Using the CZALDFIL program

CZALDFIL is a program that sends or loads one or more MVS data sets or z/OS UNIX files into a SIEM console through BMC AMI Defender. CZALDFIL might be invoked with JCL, from a calling program, or from a Rexx script, although the latter two options require that the calling program be APF-authorized, and so are not generally recommended.

CZALDFIL supports the following types of data sets and files:

  • Traditional sequential data sets, including spooled, GDG, in-line, tape and Extended-Format data sets, of any z/OS-supported LRECL and BLKSIZE, and any RECFM, including VBS. ISO/ANSI (Format F) tapes and Large Format data sets are not supported.
  • PDS and PDSE members of any z/OS-supported LRECL, BLKSIZE and RECFM.
  • z/OS UNIX files.
  • VSAM clusters, including ESDS, KSDS and RRDS data sets.

In the remainder of this section, data set includes all types of data sets and files listed preceding, except where the context clearly implies otherwise.

The data set layout must have been previously defined to BMC AMI Defender as an API1 event type. For data sets that consist entirely of printable data, such as typical print reports, you should generally be able to use the predefined GENERIC-event-type. To define your own record layout, see TYPE-and-RETYPE-statements. You must enable the event type in BMC AMI Defender with the appropriate SELECT and EVENT statements. The event specifications are used for formatting the data set records as SIEM-appropriate messages.

The information about CZALDFIL operation does not apply to the BMC AMI Defender dbDefender Package.

CZALDFIL writes a listing of status, diagnostic and error messages on DD CZAPRINT, that typically should be defined as a spooled data set. The messages, numbered from CZA0000 to CZA0199, and from CZA0600 to CZA0699, are documented in the Messages library.

CZALDFIL returns a completion code to the job or the calling program. See the Messages library for a list of possible return codes and their meanings.

CZALDFIL must be APF-authorized.

CZALDFIL populates the API1 event identification field with the record number (absolute record number, before the effect of comments or zero-length records). See EventNonSMFIdent under API1-common-fields.

Invoking CZALDFIL with JCL

This section contains a simple example and a complex example of JCL for invoking CZALDFIL.

Simple example
//stepname EXEC PGM=CZALDFIL,
//    PARM='LOAD Siem.Agent OurEvent1'
//STEPLIB  DD   DSN=<amihlq>.CZAGENT.LOAD,DISP=SHR
//CZAPRINT DD   SYSOUT=*
//CZAINFIL DD   data set to be transmitted

The instance name and event name have been specified in PARM=; all other options have been allowed to default. The data set to be transmitted is defined in the default DD statement, CZAINFIL. (This sample JCL is available in amihlq.CZAGENT.CNTL as member CZALDFIL.)

Complex example
//stepname EXEC PGM=CZALDFIL,PARM='%INCLUDE DD:SYSIN'
//STEPLIB  DD   DSN=<amihlq>.CZAGENT.LOAD,DISP=SHR
//CZAPRINT DD   SYSOUT=*
//SYSIN    DD   *
 LOAD Siem.Agent OurEvent1 DATASET(DD:INFILE1) LEN(REM) +
TRACE(MISC)
 LOAD Siem.Agent OurEvent2 DATASET(SOME.DATASET.NAME) +
QUEUESLACK(80) TRACE() SUBT(2)
 LOAD Siem.Agent OurEvent3 DATASET(DD:STATUS)
/*
//INFILE1  DD   data set to be transmitted
//STATUS   DD   *
  All SIEM file loads completed
/*

In this jobstep the parameters are in an instream data set specified with PARM='%INCLUDE DD:SYSIN'.

Note

There are three loads:

  1. In the first, LEN(REM) has been specified to delete RECFM=Vxx LLBB fields and TRACE(MISC) has also been specified.
  2. In the second, a QUEUESLack value of 80 (percent) has been specified to help prevent queue purges, TRACE() has been specified to turn off the previous tracing, and a subtype of 2 has been specified.
  3. In the third, an in-stream data set of one record is to be sent to the SIEM.


Related topic

CZALDFIL-parameters


 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*