TYPE and RETYPE statements


The TYPE and RETYPE statements provide the high-level definition of the processing of an API1 or SMF record type. Code one TYPE (or TYPE and RETYPE) statement for each API1 or SMF record type that BMC AMI Defender is to be able to process.

TYPE|RETYPE event_type([fields_context]) specification_name([CAT(category)] CEF(NAME(event-name) [ID(sig-ID)]) [EXITSEL(code)] [FACILITY(facility)] [FIX(num)|VAR(num)] [ID(event-ID)] [PROCESS(process-tag)]) [TRIPLETCONStraint(minimum [maximum [remainder]])]


Event_type

Specifies the event type name. Code a name 1–16 characters in length. The name must be unique across all event types. Do not use ALL as an event name.

Fields_context

Is optional. Normally the fields context for a given event is the same as the event_type; you can override it here if required. Code a name of 1–16 characters.

Specification_name

Specifies the underlying main logic for the event type. Specify one of the following specification names:

Name          Brief description
API1GENERAL   General API1 event processing.
CONTEXT       Specifies a field context only, with no associated event processing. No other parameters are specified with CONTEXT.
SMFACF2       Processing of CA ACF2 records.
SMFDB2        Processing of DB2 Type 100, 101 and 102 records.
SMFGENERAL    General SMF record processing.
SMFT110       Processing of CICS Audit Records.
SMFT30        Processing of z/OS Work Unit records.
SMFT80        Processing of RACF and CA Top Secret records.

Certain event specifications support additional parameters beyond those shown here. The parameters shown are as follows:

CAT(category)

Specifies the event category formatted by the field SMFXXCAT. This field is critical to QRadar LEEF formatting. Specify a literal string of one or more characters.

CEF(NAME(event-name) [ID(sig-ID)])

Specifies the CEF event name field and, optionally, an overriding CEF Signature ID field name. The NAME operand is required and must specify the name of the field that is used to generate the CEF header name field. By convention, CEF event name fields have names of the form CEF_Txxx_Name. If ID is coded, it specifies the name of a field that is used to generate the CEF signature ID field, overriding the specification in the ID parameter. By convention, CEF unique signature ID fields have names of the form CEF_Txxx_SigID.

FACILITY(facility)

Specifies the default RFC 3164 or RFC 5427 Facility code for the event type. Specify one of the Facility names listed in the Syslog facilities and severities topic of the BMC AMI Defender documentation.

The following table shows the FACILITY defaults:

TYPE Specification_name   Facility default
API1GENERAL               console
CONTEXT                   n/a
SMFACF2                   auth
SMFDB2                    audit
SMFGENERAL                console
SMFT110                   local0
SMFT30                    daemon
SMFT80                    auth

ID(event-ID)

Specifies the name of a field that is used to generate the CEF Signature ID or LEEF event ID. By convention, these fields have names of the form CEF_LEEF_Txxx_ID if common to CEF and LEEF, or LEEF_Txxx_EventID if unique to LEEF. If this parameter is omitted, the PROCESS literal is used instead.

PROCess(process-tag)

Specifies the tag that appears at the start of syslog messages for the event, following the priority, timestamp, and hostname, and preceding the formatted fields. Specify the exact process tag that you want included in syslog messages, including any spaces and punctuation. The process tag can be any length from the null string ('') to 32 characters.

TRIPLETCONStraint(minimum [maximum [remainder] ] )

An optional parameter that provides additional validation of triplet Get specifications at field definition time (there is no additional overhead during event processing). You can specify a minimum valid offset for triplets of this record type, a maximum valid offset, and the valid alignment of triplets. The alignment is specified as the remainder on division of the triplet offset by 8.

Example

A remainder of 4 means that offsets of 28 or 36 are valid, but offsets of 24, 26, and 30 are not. Specify a value in the range 0–7. You can also specify -1 as the remainder to disable alignment validation, or simply omit the remainder.
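As an added illustration (not BMC's code), the following Python re-implements the TRIPLETCONStraint rules described above so that you can check which triplet offsets a given minimum, maximum and remainder would accept before coding the statement. The sample TYPE statement is constructed, and the assumption that any prefix of TRIPLETCONSTRAINT from TRIPLETCONS upward is accepted as the keyword is the editor's, not something the page states.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class TripletConstraint:
    """Operands of TRIPLETCONStraint(minimum [maximum [remainder]])."""
    minimum: int
    maximum: Optional[int] = None    # omitted: no upper bound on the offset
    remainder: Optional[int] = None  # omitted or -1: alignment check disabled

    def offset_is_valid(self, offset: int) -> bool:
        """Apply the range and alignment rules to one triplet offset."""
        if offset < self.minimum:
            return False
        if self.maximum is not None and offset > self.maximum:
            return False
        if self.remainder is None or self.remainder == -1:
            return True
        # Alignment is expressed as the remainder of the offset divided by 8.
        return offset % 8 == self.remainder


# Assumption: the capitalised part of TRIPLETCONStraint is the minimum
# abbreviation, so TRIPLETCONS, TRIPLETCONSTR, ... TRIPLETCONSTRAINT all match.
_CLAUSE = re.compile(r"\b(TRIPLETCONS\w*)\(\s*([^)]*?)\s*\)", re.IGNORECASE)


def parse_tripletconstraint(statement: str) -> TripletConstraint:
    """Extract and validate the TRIPLETCONStraint operands from a TYPE statement."""
    match = _CLAUSE.search(statement)
    if not match or not "TRIPLETCONSTRAINT".startswith(match.group(1).upper()):
        raise ValueError("no valid TRIPLETCONStraint clause found")
    operands = match.group(2).split()
    if not 1 <= len(operands) <= 3:
        raise ValueError("expected minimum [maximum [remainder]]")
    values = [int(op) for op in operands]
    minimum = values[0]
    maximum = values[1] if len(values) > 1 else None
    remainder = values[2] if len(values) > 2 else None
    if maximum is not None and maximum < minimum:
        raise ValueError("maximum offset is below minimum offset")
    if remainder is not None and remainder != -1 and not 0 <= remainder <= 7:
        raise ValueError("remainder must be -1 or in the range 0-7")
    return TripletConstraint(minimum, maximum, remainder)


# Constructed sample statement (not from the page) using the documented operand order.
EXAMPLE = "TYPE MYEVENT SMFGENERAL(FACILITY(console)) TRIPLETCONStraint(24 64 4)"
```

With the sample statement, `parse_tripletconstraint(EXAMPLE).offset_is_valid(28)` accepts the offset while 24, 26 and 30 are rejected, matching the worked example above.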
