Parameters common to DEFAULTs, JOBLOG, and MODIFY JOBLOG

This topic provides information about parameters that you can use with DEFAULTs, JOBLOG, and MODIFY JOBLOG statements for CZAJOBLG.

The CZAJOBLG parameter file can also contain the following statements:

 ParmsCommonDEFAULTs.png

The parameters are explained in the following table:

Parameter

Description

CCs(No|Yes)

Whether to include the carriage control character in the record sent to the SIEM

This parameter applies to spooled data sets with carriage control characters (RECFM=xxA or xxM). It has no effect on spooled data sets without carriage control characters.

If not specified, the default is No.

CLASSes(sysoutClass)

Up to 36 single-character SYSOUT classes (A-Z, 0-9) to use when searching for a ddname to select

  • Classes is not case sensitive. The characters are converted to upper case automatically.
  • If you specify more than one class on MODIFY JOBLOG, separate them with commas and do not include blank spaces, for example, CLASS(A,C,F).
  • If you specify more than one class in a parameter file statement, you can separate them with blanks or commas.

If you omit this parameter, the default is to use all SYSOUT classes.

DATADelay(seconds)

Number of seconds, from 1 through 86400 (one day), that CZAJOBLG should wait before checking if the job has spooled more data

CZAJOBLG performs this check after reading all of the data available in the data set.

If you omit this parameter, the default is 15 seconds.

DDname

ddname

stepNameDdname

stepNameProcstepNameDdname

Name of the data definition (DD) statement that defines the spooled SYSOUT data set to be streamed to the SIEM

  • Specify the ddname in one of the indicated formats.
  • DDname is not case sensitive. The characters are converted to uppercase automatically.
  • To nullify a default name, enter two single quotation marks ( ' and ' with no space between them).
  • To nullify only the ddname, enter a zero-length ddname such as, DDname(STEP1..

For information about the effect of DDname on the JOBLOG name, see JOBLOG Names.

If you omit this parameter, the default is the first or only user-entered DD statement in the job matching any of the classes specified in the CLASSes parameter. (There are several system spool data sets that appear in the spool as though they were ddnames, such as JESMSGLG and JESJCL. You can specify them by name but they are never used as the default if you omit DDname.)

EVENT (event)

Name of the API1 event type (the unique identifier provided by the API1 program author or vendor)

Specify the name as you would in a BMC AMI Defender SELECT or EVENT-statement. Enter the name without the API_ prefix.

If you omit this parameter, the default is the JOBLOG API1.

IDENT(number)

Unsigned number from 0 through 65535 that identifies the event record

If used, this value, entered in the API1 event identifier field of the API1 control block, must match the value specified in the FIELDS parameter of the EVENT statement. For additional information, see:

If you omit this parameter, the default is 0.

INSTance(instance)

Currently running BMC AMI Defender instance used to send the data set records

Specify an instance name, as described under INSTName in the OPTIONS-statement (recommended), or an instance number from 0 to 7, as described under INSTANCE in the START-command.

If not specified, the default is 0.

JESName(name)

Name of the secondary JES2 system (poly-JES) under which the specified job is running

JESName is not case sensitive and the characters are converted to uppercase automatically. To nullify a name coded in a preceding DEFAULTs statement, code two single quotation marks (''). JESName does not apply to JES3 installations.

If not specified, the default is the primary JES system.

JOBDelay(seconds)

Amount of time to wait before checking if the specified job does not exist, the specified instance of BMC AMI Defender is not running, or the specified event name is not configured

Enter the number of seconds, from 5 to 86400 (one day).

If not specified, the default is 300 seconds (5 minutes).

PURGE(No|Yes)

What to do if CZAJOBLG discovers that the BMC AMI Defender queue is too full to accept a data set record

For more information, see Determining the QUEUE64 Size and the QUEUESLack parameter, below.

Note

No matter what value is specified for QUEUESLack, it is possible for the queue to become full in the brief interval between when CZAJOBLG checks it and when the API attempts to allocate space for it in the queue.

Use No, if you want CZAJOBLG to wait the interval specified by QUEUEDelay before checking the queue again. BMC strongly recommends using No so you do not discard real-time events to make room for records that are resident on DASD.

Use Yes, if you want CZAJOBLG to discard the oldest records in the queue if the queue is full.

If not specified, the default is No, so that CZAJOBLG waits for queue space to become available rather than triggering a purge.

QUEUEDelay(seconds)

Number of seconds to wait before checking the queue again in one of the following situations:

  • The amount of space specified by QUEUESLack is not available
  • The PURGE value is No and the queue is too full to accept another record

Enter the number of seconds, from 1 to 60 (one minute).

If not specified, the default is 5 seconds.

QUEUESLack(percent)

Amount of queue space that must be available before CZAJOBLG attempts to queue a record

If the specified amount of queue space is not available, CZAJOBLG waits the amount of time specified in QUEUEDelay before trying again. Without queue slack (room in the queue), CZAJOBLG could fill the queue completely and almost instantly, causing real-time events to purge queued records to make space. For more information, see Determining the QUEUE64 Size.

Specify a percentage from 0 to 100. A value of 100 means that the queue must be completely empty before CZAJOBLG attempts to queue a record. A value of 0 means that CZAJOBLG might always attempt to queue records without regard for queue space. If you specify too great a percentage, then CZAJOBLG performance might suffer needlessly. If you specify too low a value, real-time security events might be lost unnecessarily. CZAJOBLG logs a diagnostic message if any events are purged for any reason during its execution.

Note

No matter what value is specified for QUEUESLack, it is possible for the queue to become full in the brief interval between when CZAJOBLG checks it and when the API attempts to allocate space for it in the queue.

If not specified, the default is 50%.

SEVerity(severity)

Syslog severity for the messages formatted from the records

For more information, see Syslog-facilities-and-severities and Determining the QUEUE64 Size.

If you use the value DEFAULT, the severity takes the value specified in the TYPE statement for the event. For more information, see TYPE and RETYPE Statements.

If not specified, the default is the severity specified in the TYPE statement for the event.

SUBType(subtype)

BMC AMI Defender subtype for the forwarded records

Subtypes might be formatted with the SIEM message. For more information, see Event_SubType in Universal-fields. For information on the validity and formatting of specific fields, see CSubTp in Condition-specifications.

Specify a value from 0 to 32767.

If not specified, the default is 0.

SYSName(sysname)

Name of the system on which to search for the specified job

The system name is not case sensitive and the characters are converted to uppercase automatically.

If not specified, the default is * so that all systems are visible to the JES on the system on which CZAJOBLG is running.

This section also contains the following topics: 

Related topic

CZAJOBLG-parameters


 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*