Event record considerations

When processing event records, keep the following in mind. 

Event types

Every event BMC AMI Defender processes has both a major and a minor type.

Major types

Major types can be organizational or administrative. BMC usually assigns major type numbers to an organization or class of events. For example, both of the following statements can be true:

  • All SMF records constitute a single major type (3)
  • All API events generated by a single vendor partner constitute a single major type

To specify a major type you must perform both of the following actions:

  • When the event type number 3 is defined in CZDEFINE member, use the TYPE statement.
  • When the event record is called to API1, use the CZ1Major field in the API1 control block.

For more information, see TYPE-and-RETYPE-statements and Defining-fields.

For examples of major types, see the list of equate (EQU) names that follow CZ1Major in the sample API1 control block, in Calling the API through an assembler program.

Minor types

Minor types are arbitrary divisions of major types. For example, an individual SMF record type (for example, Type 80, Type 30, and others) constitutes a minor type event. 

To specify a minor type, perform one of the following actions:

  • When the event type is defined in CZDEFINE member, use the TYPE statement.
  • When the event record is called to API1, use the CZ1Minor field in the API1 control block.

Subtypes

Subtypes are optional divisions of minor types. You can use conditional formatting to specify that a particular field belongs to a particular minor type, but that the field is relevant only to one or more subtypes of that minor type.  For more information, see Conditional formatting.

Event record length

Event records cannot exceed the length specified in the CONFIG MAXEVENTLENgth option. For details, see CONFIG-statement. Even so, BMC recommends keeping event record lengths as short as possbile. This is helpful, for example, when the outgoing syslog message length is limited to 2,000 or fewer bytes and formatting data as syslog approximately doubles the number of bytes the data occupies.

Data field types

BMC AMI Defender supports a wide range of data field types. BMC might add more data field types on request. You can use Format specifications to define how data fields will be formatted during processing. For more information about each specification type, see Format Specifications.

Note

You can define the same data fields multiple times with different formatting options.

Record layouts

BMC AMI Defender uses Get specifications to specify where data fields are located in the processed event records. For the list of Get specifications, see Get-specifications.

Conditional formatting

You can use conditional formatting to define fields that are relevant only under certain conditions.

You can base conditional formatting on any addressable field in the record. However, basing conditional formatting on the event record subtype is particularly convenient.

You can base conditional formatting on multiple conditions joined with the boolean operators And and Or.

Example

An SMF 119 event record contains data that is formatted as either a character (LU name) field or a binary (IPv6 address) field. The format depends on whether another field contains an S or a T. Conditional formatting determines that if the field contains an S, the format is x, and if the field contains a T, the format is y.

Because of conditional formatting, certain fields might be present in an event record only for certain subtypes.

You can use condition specifications, like CSubTp, to define a field as belonging to a particular event minor type, but relevant only to one or more subtypes of that minor type. For additional options, see Condition-specifications.

Related topic

Using-the-API


 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*