Getting Data In

How do I CIM tag mainframe Z/OS audit logs sent in via syslog?

gjanders
SplunkTrust
SplunkTrust

This is actually a question I already the answer for, I just want to use the question/answer style to ensure it complies to the way this forum is setup.

This is how I achieved the CIM compliance for the z/OS mainframe audit logs sent via syslog (UDP traffic), hopefully someone will find this useful as CIM tagging data can be quite time consuming!

Please see the answer for the solution information.

1 Solution

gjanders
SplunkTrust
SplunkTrust

This is the props.conf I used to achieve CIM compliance.

props.conf

[mainframe:audit]
FIELDALIAS-mainframe = category AS user whatDESC AS status onWhatDSNAME AS file_name fromWhereCONSOLE AS user
EVAL-command = coalesce(whatRACFCMD, whatACTION)
EVAL-object = coalesce(onWhatRACFCMD_NAME, whoNAME)
EVAL-object_id = coalesce(onWhatRACFCMD_USER, whoUSERID)
EVAL-user = coalesce(whoUSERID,fromWhereCONSOLE,category)
EXTRACT-result = Alert: (?P<result>.*)$
EXTRACT-audit_code = ^[^[]+ (?P<audit_code>[^ ]+) \[
EVAL-change_type = if(isnull(onWhatDSNAME),"AAA","filesystem")
EVAL-dest = coalesce(onWhatRACFCMD-USER,whereSYSTEM)

eventtypes.conf

[mainframe_audit_acct]
search = sourcetype=mainframe:audit object=* NOT onWhatDSNAME=*

[mainframe_audit_filesys]
search = sourcetype=mainframe:audit onWhatDSNAME=*

tags.conf

[eventtype=mainframe_audit_acct]
change = enabled
account = enabled

[eventtype=mainframe_audit_filesys]
change = enabled
endpoint = enabled

You may need to change this depending on your exact requirements but hopefully it helps someone...

View solution in original post

gjanders
SplunkTrust
SplunkTrust

This is the props.conf I used to achieve CIM compliance.

props.conf

[mainframe:audit]
FIELDALIAS-mainframe = category AS user whatDESC AS status onWhatDSNAME AS file_name fromWhereCONSOLE AS user
EVAL-command = coalesce(whatRACFCMD, whatACTION)
EVAL-object = coalesce(onWhatRACFCMD_NAME, whoNAME)
EVAL-object_id = coalesce(onWhatRACFCMD_USER, whoUSERID)
EVAL-user = coalesce(whoUSERID,fromWhereCONSOLE,category)
EXTRACT-result = Alert: (?P<result>.*)$
EXTRACT-audit_code = ^[^[]+ (?P<audit_code>[^ ]+) \[
EVAL-change_type = if(isnull(onWhatDSNAME),"AAA","filesystem")
EVAL-dest = coalesce(onWhatRACFCMD-USER,whereSYSTEM)

eventtypes.conf

[mainframe_audit_acct]
search = sourcetype=mainframe:audit object=* NOT onWhatDSNAME=*

[mainframe_audit_filesys]
search = sourcetype=mainframe:audit onWhatDSNAME=*

tags.conf

[eventtype=mainframe_audit_acct]
change = enabled
account = enabled

[eventtype=mainframe_audit_filesys]
change = enabled
endpoint = enabled

You may need to change this depending on your exact requirements but hopefully it helps someone...

becksyboy
Communicator

Thanks, this was very helpful

0 Karma

jdumont33
Explorer

Thanks, that saves us a lot of time !

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...