Solved: How do I CIM tag mainframe Z/OS audit logs sent in...

gjanders · ‎09-15-2016

This is actually a question I already the answer for, I just want to use the question/answer style to ensure it complies to the way this forum is setup.

This is how I achieved the CIM compliance for the z/OS mainframe audit logs sent via syslog (UDP traffic), hopefully someone will find this useful as CIM tagging data can be quite time consuming!

Please see the answer for the solution information.

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud

gjanders · ‎09-15-2016

This is the props.conf I used to achieve CIM compliance.

props.conf

[mainframe:audit]
FIELDALIAS-mainframe = category AS user whatDESC AS status onWhatDSNAME AS file_name fromWhereCONSOLE AS user
EVAL-command = coalesce(whatRACFCMD, whatACTION)
EVAL-object = coalesce(onWhatRACFCMD_NAME, whoNAME)
EVAL-object_id = coalesce(onWhatRACFCMD_USER, whoUSERID)
EVAL-user = coalesce(whoUSERID,fromWhereCONSOLE,category)
EXTRACT-result = Alert: (?P<result>.*)$
EXTRACT-audit_code = ^[^[]+ (?P<audit_code>[^ ]+) \[
EVAL-change_type = if(isnull(onWhatDSNAME),"AAA","filesystem")
EVAL-dest = coalesce(onWhatRACFCMD-USER,whereSYSTEM)

eventtypes.conf

[mainframe_audit_acct]
search = sourcetype=mainframe:audit object=* NOT onWhatDSNAME=*

[mainframe_audit_filesys]
search = sourcetype=mainframe:audit onWhatDSNAME=*

tags.conf

[eventtype=mainframe_audit_acct]
change = enabled
account = enabled

[eventtype=mainframe_audit_filesys]
change = enabled
endpoint = enabled

You may need to change this depending on your exact requirements but hopefully it helps someone...

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud

View solution in original post

gjanders · ‎09-15-2016

This is the props.conf I used to achieve CIM compliance.

props.conf

[mainframe:audit]
FIELDALIAS-mainframe = category AS user whatDESC AS status onWhatDSNAME AS file_name fromWhereCONSOLE AS user
EVAL-command = coalesce(whatRACFCMD, whatACTION)
EVAL-object = coalesce(onWhatRACFCMD_NAME, whoNAME)
EVAL-object_id = coalesce(onWhatRACFCMD_USER, whoUSERID)
EVAL-user = coalesce(whoUSERID,fromWhereCONSOLE,category)
EXTRACT-result = Alert: (?P<result>.*)$
EXTRACT-audit_code = ^[^[]+ (?P<audit_code>[^ ]+) \[
EVAL-change_type = if(isnull(onWhatDSNAME),"AAA","filesystem")
EVAL-dest = coalesce(onWhatRACFCMD-USER,whereSYSTEM)

eventtypes.conf

[mainframe_audit_acct]
search = sourcetype=mainframe:audit object=* NOT onWhatDSNAME=*

[mainframe_audit_filesys]
search = sourcetype=mainframe:audit onWhatDSNAME=*

tags.conf

[eventtype=mainframe_audit_acct]
change = enabled
account = enabled

[eventtype=mainframe_audit_filesys]
change = enabled
endpoint = enabled

You may need to change this depending on your exact requirements but hopefully it helps someone...

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud

becksyboy · ‎10-09-2018

Thanks, this was very helpful

jdumont33 · ‎03-17-2017

Thanks, that saves us a lot of time !

How do I CIM tag mainframe Z/OS audit logs sent in via syslog?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life