The product consists of two data handlers, SPLN and CEF, that consume syslog messages from the product and map the data so that any Splunk Enterprise dashboard that supports the Splunk Common Information Model (CIM) can use the data.
Choose the data handler that is appropriate for the message format you want Splunk to handle. All the dashboard apps that are a part of the product work with either data handler. BMC recommends that you use the SPLN data handler.
SPLN data handler
SPLN syslog messages are in the key=value format as displayed in the following example:
Example
<69>Nov 14 14:25:40 epocsys1 TCP/IP subtype="Connect init" severity=Notice stack=TCPIP resname=FTPD1 remtip=127.0.0.10 aceeadsp=no aceeaudt=no aceeflg1="Defined" aceelogu=no aceeoper=no aceepriv=no aceeracf=yes aceeroa=no aceespec=no privstatd="Normal user" jobid=OXN332 jsauth=no jobnm=TCPIP sesstype="Started Procedure" tokflg1="Pre 1.9" tokflg2="Trusted" tokflg3="Default SECLABEL" tokpriv=no tokrspec=no toksus=no toktrst=yes tokudus=no userid=ADMIN name="STARTED DEFAULT " worktyped="Started task"
CEF data handler
Common Event Format (CEF) syslog messages use the ArcSight CEF format as displayed in the following example:
Example
<69>Jan 09 14:22:20 epocsys1 CEF:0|BMC|Agent for z/OS|5.8.1|TCP/IP Connect init|Connect init|3|dhost= epocsys1 cat=TCP/IP c6a2Label=RemtIP c6a2=127.0.0.10 cs3Label=JobID cs3= OXN332 sproc=TCPIP suid=ADMIN suser=STARTED DEFAULT msg=Stack: TCPIP - ResName: TMQ33G - ACEEADSP: NO - ACEEAUDT: NO - ACEEFLG1: Defined - ACEELOGU: NO - ACEEOPER: NO - ACEEPRIV: NO - ACEERACF: YES - ACEEROA: NO - ACEESPEC: NO - PrivStatD: Normal user - JSauth: NO - SessType: Started Procedure - TokFlg1: Pre 1.9 - TokFlg2: Trusted - TokFlg3: Default SECLABEL - TokPRIV: NO - TokRSPEC: NO - TokSUS: NO - TokTRST: YES - TokUDUS: NO - WorkType: Started task
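The two formats need different parsing rules: SPLN quotes values that contain spaces, while CEF leaves them unquoted and names custom fields through a separate Label key. The following Python sketch is an added example, not BMC or Splunk handler code; the function names are hypothetical, the sample messages are shortened from the two examples above, and CEF backslash escapes are assumed absent.

```python
import re

# Constructed samples, shortened from the two example messages on this page.
SPLN = ('<69>Nov 14 14:25:40 epocsys1 TCP/IP subtype="Connect init" '
        'severity=Notice stack=TCPIP resname=FTPD1 remtip=127.0.0.10 '
        'jobid=OXN332 userid=ADMIN worktyped="Started task"')
CEF = ('<69>Jan 09 14:22:20 epocsys1 CEF:0|BMC|Agent for z/OS|5.8.1|'
       'TCP/IP Connect init|Connect init|3|dhost= epocsys1 cat=TCP/IP '
       'c6a2Label=RemtIP c6a2=127.0.0.10 cs3Label=JobID cs3= OXN332 '
       'sproc=TCPIP suid=ADMIN suser=STARTED DEFAULT msg=Stack: TCPIP - ACEEADSP: NO')

SEVERITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug"]
CEF_HEADER = ["cef_version", "vendor", "product", "version",
              "signature_id", "name", "severity"]

def split_pri(line):
    """Decode the syslog <PRI> prefix: PRI = facility * 8 + severity."""
    m = re.match(r"<(\d{1,3})>(.*)", line, re.S)
    if not m:
        raise ValueError("missing syslog PRI")
    pri = int(m.group(1))
    return pri >> 3, SEVERITIES[pri & 7], m.group(2)

def parse_spln(line):
    """SPLN: a value is either double-quoted or a run of non-space characters."""
    _, severity, rest = split_pri(line)
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', rest)
    return {"syslog_severity": severity, **{k: v.strip('"') for k, v in pairs}}

def parse_cef(line):
    """CEF: seven pipe-delimited header fields, then an unquoted extension."""
    _, severity, rest = split_pri(line)
    parts = rest.split("CEF:", 1)[1].split("|", 7)
    if len(parts) != 8:
        raise ValueError("incomplete CEF header")
    event = {"syslog_severity": severity, **dict(zip(CEF_HEADER, parts[:7]))}
    # A value runs until the next " key=" token, so it may contain spaces.
    for k, v in re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", parts[7], re.S):
        event[k] = v.strip()
    # ArcSight custom fields: "<key>Label" names the value stored under "<key>".
    for k in [k for k in event if k.endswith("Label")]:
        event[event[k]] = event.get(k[:-5], "")
    return event
```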