Getting Data In

How do I CIM tag mainframe Z/OS audit logs sent in via syslog?

gjanders
SplunkTrust
SplunkTrust

This is actually a question I already the answer for, I just want to use the question/answer style to ensure it complies to the way this forum is setup.

This is how I achieved the CIM compliance for the z/OS mainframe audit logs sent via syslog (UDP traffic), hopefully someone will find this useful as CIM tagging data can be quite time consuming!

Please see the answer for the solution information.

1 Solution

gjanders
SplunkTrust
SplunkTrust

This is the props.conf I used to achieve CIM compliance.

props.conf

[mainframe:audit]
FIELDALIAS-mainframe = category AS user whatDESC AS status onWhatDSNAME AS file_name fromWhereCONSOLE AS user
EVAL-command = coalesce(whatRACFCMD, whatACTION)
EVAL-object = coalesce(onWhatRACFCMD_NAME, whoNAME)
EVAL-object_id = coalesce(onWhatRACFCMD_USER, whoUSERID)
EVAL-user = coalesce(whoUSERID,fromWhereCONSOLE,category)
EXTRACT-result = Alert: (?P<result>.*)$
EXTRACT-audit_code = ^[^[]+ (?P<audit_code>[^ ]+) \[
EVAL-change_type = if(isnull(onWhatDSNAME),"AAA","filesystem")
EVAL-dest = coalesce(onWhatRACFCMD-USER,whereSYSTEM)

eventtypes.conf

[mainframe_audit_acct]
search = sourcetype=mainframe:audit object=* NOT onWhatDSNAME=*

[mainframe_audit_filesys]
search = sourcetype=mainframe:audit onWhatDSNAME=*

tags.conf

[eventtype=mainframe_audit_acct]
change = enabled
account = enabled

[eventtype=mainframe_audit_filesys]
change = enabled
endpoint = enabled

You may need to change this depending on your exact requirements but hopefully it helps someone...

View solution in original post

gjanders
SplunkTrust
SplunkTrust

This is the props.conf I used to achieve CIM compliance.

props.conf

[mainframe:audit]
FIELDALIAS-mainframe = category AS user whatDESC AS status onWhatDSNAME AS file_name fromWhereCONSOLE AS user
EVAL-command = coalesce(whatRACFCMD, whatACTION)
EVAL-object = coalesce(onWhatRACFCMD_NAME, whoNAME)
EVAL-object_id = coalesce(onWhatRACFCMD_USER, whoUSERID)
EVAL-user = coalesce(whoUSERID,fromWhereCONSOLE,category)
EXTRACT-result = Alert: (?P<result>.*)$
EXTRACT-audit_code = ^[^[]+ (?P<audit_code>[^ ]+) \[
EVAL-change_type = if(isnull(onWhatDSNAME),"AAA","filesystem")
EVAL-dest = coalesce(onWhatRACFCMD-USER,whereSYSTEM)

eventtypes.conf

[mainframe_audit_acct]
search = sourcetype=mainframe:audit object=* NOT onWhatDSNAME=*

[mainframe_audit_filesys]
search = sourcetype=mainframe:audit onWhatDSNAME=*

tags.conf

[eventtype=mainframe_audit_acct]
change = enabled
account = enabled

[eventtype=mainframe_audit_filesys]
change = enabled
endpoint = enabled

You may need to change this depending on your exact requirements but hopefully it helps someone...

becksyboy
Communicator

Thanks, this was very helpful

0 Karma

jdumont33
Explorer

Thanks, that saves us a lot of time !

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...