Optional customization of the SIEM data

This section describes optional configuration that changes the text-formatted SMF data to better meet the installation's logging requirements.

Three installation exit members let you change the contents of the text-formatted SMF data:
  1. Changing the contents or formatting of fields for most record types, and making other global changes.
  2. Excluding events and record types from the audit trail.
  3. Adding installation-defined (custom) records to the audit trail.

Initialization exit

QRadar® member CKQ0ES.
ArcSight member CKQCEF#0.

This member is included at the start of processing. Use it, for example, when IBM® or vendor software writes badly formatted SMF records that cause errors. In that case, IBM Software Support can supply a set of CARLa statements that work around the problem until the vendor corrects the records or a more permanent solution is built.

You can also use this member to set the correct CCSID for translating, for example, double-byte character set (DBCS) characters to UTF-8. For Japanese Latin extended Unicode, include the following CARLa statement:
OPTION MY_CCSID=1399

Record suppression exit

QRadar member CKQXES.
ArcSight member CKQCEF#X.

This member contains installation-specific EXCLUDE statements for the SMF selection. Each EXCLUDE statement removes every matching SMF record from all newlists that generate text-formatted records, so be very precise with these conditions, or the effect might be wider than you aimed for: a record excluded here never reaches the SIEM. The following examples show CARLa EXCLUDE statements that suppress event data caused by user George:
  • Suppress all events that George generates:
    exclude user=George
  • Suppress all of George's events that are described as violations. Today these are the events where RACF® returned return code 8, but because the condition is not limited to RACF records, it can in the future also match non-RACF violation records:
    exclude user=George desc=viol
  • To exclude only George's DATASET access violations:
    exclude user=George event=access(viol) class=dataset
  • To exclude all DATASET and RESOURCE access that was granted to George because of the OPERATIONS attribute, while keeping the RACF commands that George issued by virtue of OPERATIONS:
    exclude user=George event=access(success) racfauth=operations
The following examples show CARLa EXCLUDE statements that can be used to suppress events for a list of user IDs:
  • To exclude all successful RACF event codes between 1 and 7 for specific user IDs:
    exclude user=(known,user,ids), access<=read, desc=success event=allsvc(success)
  • To exclude successful access recording for specific user IDs:
    exclude user=(known,user,ids) access<=read, desc=success
    Valid values for the ACCESS field in NEWLIST TYPE=SMF, from lowest to highest, are N/A, NONE, EXECUTE, READ, UPDATE, CONTROL, ALTER, and OWNER, as described in the table SMF record ACCESS field - available values; see the field descriptions for the SMF newlist in zSecure CARLa SELECT/LIST Fields. Coding access<=read therefore suppresses only successful access at READ or below; UPDATE and higher levels of access remain in the text-formatted records.
The following example shows a CARLa EXCLUDE statement that suppresses events based on SMF record type. To exclude the READ logging in all SMF type 14 records and in subtype 1 of SMF type 92 records:
exclude type=(14,92(1))
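To see how wide each of the EXCLUDE statements above actually reaches, the following added Python model evaluates them against a handful of constructed text-formatted events. It is an illustration written for this page, not zSecure code, and it does not run CARLa: every statement is reduced to a set of field conditions that must all hold for a record to be dropped, which is the behaviour the text describes for one EXCLUDE statement, and the field names (user, event, desc, class, access, racfauth, type and subtype) are the NEWLIST TYPE=SMF fields the examples use. The sample events, the choice of ALICE and GEORGE as the "known user IDs", and the representation of a non-RACF violation as an SMF type 119 record are assumptions made for the example.

```python
"""Simplified model of the record suppression exit: which text-formatted SMF
events each EXCLUDE statement drops.  Added example, not zSecure code; CARLa is
not executed.  One EXCLUDE statement is a dict of field conditions that must
all hold (AND) for a record to be removed from the audit trail."""

# ACCESS field values from lowest to highest, as listed in the text.
ACCESS_ORDER = ["N/A", "NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER", "OWNER"]

# RACF event codes 1-7, the events ALLSVC covers; RACF commands such as
# ALTUSER have their own event codes and are therefore outside ALLSVC.
ALLSVC = {"JOBINIT", "ACCESS", "ADDVOL", "RENAME", "DELETE", "DELVOL", "DEFINE"}


def rec(rid, rtype, subtype, user, event="", desc="", cls="", access="N/A", racfauth=""):
    """Build one constructed event with only the fields the EXCLUDE examples test."""
    return {"id": rid, "type": rtype, "subtype": subtype, "user": user, "event": event,
            "desc": desc, "class": cls, "access": access, "racfauth": racfauth}


# Constructed sample events (not real SMF data); subtypes are placeholders.
EVENTS = [
    rec(1, 80, 0, "GEORGE", "ACCESS", "VIOL", "DATASET", "READ"),
    rec(2, 80, 0, "GEORGE", "ACCESS", "SUCCESS", "DATASET", "UPDATE", "OPERATIONS"),
    rec(3, 80, 0, "GEORGE", "ALTUSER", "SUCCESS", "", "N/A", "OPERATIONS"),  # RACF command
    rec(4, 80, 0, "GEORGE", "ACCESS", "VIOL", "FACILITY", "READ"),
    rec(5, 119, 0, "GEORGE", "TCPIP", "VIOL"),    # assumed non-RACF violation record
    rec(6, 80, 0, "ALICE", "ACCESS", "VIOL", "DATASET", "READ"),
    rec(7, 14, 0, "ALICE"),                       # SMF type 14
    rec(8, 92, 1, "ALICE"),                       # SMF type 92 subtype 1
    rec(9, 92, 11, "ALICE"),                      # SMF type 92, another subtype
    rec(10, 80, 0, "ALICE", "ACCESS", "SUCCESS", "DATASET", "READ"),
]


def parse_event(spec):
    """'access(viol)' -> ('ACCESS', 'VIOL'); 'allsvc(success)' -> ('ALLSVC', 'SUCCESS')."""
    name, _, qual = spec.upper().partition("(")
    return name, qual.rstrip(")")


def condition_holds(r, field, want):
    """Evaluate one field condition of an EXCLUDE statement against record r."""
    if field == "user":
        wanted = want if isinstance(want, (list, tuple)) else [want]
        return r["user"] in {u.upper() for u in wanted}
    if field == "event":
        name, qual = parse_event(want)
        named = r["event"] in ALLSVC if name == "ALLSVC" else r["event"] == name
        return named and (not qual or r["desc"] == qual)
    if field == "access<=":
        return ACCESS_ORDER.index(r["access"]) <= ACCESS_ORDER.index(want.upper())
    if field == "type":
        # 14 selects every type 14 record; (92, 1) only subtype 1 of type 92
        return any(r["type"] == t if isinstance(t, int) else (r["type"], r["subtype"]) == t
                   for t in want)
    return r[field] == want.upper()           # desc, class, racfauth: plain equality


def excluded_ids(events, stmt):
    """IDs of the events that one EXCLUDE statement (all conditions ANDed) drops."""
    return [r["id"] for r in events if all(condition_holds(r, f, v) for f, v in stmt.items())]


def surviving(events, statements):
    """IDs that still reach the SIEM after every statement in the exit is applied."""
    dropped = {i for s in statements for i in excluded_ids(events, s)}
    return [r["id"] for r in events if r["id"] not in dropped]


# The EXCLUDE statements from the text as condition dicts; the list of known
# user IDs is assumed to be ALICE and GEORGE.
STATEMENTS = {
    "exclude user=George": {"user": "George"},
    "exclude user=George desc=viol": {"user": "George", "desc": "viol"},
    "exclude user=George event=access(viol) class=dataset":
        {"user": "George", "event": "access(viol)", "class": "dataset"},
    "exclude user=George event=access(success) racfauth=operations":
        {"user": "George", "event": "access(success)", "racfauth": "operations"},
    "exclude user=(alice,george) access<=read desc=success event=allsvc(success)":
        {"user": ("alice", "george"), "access<=": "read", "desc": "success",
         "event": "allsvc(success)"},
    "exclude user=(alice,george) access<=read desc=success":
        {"user": ("alice", "george"), "access<=": "read", "desc": "success"},
    "exclude type=(14,92(1))": {"type": [14, (92, 1)]},
}

if __name__ == "__main__":
    for text, stmt in STATEMENTS.items():
        print(f"{text:<82} drops {excluded_ids(EVENTS, stmt)}")
```

Running the script makes the precision caveat concrete: `exclude user=George desc=viol` drops the non-RACF violation (record 5) as well as the two RACF violations, whereas adding `event=access(viol) class=dataset` narrows the hit to the DATASET violation alone. The two `access<=read desc=success` variants differ only by `event=allsvc(success)`, yet without it the successful RACF command (record 3, ACCESS N/A) is silently discarded too, and in both the UPDATE access (record 2) stays in the trail. Such a dry run against a sample of your own records is a cheap check before placing a new EXCLUDE in the exit.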

Custom event exit

QRadar member CKQCES.
ArcSight member CKQCEF#C.

Use this member for CARLa statements that extend the text-formatted records to installation-defined events, for example when a product of your own writes its own SMF records that must appear in the audit trail.