Collection and processing of syslog data

Operations Manager may be configured to accept and process syslog data from any machine that supports forwarding syslog data. When Operations Manager receives syslog data, the data is processed in the same manner as SECUSER or OBSERVER data from a monitored user console: the data is filtered through the defined rules and triggers actions if any matching criteria are found. The collected syslog data may be viewed using the VIEWCON command.

To configure Linux, or other syslog-capable machines, to forward syslog data to another system, consult your Linux documentation. The data must be sent to the IP address of the system running Operations Manager.

To configure Operations Manager to process syslog data, issue the DEFIPCS command. DEFIPCS supports receiving syslog data using UDP and TCP protocol.
  • The processing program, GOMRSYL, supports receiving syslog data using UDP protocol.
  • The processing program, GOMRSYM, supports receiving syslog data using TCP protocol. The PTF for APAR PI74064 is required to use this function.
To process syslog data using TCP protocol, the syslog data must be formatted according to the “octet counting” framing outlined in RFC 6587. To support receiving syslog data using UDP and TCP protocol, use separate DEFIPCS commands. The following command is an example for UDP protocol:
DEFIPCS NAME RMTSYLGD +
APPL GOMRSYL +
USER TCPIP +
ADDR 0.0.0.0 +
PORT 514 +
PARM 'SYSLOG 03330417UTF8'
The command above starts the syslog processing program, GOMRSYL, provided by Operations Manager (APPL GOMRSYL) and instructs the program to listen on UDP port 514 (PORT 514) of any available IP address (ADDR 0.0.0.0) assigned to the TCP/IP service machine named TCPIP (USER TCPIP). The PARM field establishes the following information:
  • the user ID the syslog data is collected under (SYSLOG)
  • the ASCII to EBCDIC translation table used (03330417)
  • the ASCII encoding scheme (UTF8)
The following command is an example for TCP protocol:
DEFIPCS NAME RMTSYLOG +
APPL GOMRSYM +
USER TCPIP +
ADDR 0.0.0.0 +
PORT 610 +
PARM 'SYSLOG 03330417UTF8'
The command above starts the syslog processing program, GOMRSYM, provided by Operations Manager (APPL GOMRSYM) and instructs the program to listen on TCP port 610 (PORT 610) of any available IP address (ADDR 0.0.0.0) assigned to the TCP/IP service machine named TCPIP (USER TCPIP). The PARM field establishes the following information:
  • the user ID the syslog data is collected under (SYSLOG)
  • the ASCII to EBCDIC translation table used (03330417)
  • the ASCII encoding scheme (UTF8)
Notes:
  • The PARM value is column specific. The DEFIPCS command provides more information on the available PARM values.
  • Depending on your z/VM TCP/IP configuration, you may need to authorize OPMGRM1 (and any user ID running GOMMAIN) to use the ports specified in your DEFIPCS statements. Refer to the PORT or OBEY statements in the z/VM TCP/IP Planning and Customization (SC24-6125) documentation for information on enabling an application to use specific ports.
To view the collected syslog data, issue the VIEWCON command:
GOMCMD OPMGRM1 VIEWCON USER SYSLOG  
where OPMGRM1 is the user ID of the Operations Manager server running GOMMAIN.
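
The RFC 6587 octet-counting framing that the TCP listener (GOMRSYM) requires can be checked on the sending side before pointing a forwarder at it; the sketch below frames messages as MSG-LEN SP SYSLOG-MSG and rejects a stream that is not framed that way. It is an added example, not Operations Manager or IBM code, and the function names, the MAX_LEN limit and the sample messages are assumptions constructed for illustration.

```python
# Added example (not IBM code): RFC 6587 octet counting, MSG-LEN SP SYSLOG-MSG.
MAX_LEN = 8192  # assumed sanity limit for this example, not a product value


def frame(msg: str) -> bytes:
    """Frame one message; MSG-LEN counts UTF-8 octets, not characters."""
    body = msg.encode("utf-8")
    return str(len(body)).encode("ascii") + b" " + body


def deframe(stream: bytes):
    """Split received bytes into (messages, leftover).

    leftover is an incomplete trailing frame to prepend to the next read.
    Raises ValueError when the data is not octet-counted.
    """
    messages, pos = [], 0
    while pos < len(stream):
        end = pos
        while stream[end:end + 1].isdigit():
            end += 1
        digits = stream[pos:end]
        if not digits or digits.startswith(b"0") or len(digits) > len(str(MAX_LEN)):
            raise ValueError(f"no valid MSG-LEN at offset {pos}")
        if end == len(stream):
            break  # length prefix split across two reads
        if stream[end:end + 1] != b" " or int(digits) > MAX_LEN:
            raise ValueError(f"bad frame header at offset {pos}")
        start, stop = end + 1, end + 1 + int(digits)
        if stop > len(stream):
            break  # message body not fully received yet
        messages.append(stream[start:stop])
        pos = stop
    return messages, stream[pos:]


if __name__ == "__main__":
    # Constructed sample messages; "café" is 4 characters but 5 octets.
    a, b = "<13>lnx01 app: café started", "<11>lnx01 app: disk full"
    data = frame(a) + frame(b)
    print(deframe(data))              # both messages, no leftover
    print(deframe(data[:-4]))         # second frame held back as leftover
    try:
        deframe((a + "\n").encode())  # newline-delimited, not octet-counted
    except ValueError as err:
        print("rejected:", err)
```

A forwarder that counts characters instead of octets, or that delimits messages with a trailing newline, fails this check on the first frame boundary after a multi-byte UTF-8 character.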