CZALDFIL parameters


CZALDFIL is a program that sends (loads) one or more MVS data sets or z/OS UNIX files to a SIEM console using BMC AMI Defender. For more information, see Using-the-CZALDFIL-program.

CZALDFIL's initial source of parameters is the JCL EXEC statement PARM= operand, or the equivalent data passed from a calling program or script. The parameter can consist of either a LOAD statement, described below, or an INCLUDE-statement that references a data set or PDS member containing one or more LOAD statements and/or %INCLUDE statements. In the PARM= operand you can separate parameters with either spaces or commas.

Note

z/OS limits the PARM= operand to a maximum of 100 characters.

CZALDFIL load statement syntax diagram

Required Parameters

LOAD instance event

Optional Parameters

COMMent(comment_indicator) DATASet(dataset|DD:CZAINFIL) LENgth(PREfix|REMove) PURGE(Yes|No) QUEUESLack(percent) SEVerity(DEFAULT|severity) SUBType(0|subtype) TRACE(trace-specifications) WAITQUEUEMax(300|No|seconds)

CZALDFIL LOAD statement option descriptions

You can code the optional parameters in any order.

Parameter

Description

Load

Must be coded as shown.

instance

Specifies the running BMC AMI Defender instance that is to be used to send the data set records. Specify an instance name (recommended), as described under INSTName in The OPTIONS Statement in the BMC AMI Defender documentation, or an instance number between 0 and 7 (see INSTANCE= in the START-command topic). This operand is required.

event

Specifies the name of the API event type. Specify the name as you would specify it in a BMC AMI Defender SELECT or EVENT statement; that is, the name without the API_ prefix. This parameter is required.

COMMent(comment_indicator)

Specifies an optional comment indicator. Code a character string of one to eight characters that, if found in the first position of a data set record (ignoring any LLBB positions), marks the record as a comment rather than a data record to be passed to BMC AMI Defender and the SIEM. The character string comparison is case-sensitive. This parameter is optional; if omitted, all data set records are passed to BMC AMI Defender.

DATASet(dataset|DD:CZAINFIL)

Specifies the input data set using one of the formats under Dataset Specification in BMC AMI Defender documentation. As it is an input file, * (SYSOUT) is not allowed, nor are the output file variable symbols. There is no default PDS, so a member-only specification is not allowed. This parameter is optional; if omitted, it defaults to DD:CZAINFIL, that is, the data set or z/OS UNIX file referenced with the DD statement or dynamic allocation named CZAINFIL.

LENgth(PREfix|REMove)

Specifies, for RECFM=Vxx data sets only, whether the LLBB field (the first four bytes of each record) is to be passed to BMC AMI Defender (PREfix) or is to be removed and only the data portion of each record passed to BMC AMI Defender (REMove). LENgth is checked for a valid value, but is otherwise ignored for all except RECFM=Vxx data sets. LENgth is always optional; if not specified for RECFM=Vxx data sets then the LLBB field becomes the first four bytes of the record passed to BMC AMI Defender (PREfix).

PURGE(Yes|No)

Specifies the action to be taken if CZALDFIL discovers that the BMC AMI Defender queue is too full to accept a data set record. (See Determining the QUEUE64 Size in BMC AMI Defender documentation.) See also the QUEUESLack parameter.

Note

No matter what value is specified for QUEUESLack, it is possible for the queue to become full between the time when CZALDFIL checks it and when the API attempts to allocate space for it in the queue.

PURGE(Yes) specifies that if the queue is full then the oldest records in the queue are to be discarded to make room; PURGE(No) specifies that CZALDFIL is to wait a brief interval (computed to minimize both CPU time and elapsed time) and try again. BMC strongly recommends PURGE(No), as there is usually little benefit in discarding security events to make room for records that are resident on DASD. CZALDFIL logs a diagnostic message if any events are purged (for any reason) during its execution. PURGE is optional; if you omit PURGE then CZALDFIL waits for queue space to become available (subject to WAITQUEUEMax(), below) rather than triggering a purge.

QUEUESLack(percent)

Specifies the amount of queue space that must be available before CZALDFIL attempts to queue a record; otherwise CZALDFIL waits a brief interval (computed to minimize both CPU time and elapsed time) and tries again. Without queue slack, CZALDFIL could fill the queue completely and almost instantly, causing subsequent real-time events to purge queued records in order to obtain space. (See Determining the QUEUE64 Size in the BMC AMI Defender documentation.) Specify a free (or slack) percentage between 0 and 100 percent. A QUEUESLack value of 100 means the queue must be completely empty before CZALDFIL attempts to queue a record; a value of 0 means that CZALDFIL always attempts to queue records without regard for queue space (but see also PURGE). If you specify too great a percentage then CZALDFIL elapsed time might suffer needlessly; if you specify too low a value then real-time security events might be lost unnecessarily. CZALDFIL logs a diagnostic message if any events are purged (for any reason) during its execution. QUEUESLack is optional; if omitted, it defaults to 50 percent.

SEVerity(DEFAULT|severity)

Specifies the syslog severity for the messages formatted from the records. See Syslog Facilities and Severities in the BMC AMI Defender documentation for the valid severity values. You can also code DEFAULT, which indicates that the severity is to default to the severity specified in the TYPE statement for the event (see TYPE and RETYPE Statements in BMC AMI Defender for z/OS Defining Your Own Fields). SEVerity is optional; if you omit SEVerity, it defaults to the severity specified in the TYPE statement for the event.

SUBType(0|subtype)

Specifies a BMC AMI Defender subtype for the loaded events. Subtypes can be formatted into the SIEM message (see Event_SubType in Fields of the BMC AMI Defender documentation) or used to qualify the formatting of specific fields (see CSubTp() in BMC AMI Defender for z/OS Defining Your Own Fields). Specify a value between 0 and 32767. SUBType is optional; if omitted, it defaults to 0.

TRACE(trace-specifications)

Specifies whether CZALDFIL is to write additional diagnostic messages to the CZAPRINT data set and, if so, which types of diagnostic messages. TRACE can be useful for diagnosing certain problems. If TRACE is completely omitted, then it defaults to the previous state of TRACE; if TRACE() or TRACE(-ALL) is specified, then all tracing is turned off.

Specify zero or more of the trace types described in Specifying TRACE of the BMC AMI Defender documentation (in any order). Prefix any of the specifications with a minus sign ( - ) to indicate negation. The specifications are processed left to right. For instance, TRACE(ALL -XL -ENV) indicates all TRACE output except that related to translation and the operating environment.

WAITQUEUEMax(300|No|seconds)

Specifies the maximum continuous amount of time that CZALDFIL is to wait if it is unable to queue records (see PURGE() and QUEUESLack()); in other words, the maximum amount of time without queueing a single record that CZALDFIL permits. Specify a number of seconds between 1 and 86400, or No to indicate no maximum wait time. WAITQUEUEMax is optional; if omitted, it defaults to 300 seconds (five minutes).
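A pre-submission check for a LOAD statement before it goes into a job's PARM=, written as an added example for this page (it is not part of CZALDFIL or of BMC's documentation): it splits the statement on blanks or commas, resolves the minimum abbreviations shown by the capitalised letters in the option table, enforces the 100-character PARM= limit and the numeric ranges stated above, and applies TRACE specifications left to right. The instance, event and comment values in the test are constructed samples; anything about CZALDFIL's own tokenizing beyond what this page states (for example, whether LOAD itself may be abbreviated) is an assumption.

```python
import re
# LOAD option keywords with their minimum abbreviations (the capitalised letters above)
OPTIONS = {"COMMENT": "COMM", "DATASET": "DATAS", "LENGTH": "LEN",
           "PURGE": "PURGE", "QUEUESLACK": "QUEUESL", "SEVERITY": "SEV",
           "SUBTYPE": "SUBT", "TRACE": "TRACE", "WAITQUEUEMAX": "WAITQUEUEM"}
VALUES = {"PURGE": {"YES": "YES", "NO": "NO"}, "LENGTH": {"PREFIX": "PRE", "REMOVE": "REM"}}
RANGES = {"QUEUESLACK": (0, 100), "SUBTYPE": (0, 32767), "WAITQUEUEMAX": (1, 86400)}

def expand_keyword(word, table):
    # Resolve an abbreviation against a {FULL: minimum} table, e.g. QUEUESL -> QUEUESLACK
    for full, minimum in table.items():
        if full.startswith(word) and len(word) >= len(minimum):
            return full
    raise ValueError(f"unknown keyword {word!r}")

def resolve_trace(spec):
    # Apply TRACE specs left to right; ALL or -ALL overrides everything before it
    state = {} if spec.strip() else {"ALL": False}  # TRACE() turns all tracing off
    for item in spec.split():
        neg, name = item.startswith("-"), item.lstrip("-").upper()
        state = {"ALL": not neg} if name == "ALL" else {**state, name: not neg}
    return state

def parse_load(parm):
    """Parse 'LOAD instance event [options]' as coded in PARM= into a dict."""
    if len(parm) > 100:  # z/OS limit on the PARM= operand
        raise ValueError("PARM= is longer than 100 characters")
    tokens = re.findall(r"[^\s,()]+(?:\([^)]*\))?", parm)  # blanks or commas separate
    if len(tokens) < 3 or tokens[0].upper() != "LOAD":
        raise ValueError("expected LOAD instance event [options]")
    opts = {"INSTANCE": tokens[1], "EVENT": tokens[2],  # defaults from the table
            "DATASET": "DD:CZAINFIL", "LENGTH": "PREFIX", "PURGE": "NO",
            "QUEUESLACK": 50, "SEVERITY": "DEFAULT", "SUBTYPE": 0, "WAITQUEUEMAX": 300}
    for tok in tokens[3:]:
        m = re.fullmatch(r"([A-Za-z]+)\((.*)\)", tok)
        if not m:
            raise ValueError(f"malformed option {tok!r}")
        name, value = expand_keyword(m.group(1).upper(), OPTIONS), m.group(2)
        if name == "TRACE":
            opts[name] = resolve_trace(value)
        elif name in VALUES:
            opts[name] = expand_keyword(value.upper(), VALUES[name])
        elif name == "WAITQUEUEMAX" and value.upper() == "NO":
            opts[name] = "NO"  # no maximum wait
        elif name in RANGES:
            lo, hi = RANGES[name]
            if not value.isdigit() or not lo <= int(value) <= hi:
                raise ValueError(f"{name} must be {lo}-{hi}, got {value!r}")
            opts[name] = int(value)
        else:
            opts[name] = value  # COMMent is case-sensitive, so keep it as coded
    return opts
```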
