Archive

How do I CIM tag mainframe Z/OS audit logs sent in via syslog?

SplunkTrust
SplunkTrust

This is actually a question I already the answer for, I just want to use the question/answer style to ensure it complies to the way this forum is setup.

This is how I achieved the CIM compliance for the z/OS mainframe audit logs sent via syslog (UDP traffic), hopefully someone will find this useful as CIM tagging data can be quite time consuming!

Please see the answer for the solution information.

0 Karma
1 Solution

SplunkTrust
SplunkTrust

This is the props.conf I used to achieve CIM compliance.

props.conf

[mainframe:audit]
FIELDALIAS-mainframe = category AS user whatDESC AS status onWhatDSNAME AS file_name fromWhereCONSOLE AS user
EVAL-command = coalesce(whatRACFCMD, whatACTION)
EVAL-object = coalesce(onWhatRACFCMD_NAME, whoNAME)
EVAL-object_id = coalesce(onWhatRACFCMD_USER, whoUSERID)
EVAL-user = coalesce(whoUSERID,fromWhereCONSOLE,category)
EXTRACT-result = Alert: (?P<result>.*)$
EXTRACT-audit_code = ^[^[]+ (?P<audit_code>[^ ]+) \[
EVAL-change_type = if(isnull(onWhatDSNAME),"AAA","filesystem")
EVAL-dest = coalesce(onWhatRACFCMD-USER,whereSYSTEM)

eventtypes.conf

[mainframe_audit_acct]
search = sourcetype=mainframe:audit object=* NOT onWhatDSNAME=*

[mainframe_audit_filesys]
search = sourcetype=mainframe:audit onWhatDSNAME=*

tags.conf

[eventtype=mainframe_audit_acct]
change = enabled
account = enabled

[eventtype=mainframe_audit_filesys]
change = enabled
endpoint = enabled

You may need to change this depending on your exact requirements but hopefully it helps someone...

View solution in original post

0 Karma

SplunkTrust
SplunkTrust

This is the props.conf I used to achieve CIM compliance.

props.conf

[mainframe:audit]
FIELDALIAS-mainframe = category AS user whatDESC AS status onWhatDSNAME AS file_name fromWhereCONSOLE AS user
EVAL-command = coalesce(whatRACFCMD, whatACTION)
EVAL-object = coalesce(onWhatRACFCMD_NAME, whoNAME)
EVAL-object_id = coalesce(onWhatRACFCMD_USER, whoUSERID)
EVAL-user = coalesce(whoUSERID,fromWhereCONSOLE,category)
EXTRACT-result = Alert: (?P<result>.*)$
EXTRACT-audit_code = ^[^[]+ (?P<audit_code>[^ ]+) \[
EVAL-change_type = if(isnull(onWhatDSNAME),"AAA","filesystem")
EVAL-dest = coalesce(onWhatRACFCMD-USER,whereSYSTEM)

eventtypes.conf

[mainframe_audit_acct]
search = sourcetype=mainframe:audit object=* NOT onWhatDSNAME=*

[mainframe_audit_filesys]
search = sourcetype=mainframe:audit onWhatDSNAME=*

tags.conf

[eventtype=mainframe_audit_acct]
change = enabled
account = enabled

[eventtype=mainframe_audit_filesys]
change = enabled
endpoint = enabled

You may need to change this depending on your exact requirements but hopefully it helps someone...

View solution in original post

0 Karma

Communicator

Thanks, this was very helpful

0 Karma

Explorer

Thanks, that saves us a lot of time !

0 Karma