SMF ACF2 statement


ACF2 SMF records are written for security events. Security events include both problems, such as a user attempting to log on with an invalid password, and non-problem events, such as ACF2 granting a particular user access to a particular resource. You might want to monitor ACF2 records to keep track of security events. The SMF ACF2 statement indicates that ACF2 records are to be collected and forwarded to your syslog console. If you code an SMF ACF2 statement, then all ACF2 SMF records are forwarded to your BMC Defender Server or syslog console with a facility of Security (4) and a severity of informational, except for Invalid password or authority and Resource Violation records, which are forwarded with a severity of error.


If you code more than one SMF ACF2 statement, then a subsequent SMF ACF2 statement replaces any SMF ACF2 statement(s) that came before.

SMF ACF2(recordtype)

Must be specified. For recordtype, code a single numeric value between 0 and 255 (usually a value between 128 and 255) that specifies the SMF record type number that you have configured your installation of ACF2 to use. If recordtype is omitted, it defaults to 230.

FACILITY(facility-name)

Specifies the RFC 3164 facility that is to be indicated as the origin of the syslog records corresponding to ACF2 SMF records. If you omit this parameter, it defaults to SECURITY4. If you would like a different facility indicated, code one of the RFC 3164 facility names as listed in Syslog-facilities-and-severities.

FIELDs(fieldname…)

Specifies the names of the ACF2 SMF record fields that are to be transmitted to the BMC Defender Server or other syslog console, and the order in which they are to appear in the message. Specify one or more of the fields as described in FIELDS-parameter.

filter-specification

INHibit

Specifies that the writing of the specified SMF record type to the SMF data sets, logstream or both is to be inhibited by BMC AMI Defender. The specified SMF record type is processed by BMC AMI Defender, but then inhibited from further processing by SMF.

LOG


LOG(HEX)

Specifies that the selected SMF records are to be logged on CZAPRINT and optionally dumped in hexadecimal and character format. This parameter is intended primarily for diagnostic purposes. Be careful when specifying LOG(HEX), as it can generate a large volume of print records, especially if BMC AMI Defender is left running for several hours or more.

PROCess('process-tag')

Specifies the tag that appears at the start of ACF2 syslog messages, following the priority, timestamp and hostname, and preceding the formatted fields. Specify the exact process tag that you wish to include in syslog messages, including any spaces and punctuation. Process-tag may be any length from the null string ('') to 32 characters. If SMF ACF2 PROCess is omitted, it defaults to ACF2 followed by the leading delimiter from OPTIONS DELIM.

SEVerity(severity)

Specifies the default syslog severity. See Syslog-facilities-and-severities. You may also code SUPPRESS. SUPPRESS indicates that, by default, records are not to be formatted and forwarded to the syslog server at all. If you omit SEVerity, it defaults as described under Subtype Default Severities.

SUBTypes

Specifies one or more SMF record subtypes and the syslog severity to be assigned to them.

Specify the subtype or subtypes in one or more of the following formats.

subtype

Specifies a single record subtype.

Example: SUBT(A SEV(NOTICE)) specifies that subtype A records are to be forwarded with a severity of notice.

subtype:subtype

Specifies a range of record subtypes.

Example: SUBT(C:G SEV(SUP)) specifies that all subtype C, D, E and G records are to be suppressed (not forwarded). (There is no ACF2 subtype F.)

For both of the previous formats, subtype must be in the indicated.

SEVerity(severity)

Specifies the syslog severity for the specified record subtypes. See Syslog-facilities-and-severities. You may also code DEFAULT or SUPPRESS. DEFAULT indicates that the severity is to default to the defined severity; SUPPRESS indicates that the specified event records are not to be forwarded to the syslog server at all. If you omit SEVerity, it defaults as described as follows.

Subtype Default Severities

  • Subtypes A, C, G, I and T default to SUPPRESS.
  • Subtypes E, J, L, R, T and U default to INFORMATIONAL.
  • Subtype P defaults to ERROR.
  • For subtype D, if A$SPGMNM or A$SABEND is set on in A$SECTYP then ERROR, or else INFORMATIONAL.
  • For subtype V, if ACVMFTF is equal to ACVMFTFV or ACVMFTFE then ERROR, or else INFORMATIONAL.
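The following is an added illustration, not BMC's code, of how the rules above combine: it resolves the forwarded severity of an ACF2 record from the built-in subtype defaults, an optional statement-level SEVerity and any SUBTypes overrides, so that you can see which subtypes are silently dropped by a given statement. The precedence (SUBTypes SEV, then statement SEVerity, then the built-in default) is inferred from the parameter descriptions; the page lists subtype T under both SUPPRESS and INFORMATIONAL, and SUPPRESS is assumed here; record fields are modelled as a plain dictionary.

```python
# Built-in subtype default severities as documented on this page.
# Subtype T appears under both lists on the page; SUPPRESS is assumed here.
FIXED_DEFAULTS = {
    **dict.fromkeys("ACGIT", "SUPPRESS"),
    **dict.fromkeys("EJLRU", "INFORMATIONAL"),
    "P": "ERROR",
}

def builtin_default(subtype, flags):
    """Default severity for one record. `flags` models the record fields
    tested for subtypes D and V (A$SPGMNM, A$SABEND, ACVMFTF)."""
    if subtype == "D":
        abend = flags.get("A$SPGMNM") or flags.get("A$SABEND")
        return "ERROR" if abend else "INFORMATIONAL"
    if subtype == "V":
        violation = flags.get("ACVMFTF") in ("ACVMFTFV", "ACVMFTFE")
        return "ERROR" if violation else "INFORMATIONAL"
    return FIXED_DEFAULTS.get(subtype, "INFORMATIONAL")

def expand_subtypes(spec):
    """'A' -> ['A']; 'C:G' -> ['C', 'D', 'E', 'F', 'G'] (inclusive range)."""
    if ":" in spec:
        lo, hi = spec.split(":")
        return [chr(c) for c in range(ord(lo), ord(hi) + 1)]
    return [spec]

def resolve_severity(subtype, flags, statement_sev=None, subt_rules=()):
    """Severity a record is forwarded with, or None if it is suppressed.
    subt_rules is a list of (subtype-spec, severity) pairs, e.g. ("C:G", "SUP").
    Assumed precedence: matching SUBTypes SEV, then statement SEVerity,
    then the built-in subtype default."""
    for spec, sev in subt_rules:
        if subtype in expand_subtypes(spec):
            if sev in ("SUP", "SUPPRESS"):
                return None
            if sev != "DEFAULT":
                return sev
            break  # DEFAULT: fall through to the defined default
    sev = statement_sev or builtin_default(subtype, flags)
    return None if sev in ("SUP", "SUPPRESS") else sev

def forwarding_table(statement_sev=None, subt_rules=(), flags=None):
    """Forwarded severity (or None) for every subtype named on this page."""
    flags = flags or {}
    return {s: resolve_severity(s, flags, statement_sev, subt_rules)
            for s in sorted("ACDEGIJLPRTUV")}

if __name__ == "__main__":
    # Statement with no SEVerity and the two SUBT examples from the page.
    for subtype, sev in forwarding_table(None, [("A", "NOTICE"), ("C:G", "SUP")]).items():
        print(subtype, sev or "suppressed")
```

Running the block prints that, under the page's defaults, subtypes C, G, I and T never reach the syslog console unless a SUBTypes override raises them.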


BMC AMI Defender for z/OS 5.9