IBM Security zSecure, Version 2.3.1

Updating the configuration file for CEF data creation

About this task

If you want to use a new zSecure™ configuration data set (often called CKRPARM, although you can use any data set name), run job CKRZPOST. See Deployment of the software for information.

You can use an existing CKRPARM data set, but if it was created by an older level of zSecure, some configuration members might be missing. If so, copy member CKQCEFP from SCKRSAMP. Optionally, if you wish to customize the exits, copy the following members from the SCKRCARL library: CKQCEF@A, CKQCEF@R, CKQCEF@T, CKQCEF#C, CKQCEF#X, and CKQCEF#0.

Procedure

Now customize the members:

  1. Adapt member CKQCEFP for use by the CKQCEF started task. Alternatively, you can change the member name in the PROC statement of the CKQCEF member in PROCLIB.
    1. Specify as input the active security database for the ESM in use, or an UNLOAD of it, together with the CKFREEZE data set that you refresh every day with the C2RJPREP job. See Use of a fresh CKFREEZE and UNLOAD each day. Using the active security database gives more up-to-date enrichment of the CEF records, but requires READ access to the security database. Grant that access only to the user ID under which the CKQCEF started task runs: the live security database holds credentials, so READ on it should be held by as few identities as possible. If you are using Top Secret, remove the UNLOAD allocation; UNLOAD does not apply to Top Secret. If the product has only the QRADAR* entitlement, you must use an active or backup RACF database, a copy of the RACF database, an ACF2 backup database, or an inactive ACF2 database instead of an UNLOAD. If the product has entitlements in addition to QRADAR*, you can choose either.
    2. Specify the SMF source that you selected as input: the name of a log stream, the CKQEXSMF exit, a DD name, or the DSNPREF parameter. See Make SMF records available to SIEM. If you use the DSNPREF parameter, also specify the DELETE parameter, so that the data sets that you created for this purpose during SMF offload are deleted after successful processing.
    3. To send CEF messages over the network, specify the IP address(es) of your SIEM system on the SYSLOGUDP or SYSLOGTCP parameter. You can specify a resolvable host name, an IPv4 address, or, if IPv6 is enabled (dual-mode TCP/IP stack), an IPv6 address. Port 514 is used unless you specify a port number, so make sure that the SIEM system listens on port 514 with the selected protocol (UDP or TCP), or specify the port on which it does listen. Note that UDP gives no delivery confirmation, so events dropped in transit are lost silently; where the SIEM supports it, TCP is the safer choice.
    4. For file polling or batch-driven file transfer, do not use the OPTION SYSLOGTCP or SYSLOGUDP parameters; specify OPTION SYSLOGTOFILE instead. The output data set must be allocated to DD name C2RSYSLG, with a JCL DD statement like this:
      //* CEF formatted output, ASCII encoded, large data set
      //C2RSYSLG DD DISP=(&DSTAT),DSN=&DPREF..&SYS..CEF,
      //            UNIT=&UNIT,VOL=SER=&VOLSER,
      //            SPACE=(32760,(1000,1000),RLSE,,ROUND),
      //            LRECL=2052,RECFM=VB
      The messages in this data set are UTF-8 encoded (ASCII-compatible), not EBCDIC, so transfer the data set in BINARY mode. A TEXT-mode transfer applies an EBCDIC-to-ASCII translation to data that is already ASCII and corrupts every record.
    5. When you use an SMF accumulation data set as input, specify a UNIX file or z/OS data set to be used as the cut-off (high-water-mark) file. Use CARLa ALLOCATE commands or DD statements for DD=SMFHWIN and DD=SMFHWOUT, and specify the same file or data set name for both:
      //* high water mark keeps the last SMF time stamp, small data set
      //SMFHWIN  DD DISP=SHR,DSN=&DPREF..&SYS..SMFHWM
      //SMFHWOUT DD DISP=SHR,DSN=&DPREF..&SYS..SMFHWM
      The HWM function is switched on by an imbed statement in CKQCEFP:
      imbed member=CKQSMFHW list       /* Generate cut-off file         */
      or switched off:
      imbed member=CKQSMFZZ nolist     /* No cut-off needed             */
      Note: If you need to recover a lost SMF interval, blank out this file so that the time period you want to recover is not skipped. While the file is blank, records from before the previous cut-off that are still in the input are processed again, so expect duplicates in the SIEM for that overlap. After the recovery run, restore the previous contents of the file.
  2. Adapt the environmental specifications.

    For RACF systems, configure the privileged user groups in member CKQCEF@R. This member specifies groups that represent privileged roles. If a user is connected to a group that is listed in this member, events are annotated with the group name.

    For ACF2 and Top Secret systems, specify SIMULATE commands in members CKQCEF@A and CKQCEF@T as needed.
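The following checker is an added example, not part of this documentation or of zSecure. After transferring the C2RSYSLG data set (step 4) you want to know that the transfer did not corrupt it and that every record is a well-formed CEF message; the same parser applies to messages received over SYSLOGUDP or SYSLOGTCP (step 3), which carry a syslog header in front of the CEF payload, so the parser locates the CEF: prefix rather than requiring it at offset zero. Assumptions: records are separated by an ASCII line feed (the page only states that the data is UTF-8; adjust the separator if your transfer produces something else), the sample records are constructed with placeholder vendor and product names rather than real zSecure output, and the header and extension escaping follows the ArcSight CEF specification (header fields escape | and \ with a backslash; extension values escape =, \, newline and carriage return).

```python
"""Check a transferred CEF file (C2RSYSLG) and parse its records.

Added example; not zSecure code. Assumes LF-separated UTF-8 records,
constructed sample data, and ArcSight CEF escaping rules (see lead-in).
"""
import re
from dataclasses import dataclass

HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")

# Extension keys: key characters preceded by start-of-string or whitespace
# and followed by '='. A '\=' inside a value cannot match because '\' is
# not a key character.
_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.]+)=")
_ESC_RE = re.compile(r"\\([=\\nr])")
_UNESC = {"n": "\n", "r": "\r"}


@dataclass
class CefEvent:
    header: dict
    extension: dict


def split_header(cef: str):
    """Split the seven header fields on unescaped '|' ('\\|' and '\\\\' are
    escapes); return (fields, remaining extension text)."""
    fields, cur, i = [], [], 0
    while i < len(cef) and len(fields) < 7:
        ch = cef[i]
        if ch == "\\" and i + 1 < len(cef) and cef[i + 1] in "|\\":
            cur.append(cef[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    if len(fields) != 7:
        raise ValueError("fewer than 7 header fields")
    return fields, cef[i:]


def parse_extension(ext: str) -> dict:
    """Parse space-separated key=value pairs; values may contain spaces and
    the escapes \\= \\\\ \\n \\r."""
    keys = list(_KEY_RE.finditer(ext))
    out = {}
    for m, nxt in zip(keys, keys[1:] + [None]):
        end = nxt.start() if nxt else len(ext)
        raw = ext[m.end():end].rstrip(" ")
        out[m.group(1)] = _ESC_RE.sub(
            lambda e: _UNESC.get(e.group(1), e.group(1)), raw)
    return out


def parse_line(line: str) -> CefEvent:
    """Parse one record; anything before 'CEF:' (a syslog header) is ignored."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no 'CEF:' prefix (text-mode transfer?)")
    fields, ext = split_header(line[start:])
    fields[0] = fields[0][len("CEF:"):]          # "CEF:0" -> "0"
    return CefEvent(dict(zip(HEADER_FIELDS, fields)), parse_extension(ext))


def check_file(data: bytes):
    """Return (events, errors); errors is a list of (record_no, reason)."""
    events, errors = [], []
    for n, raw in enumerate(data.split(b"\n"), 1):
        raw = raw.rstrip(b"\r")
        if not raw:
            continue
        try:
            events.append(parse_line(raw.decode("utf-8")))
        except UnicodeDecodeError:
            errors.append((n, "not valid UTF-8"))
        except ValueError as exc:
            errors.append((n, str(exc)))
    return events, errors


def simulate_text_mode_transfer(data: bytes) -> bytes:
    """Model a TEXT-mode download of data that is already UTF-8: the client
    treats every byte as EBCDIC (CP037 here) and translates it to ASCII."""
    return data.decode("cp037").encode("latin-1", errors="replace")


# Constructed sample records (placeholder vendor/product, not real output).
SAMPLE = (
    "CEF:0|ExampleVendor|ExampleProduct|1.0|100|Logon failed|7|"
    "suser=JSMITH src=10.0.0.5 msg=Password invalid for user\\=JSMITH "
    "cs1Label=Group cs1=SYSPROG\n"
    "CEF:0|ExampleVendor|ExampleProduct|1.0|200|Dataset access \\| denied|5|"
    "fname=SYS1.PARMLIB act=READ outcome=failure\n"
).encode("utf-8")
```

Run it on the downloaded file with check_file(open(path, "rb").read()). On a BINARY-mode transfer of SAMPLE it returns two events and no errors; on simulate_text_mode_transfer(SAMPLE) it returns no events at all, because every byte has been translated and no record starts with CEF: any more, which is exactly what a TEXT-mode transfer of the real data set looks like.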
