Overview of the API
BMC AMI Defender API passes requests to BMC AMI Defender to format records representing z/OS events as syslog messages, and then transmits them to your organization's Security Information and Event Management (SIEM) service. In this context, syslog refers to the IETF BSD syslog protocol RFC 3164, and not to the SYSLOG from the z/OS JES spool. The calling program does not specify the destination of the syslog message; the destination is specified in the BMC AMI Defender configuration.
External SIEMs, such as ArcSight, RSA CEF, and IBM Security QRadar LEEF, can use the API to take full advantage of BMC AMI Defender features.
The API has the following characteristics:
- Called using z/OS assembler or C/C++—Programs making calls in these languages must be APF-authorized. For more information about APF-authorized programs, see IBM's Assembler Services Guide.
- Stateless—Every API call is independent of any preceding or subsequent API call. There is no initialize or terminate call, no OPEN or CLOSE, and no connect or disconnect.
- Asynchronous and non-blocking interface—The API returns a return code to the calling program immediately, without waiting for the record to be formatted and transmitted. The record to be transmitted is stored in a location owned by BMC AMI Defender, so the calling program is free to modify its own record area without affecting the record just passed.
An asynchronous and non-blocking interface has both advantages and disadvantages:
- Performance advantage—TCP/IP communication is slow relative to the speed at which events can occur on z/OS.
- Verification disadvantage—A successful return code indicates only that the record was accepted for transmission. The calling program has no way of knowing whether the record was transmitted without errors.
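The overview says BMC AMI Defender formats each accepted record as an RFC 3164 syslog message. The following added example (not BMC AMI Defender code; all names, the host name, the tag and the event content are constructed for illustration) shows what that formatting involves: the PRI value computed from facility and severity, the fixed-width timestamp, and the 1024-byte packet limit that RFC 3164 imposes.

```c
/* Added example, not BMC AMI Defender code. Builds an RFC 3164 syslog
 * line of the kind the overview says Defender emits for a z/OS event.
 * Function names and sample values are assumptions for illustration. */
#include <stdio.h>
#include <string.h>

#define SYSLOG_MAX_LEN 1024   /* RFC 3164 section 4.1: maximum packet length */

/* PRI = facility * 8 + severity; returns -1 if either value is out of range. */
int syslog_pri(int facility, int severity)
{
    if (facility < 0 || facility > 23 || severity < 0 || severity > 7)
        return -1;
    return facility * 8 + severity;
}

/* Formats "<PRI>Mmm dd hh:mm:ss HOSTNAME TAG: CONTENT" into out.
 * timestamp must already be in the RFC 3164 "Mmm dd hh:mm:ss" form
 * (day padded with a space, e.g. "Oct  5 14:03:27"); hostname must not
 * contain spaces because the header is space-delimited.
 * Returns the message length, or -1 on bad input or if the result would
 * exceed the 1024-byte limit (a real sender would have to truncate). */
int format_rfc3164(char *out, size_t outlen, int facility, int severity,
                   const char *timestamp, const char *hostname,
                   const char *tag, const char *content)
{
    int pri = syslog_pri(facility, severity);
    if (pri < 0 || strlen(timestamp) != 15 || hostname[0] == '\0' ||
        strchr(hostname, ' ') != NULL || tag[0] == '\0')
        return -1;
    int n = snprintf(out, outlen, "<%d>%s %s %s: %s",
                     pri, timestamp, hostname, tag, content);
    if (n < 0 || (size_t)n >= outlen || n > SYSLOG_MAX_LEN)
        return -1;
    return n;
}

int main(void)
{
    char buf[2048];
    /* facility 4 (security/auth), severity 6 (informational) -> PRI 38 */
    int n = format_rfc3164(buf, sizeof buf, 4, 6, "Oct  5 14:03:27",
                           "MVSA", "AMIDEF", "constructed sample event record");
    if (n < 0)
        return 1;
    printf("%d bytes: %s\n", n, buf);
    return 0;
}
```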