This is actually a question I already the answer for, I just want to use the question/answer style to ensure it complies to the way this forum is setup.
This is how I achieved the CIM compliance for the z/OS mainframe audit logs sent via syslog (UDP traffic), hopefully someone will find this useful as CIM tagging data can be quite time consuming!
Please see the answer for the solution information.
This is the props.conf I used to achieve CIM compliance.
props.conf
[mainframe:audit]
FIELDALIAS-mainframe = category AS user whatDESC AS status onWhatDSNAME AS file_name fromWhereCONSOLE AS user
EVAL-command = coalesce(whatRACFCMD, whatACTION)
EVAL-object = coalesce(onWhatRACFCMD_NAME, whoNAME)
EVAL-object_id = coalesce(onWhatRACFCMD_USER, whoUSERID)
EVAL-user = coalesce(whoUSERID,fromWhereCONSOLE,category)
EXTRACT-result = Alert: (?P<result>.*)$
EXTRACT-audit_code = ^[^[]+ (?P<audit_code>[^ ]+) \[
EVAL-change_type = if(isnull(onWhatDSNAME),"AAA","filesystem")
EVAL-dest = coalesce(onWhatRACFCMD-USER,whereSYSTEM)
eventtypes.conf
[mainframe_audit_acct]
search = sourcetype=mainframe:audit object=* NOT onWhatDSNAME=*
[mainframe_audit_filesys]
search = sourcetype=mainframe:audit onWhatDSNAME=*
tags.conf
[eventtype=mainframe_audit_acct]
change = enabled
account = enabled
[eventtype=mainframe_audit_filesys]
change = enabled
endpoint = enabled
You may need to change this depending on your exact requirements but hopefully it helps someone...
This is the props.conf I used to achieve CIM compliance.
props.conf
[mainframe:audit]
FIELDALIAS-mainframe = category AS user whatDESC AS status onWhatDSNAME AS file_name fromWhereCONSOLE AS user
EVAL-command = coalesce(whatRACFCMD, whatACTION)
EVAL-object = coalesce(onWhatRACFCMD_NAME, whoNAME)
EVAL-object_id = coalesce(onWhatRACFCMD_USER, whoUSERID)
EVAL-user = coalesce(whoUSERID,fromWhereCONSOLE,category)
EXTRACT-result = Alert: (?P<result>.*)$
EXTRACT-audit_code = ^[^[]+ (?P<audit_code>[^ ]+) \[
EVAL-change_type = if(isnull(onWhatDSNAME),"AAA","filesystem")
EVAL-dest = coalesce(onWhatRACFCMD-USER,whereSYSTEM)
eventtypes.conf
[mainframe_audit_acct]
search = sourcetype=mainframe:audit object=* NOT onWhatDSNAME=*
[mainframe_audit_filesys]
search = sourcetype=mainframe:audit onWhatDSNAME=*
tags.conf
[eventtype=mainframe_audit_acct]
change = enabled
account = enabled
[eventtype=mainframe_audit_filesys]
change = enabled
endpoint = enabled
You may need to change this depending on your exact requirements but hopefully it helps someone...
Thanks, this was very helpful
Thanks, that saves us a lot of time !