BMC AMI Defender Agent customization use cases
The use cases in this topic present different ways to customize the BMC AMI Defender agent, depending on the requirements of your environment.
Before you begin
- Make a backup of the CZDCONFG member that comes with the product installation.
- Do not edit the CZDEFINE member that comes with the product installation unless specifically directed by BMC Support. Instead of changing CZDEFINE, add or update field definitions in CZDUSER3, and override CZDCONFG through changes to CZDUSER2.
Use case: Running tasks started on more than one agent on the same LPAR
You want to start tasks on two different agents to run two separate tasks on the same LPAR:
- One agent transmits Splunk format messages to a Splunk server.
- One agent transmits RFC3164 BSD syslog protocol messages to BMC AMI Command Center for Security.
To start and run these tasks, configure the agents as described in the following example procedure. You can use the principles in the procedure to configure tasks on up to eight agents to run on the same LPAR.
To configure two agents to start and run separate tasks on the same LPAR
Edit #hlq.CZAGENT.CNTL(CZDUSER2) to define two CZDCONFG member definitions as displayed in bold red text in the following syntax:
;**********************************************************************;
;**********************************************************************;
; CZDUSER2: Fields Definitions for the BMC AMI Agent for z/OS ;
; See "BMC AMI Defender for z/OS Defining Your Own Fields" ;
;**********************************************************************;
;**********************************************************************;
;**********************************************************************;
; This member is available for user modifications. ;
; See "Preserving Your Modifications Across BMC AMI Maintenance" ;
; in Chapter 12 of BMC AMI Defender for z/OS Configuration Reference ;
;**********************************************************************;
SAY "CZDUSER2 updated 3 July 2019"
%INCLUDE IF(Splunk) DD:CZAPARMS(CONF&SYSNAME.)
%INCLUDE IF(RFC3164) DD:CZAPARMS(CNF0&SYSNAME.)
For an LPAR named LPRA, the configuration defines the following CZDCONFG members:
- CONFLPRA for the Splunk agent
- CNF0LPRA for the RFC3164 agent
Create member CONFLPRA in the #hlq.CZAGENT.CNTL data set, and copy the content of the original CZDCONFG member into the new CONFLPRA member.
In the CONFLPRA member:
- Uncomment the SWITCH ON(Splunk) statement as displayed in bold red text in the following example.
- Uncomment SMF switches as you require.
In the following example, the SMF switches for Compuware Abend-AID, Action Software EventAction, Compuware Application Audit, and Micro Focus ChangeMan events are commented:
;********************************************************************;
;********************************************************************;
; CZDCONFG: Field configuration member for BMC AMI Defender ;
;********************************************************************;
;********************************************************************;
Say "CONFLPRA v5.9.01 updated 18 July 2019"
;********************************************************************;
; Do NOT place any statements in this member unless they are acceptable
; BOTH as definition and parameter statements as this member is
; included in both CZDEFINE and CZAPARMS.
;********************************************************************;
;********************************************************************;
; Switches for setting the SIEM type. Uncomment ONE and ONLY ONE of the
; following statements
;********************************************************************;
; SWITCH ON(RFC3164) ; Uncomment for SIEM type RFC 3164
; SWITCH ON(CEF) ; Uncomment for SIEM type CEF
; SWITCH ON(JSON) ; Uncomment for SIEM type JSON
; SWITCH ON(LEEF) ; Uncomment for SIEM type LEEF
SWITCH ON(Splunk) ; Uncomment for SIEM type Splunk
; SWITCH ON(DAM) ; Uncomment for SIEM type DAM
;********************************************************************;
; Switches for the inclusion of various optional support
; Uncomment as desired by overtyping column 1 with a blank
;********************************************************************;
; SWITCH ON(Abend-AID) ; Compuware Abend-AID
; SWITCH ON(Action) ; Action Software EventAction SMF Type 249
; SWITCH ON(App_Audit) ; Compuware Application Audit
; SWITCH ON(ChangeMan) ; Micro Focus ChangeMan
SWITCH ON(IFCID002) ; DB2 IFCID 002
SWITCH ON(IFCID003) ; DB2 IFCID 003
SWITCH ON(MQ) ; SMF Type 115 and 116 (MQ Series)
SWITCH ON(RMF) ; RMF: SMF Types 70 through 79
SWITCH ON(SMF113) ; SMF Type 113
SWITCH ON(SMF30CPU) ; SMF Type 30 CPU reporting
SWITCH ON(SMF30STO) ; SMF Type 30 Storage reporting
SWITCH ON(SMF89) ; SMF Type 89
Create member CNF0LPRA in the #hlq.CZAGENT.CNTL data set and copy the original CZDCONFG member that comes with the installation into the new CNF0LPRA member.
In the CNF0LPRA member:
- Uncomment the SWITCH ON(RFC3164) statement as displayed in bold red text in the following example.
- Uncomment SMF switches as you require.
In the following example, all the SMF switches are uncommented:
;**********************************************************************;
;**********************************************************************;
; CZDCONFG: Field configuration member for BMC AMI Defender ;
;**********************************************************************;
;**********************************************************************;
Say "CNF0LPRA v5.9.01 updated 18 July 2019"
;**********************************************************************;
; Do NOT place any statements in this member unless they are acceptable
; BOTH as definition and parameter statements as this member is
; included in both CZDEFINE and CZAPARMS.
;**********************************************************************;
;**********************************************************************;
; Switches for setting the SIEM type. Uncomment ONE and ONLY ONE of the
; following statements
;**********************************************************************;
SWITCH ON(RFC3164) ; Uncomment for SIEM type RFC 3164
; SWITCH ON(CEF) ; Uncomment for SIEM type CEF
; SWITCH ON(JSON) ; Uncomment for SIEM type JSON
; SWITCH ON(LEEF) ; Uncomment for SIEM type LEEF
; SWITCH ON(Splunk) ; Uncomment for SIEM type Splunk
; SWITCH ON(DAM) ; Uncomment for SIEM type DAM
;**********************************************************************;
; Switches for the inclusion of various optional support
; Uncomment as desired by overtyping column 1 with a blank
;**********************************************************************;
SWITCH ON(Abend-AID) ; Compuware Abend-AID
SWITCH ON(Action) ; Action Software EventAction SMF Type 249
SWITCH ON(App_Audit) ; Compuware Application Audit
SWITCH ON(ChangeMan) ; Micro Focus ChangeMan
SWITCH ON(IFCID002) ; DB2 IFCID 002
SWITCH ON(IFCID003) ; DB2 IFCID 003
SWITCH ON(MQ) ; SMF Type 115 and 116 (MQ Series)
SWITCH ON(RMF) ; RMF: SMF Types 70 through 79
SWITCH ON(SMF113) ; SMF Type 113
SWITCH ON(SMF30CPU) ; SMF Type 30 CPU reporting
SWITCH ON(SMF30STO) ; SMF Type 30 Storage reporting
SWITCH ON(SMF89) ; SMF Type 89
Edit the original #hlq.CZAGENT.CNTL(CZAPARMS) member as displayed in bold red text in the following example:
; LEEF - TRANS(TCP) Required by QRadar
;
;SERVER ip.addr.example TRANS(TCP) MAXMSG(2000) ; You MUST edit per doc
;
; SPLUNK - TRANS(TCP) Recommended
;
;SERVER ip.addr.example TRANS(TCP) MAXMSG(3000) ; You MUST edit per doc
%INCLUDE LICENSE ; Do not remove this line
%INCLUDE IF(Splunk) DD:CZAPARMS(PARM&SYSNAME.)
%INCLUDE IF(RFC3164) DD:CZAPARMS(PRM0&SYSNAME.)
For an LPAR named LPRA, the configuration defines the following CZAPARMS members:
- PARMLPRA for the Splunk agent
- PRM0LPRA for the RFC3164 agent
Create member PRM0LPRA in the #hlq.CZAGENT.CNTL data set.
This member can contain only the SERVER statement specification for your RFC3164 agent, such as the specifications displayed in bold red text in the following example:
; Parameter file for CZAGENT
; SIEMTYPE-independent
; Copyright 2014-2018, 2019 BMC Software, Inc.
SAY "PRM0LPRA v5.9.01 updated 18 July 2019"
SERVER nnn.nn.nn.nnn TRANS(UDP) MAXMSG(2000)
Create member PARMLPRA in the #hlq.CZAGENT.CNTL data set.
This new member can contain only the SERVER statement specification for your Splunk agent, such as the specifications displayed in bold red text in the following example:
; Parameter file for CZAGENT
; SIEMTYPE-independent
; Copyright 2014-2018, 2019 BMC Software, Inc.
SAY "PARMLPRA v5.9.01 updated 18 July 2019"
SERVER nnn.nn.nnn.nnn:mmmmm TRANS(UDP) MAXMSG(50000)
The mmmmm variable represents the required port number.
Copy the original sample PROC statement from the #hlq.CZAGENT.CNTL(CZAGENT) data set, and change the PROC statements as follows:
- For the RFC3164 agent, change the symbolic override SWITCH from SWITCH=DEFLTCFG to SWITCH=RFC3164.
- For the Splunk agent, change the symbolic override SWITCH from SWITCH=DEFLTCFG to SWITCH=SPLUNK.
The following symbolic overrides in the PROC statement can remain unchanged:
DEFINES=CZDEFINE
PARMS=CZAPARMS
Use the following commands, in any order, to run the started tasks:
/S RFC3164agentName
/S SPLUNKagentName
Use case: Adding an agent to an LPAR running tasks started by existing agents
You already have two separate tasks that are started by two different agents:
- One agent transmits RFC3164 BSD syslog protocol messages to BMC AMI Command Center for Security.
- One agent transmits Splunk format messages to the Splunk server.
The agent that transmits RFC3164 BSD syslog protocol messages uses the UDP protocol. You now want to run on the same LPAR a task started on another agent that transmits RFC3164 BSD syslog protocol messages using the TCP protocol.
To add and configure an agent to start a task to run on the same LPAR on which tasks started by other agents are already running
Edit #hlq.CZAGENT.CNTL(CZDUSER2) to add a CZDCONFG member definition as displayed in bold red text in the following syntax:
;**********************************************************************;
;**********************************************************************;
; CZDUSER2: Fields Definitions for the BMC AMI Agent for z/OS ;
; See "BMC AMI Defender for z/OS Defining Your Own Fields" ;
;**********************************************************************;
;**********************************************************************;
;**********************************************************************;
; This member is available for user modifications. ;
; See "Preserving Your Modifications Across BMC AMI Maintenance" ;
; in Chapter 12 of BMC AMI Defender for z/OS Configuration Reference ;
;**********************************************************************;
SAY "CZDUSER2 updated 3 July 2019"
%INCLUDE IF(Splunk) DD:CZAPARMS(CONF&SYSNAME.)
%INCLUDE IF(RFC3164) DD:CZAPARMS(CNF0&SYSNAME.)
%INCLUDE IF(RFC3164T) DD:CZAPARMS(CNF4&SYSNAME.)
The variable RFC3164T represents any unique name that you choose.
Create member CNF4LPRA in the #hlq.CZAGENT.CNTL data set and copy the original CZDCONFG member that comes with the installation into the new CNF4LPRA member.
In the CNF4LPRA member:
- Uncomment the SWITCH ON(RFC3164T) statement as displayed in bold red text in the following example.
- Uncomment the SMF switches as you require.
;**********************************************************************;
;**********************************************************************;
; CZDCONFG: Field configuration member for BMC AMI Defender ;
;**********************************************************************;
;**********************************************************************;
Say "CNF4LPRA v5.9.01 updated 18 July 2019"
;**********************************************************************;
; Do NOT place any statements in this member unless they are acceptable
; BOTH as definition and parameter statements as this member is
; included in both CZDEFINE and CZAPARMS.
;**********************************************************************;
;**********************************************************************;
; Switches for setting the SIEM type. Uncomment ONE and ONLY ONE of the
; following statements
;**********************************************************************;
; SWITCH ON(RFC3164) ; Uncomment for SIEM type RFC 3164
SWITCH ON(RFC3164T) ; Uncomment for SIEM type RFC 3164
; SWITCH ON(CEF) ; Uncomment for SIEM type CEF
; SWITCH ON(JSON) ; Uncomment for SIEM type JSON
; SWITCH ON(LEEF) ; Uncomment for SIEM type LEEF
; SWITCH ON(Splunk) ; Uncomment for SIEM type Splunk
; SWITCH ON(DAM) ; Uncomment for SIEM type DAM
;**********************************************************************;
; Switches for the inclusion of various optional support
; Uncomment as desired by overtyping column 1 with a blank
;**********************************************************************;
; SWITCH ON(Abend-AID) ; Compuware Abend-AID
; SWITCH ON(Action) ; Action Software EventAction SMF Type 249
; SWITCH ON(App_Audit) ; Compuware Application Audit
; SWITCH ON(ChangeMan) ; Micro Focus ChangeMan
SWITCH ON(IFCID002) ; DB2 IFCID 002
SWITCH ON(IFCID003) ; DB2 IFCID 003
SWITCH ON(MQ) ; SMF Type 115 and 116 (MQ Series)
; SWITCH ON(RMF) ; RMF: SMF Types 70 through 79
SWITCH ON(SMF113) ; SMF Type 113
SWITCH ON(SMF30CPU) ; SMF Type 30 CPU reporting
SWITCH ON(SMF30STO) ; SMF Type 30 Storage reporting
SWITCH ON(SMF89) ; SMF Type 89
Edit the original #hlq.CZAGENT.CNTL(CZAPARMS) member as displayed in bold red text in the following example:
; Parameter file for CZAGENT
; SIEMTYPE-independent
; Copyright 2014-2018, 2019 BMC Software, Inc.
SAY "CZAPARMS v5.9.01 updated 17 August 2019"
; Options dependent on SIEM type
OPTIONS IF(CEF) SIEM(CEF) TIMESTAMP INSTNAME(CEF.Agent)
OPTIONS IF(JSON) SIEM(JSON) INSTNAME(Agent.JSON)
OPTIONS IF(LEEF) SIEM(LEEF) TIMESTAMP INSTNAME(LEEF.Agent)
OPTIONS IF(RFC3164) SIEM(RFC3164) TIMESTAMP INSTNAME(SIEM.Agent)
OPTIONS IF(RFC3164T) SIEM(RFC3164) TIMESTAMP INSTNAME(SIEM.Agent.TCP)
OPTIONS IF(Splunk) SIEM(Splunk) TIMESTAMP INSTNAME(Agent.for.Splunk)
; LEEF - TRANS(TCP) Required by QRadar
;
;SERVER ip.addr.example TRANS(TCP) MAXMSG(2000) ; You MUST edit per doc
;
; SPLUNK - TRANS(TCP) Recommended
;
;SERVER ip.addr.example TRANS(TCP) MAXMSG(3000) ; You MUST edit per doc
;%INCLUDE LICENSE ; Do not remove this line
%INCLUDE IF(Splunk) DD:CZAPARMS(PARM&SYSNAME.)
%INCLUDE IF(RFC3164) DD:CZAPARMS(PRM0&SYSNAME.)
%INCLUDE IF(RFC3164T) DD:CZAPARMS(PRM4&SYSNAME.)
Create member PRM4LPRA in the #hlq.CZAGENT.CNTL data set.
This member contains only the SERVER statement specification for your second RFC3164 agent, such as the specification displayed in bold red text in the following example:
; Parameter file for CZAGENT
; SIEMTYPE-independent
; Copyright 2014-2018, 2019 BMC Software, Inc.
SAY "PRM4LPRA v5.9.01 updated 18 July 2019"
SERVER nnn.nn.nnn.nnn TRANS(TCP) MAXMSG(50000)
Copy the original sample PROC statement from the #hlq.CZAGENT.CNTL(CZAGENT) data set. In the PROC statements for the second RFC3164 agent, change the symbolic override SWITCH from SWITCH=DEFLTCFG to SWITCH=RFC3164T.
The following symbolic overrides in the PROC statement can remain unchanged:
DEFINES=CZDEFINE
PARMS=CZAPARMS
Use the following command to run the started tasks:
/S SecondRFC3164agentName
Use case: Running tasks started on multiple agents on different LPARs when the agents transmit to the same server
You want to run the following agents, all transmitting to the same Splunk server:
- On an LPAR named LPRP, an agent that transmits Splunk format messages
- On an LPAR named LPRM, an agent that transmits Splunk format messages
- On an LPAR named LPRB, an agent that transmits CEF data
To run tasks started on multiple agents on different LPARs when the agents transmit to the same server
Edit #hlq.CZAGENT.CNTL(CZDUSER2) to add a CZDCONFG member definition as displayed in bold red text in the following syntax:
;**********************************************************************;
;**********************************************************************;
; CZDUSER2: Fields Definitions for the BMC AMI Agent for z/OS ;
; See "BMC AMI Defender for z/OS Defining Your Own Fields" ;
;**********************************************************************;
;**********************************************************************;
;**********************************************************************;
; This member is available for user modifications. ;
; See "Preserving Your Modifications Across BMC AMI Maintenance" ;
; in Chapter 12 of BMC AMI Defender for z/OS Configuration Reference ;
;**********************************************************************;
SAY "CZDUSER2 updated 3 July 2019"
%INCLUDE IF(CEF) DD:CZAPARMS(CNF1&SYSNAME.)
%INCLUDE IF(Splunk) DD:CZAPARMS(CONF&SYSNAME.)
The configuration defines the following CZDCONFG members:
- CNF1LPRB for a CEF agent on LPRB
- CONFLPRP for a Splunk agent on LPRP
- CONFLPRM for a Splunk agent on LPRM
Create member CNF1LPRB in the #hlq.CZAGENT.CNTL data set and copy the original CZDCONFG member that comes with the installation into the new CNF1LPRB member.
In the CNF1LPRB member:
- Uncomment the SWITCH ON(CEF) statement as displayed in bold red text in the following example.
- Uncomment the SMF switches as you require.
;**********************************************************************;
;**********************************************************************;
; CZDCONFG: Field configuration member for BMC AMI Defender ;
;**********************************************************************;
;**********************************************************************;
Say "CNF1LPRB v5.9.01 updated 18 July 2019"
;**********************************************************************;
; Do NOT place any statements in this member unless they are acceptable
; BOTH as definition and parameter statements as this member is
; included in both CZDEFINE and CZAPARMS.
;**********************************************************************;
;**********************************************************************;
; Switches for setting the SIEM type. Uncomment ONE and ONLY ONE of the
; following statements
;**********************************************************************;
; SWITCH ON(RFC3164) ; Uncomment for SIEM type RFC 3164
SWITCH ON(CEF) ; Uncomment for SIEM type CEF
; SWITCH ON(JSON) ; Uncomment for SIEM type JSON
; SWITCH ON(LEEF) ; Uncomment for SIEM type LEEF
; SWITCH ON(Splunk) ; Uncomment for SIEM type Splunk
; SWITCH ON(DAM) ; Uncomment for SIEM type DAM
;**********************************************************************;
; Switches for the inclusion of various optional support
; Uncomment as desired by overtyping column 1 with a blank
;**********************************************************************;
; SWITCH ON(Abend-AID) ; Compuware Abend-AID
; SWITCH ON(Action) ; Action Software EventAction SMF Type 249
; SWITCH ON(App_Audit) ; Compuware Application Audit
; SWITCH ON(ChangeMan) ; Micro Focus ChangeMan
SWITCH ON(IFCID002) ; DB2 IFCID 002
SWITCH ON(IFCID003) ; DB2 IFCID 003
SWITCH ON(MQ) ; SMF Type 115 and 116 (MQ Series)
SWITCH ON(RMF) ; RMF: SMF Types 70 through 79
SWITCH ON(SMF113) ; SMF Type 113
SWITCH ON(SMF30CPU) ; SMF Type 30 CPU reporting
SWITCH ON(SMF30STO) ; SMF Type 30 Storage reporting
SWITCH ON(SMF89) ; SMF Type 89
Create member CONFLPRP in the #hlq.CZAGENT.CNTL data set and copy the original CZDCONFG member that comes with the installation into the new CONFLPRP member.
In the CONFLPRP member:
- Uncomment the SWITCH ON(Splunk) statement as displayed in bold red text in the following example.
- Uncomment the SMF switches as you require.
;**********************************************************************;
;**********************************************************************;
; CZDCONFG: Field configuration member for BMC AMI Defender ;
;**********************************************************************;
;**********************************************************************;
Say "CONFLPRP v5.9.01 updated 18 July 2019"
;**********************************************************************;
; Do NOT place any statements in this member unless they are acceptable
; BOTH as definition and parameter statements as this member is
; included in both CZDEFINE and CZAPARMS.
;**********************************************************************;
;**********************************************************************;
; Switches for setting the SIEM type. Uncomment ONE and ONLY ONE of the
; following statements
;**********************************************************************;
; SWITCH ON(RFC3164) ; Uncomment for SIEM type RFC 3164
; SWITCH ON(CEF) ; Uncomment for SIEM type CEF
; SWITCH ON(JSON) ; Uncomment for SIEM type JSON
; SWITCH ON(LEEF) ; Uncomment for SIEM type LEEF
SWITCH ON(Splunk) ; Uncomment for SIEM type Splunk
; SWITCH ON(DAM) ; Uncomment for SIEM type DAM
;**********************************************************************;
; Switches for the inclusion of various optional support
; Uncomment as desired by overtyping column 1 with a blank
;**********************************************************************;
; SWITCH ON(Abend-AID) ; Compuware Abend-AID
; SWITCH ON(Action) ; Action Software EventAction SMF Type 249
; SWITCH ON(App_Audit) ; Compuware Application Audit
; SWITCH ON(ChangeMan) ; Micro Focus ChangeMan
SWITCH ON(IFCID002) ; DB2 IFCID 002
SWITCH ON(IFCID003) ; DB2 IFCID 003
SWITCH ON(MQ) ; SMF Type 115 and 116 (MQ Series)
SWITCH ON(RMF) ; RMF: SMF Types 70 through 79
SWITCH ON(SMF113) ; SMF Type 113
SWITCH ON(SMF30CPU) ; SMF Type 30 CPU reporting
SWITCH ON(SMF30STO) ; SMF Type 30 Storage reporting
SWITCH ON(SMF89) ; SMF Type 89
Create member CONFLPRM in the #hlq.CZAGENT.CNTL data set and copy the original CZDCONFG member that comes with the installation into the new CONFLPRM member.
In the CONFLPRM member:
- Uncomment the SWITCH ON(Splunk) statement as displayed in bold red text in the following example.
- Uncomment the SMF switches as you require.
;**********************************************************************;
;**********************************************************************;
; CZDCONFG: Field configuration member for BMC AMI Defender ;
;**********************************************************************;
;**********************************************************************;
Say "CONFLPRM v5.9.01 updated 18 July 2019"
;**********************************************************************;
; Do NOT place any statements in this member unless they are acceptable
; BOTH as definition and parameter statements as this member is
; included in both CZDEFINE and CZAPARMS.
;**********************************************************************;
;**********************************************************************;
; Switches for setting the SIEM type. Uncomment ONE and ONLY ONE of the
; following statements
;**********************************************************************;
; SWITCH ON(RFC3164) ; Uncomment for SIEM type RFC 3164
; SWITCH ON(CEF) ; Uncomment for SIEM type CEF
; SWITCH ON(JSON) ; Uncomment for SIEM type JSON
; SWITCH ON(LEEF) ; Uncomment for SIEM type LEEF
SWITCH ON(Splunk) ; Uncomment for SIEM type Splunk
; SWITCH ON(DAM) ; Uncomment for SIEM type DAM
;**********************************************************************;
; Switches for the inclusion of various optional support
; Uncomment as desired by overtyping column 1 with a blank
;**********************************************************************;
; SWITCH ON(Abend-AID) ; Compuware Abend-AID
; SWITCH ON(Action) ; Action Software EventAction SMF Type 249
; SWITCH ON(App_Audit) ; Compuware Application Audit
; SWITCH ON(ChangeMan) ; Micro Focus ChangeMan
SWITCH ON(IFCID002) ; DB2 IFCID 002
SWITCH ON(IFCID003) ; DB2 IFCID 003
SWITCH ON(MQ) ; SMF Type 115 and 116 (MQ Series)
SWITCH ON(RMF) ; RMF: SMF Types 70 through 79
SWITCH ON(SMF113) ; SMF Type 113
SWITCH ON(SMF30CPU) ; SMF Type 30 CPU reporting
SWITCH ON(SMF30STO) ; SMF Type 30 Storage reporting
SWITCH ON(SMF89) ; SMF Type 89
Edit the original #hlq.CZAGENT.CNTL(CZAPARMS) member as displayed in bold red text in the following example:
; LEEF - TRANS(TCP) Required by QRadar
;
;SERVER ip.addr.example TRANS(TCP) MAXMSG(2000) ; You MUST edit per doc
;
; SPLUNK - TRANS(TCP) Recommended
;
;SERVER ip.addr.example TRANS(TCP) MAXMSG(3000) ; You MUST edit per doc
%INCLUDE LICENSE ; Do not remove this line
%INCLUDE IF(CEF) DD:CZAPARMS(PRM1&SYSNAME.)
%INCLUDE IF(Splunk) DD:CZAPARMS(PARM&SYSNAME.)
The configuration defines the three separate CZAPARMS members:
- PRM1LPRB for the CEF agent on LPRB
- PARMLPRP for the Splunk agent on LPRP
- PARMLPRM for the Splunk agent on LPRM
Create member PRM1LPRB in the #hlq.CZAGENT.CNTL data set.
This member contains only the SERVER statement specification for your CEF agent on LPRB, such as the specification displayed in bold red text in the following example:
; Parameter file for CZAGENT
; SIEMTYPE-independent
; Copyright 2014-2018, 2019 BMC Software, Inc.
SAY "PRM1LPRB v5.9.01 updated 18 July 2019"
SERVER nnn.nn.nn.nnn TRANS(UDP) MAXMSG(2000)
Create member PARMLPRP in the #hlq.CZAGENT.CNTL data set.
This member contains only the SERVER statement specification for your Splunk agent on LPRP, such as the specification displayed in bold red text in the following example:
; Parameter file for CZAGENT
; SIEMTYPE-independent
; Copyright 2014-2018, 2019 BMC Software, Inc.
SAY "PARMLPRP v5.9.01 updated 18 July 2019"
SERVER nnn.nn.nn.nnn TRANS(UDP) MAXMSG(2000)
Create member PARMLPRM in the #hlq.CZAGENT.CNTL data set.
This member contains only the SERVER statement specification for your Splunk agent on LPRM, such as the specification displayed in bold red text in the following example:
; Parameter file for CZAGENT
; SIEMTYPE-independent
; Copyright 2014-2018, 2019 BMC Software, Inc.
SAY "PARMLPRM v5.9.01 updated 18 July 2019"
SERVER nnn.nn.nn.nnn TRANS(UDP) MAXMSG(2000)
Copy the original sample PROC statement from the #hlq.CZAGENT.CNTL(CZAGENT) data set and change the following agent PROC statements:
- For each Splunk agent, change the symbolic override SWITCH from SWITCH=DEFLTCFG to SWITCH=SPLUNK.
- For the CEF agent, change the symbolic override SWITCH from SWITCH=DEFLTCFG to SWITCH=CEF.
The following symbolic overrides in the PROC statement can remain unchanged:
DEFINES=CZDEFINE
PARMS=CZAPARMS
Use the following commands, in any order, to run the started tasks:
/S CEFagentName
/S SPLUNKagentNameOnLPRP
/S SPLUNKagentNameOnLPRM
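The procedures above depend on three things lining up: every %INCLUDE IF(switch) in CZDUSER2 needs a counterpart in CZAPARMS, each prefix plus &SYSNAME must still be a valid member name (at most 8 characters), and each per-agent CZDCONFG copy must activate only its own SIEM switch. The following Python check over copies of the members is an added example, not BMC code; the function names, the constructed sample text, and the case-insensitive switch comparison (the page writes both Splunk and SPLUNK) are assumptions.

```python
import re

# SIEM-type switch names listed in the shipped CZDCONFG member on this page.
SIEM_TYPES = {"RFC3164", "CEF", "JSON", "LEEF", "SPLUNK", "DAM"}
SWITCH_RE = re.compile(r"^\s*SWITCH\s+ON\(([^)]+)\)", re.I)
INCLUDE_RE = re.compile(
    r"^\s*%INCLUDE\s+IF\(([^)]+)\)\s+DD:\w+\((\w+)&SYSNAME\.\)", re.I)

# Constructed sample members, abbreviated from the first use case (LPAR LPRA).
CZDUSER2 = """\
%INCLUDE IF(Splunk) DD:CZAPARMS(CONF&SYSNAME.)
%INCLUDE IF(RFC3164) DD:CZAPARMS(CNF0&SYSNAME.)
"""
CZAPARMS = """\
%INCLUDE LICENSE ; Do not remove this line
%INCLUDE IF(Splunk) DD:CZAPARMS(PARM&SYSNAME.)
%INCLUDE IF(RFC3164) DD:CZAPARMS(PRM0&SYSNAME.)
"""
MEMBERS = {
    "CONFLPRA": "; SWITCH ON(RFC3164) ; RFC 3164\n"
                "  SWITCH ON(Splunk) ; Splunk\n"
                "  SWITCH ON(MQ) ; SMF Type 115 and 116\n",
    "CNF0LPRA": "  SWITCH ON(RFC3164) ; RFC 3164\n"
                "; SWITCH ON(Splunk) ; Splunk\n"
                "  SWITCH ON(RMF) ; SMF Types 70 through 79\n",
}


def live_lines(text):
    """Yield non-blank lines that are not commented out with ';'."""
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith(";"):
            yield line


def active_siem_switches(member_text, extra=()):
    """Upper-cased SIEM-type switches that are active in a CZDCONFG copy.

    `extra` holds site-chosen names such as RFC3164T from the second use case.
    """
    known = SIEM_TYPES | {name.upper() for name in extra}
    hits = (SWITCH_RE.match(line) for line in live_lines(member_text))
    names = (m.group(1).upper() for m in hits if m)
    return [n for n in names if n in known]


def conditional_includes(member_text):
    """Map switch name (upper-cased) -> member-name prefix before &SYSNAME."""
    hits = (INCLUDE_RE.match(line) for line in live_lines(member_text))
    return {m.group(1).upper(): m.group(2).upper() for m in hits if m}


def lint(czduser2, czaparms, sysname, config_members, extra=()):
    """Return findings; an empty list means the member set is consistent.

    config_members maps member name -> text of each per-agent CZDCONFG copy.
    """
    findings = []
    conf = conditional_includes(czduser2)
    parm = conditional_includes(czaparms)
    # A switch present on one side only leaves that agent half-configured.
    for switch in sorted(set(conf) ^ set(parm)):
        where = "CZDUSER2" if switch in conf else "CZAPARMS"
        findings.append(f"IF({switch}) appears only in {where}")
    # PDS member names are limited to 8 characters after &SYSNAME resolves.
    for prefix in sorted(set(conf.values()) | set(parm.values())):
        member = prefix + sysname.upper()
        if len(member) > 8:
            findings.append(f"{member} exceeds the 8-character member-name limit")
    # "Uncomment ONE and ONLY ONE": each copy must select only its own type.
    for switch, prefix in sorted(conf.items()):
        member = prefix + sysname.upper()
        text = config_members.get(member)
        if text is None:
            findings.append(f"{member} for IF({switch}) was not supplied")
            continue
        active = active_siem_switches(text, extra)
        if active != [switch]:
            findings.append(f"{member} activates {active}; expected only {switch}")
    return findings


if __name__ == "__main__":
    print(lint(CZDUSER2, CZAPARMS, "LPRA", MEMBERS))
```

For the second use case, pass extra=["RFC3164T"] (or whatever unique name you chose) so that the site-defined switch is treated as a SIEM-type switch.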