SERVER statement

The SERVER statement specifies the IP address of one or more syslog servers (such as a BMC Defender Server, BMC Defender SyslogDefender, or any standard syslog console) and other parameters related to communication with the syslog server. The SERVER statement is required by both BMC AMI Datastream and CZASEND.

Related topic

Parameter-file-statements

If you create more than one SERVER statement, then the latest SERVER statement replaces the earlier one.

Important

You can modify the $$$SERVR member in the amihlq.PARM data set.

This topic includes the following sections:

SERVER statement syntax diagrams

The following diagrams provide a visual representation of the code.

Syntax diagram 1 for the SERVER statement provides a visual representation of the command syntax and parameters.

Syntax diagram 2 for the SERVER statement provides a visual representation of the command syntax and parameters.

SERVER statement parameters

The following table describes the SERVER statement parameters:

Parameter

Description

hostSpecification

Address of the primary syslog server

Enter the address as a host name in either IPv4 dotted format or IPv6 colon format. The hostSpecification that is configured as the first operand of the SERVER statement is called the primary, and it is a required parameter.

If the port number does not match the default value of the TRANSport parameter (6514 for 1468 for TCP, or 514 for UDP), then append the name or address with a colon and port number without embedded spaces.

For information about how to configure hostSpecification, see Host specification parameters and  HostSpecification format types.

ALTERNate(hostSpecification)

Address of an alternate syslog server

You can choose to specify an alternate syslog server. For information about how to configure the hostSpecification value for the alternate syslog server, see Host specification parameters and  HostSpecification format types.

You can use the ALTERNate parameter to specify multiple alternate servers.

For information about how BMC AMI Datastream handles alternate servers, see Multiple-syslog-server-support.

Important

This parameter is ignored when you use TRANSport(KAFka).

ALTRevert(COMMand|AT(MIDNight)|EVERY(minutes))

Specifies when BMC AMI Datastream should attempt to revert from an alternate TCP/IP or SSL/TLS server to the primary server

The options are as follows:

  • COMMand directs that the reversion must be initiated manually with the SET(SERVER) command. For more information, see MODIFY-command.
  • AT(MIDNight) attempts the reversion at midnight, local time.
  • EVERY(minutes) attempts the reversion after the specified number of minutes. Specify a number of minutes from 5 through 1440 (24 hours).

The default option is COMMand because server connection switching is a fairly time-consuming process, especially if the primary server is still inoperable.

For more information, see Multiple-syslog-server-support.

Important

This parameter is ignored when you use TRANSport(KAFka).

APIKEY(bmcHelixInterfaceKey)

Programming interface security key used to connect with the BMC Helix Log Analytics and BMC Helix Operations Management environments

You must include APIKEY to use the SIEMtype extensions, AMIJson or INFLux_db. For more information, see OPTIONS-statement.

CONCURRent

Specifies that BMC AMI Datastream should connect concurrently to all defined SIEMs, both primary and alternate

This parameter applies only to server connections defined as TRANSport(TCP).

Use this parameter to duplicate your data concurrently across multiple servers. All messages are sent to all active, concurrent connections asynchronously. Messages are sent to active connections only. If a connection is inactive, it is bypassed. If all connections are inactive, the messages are queued until one or more of the connections become active.

All concurrent connections use the same SIEM type. For example, if your SIEM type is SPLUNK, all concurrent connections receive the same SPLUNK formatted message.

If you omit this parameter, alternate server connections are routed in a rollover manner. If the primary connection fails, the BMC AMI Datastream agent attempts to connect with the first alternate server. This continues until a connection is successful.

For more information, see Multiple-syslog-server-support.

Important

This parameter is ignored when you use TRANSport(KAFka).

CURRTime

Current time stamp derived from the metrics buffer

This parameter is applicable for only REST transport. It is ignored for all other transport types.

If you use REST and omit this parameter, the time stamp is derived from the source within the data buffer.

DEBUGContexts(contextList)

(SPE2501)

Comma-separated list of librdkafka debug contexts

Use this parameter to diagnose issues with Apache Kafka if you are not receiving Kafka messages.

Example

SERVER serverName:port +                     
  DEBUGContexts(all)               +  
  TOPIC(test1) TRANS(KAFKA) MAXMSG(34000)   

Important

We recommend that you disable this parameter after you complete your diagnosis because it uses spool space that is needed for jobs run by the agent task. 

KAFKA_SSL_Conf(kParameters)

(SPE2410)

SSL configuration file for Kafka authentication

You can use SSL authentication to protect data transmitted between the BMC AMI Datastream agent and Apache Kafka. Specify the keystore, password, and certificate files for the SSL configuration file residing in the UNIX System Services (USS) file system.

For a description of the kParameters, see Kafka SSL configuration parameters.

MAXMSGlen(length)

Maximum syslog message length, in bytes, for BMC AMI Datastream and CZASEND

For messages encoded in UTF-8, the length in bytes might be greater than the length in characters because some characters are encoded in more than one byte.

Use the XLATE parameter in the OPTIONS-statement to specify the message encoding. Specify a number between 512 and 2,500,000. Most SMF records can be formatted within the default message length of 1,024 bytes, but certain records, notably certain ACF2 and DB2 records, might require up to twice that number or more, depending on the fields specified and their values. If you receive message CZA0301W (indicating that the syslog message from the specified SMF record type overflowed the SERVER MAXMSGLEN length) consider increasing MAXMSGLEN.

Keep the following considerations in mind when you set this parameter:

  • The maximum message length specified in RFC 3164 is 1,024 bytes (but that standard is widely disregarded).
  • Datagrams (UDP messages) should not exceed the maximum transmission unit (MTU) size. The common Ethernet v2 MTU size is 1,500 bytes.
  • The maximum message length that the BMC Defender Server can process is 2,000 characters. Check the maximum message length that your syslog collector (and any intermediate load balancers, forwarders, or proxies) can accept; there is no point in formatting and transmitting data that is not received and processed.
  • The maximum MAXMSGlen supported by BMC AMI Datastream is 2,500,000 bytes, but that maximum is intended only for very specific situations. Generally, do not code a value over 4,000 bytes.
  • Increasing the MAXMSGLEN value increases the storage required by BMC AMI Datastream and CZASEND. For non-UTF-8 to-CCSIDs, the storage requirement is at least three times the length value. For UTF-8 to-CCSIDs, the requirement is at least seven times the length.

MSGLOADbalance(min max)(SPE2301)

Minimum and maximum number of IP subtasks used to send messages to the SIEM

Specify a number from 1 to 128 for both the min and max values. 

  • min —Number of IP client subtasks that start when the agent starts
  • max —Maximum number of IP client subtasks that can be attached to the agent

The agent distributes the messages among the client subtasks so that the message load is balanced. A balanced load enables messages in the agent queue to be sent in parallel and to the SIEM faster. If a client is busy and the maximum number of subtasks is not running, BMC AMI Datastream pushes additional subtasks to an available client automatically.

If a client subtask is idle for the time specified in TIMEOUT(IDLE(seconds)), the IP connection is terminated.

If the number of active client subtasks exceeds the minimum and one of the subtasks is idle, the idle subtask is terminated.

Example

The parameter is configured with the following values:

MSGLOADbalance(2 10)

Two client subtasks are started when the agent starts. As the message volume increases, BMC AMI Datastream starts a third client subtask. If the message volume decreases again and the third client subtask becomes idle, it is terminated.  


Important

  • If you use this parameter, you cannot use the ALTERNate parameter.
  • This parameter is ignored when you use TRANSport(KAFka).

PACE(No|msgs seconds)

Maximum number of messages to transmit in the specified number of seconds

The options are as follows:

  • No—no pacing
  • msg seconds
    • msg—20 or more messages
    • seconds—1 through 120 (two minutes)

If the PACE value is too restrictive, you might greatly increase the queue requirements.

Example

If you specify PACE(100 2), then BMC AMI Datastream sends no more than 100 messages every 2 seconds.

If you use PACE with the TIMEout options IDLE or SEND, the options are ignored and default values are used.

If you omit this parameter, No is used by default.

REXMIT(number)

(Optional) Number of retransmission buffers for TCP/IP and SSL/TLS connections

Specify a number from 1 through 20. For more information, see TCP/IP error recovery.

If you omit this parameter, 2 is used by default.

TIMEout(tOptions)

Type and length of connection before timeout

Configure one or more of the following options:

  • CONNect(DEFault|seconds)
  • IDLE(None|seconds)
  • RETRY(seconds)
  • SEND(seconds)

For a description of the tOptions, see the TIMEout optionstable.

TLS|SSL(tlsParameters)

Various parameters relevant only to TLS and SSL transport

Enter one or more parameters for either TLS or SSL. The TLS and SSL keywords are equivalent, and the choice of one or the other has no effect on the operation of the software.

If you specify TLS or SSL with TRANSport TCP or UDP, the parameters are validated but a warning message is issued and the parameters have no effect.

For a description of the tlsParameters, see TLS and SSL parameters.

TOPIC(topicName)

(SPE2401)

Name of the Apache Kafka topic to which to send the BMC AMI Datastream messages

TRANSport(REST|SSL|TCP|TLS|KAFka| UDP)

Transport protocol

Choose one of the following protocols:

Protocol

Considerations

REST

Required to connect with BMC Helix Log Analytics and BMC Helix Operations Management environments

Set TRANSport to REST to use the SIEMtype extensions AMIJson or INFLux_db in the OPTIONS-statement. REST uses a Hypertext Transfer Protocol (HTTP) interface through a Representational State Transfer (REST) programming interface. You can secure this interface by using AT-TLS.

Provides:

  • Reliable delivery, encryption, and authentication of syslog messages
  • Authentication of the SIEM console or other syslog receiver
  • (Optional) Client (BMC AMI Datastream) authentication to the console or receiver

This protocol has the greatest complexity and highest overhead. SSL is equivalent to TLS for this feature. For more information, see the section about TLS and SSL parameters.

Important

This protocol cannot run with zIIP enablement and u ses GSK functions only.

TCP

Provides reliable delivery of syslog messages

In most cases, an undeliverable message is diagnosed with an appropriate error message rather than being simply lost.

Provides:

  • Reliable delivery, encryption, and authentication of syslog messages
  • Authentication of the SIEM console or other syslog receiver
  • (Optional) Client (BMC AMI Datastream) authentication to the console or receiver

This protocol has the greatest complexity and highest overhead. TLS is equivalent to SSL for this feature. For more information, see the section about TLS and SSL parameters.

Important

This protocol:

  • Cannot run with zIIP enablement
  • Uses GSK functions only

Required to connect to the Kafka environment

Set TRANSport to KAFka and enter a topic name in the TOPIC parameter to send messages to Apache Kafka. The KAFka transport parameter uses the librdkafka interface to connect and send messages to the Kafka brokers.To configure KAFka transport protocol, see Sample-CZAKAFKA-JCL-for-running-BMC-AMI-Datastream-as-a-started-task-for-Apache-Kafka.

Important

The following parameters are ignored when you use TRANSport(KAFka):

  • ALTERNate
  • ALTRevert
  • CONCURRent
  • MSGLOADbalance

UDP

This protocol has the simplest and lowest overhead transport protocol that is supported by all SIEM consoles and syslog receivers

If you omit this parameter, UDP is used by default.

Host specification parameters

Configure the following parameters for hostSpecification :

Parameter

Description

ipAddress | [hostName]

Address of the primary syslog server

Specify the address as a host name in either IPv4 dotted format or IPv6 colon format. If the port number is not the default value for TRANSport (514 for UDP, 1468 for TCP, or 6514 for SSL/TLS), then append the name or address with a colon and port number without embedded spaces.

The host specification that is configured as the first operand of the SERVER statement is called the primary IP address and is required.

:port

Colon followed by the port number; no space between the ipAddress or hostName and colon

PROTOcol(IPV4|IPV6)

Internet Protocol (IP) version 4 or 6

If you omit this parameter and the protocol cannot be determined from the format of the IP address, then Ipv4 is used, unless no Ipv4 connection is available.

HostSpecification format types

The following table displays the different formats you can use for hostSpecification :

Format

Example

Explanation

Host name

server1.myco.com

The name must be known to your TCP/IP stack, or the stack must have access to a Domain Name Server (DNS) where the name is known.

Host name with port

server1.myco.com:514

Same considerations as for host name

Specify the port number if it is not the default for the specified TRANSport type:

  • 514 for UDP
  • 1468 for TCP
  • 6514 for SSL/TLS

Dotted IPv4 address

999.888.777.666

IPv4 addresses in dotted decimal notation

Dotted IPv4 address with port

999.888.777.666:8888

Specify the port number if it is not the default for the specified TRANSport type:

  • 514 for UDP
  • 1468 for TCP
  • 6514 for SSL/TLS

Colon-format IPv6 address

fe80::d932:83b4:a032:eea3
[fe80::d932:83b4:a032:eea3]

Native IPv6 colon hexadecimal address

The square brackets are optional.

Colon-format IPv6 address with port

[fe80::d932:83b4:a032:eea3]:1514

Specify the port number if it is not the default for the TRANSport type as described for IPv4. You must enclose the IPv6 address in brackets.


TIMEout options

TIMEout uses the following options:

Option

Description

CONNect(DEFault|seconds)

Number of seconds after which an attempt by BMC AMI Datastream or CZASEND to connect a TCP/IP session with the SIEM receiver is abandoned

Valid values are from 15 through 240 seconds (four minutes). Specify DEFault instead to enable the z/OS communication server to determine the timeout value.

Consider the following points when you set a value:

  • If the value is too low, the session might not connect.
  • If the value is too high, then BMC AMI Datastream cannot respond to the console’s MODIFY and STOP commands until the timeout completes.

TIMEout CONNect has no effect on UDP transport.

If you omit this parameter, 30 seconds is used by default.

IDLE(None|seconds)

Number of seconds after which an idle BMC AMI Datastream TCP/IP session (with no formatted messages) times out

Valid values are from 5 through 3600 seconds (one hour). Specify NONE instead to prevent a timeout.

One or more syslog messages might be lost each time a session is terminated by the SIEM receiver before being terminated by BMC AMI Datastream. But if the IDLE value is too high, you occupy resources for nonproductive sessions.

TIMEout IDLE has no effect on CZASEND or UDP transport.

If you omit this parameter, 300 seconds (five minutes) is used by default.

RETRY(seconds)

Number of seconds to delay after a TCP/IP error before BMC AMI Datastream tries to establish a new session and transmit a message

Valid values are from 0 through 600 seconds (ten minutes). Specifying 0 directs BMC AMI Datastream always to retry.

Consider the following points when you set a value:

  • A value that is too low might cause unnecessary attempts.
  • A value that is too high might cause unnecessary delays (when recovering from an error) and lost messages until the session reconnects.

TIMEout RETRY has no effect on CZASEND or UDP transport.

If you omit this parameter, 5 seconds is used by default. 

SEND(seconds)

Number of seconds for a TCP/IP send to complete

Valid values are from 5 through 60 seconds.

Consider the following points when you set a value:

  • A value that is too low might cause successful transmissions to be reported as an error.
  • A value that is too high might cause unnecessary delays when recovering from an error.

TIMEout SEND has no effect on UDP transport.

If you omit this parameter, 15 seconds is used by default. 

TLS and SSL parameters

Transport Layer Security (TLS) protocol provides privacy and security when sending information over the Internet. To use TLS, you generally have to modify your applications and incorporate the TLS toolkit. This can cause significant development overhead, entail ongoing maintenance, and require application-specific knowledge to implement TLS for each application that needs it.

Application Transparent Transport Layer Security (AT-TLS) protocol consolidates all of your TLS implementations into a single location and transparently implements them in the TCP layer of the stack. Except in certain cases, for example applications that specifically request secure sessions, most applications don’t need to be modified or even be aware of AT-TLS.

AT-TLS is totally transparent for BMC AMI Datastream , and the SERVER statement looks like a standard TCP connection.

AT-TLS provides the following benefits:

  • Enables security administrators to encrypt messages by using SAF security products, such as RACF, ACF2, and TopSecret
  • Reduces the configuration complexity of BMC AMI Datastream
  • According to IBM, provides overall better performance for message encryption
  • Standardizes message encryption using built-in z/OS facilities
  • Can be used with BMC AMI Datastream zIIP functionality

TLS and SSL protocols cannot be used with BMC AMI Datastream zIIP functionality.

tlsParameters includes the following parameters:

Parameter

Description

CIPHersuites(ciphers)

TLS and SSL  cipher suites that are acceptable to the SSL/TLS client software

The TLS or SSL server selects a cipher suite from this list that is mutually acceptable. If no cipher suites are mutually acceptable, the session initiation fails.

Specify one or more cipher suite numbers that are supported by your version of IBM z/OS Cryptographic Services in your order of preference. Cipher suite numbers are specified as one to four hexadecimal digits. For information about the supported cipher suites, see the relevant IBM documentation.

If you omit TLS(CIPHersuites), then Cryptographic Services uses an internal list of available ciphers, which might vary from release to release (and also vary for FIPS versus non-FIPS mode). You can determine the current list by running BMC AMI Datastream with TRANSport(Ssl|TLS) and OPTions TRACE(TLS). The available cipher suites are displayed in message CZA0104I. We recommend that you carefully review the default cipher suites because they might not be appropriate for your installation.

FIPS

TLS encryption run in FIPS mode

The FIPS mode encryption meets the NIST FIPS 140-2 criteria and enforces more restrictions than non-FIPS mode. For example, in FIPS mode, the key database must have been created in FIPS mode, and certain cipher suites are considered too weak. For more information, see System SSL and FIPS 140-2 in the IBM publication z/OS Cryptographic Services System Secure Sockets Layer Programming and the US Department of Commerce publication Security Requirements for Cryptographic Modules (http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf).

Important

BMC AMI Datastream is not a validated cryptographic module, but an application that uses IBM z/OS cryptographic services for all cryptographic services. IBM z/OS cryptographic services is FIPS 140-2 certified.

If you are running a level of z/OS lower than V2R1 and require FIPS-compliant encryption, you might need to install the appropriate PTF for IBM APAR OA39422.

FIPS support is available only in the BMC AMI Datastream for z/OS product. For more information, see Federal-Information-Processing-Standards-support.

KEYRing(keyRingFile)

(Required) The z/OS key ring file name that BMC AMI Datastream or CZASEND uses to verify the signature of the server’s certificate, and to locate a client certificate if the server requests one

Specify the HFS file name of a gskkyman key database, or the name of a RACF key ring. If the RACF key ring is owned by another user, prefix the file name with userid/. If the key ring file begins with a slash (/), it is assumed to be the name of a gskkyman key database; otherwise, it is assumed to be a RACF key ring. HFS file names are case sensitive.

The user ID under which BMC AMI Datastream or CZASEND runs requires read access to RACF resource IRR.DIGTCERT.LISTRING to use its own key ring, or update access to IRR.DIGTCERT.LISTRING to use a different user ID’s key ring. If the key ring name contains /*, then be sure to enclose the name in quotation marks: KEYRing('*AUTH*/*').

LABel(keyRingLabel)

Label in the key ring of the client certificate to be presented if the server requests one

If the label contains space characters, you must enclose it in single or double quotation marks.

OCSP

Activates checks for revoked certificates by using the HTTP URI values in the certificate's AIA extension

Online Certificate Status Protocol (OCSP) requires z/OS V2R2 or later.

PASSword(password)

Password of the gskkyman key ring database

Do not specify PASSword with a RACF key ring.

Best practice

The PASSword parameter is provided as a convenience. The preferred method of specifying the gskkyman key ring database password is with a stashed password file (stash file).

The name of the stash file is automatically constructed by BMC AMI Datastream or CZASEND from the name of the database. If the key ring file name ends with .kdb, then the .kdb is removed and .sth is appended. If the name does not end with .kdb, then .sth is simply appended.

If you omit this parameter, then the key database must be a RACF key ring or it must have a stashed password file that is named as described.

SECurity(security)

Allowed SSL/TLS security protocols

The z/OS cryptographic client software presents the specified list to the SSL/TLS Server, and the server selects a protocol. If there is no mutually acceptable protocol, then session initiation fails. 

Use one or more of the specifications from the following table. Prefix a specification with a - (minus sign) to exclude it from the allowed protocols.

You can list the specifications in any order, however they are processed from left to right. For example, SECURITY (ALL –SSLv3) indicates all of the supported protocols except SSLv3.

Important

  • SSLv2, a severely flawed and deprecated protocol, is not supported.
  • SSLv3 has been deprecated because of its vulnerability to the POODLE attack.


Specification

SSL/TLS security protocol

ALL

All

SSLv3

SSLv3 (Not recommended because of vulnerability to POODLE attack

TLSV1.0

TLS Version 1.0

TLSV1.1

TLS Version 1.1

TLSV1.2

TLS Version 1.2

If you omit this parameter, ALL –SSLv3 is used by default.

Kafka SSL configuration parameters

(SPE2410)

For information about setting up certificates for Apache Kafka, see the librdkafka (Apache Kafka C/C++ client library) and Apache Kafka documentation.

To set up BMC AMI Datastream agent to use SSL with Apache Kafka

  1. Use file transfer protocol (FTP) to add the keystore file, in PKCS#12 format, to z/OS.
  2. Create a text file on z/OS with a password for the keystore file.
  3. Use FTP to add the certificate text file, ca.kafka-cert  to z/OS.

The BMC AMI Datastream must have read access to the password file. For security reasons, the password file must have restrictive access.

kParameters includes the following parameters:

Parameter

Description

ssl.keystore.location

File path of the keystore file

ssl.keystore.password

File path of the password file

ssl.ca.location

File path of the CA certificate file

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*