Configuring IBM IMS

You can integrate IBM® IMS with QRadar:

Procedure

  1. From the IBM support website (http://www.ibm.com/support), download the following compressed file:

    QexIMS_bundled.tar.gz

  2. On a Linux®-based operating system, extract the file:

    tar -zxvf qexims_bundled.tar.gz

    The following files are contained in the archive:

    • qexims_jcl.txt - Job Control Language file
    • qeximsloadlib.trs - Compressed program library (requires IBM TRSMAIN)
    • qexims_trsmain_JCL.txt - Job Control Language for TRSMAIN to decompress the .trs file
  3. Load the files onto the IBM mainframe by using the following methods:

    Upload the sample qexims_trsmain_JCL.txt and qexims_jcl.txt files by using the TEXT protocol.

  4. Upload the qeximsloadlib.trs file by using BINARY mode transfer and append to a pre-allocated data set. The qeximsloadlib.trs file is a tersed file that contains the executable (the mainframe program QexIMS). When you upload the .trs file from a workstation, pre-allocate a file on the mainframe with the following DCB attributes: DSORG=PS, RECFM=FB, LRECL= 1024, BLKSIZE=6144. The file transfer type must be binary mode and not text.
    Note: QexIMS is a small C mainframe program that reads the output of the IMS log file (EARLOUT data) line by line. QexIMS adds a header to each record that contains event information, for example, record descriptor, the date, and time. The program places each field into the output record, suppresses trailing blank characters, and delimits each field with the pipe character. This output file is formatted for QRadar and the blank suppression reduces network traffic to QRadar. This program does not need much CPU or I/O disk resources.
  5. Customize the qexims_trsmain_JCL.txt file according to your installation-specific information for parameters.

    For example, jobcard, data set naming conventions, output destinations, retention periods, and space requirements.

    The qexims_trsmain_JCL.txt file uses the IBM utility TRSMAIN to extract the program that is stored in the qeximsloadlib.trs file.

    An example of the qexims_trsmain_JCL.txt file includes:

    //TRSMAIN JOB (yourvalidjobcard),Q1labs, 
    // MSGCLASS=V 
    //DEL EXEC PGM=IEFBR14 //D1 DD DISP=(MOD,DELETE),DSN=<yourhlq>.QEXIMS.TRS 
    // UNIT=SYSDA, // SPACE=(CYL,(10,10)) 
    //TRSMAIN EXEC PGM=TRSMAIN,PARM='UNPACK' 
    //SYSPRINT DD SYSOUT=*,DCB=(LRECL=133,BLKSIZE=12901,RECFM=FBA) 
    //INFILE DD DISP=SHR,DSN=<yourhlq>.QEXIMS.TRS 
    //OUTFILE DD DISP=(NEW,CATLG,DELETE), 
    // DSN=<yourhlq>.LOAD, // SPACE=(CYL,(1,1,5),RLSE),UNIT=SYSDA 
    //

    The .trs input file is an IBM TERSE formatted library and is extracted by running the JCL, which calls the TRSMAIN. This tersed file, when extracted, creates a PDS linklib with the qexims program as a member.

  6. You can STEPLIB to this library or choose to move the program to one of the LINKLIBs that are in LINKLST. The program does not require authorization.
  7. The qexims_jcl.txt file is a text file that contains a sample JCL. You must configure the job card to meet your configuration.

    The qexims_jcl.txt sample file includes:

    //QEXIMS JOB (T,JXPO,JKSD0093),DEV,NOTIFY=Q1JACK, 
    // MSGCLASS=P, 
    // REGION=0M //* //*QEXIMS JCL VERSION 1.0 FEBRUARY 2011 
    //* 
    //************************************************************ 
    //* Change dataset names to site specific dataset names *
    //************************************************************ 
    //SET1 SET IMSOUT='Q1JACK.QEXIMS.OUTPUT', 
    // IMSIN='Q1JACK.QEXIMS.INPUT.DATA' 
    //************************************************************ 
    //* Delete old datasets * 
    //************************************************************ 
    //DEL EXEC PGM=IEFBR14 //DD1 DD DISP=(MOD,DELETE),DSN=&IMSOUT, 
    // UNIT=SYSDA, // SPACE=(CYL,(10,10)), // DCB=(RECFM=FB,LRECL=80) 
    //************************************************************ 
    //* Allocate new dataset 
    //************************************************************ 
    //ALLOC EXEC PGM=IEFBR14 //DD1 DD DISP=(NEW,CATLG),DSN=&IMSOUT, 
    // SPACE=(CYL,(21,2)), 
    // DCB=(RECFM=VB,LRECL=1028,BLKSIZE=6144) 
    //EXTRACT EXEC PGM=QEXIMS,DYNAMNBR=10, 
    // TIME=1440 //STEPLIB DD DISP=SHR,DSN=Q1JACK.C.LOAD 
    //SYSTSIN DD DUMMY 
    //SYSTSPRT DD SYSOUT=* 
    //SYSPRINT DD SYSOUT=* //IMSIN DD DISP=SHR,DSN=&IMSIN 
    //IMSOUT DD DISP=SHR,DSN=&IMSOUT 
    //*FTP EXEC PGM=FTP,REGION=3800K //*INPUT DD * 
    //*<target server> 
    //*<USER> 
    //*<PASSWORD> 
    //*ASCII //*PUT '<IMSOUT>' /TARGET DIRECTORY>/<IMSOUT> 
    //*QUIT 
    //*OUTPUT DD SYSOUT=* //*SYSPRINT DD SYSOUT=* 
    //* 
  8. After the output file is created, you must make one of the following choices:
    • Schedule a job to transfer the output file to an interim FTP server.

    • Each time the job completes, the output file is forwarded to an interim FTP server. You must configure the following parameters in the sample JCL to successfully forward the output to an interim FTP server:

    For example:

    //*FTP EXEC PGM=FTP,REGION=3800K 
    //*INPUT DD * 
    //*<target server> 
    //*<USER> 
    //*<PASSWORD> //*ASCII //*PUT '<IMSOUT>' 
    /TARGET DIRECTORY>/<IMSOUT> 
    //*QUIT //*OUTPUT DD SYSOUT=* 
    //*SYSPRINT DD SYSOUT=*

    Where:

    • <target server> is the IP address or host name of the interim FTP server to receive the output file.
    • <USER> is the user name required to access the interim FTP server.
    • <PASSWORD> is the password required to access the interim FTP server.
    • <IMSOUT> is the name of the output file saved to the interim FTP server.

    For example:

    PUT 'Q1JACK.QEXIMS.OUTPUT.C320' /192.0.2.1/IMS/QEXIMS.OUTPUT.C320

    Note: You must remove commented lines that begin with //* for the script to properly forward the output file to the interim FTP server.

    You are now ready to configure the log file protocol.

  9. Schedule QRadar to retrieve the output file from IBM IMS.

    If the mainframe is configured to serve files through FTP, SFTP, or allow SCP, then no interim FTP server is required and QRadar can pull the output file directly from the mainframe. The following text must be commented out using //* or deleted from the qexims_jcl.txt file:

    //*FTP EXEC PGM=FTP,REGION=3800K //*INPUT DD * 
    //*<target server> 
    //*<USER> //*<PASSWORD> //*ASCII 
    //*PUT '<IMSOUT>' 
    /<TARGET DIRECTORY>/<IMSOUT> 
    //*QUIT //*OUTPUT DD SYSOUT=* 
    //*SYSPRINT DD SYSOUT=*

    You are now ready to configure the log file protocol.