the CZASCMP DD SIVSRC source comparison to the SIEM

If you omit this parameter, the source comparison is sent to the SIEM.

NOSYSLIBENRich

Suppresses system data set status enrichment (for more information, see System library enrichment status in SMF-record-enrichment)

System data set status enrichment fields are treated as missing (see Missing Fields).

If you omit NOSYSLIBENRich, system data set status enrichment is enabled.

NOTCPWait

In the event that BMC AMI Datastream determines that the default, only, or specified (with TCPNAME) TCP/IP stack is not active, BMC AMI Datastream does not wait for it to become active

NOTCPWAIT is ignored by CZASEND (which never waits for the TCP/IP stack; if the TCP/IP stack is not active, CZASEND always terminates). If BMC AMI Datastream is waiting for TCP/IP to become active it might be terminated with the STOP console command.

NOTIMESTamp|TIMESTamp

Indicates whether Syslog records include a timestamp in accordance with the RFC 3164 specification

See the description of SIEMtype for its effect on TIMESTamp.

If you omit this parameter, the default NOTIMESTAMP is used and the generated syslog records do not include a timestamp.

NOUNIQUETAG|UNIQUETAG

Specifies whether unique tags are used for repeating fields. The initial tag matches the DEF (Definition) tag name. Tags for any repeating fields are appended with -#. For example:

  • tagname
  • tagname-2
  • tagname-3

UNIQUETAG is valid only for SIEMtype extensions AMIJson, JSON, and SPLunk. All other extensions are ignored.

If you omit this parameter, the default NOUNIQUETAG is used and all repeating fields have the same tag name.

NOUSSENRICH|USSENRICH

Specifies whether to collect information on z/OS Unix System Services (USS) superuser privileges for SMF records written by address spaces on the system

(SPE2307) Only SMF records configured using the USSSMF parameter are enriched with USS information.

To enable this parameter, first switch on the USSENRICH option in the $$$CONFG member. For more information, see "Specifying the configuration type" in Customizing-for-a-proprietary-syslog-extension.

Important

  • USSENRICH and zIIP are mutually exclusive. If you use this parameter, you cannot use the zIIP enablement feature. For more information, see "BMC AMI Datastream for z/OS parameters" in Sample-CZAGENT-JCL-for-running-BMC-AMI-Datastream-as-a-started-task.
  • Using this parameter incurs a significant amount of overhead because multiple USS and SAF security system (RACF, ACF2, and CA Top Secret) calls are required to obtain the data.

If you omit this parameter, the default NOUSSENRICH is used.

NOVERIFYExit|VERIFYExit

(SPE2401)

Verifies whether the SMF exit modules are modified

If BMC AMI Datastream detects a modification to an exit, it reloads the exits.

If you omit this parameter, the default NOVERIFYExit is used.

PRIority|NOPRIority

Specifies whether the message severity value that is assigned by the user is passed to the SIEM

SIEMtype(CEF) requires and defaults to PRIority.

PROCess(‘processTag’)

Identifies the tag that appears at the start of general syslog messages issued by BMC AMI Datastream to indicate its own status, following the priority, time stamp and host name, and preceding the formatted fields

Specify the exact process tag that you want to include in syslog messages including any spaces and punctuation. The process tag can be any length from the null string (‘’) to 32 characters.

CZASEND always uses the process tag CZASEND followed by the leading delimiter from the DELIMit parameter. It is not possible to change CZASEND’s process tag.

If you omit this parameter, the default is Internal followed by the leading delimiter from the DELIMit parameter.

For more information about the Internal process tag, see Syslog-internal-messages.

QUEUE64/Q64(size)

Number of megabytes (MB) allocated to store the captured SMF data

QUEUE64(1) is 1MB or 1,048,576 bytes. This queue is allocated in above-the-bar (64-bit) storage. 

For information about determining an optimal value for QUEUE64, see Determining-the-QUEUE64-size. If you omit QUEUE64, it defaults to QUEUE64(1024) or 1,073,741,824 bytes.

QUEUE()

Deprecated

It is scanned for valid syntax, and a diagnostic message is issued, but QUEUE is otherwise ignored and has no effect on BMC AMI Datastream operation.

REFResh(AT(MIDNight)|COMMand|EVERY(minutes))

Specifies whether BMC AMI Datastream should automatically refresh (reread and process) the parameter file

A parameter refresh is equivalent in effect to using the PARMs parameter in the MODIFY command.

  • AT(MIDNight)—The parameter file is refreshed every midnight, local time.
  • COMMand—The parameter file is refreshed only manually by using the PARMS parameter.
  • EVERY(minutes)—The parameter file is refreshed at the expiration of the specified number of minutes, from between 5 and 1440 (24 hours).

If you omit REFResh, the default COMMand is used.

SIEMtype(RFC3164|INFLux_db|AMIJson|CEF|JSON|LEEf|SPLunk)

Specifies whether to use a standardized syslog format (RFC3164) or one of the INFLux_db, AMIJson, CEF, JSON, LEEF, or Splunk extensions

Use RFC3164 for a standard Berkeley Software Distribution (BSD) format. Use an extension for a set of preconfigured parameters specific to the named SIEM type.

For more information about the extension types, see Proprietary-syslog-format-extensions.

Important

We recommend that you do not alter the preconfigured parameters of an extension. If you alter a parameter, the extension might not work correctly.
Depending on the parameter and the extension, an error might cause BMC AMI Datastream to issue a warning or it might produce messages that the SIEM can't process, causing unnecessary overhead.

The default values of the preconfigured parameters for each extension type are shown in the SIEMtype extension table.

If you omit this parameter, the default is RFC3164.

SNDAGTCONFSiem | NOSNDAGTCONFSiem

(SPE2407)

Sends configuration settings to BMC Defender SIEM Correlation Server or other syslog console after specific events

SNDAGTCONFSiem sends currently active configuration settings, specified by using the CONFig parameter on the MODIFY command, to BMC Defender SIEM Correlation Server or other syslog console after the following events:

  • BMC AMI Datastream agent starts running
  • When the parameters are refreshed, either by using the REFResh parameter in the OPTIONS statement or the PARMs parameter on the MODIFY command.

NOSNDAGTCONFSiem does not send configuration settings after these events occur.

If you omit this parameter, the default SNDAGTCONFSiem is used.

STATs(AT(MIDNight)|COMMand|EVERY(minutes) RESET SEND)

When BMC AMI Datastream should display operating statistics in CZAPRINT, and optionally reset the counters to zero and send them to the syslog server (see Counters)

AT(MIDNight) specifies that the statistics should be produced at midnight local time; COMMand specifies that statistics should be produced only manually with the MODIFY STATs command (see MODIFY-command); EVERY(minutes) specifies that statistics should be produced repeatedly at the expiration of the specified number of minutes. Specify a number of minutes between 5 and 1440 (24 hours).

If you omit STATs, it defaults to AT(MIDNIGHT). RESET and SEND might be specified with COMMand but have no effect; BMC AMI Datastream instead honors the parameters of the MODIFY command.

STATUSTOSiem|NOSTATUSTOSiem

Specifies whether or not to send agent status and error messages to the SIEM

If you omit this parameter, the default STATUSTOSiem is used.

SUBSYS(subsysName)

For each subsystem named in your active SMFPRMxx record, if the SUBSYS statement in SMFPRMxx contains the keyword EXITS and you want BMC AMI Datastream to forward SMF events for that subsystem, then you must code that subsystem name here

SUBSYS is ignored by CZASEND and by MODIFY czagentName,PARMS. If you are missing all syslog records for a particular subsystem such as TSO, you should try coding its name here, for instance SUBSYS(SYS SYSTSO). Contact BMC technical support if you would like assistance with the use of this parameter. Specify ALL, or allow SUBSYS to default, to cause BMC AMI Datastream to automatically pick up all of the subsystems configured in SMF.

It is highly recommended that you allow SUBSYS to default. However, you might determine appropriate SUBSYS values by issuing the D SMF,O console command and examining the output. Look for SUBSYS(xxx,EXITS … statements. If any such statements appear, and xxx is the name of a subsystem from which you would like events forwarded to your syslog console, then you must code SYSxxx as the operand of a BMC AMI Datastream parameter file SUBSYS parameter. For instance, if SUBSYS(SLS0,EXITS(IEFU83)) appears in the D SMF,O output then SYSSLS0 should be included as an operand of SUBSYS.

SWAPpable(No|Yes|ASIS)

Specifies whether z/OS workload manager swapping of BMC AMI Datastream should be allowed

For more information about swapping, see the following resources:

  • IBM z/OS MVS Initialization and Tuning Guide for information about swapping
  • Determining-the-QUEUE64-size for the benefits of a non-swappable address space

Use the SWAPpable parameter with caution because making an address space non-swappable might have an impact on the performance of the LPAR as a whole.

Specify the swapping status for BMC AMI Datastream:

  • No–to be non-swappable
  • Yes–to be swappable
  • ASIS–to leave the swapping status unchanged

SWAPpable is ignored by CZASEND.

If you omit this parameter, the default No is used.

TAGCase(case NOBLanks)

Specifies whether tags (field labels) in the syslog messages are to be displayed in mixed, upper, or lower case, or with an initial capital, and whether any blank characters occurring in tags are to be converted to underscores (NOBLanks)

The following table shows how the JobNm (Job Name) and IEFU83 driven tag and data would be displayed under various TAGCASE options:

Option            Tag and Data     Tag and Data
Mixed             JobNm: MYJOB     IEFU83 driven: 37589
Initial           Jobnm: MYJOB     Iefu83 driven: 37589
Lower             Jobnm: MYJOB     iefu83 driven: 37589
Lower NOBLanks    jobnm: MYJOB     iefu83_driven: 37589
Upper             JOBNM: MYJOB     IEFU83 DRIVEN: 37589

If you omit this parameter, the default MIXED is used. See the description of SIEMtype for its effect on TAGCase.

TCPname(tcpName)

Specifies the name of the TCP/IP stack, other than the default, to use for your connection

This parameter is available to customers with multiple TCP/IP stacks and a requirement that BMC AMI Datastream and CZASEND use a specific stack that is not the default stack. Most customers should not need to use this parameter.

This parameter is ignored if zIIP is enabled.

(SPE2307) If you are running an IBM z Systems Integrated Information Processor (zIIP) enabled environment and you want to specify a TCP/IP stack other than the default, you can use the TCPNAME parameter in the started task for the product. For more information about enabling zIIP and using the TCPNAME parameter, see "Control parameters" in Sample-CZAGENT-JCL-for-running-BMC-AMI-Datastream-as-a-started-task.

TRACE(traceSpecifications)

Specifies whether BMC AMI Datastream and CZASEND output additional diagnostic messages in the CZAPRINT data set, and which types of diagnostic messages they output

TRACE might be useful for diagnosing certain problems. If TRACE is completely omitted then it defaults to the previous state of TRACE; if TRACE() or TRACE(-ALL) is specified then all tracing is turned off.

Specify zero or more of the trace types described in Using-the-TRACE-facility (in any order). Prefix any of the specifications with - (a minus sign or hyphen) to indicate negation. The specifications are processed left to right. For instance, TRACE(ALL -XL -ENV) indicates all TRACE output except that related to translation and the operating environment.

USSSMF(number)

(SPE2307)

Specifies the SMF records selected for USSENRICH processing

The value for number indicates the SMF record type. To select multiple SMF records, configure one USSSMF parameter for each SMF type.

VERBose|NOVERBose

Deprecated

VERBOSE is equivalent to TRACE(PARM ENV CSA) and NOVERBOSE is equivalent to TRACE(-ALL).

XLATE(from-ccsid to-ccsid ‘technique’)

How data is to be translated from its EBCDIC representation on a z System to the ASCII representation of syslog messages

Specify a valid EBCDIC single-byte CCSID and optionally a valid UTF-8 or ASCII single-byte CCSID. You might also specify (enclosed within quotation marks) a list of desired code conversion (translation) techniques. If you want to specify a UTF-8 or ASCII CCSID then you must also specify an EBCDIC CCSID. The valid conversion techniques are:

  • E—Enforced Subset conversion
    An enforced subset conversion occurs when a character in the source CCSID does not have a corresponding code point in the target CCSID. In this case, the character is converted to a single substitution character. The default substitution characters (SUB) are: X'1A' or X'7F' for SBCS ASCII and X'1A' for UTF-8. The use of the E conversion technique is recommended for syslog messages.
  • L—Language Environment-Behavior conversion
  • M—Modified Language Environment-Behavior conversion
  • R—Roundtrip conversion
    A round-trip conversion ensures the integrity of all character data from the source CCSID to the target CCSID and back to the source. Even if the target CCSID does not support a given character, the character regains its original hexadecimal value after it is converted back to the source CCSID.

    Important

    Because of the way IBM defines roundtrip conversions to UTF-8, unprintable characters in the EBCDIC data will be translated to X'1A', more like an enforced subset conversion than a roundtrip conversion.

  • 0-9—User-defined conversions

CCSID stands for coded character set identifier. For more information about CCSIDs and conversion techniques, see the IBM Manual z/OS Support for Unicode: Using Unicode Services. CCSIDs are traditionally specified as five-digit numbers with leading zeros if necessary but you might omit the zeros if you prefer: 00819 and 819 are equivalent CCSID specifications. If you omit XLATE then BMC AMI Datastream and CZASEND use CCSIDs 01047 and 01208 and a conversion techniques priority list of ERLM. CCSID 01208 is a UTF-8 CCSID. (UTF-8 CCSIDs can represent every character in use anywhere in the world.) If you are using BMC AMI Datastream, make sure Message Encoding (under Edit Define Info after clicking on the hostname or TCP/IP address of the LPAR) is set to UTF-8. If you are using a different syslog console make the equivalent configuration selection. If you cannot or do not want to do so, then you should specify the ASCII code page appropriate for your culture, such as 01252 for standard U.S. English.

BMC AMI Datastream and CZASEND attempt to validate the supplied CCSIDs based on the following criteria:

  • The CCSIDs are supported by the local installation of Unicode Services.
  • The from-CCSID is an EBCDIC single-byte CCSID and the to-CCSID is either a UTF-8 or an ASCII single-byte CCSID.
  • The local Unicode Services installation supports translation from one to the other.

z/OS releases earlier than V1R10.0 do not support the z/OS Unicode Services function CUNLINFO that allows BMC AMI Datastream and CZASEND to perform these validations. If you are running an earlier release, be careful when coding the operands of XLATE, because BMC AMI Datastream and CZASEND cannot validate them and errors during execution might result.

If you omit XLATE, it defaults to 01047 01208 'ERLM'. See the description of SIEMtype for its effect on XLATE.

SIEMtype extension table

You can use the following extensions for the SIEMtype parameter.

| Item | Parameter | Extension: INFLux_db | Extension: AMIJson | Extension: CEF | Extension: JSON | Extension: LEEf | Extension: SPLunk |
|---|---|---|---|---|---|---|---|
| OPTions | BOOLvalues | True\|False | True\|False | Yes\|No | True\|False | Yes\|Omit | Yes\|No |
| OPTions | DELIMit | "", ",", "", ",", "", "" | "", ",", "", ",", "{", "}" | ':' '-' ':' ',' '' '' (This delimiter applies to non-CEF fields in msg=; CEF fields are always delimited with '=' and ' ') | '' ',' '' ',' '{' '}' | '=' <Tab> ':' ',' ' ' '' FINal | '=' ' ' ':' ',' '' '' |
| OPTions | FRAMing | | | LF | | LF | LF |
| OPTions | HEADer | None | None | None | None | None | None |
| OPTions | HOSTname | None | None | Set to HOSTname if None; okay to override to any value except None | None | Set to HOSTname if None or Ipv6; okay to override to any value except Ipv6 or None | Set to HOSTname if None; okay to override to any value except None |
| OPTions | INTFormat | CANONical | CANONical | CANONical CANONical | CANONical CANONical | CANONical CANONical | |
| OPTions | TAGCase | Mixed | Mixed | Not applicable | Mixed | NOBLanks | Lower NOBLanks; okay to override case but not NOBLanks |
| OPTions | TIMESTamp | NOTIMESTamp | NOTIMESTamp | TIMESTamp | NOTIMESTamp | TIMESTamp | TIMESTamp |
| OPTions | XLATE | | | To-CCSID 1208 | | | |
| SERVER | MAXMSGlen | 32768 | 32768 | 2000 | 3000 | 2000 | 3000 |
| SERVER | TRANSport | REST | REST | TCP | TCP | TCP | TCP |
| TIME | | TIME UTC TIMEOFDAY("%Y%m%d%H%M%S.%Q6") | TIME UTC TIMEOFDAY(ISO8601_M) | TIME and TIMEOFDay Ignored; forced to milliseconds since January 1, 1970 | | UTC TIMEOFDay("%b %d %Y %H:%M:%S.%Q3 GMT") | |

Sample CZASCMP DD, SIVSRC, and SRCCMP

(SPE2307)

********************************* TOP OF DATA *************************************************************************************
  ASMFSUPC    -     MVS FILE/LINE/WORD/BYTE/SFOR COMPARE UTILITY- V1R6M0  (2021/11/01)  2023/04/27   1.17    PAGE     1  
DSN:AMIHLQ.PROD.PROCLIB                          MBR:MEMBER1  NMBR:MEMBER3  UID:LPAR2312305184678207 2023/04/27 01:17:23

                     LISTING OUTPUT SECTION (LINE COMPARE)

ID        SOURCE LINES                                                               TYPE  LEN N-LN# O-LN#
     ----+----1----+----2---+----3----+----4----+----5----+----6----+----7----+----8
                                                                                     MAT=  3
D - test1                                                                            DEL=  3
D - test2
D - test3
  ASMFSUPC    -     MVS FILE/LINE/WORD/BYTE/SFOR COMPARE UTILITY- V1R6M0  (2021/11/01)  2023/04/27   1.17    PAGE     2  
DSN:AMIHLQ.PROD.PROCLIB                          MBR:MEMBER1  NMBR:MEMBER3  UID:LPAR2312305184678207 2023/04/27 01:17:23
                                                                                                                        
                       LINE COMPARE SUMMARY AND STATISTICS                                                               
                                                                                                                        
       3 NUMBER OF LINE MATCHES               3  TOTAL CHANGES (PAIRED+NONPAIRED CHNG)                                   
       0 REFORMATTED LINES                    0  PAIRED CHANGES (REFM+PAIRED INS/DEL)                                    
       0 NEW FILE LINE INSERTIONS             0  NON-PAIRED INSERTS                                                      
       3 OLD FILE LINE DELETIONS              3  NON-PAIRED DELETES                                                      
       3 NEW FILE LINES PROCESSED                                                                                         
       6 OLD FILE LINES PROCESSED                                                                                        
                                                                                                                         
LISTING-TYPE = DELTA      COMPARE-COLUMNS =    1:72        LONGEST-LINE = 80                                             
PROCESS OPTIONS USED: SEQ                                                                                                 
                                                                                                                        
                                                                                                                         
                     ***END OF REPORT***   

The following fields appear in the third line of the CZASCMP DD:

| Field | Description |
|---|---|
| DSN | System PROCLIB or PARMLIB name |
| MBR | Name of the member that was modified or replaced |
| NMBR | Name of the new member if MBR was renamed or replaced |
| UID | Unique ID that was referenced in the SIVSRC record |
| (Date) | Date and time of the update |

The following example shows what the SIVSRC record might look like:

23117 06:17:23 auth       ALERT  SIVSRC: SAF: 1 - SAFD: RACF - TimeStmp: 2023-04-27T01:17:23.649 - JobName: TESTUSER -        
               StepName: $STD - PgmName: IKJEFT01 - JobID: T0812217 - UserID: TSTUSER - GrpName: GRP0001 -  UserName: TEST USER -
               DSN: AMIHLQ.PROD.PROCLIB - Member: MEMBER1 - Func: Replaced - DSNTYPE: PROCLIB - UID: LPAR2312305184678207
23117 06:17:23 auth       ALERT  SRCCOMP: SAF: 1 - SAFD: RACF -  DSN: AMIHLQ.PROD.PROCLIB - Member: MEMBER1 - NewMember: MEMBER3 -
               UID: LPAR2312305184678207

The following example shows what the SRCCOMP record might look like:

(alert):   April 4 01:17:23 LPAR SRCCOMP: SAF: 1 - SAFD: RACF - DSN: AMIHLQ.PROD.PROCLIB -
Member: MEMBER1 - NewMember: MEMBER3 - UID: LPAR2312405184678200 - ChangeLine:
{Type: Insert - TXT: //* Comment - N-LN# : 00007 - 0-LN# : 00007} -
ChangeLine: {Type: Delete - TXT: // No Comment - N-LN# : 00007 - 0-LN# : 00007}
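
A receiver-side check for the records shown above, as an added example that is not BMC code: it parses the "Key: Value - Key: Value" layout, joins each SIVSRC alert to its SRCCOMP comparison through the shared UID, and lists alerts that arrived without a comparison. The sample lines are constructed from the examples above (abridged, continuation lines joined); PLACEHOLDER0001 is a made-up UID, and the function names and the assumption that TXT never contains "}" belong to this example.

```python
import re

REC = re.compile(r"\b(SIVSRC|SRCCOMP):\s*(.*)$")
# Assumption of this example: the TXT value never contains '}'.
CHANGE = re.compile(r"(?:\s+-\s+)?ChangeLine:\s*\{(.*?)\}")
SEP = re.compile(r"\s+-\s+")  # fields are joined by ' - '

def _pairs(text):
    """Split 'Key: Value - Key: Value' into a dict; the first ':' ends the key."""
    out = {}
    for part in SEP.split(text.strip()):
        key, sep, value = part.partition(":")
        if sep and key.strip():
            out[key.strip()] = value.strip()
    return out

def parse_record(line):
    """Return (record_type, fields, change_lines), or None for other messages."""
    m = REC.search(" ".join(line.split()))  # undo continuation-line wrapping
    if not m:
        return None
    rtype, body = m.groups()
    changes = [_pairs(c) for c in CHANGE.findall(body)]
    return rtype, _pairs(CHANGE.sub("", body)), changes

def correlate(lines):
    """Join each SIVSRC alert to its SRCCOMP comparison through the shared UID."""
    events = {}
    for rtype, fields, changes in filter(None, map(parse_record, lines)):
        if "UID" in fields:
            ev = events.setdefault(fields["UID"], {"change": None, "compare": None, "lines": []})
            ev["change" if rtype == "SIVSRC" else "compare"] = fields
            ev["lines"] += changes
    return events

def missing_compare(events):
    """UIDs with a SIVSRC alert but no SRCCOMP record (what changed is unknown)."""
    return sorted(u for u, e in events.items() if e["change"] and not e["compare"])

# Constructed sample: the records shown above, abridged and joined, plus a
# made-up third alert (UID PLACEHOLDER0001) that has no SRCCOMP counterpart.
SAMPLE = [
    "23117 06:17:23 auth ALERT SIVSRC: SAF: 1 - SAFD: RACF - TimeStmp: 2023-04-27T01:17:23.649 - UserID: TSTUSER - "
    "DSN: AMIHLQ.PROD.PROCLIB - Member: MEMBER1 - Func: Replaced - DSNTYPE: PROCLIB - UID: LPAR2312305184678207",
    "23117 06:17:23 auth ALERT SRCCOMP: SAF: 1 - SAFD: RACF -  DSN: AMIHLQ.PROD.PROCLIB - Member: MEMBER1 - NewMember: MEMBER3 - "
    "UID: LPAR2312305184678207 - ChangeLine: {Type: Insert - TXT: //* Comment - N-LN# : 00007 - 0-LN# : 00007}",
    "23117 06:20:00 auth ALERT SIVSRC: SAF: 1 - UserID: TSTUSER - DSN: AMIHLQ.PROD.PROCLIB - "
    "Member: MEMBER2 - Func: Replaced - DSNTYPE: PROCLIB - UID: PLACEHOLDER0001",
]
```

Calling correlate(SAMPLE) returns one entry per UID, holding the SIVSRC fields (who replaced which member), the SRCCOMP fields, and the parsed ChangeLine entries; missing_compare() then names the UIDs that still need a manual diff.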

 

 
