Limited support: BMC provides limited support for this version of the product. As a result, BMC no longer accepts comments in this space. If you encounter problems with the product version or the space, contact BMC Support. BMC recommends upgrading to the latest version of the product. To see documentation for that version, see BMC AMI Datastream for z/OS 7.1.

Customizing for a proprietary syslog extension

This topic describes how to customize BMC AMI Defender for z/OS to be compatible with the following SIEM products and output formats:

  • ArcSight
  • RSA Security Analytics
  • IBM Security QRadar
  • JSON
  • Splunk

Selecting product compatibility

To make BMC AMI Defender compatible with the listed SIEM products, begin your testing by customizing the $$$SERVR member in your amihlq.CZAGENT.PARM data set. The amihlq variable is the high-level qualifier that you choose during installation.

The following code shows the $$$SERVR member:

;**********************************************************************;
;**********************************************************************;
; $$$SERVR: User agent parameter member for BMC AMI Defender           ;
;           This is a copy of CZASERVR and made available for          ;
;           user modification.  It will be included in CZAPARMS        ;
; SIEMTYPE-independent                                                 ;
; Copyright 2014-2018, 2019-2021 BMC Software, Inc.                    ;
;**********************************************************************;
;**********************************************************************;

SAY "v6.1.00 Updated 29 Sep 2021"

; Options dependent on SIEM type
OPTIONS IF(CEF)     SIEM(CEF)     TIMESTAMP +
        INSTNAME(CEF.Agent)
OPTIONS IF(JSON)    SIEM(JSON)              +
        INSTNAME(Agent.JSON)
OPTIONS IF(LEEF)    SIEM(LEEF)    TIMESTAMP +
        INSTNAME(LEEF.Agent)
OPTIONS IF(RFC3164) SIEM(RFC3164) TIMESTAMP +
        INSTNAME(SIEM.Agent)
OPTIONS IF(Splunk)  SIEM(Splunk)  TIMESTAMP +
        INSTNAME(Agent.for.Splunk)
OPTIONS IF(ADELOG)  SIEM(ADELOG)            +
        INSTNAME(Agent.ADELog)
OPTIONS IF(ADEINFLUX) SIEM(ADEINFLUX)       +
        INSTNAME(Agent.ADEInf)

OPTIONS SWAP(NO)              ; Recommended default is NO
;OPTIONS NONCANCELABLE         ; Agent is non-cancelable
OPTIONS QUEUE64(1024)         ; 1GB default

OPTIONS IF(SIV)  SIVSCANNER        ; Enable System Integrity Scanner
OPTIONS IF(-SIV) NOSIVSCANNER      ; Disable System Integrity Scanner
OPTIONS IF(ADELOG) NOSIVSCANNER    ; Disable System Integrity Scanner
OPTIONS IF(ADEINFLUX) NOSIVSCANNER ; Disable System Integrity Scanner
OPTIONS IF(USSENRICH) USSENRich    ; Enable USS Privileges Enrichment
OPTIONS IF(-USSENRICH) NOUSSENRich ; Disable USS Privileges Enrichment
OPTIONS IF(ADELOG) NOUSSENRich     ; Disable USS Privileges Enrichment
OPTIONS IF(ADEINFLUX) NOUSSENRich  ; Disable USS Privileges Enrichment

OPTIONS IF(Splunk) UNIQUETAG       ; Make repeating field tags unique
OPTIONS IF(JSON) UNIQUETAG         ; Make repeating field tags unique
OPTIONS IF(ADELOG) UNIQUETAG       ; Make repeating field tags unique

; ---------------------------------------------------------------------
; Uncomment the following OPTIONS if you are connecting
; to the BMC AMI Command Center or BMC AMI SyslogDefender
; with SERVER TRANS(TCP)
; ---------------------------------------------------------------------
;OPTIONS FRAMING(OCTETCOUNT) ; Framing (LF,CR,CRLF,NULL,OCTETCOUNT)

; ---------------------------------------------------------------------
;  You must uncomment (remove the semi-colon(;)) from one of the SERVER
;  statements below
; ---------------------------------------------------------------------
; ---------------------------------------------------------------------
; RFC3164
; ---------------------------------------------------------------------
;SERVER ip.addr.example TRANS(UDP) MAXMSG(2000) ; You MUST edit per doc

; ---------------------------------------------------------------------
; CEF - TRANS(TCP) Recommended
; ---------------------------------------------------------------------
;SERVER ip.addr.example TRANS(TCP) MAXMSG(2000) ; You MUST edit per doc

; ---------------------------------------------------------------------
; JSON - TRANS(TCP) Recommended
; ---------------------------------------------------------------------
;SERVER ip.addr.example TRANS(TCP) MAXMSG(3000) ; You MUST edit per doc

; ---------------------------------------------------------------------
; LEEF - TRANS(TCP) Required by QRadar
; ---------------------------------------------------------------------
;SERVER ip.addr.example TRANS(TCP) MAXMSG(2000) ; You MUST edit per doc

; ---------------------------------------------------------------------
; SPLUNK - TRANS(TCP) Recommended
; ---------------------------------------------------------------------
;SERVER ip.addr.example TRANS(TCP) MAXMSG(3000) ; You MUST edit per doc

; ---------------------------------------------------------------------
; ADELog - TRANS(ADE) Required
; ---------------------------------------------------------------------
;SERVER BMC.ADE.Log.Service.URL +
; APIKEY(123-456-7890) +
; TRANS(ADE) MAXMSG(32768)

; ---------------------------------------------------------------------
; ADEInflux - TRANS(ADE) Required
; ---------------------------------------------------------------------
;SERVER BMC.ADE.InfluxDB.Service.URL +
; APIKEY(123-456-7890) +
; TRANS(ADE) MAXMSG(32768)

; ---------------------------------------------------------------------
; Uncomment and edit the following TIME statement if desired
; ---------------------------------------------------------------------
; TIME UTC   DUR(ISO8601_T)  TIMEOFDAY(ISO8601_T) ZONE(TZ)

; ---------------------------------------------------------------------
; Uncomment the following lines if you want a local (on CZAGENT's LPAR)
; copy of the transmitted Syslog messages. See "The LOCAL Statement"
; in "Appendix A: Parameter File Reference" of the CZAGENT Users Manual
; The parameter values shown are defaults and may not be optimal for
; your installation.
; ---------------------------------------------------------------------
; LOCAL DATASET(*) +
;       FOLD(133) +
;       MOD       +
;       REOPEN(MIDNIGHT) +
;       SPACE(TRK 10 10 0)

; ---------------------------------------------------------------------
;  Uncomment the following to enable XCF communication
;  between BMC AMI Defender for z/OS servers
; ---------------------------------------------------------------------
SYSPLEX +
        GROUPNAME(AMIZOS)         ; Sysplex group name

Note

CZAPARMS contains various select statements controlled by the configuration switches in $$$CONFG, described in the following section. BMC recommends that you enable selections through the $$$CONFG switches only and avoid modifying CZAPARMS.

Specifying the configuration type

With the PARM file member named $$$CONFG, you can control the SIEM type and other optional record definitions by setting switches.

To enable the SIEM type and other record definitions, uncomment (remove the leading semicolon) the required switches. Ensure that you enable only one SIEM type.

The following code shows the $$$CONFG member:

;**********************************************************************;
;**********************************************************************;
; $$$CONFG: Field configuration member for BMC AMI Defender            ;
;           This is a copy of CZDCONFG and made available for          ;
;           user modification.  It will be included in CZDEFINE        ;
; SIEMTYPE-independent                                                 ;
; Copyright 2014-2018, 2019-2020 BMC Software, Inc.                    ;
; DRAID-882 - Added SIV option switch                                  ;
;**********************************************************************;
;**********************************************************************;

SAY "v6.1.00 Updated 29 SEP 2021"

;**********************************************************************;
; Do NOT place any statements in this member unless they are acceptable
; BOTH as definition and parameter statements as this member is
; used by both CZDEFINE and CZAPARMS.
;**********************************************************************;

;**********************************************************************;
; Switches for setting the SIEM type. Uncomment ONE and ONLY ONE of the
; following statements
;**********************************************************************;
; SWITCH ON(RFC3164)     ; Uncomment for SIEM type RFC 3164
; SWITCH ON(CEF)         ; Uncomment for SIEM type CEF
; SWITCH ON(JSON)        ; Uncomment for SIEM type JSON
; SWITCH ON(LEEF)        ; Uncomment for SIEM type LEEF
; SWITCH ON(Splunk)      ; Uncomment for SIEM type Splunk
; SWITCH ON(DAM)         ; Uncomment for SIEM type DAM
; SWITCH ON(ADELOG)      ; Uncomment for SIEM type ADELog
; SWITCH ON(ADEINFLUX)   ; Uncomment for SIEM type ADEInflux

;**********************************************************************;
; Switches for the inclusion of various optional support
; Uncomment as desired by replacing the semi-colon (;) in column 1
; with a space.
;**********************************************************************;
; SWITCH ON(Abend-AID)   ; Compuware Abend-AID
; SWITCH ON(Action)      ; Action Software EventAction SMF Type 249
; SWITCH ON(SessMon)     ; BMC Security Session Monitor
; SWITCH ON(ChangeMan)   ; Micro Focus ChangeMan
; SWITCH ON(SS)          ; SuperSession
; SWITCH ON(BACKLOG)     ; BACKLOG messages
; SWITCH ON(CONSOLE)     ; Selected CONSOLE messages
; SWITCH ON(VMCON)       ; Selected VM Console Messages
; SWITCH ON(VMSEC)       ; Selected VM Secure Messages
; SWITCH ON(VMRACF)      ; VM SMF 80 RACF fields
; SWITCH ON(GENERIC)     ; For CZALDFIL
; SWITCH ON(IND$FILE)    ; API1 IND$FILE
; SWITCH ON(JOBLOG)      ; Process local/CZAJOBLG SYSOUT
; SWITCH ON(LOCALJL)     ; Enable Local JOBLOG support
                         ; LOCALJL requires JOBLOG switch
; SWITCH ON(LSPACE)      ; CZALSPAC
; SWITCH ON(MODIFY)      ; MODIFY from API1--see manual
; SWITCH ON(BMCAMI)      ; BMC AMI IND$FILE SMF 202 records
; SWITCH ON(DIAG)        ; Diagnostic message display
; SWITCH ON(IFCID002)    ; DB2 IFCID 002
; SWITCH ON(IFCID003)    ; DB2 IFCID 003
; SWITCH ON(MQ)          ; SMF Type 115 and 116 (MQ Series)
; SWITCH ON(RMF)         ; RMF: SMF Types 70 through 79
; SWITCH ON(JES)         ; JES2/3 SMF types 26, 43, 55-58
; SWITCH ON(OA57466)     ; IF APAR OA57466 applied (SMF26)
; SWITCH ON(TSO)         ; SMF 32 and 119
; SWITCH ON(USS)         ; SMF 109
; SWITCH ON(CRYPTO)      ; SMF 82
; SWITCH ON(SMF113)      ; SMF Type 113
; SWITCH ON(SMF30CPU)    ; SMF Type 30 CPU reporting
; SWITCH ON(SMF30STO)    ; SMF Type 30 Storage reporting
; SWITCH ON(SMF89)       ; SMF Type 89
; SWITCH ON(IMSLOG)      ; IMS Log Record Events
; SWITCH ON(IMSConn)     ; IMS Connect Events
; SWITCH ON(LOG4J)       ; Log4j data from CZALDFIL
; SWITCH ON(VSAM)        ; Enable VSAM SMF types 60/62/64
; SWITCH ON(RACF)        ; Enable RACF Type 80/81/83
; SWITCH ON(TOPSECRET)   ; Enable TopSecret Record types 80/231
; SWITCH ON(ACF2)        ; Enable ACF/2 Record data/type 230
; SWITCH ON(OPS)         ; Enable Operations Events
; SWITCH ON(FAM)         ; Enable File Access Monitoring
; SWITCH ON(ICF)         ; Enable Integrated Catalog Facility
; SWITCH ON(DEVICE)      ; Enable Device SMF types 8, 9, 11 and 22
; SWITCH ON(DB2)         ; Enable DB2 SMF 100, 101, 102 collection
; SWITCH ON(CICS)        ; Enable CICS SMF 110 collection
; SWITCH ON(IBMHttp)     ; IBM HTTP Server SMF Type 103
; SWITCH ON(WebSphere)   ; Enable WebSphere SMF Type 120
; SWITCH ON(HMC)         ; HMC SMF Type 106 BCPii
; SWITCH ON(CD)          ; Connect Direct SMF 132
; SWITCH ON(SPM)         ; Policy Manager data
; SWITCH ON(AUTOMATE)    ; Enable Alert Automation
; SWITCH ON(RECEIVER)    ; Enable VM Receiver
; SWITCH ON(AMIOPS)      ; AMI Ops Events
; SWITCH ON(PAM)         ; Privileged Access Manager
; SWITCH ON(SIV)         ; System Integrity Violation Scanner
; SWITCH ON(USSENRICH)   ; USS Privileges Enrichment
; SWITCH ON(LOADFILE)    ; Loadfile Events
; SWITCH ON(SMF123)      ; SMF Type 123
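Both members above are edited by hand, and the two rules the comments state (one and only one SIEM type switch in $$$CONFG, LOCALJL only together with JOBLOG) plus the SERVER requirements in $$$SERVR (exactly one active SERVER, TCP for LEEF, TRANS(ADE) for the ADE types) are easy to get wrong, which silently stops the SIEM feed. The following checker is an added example, not BMC code; it assumes the member syntax shown on this page (a semicolon starts a comment, a trailing plus sign continues a statement) and uses constructed sample members.

```python
import re

# Rules taken from the member comments on this page:
SIEM_TYPES = {"RFC3164", "CEF", "JSON", "LEEF", "SPLUNK", "DAM", "ADELOG", "ADEINFLUX"}
REQUIRES = {"LOCALJL": "JOBLOG"}                      # "LOCALJL requires JOBLOG switch"
SERVER_TRANS = {"LEEF": "TCP", "ADELOG": "ADE", "ADEINFLUX": "ADE"}  # "Required" in $$$SERVR

def statements(member_text):
    """Yield logical statements: ';' starts a comment (in column 1 it comments
    out the whole line) and a trailing '+' continues the statement."""
    pending = ""
    for raw in member_text.splitlines():
        code = raw.split(";", 1)[0].strip()
        if not code:
            continue
        if code.endswith("+"):
            pending += code[:-1] + " "
            continue
        yield (pending + code).upper()
        pending = ""

def active_switches(member_text):
    return {m.group(1) for s in statements(member_text)
            for m in re.finditer(r"\bSWITCH\s+ON\(([^)]+)\)", s)}

def check_confg(confg_text):
    """Problems in $$$CONFG; an empty list means the switches are consistent."""
    on, problems = active_switches(confg_text), []
    siem = on & SIEM_TYPES
    if len(siem) != 1:
        problems.append(f"expected exactly one SIEM type switch, found {sorted(siem)}")
    problems += [f"{sw} requires {need}" for sw, need in REQUIRES.items()
                 if sw in on and need not in on]
    return problems

def check_servr(servr_text, siem_type):
    """Problems in $$$SERVR given the SIEM type chosen in $$$CONFG."""
    servers = [s for s in statements(servr_text) if s.startswith("SERVER ")]
    problems = [] if len(servers) == 1 else [f"expected one active SERVER, found {len(servers)}"]
    need = SERVER_TRANS.get(siem_type.upper())
    for s in servers:
        m = re.search(r"TRANS\((\w+)\)", s)
        trans = m.group(1) if m else "none"
        if need and trans != need:
            problems.append(f"{siem_type} requires TRANS({need}), found TRANS({trans})")
    return problems

# Constructed sample members (not from a real system): two SIEM switches are on,
# LOCALJL is on without JOBLOG, and the LEEF server was left on UDP.
CONFG = " SWITCH ON(LEEF)   ; LEEF\n SWITCH ON(Splunk) ; Splunk\n SWITCH ON(LOCALJL)\n; SWITCH ON(JOBLOG)\n"
SERVR = "SERVER ip.addr.example TRANS(UDP) +\n       MAXMSG(2000) ; edited\n;SERVER other TRANS(TCP)\n"

if __name__ == "__main__":
    print(check_confg(CONFG) + check_servr(SERVR, "LEEF"))
```

Run it against the real members by reading them from the PARM data set (for example, after copying them to a USS file) instead of the constructed strings.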