IBM Support

Redirecting output to the UNIX syslog for IPv4 and IPv6

Troubleshooting


Problem

In Tivoli zSecure 1.11 and previous releases, you could not send output directly to a UNIX syslog receiver.

Symptom

zSecure does not support formatting and sending output data to the UNIX syslog.

Cause

zSecure reporting functions did not support UNIX syslog output destinations.

Diagnosing The Problem

In Tivoli zSecure V1.11 and earlier, you can configure the data format and location to redirect output to SNMP, email, or WTO destinations. However, you cannot redirect output to the UNIX syslog.

Resolving The Problem

Tivoli zSecure V1.11 was enhanced to support sending output to the UNIX syslog for IPv4 and IPv6 (APAR OA33310). This function is useful for zSecure Alert users who want to send alert notifications to a UNIX syslog receiver. The enhancement is also present in Security zSecure 1.12 without an update.
The product enhancements that support redirecting output to the UNIX syslog include the following:

  • The NEWLIST command provides a SYSLOG keyword to direct output data to a UNIX syslog destination.
  • The OPTION and NEWLIST commands provide a SYSLOGTO= keyword to specify one or more destination IP addresses and ports (default port is 514) for the output. There is also an OPTION SYSLOGTOFILE for testing purposes.
  • C2RSYSLG is the dedicated ddname for receiving the syslog output.
  • New and updated messages.

The new keywords are like the SNMP, SNMPTO=, and SNMPTOFILE keywords for directing output to SNMP. On the NEWLIST and OPTION commands, the syslog redirect keywords are mutually exclusive with the redirect keywords for SNMP, email, and WTO output.

This technote includes the following user and reference information:

  • CARLa language changes
  • Sample CARLa program
  • New file definition for CKRCARLa
  • Message changes

CARLa language changes

The NEWLIST and OPTION commands have been changed to support writing to the UNIX syslog.

OPTION

The following keywords have been added.

SYSLOGTO=destination:port
SYSLOGTO=(destination:port,destination:port, ...)


If the SYSLOGTO= option is specified before the first NEWLIST statement or on a NEWLIST statement that specifies the SYSLOG option, it determines the output destination for SYSLOG traps.

The destination can be a name looked up through DNS or an IP address. The default port is 514. For more information, see the SNMPTO= option description in the zSecure Admin and Audit for RACF User Reference Manual.

If SYSLOGTO= is omitted, SYSLOG output goes to the normal file output, which by default is the C2RSYSLG file.

SYSLOGTOFILE


Redirects output to the default syslog file C2RSYSLG. You must specify this keyword before the first NEWLIST statement. Only output generated as the result of a SYSLOG keyword is redirected.

The SYSLOGTOFILE keyword sends syslog output to a file for testing purposes. When this keyword is specified, the LRECL and RECFM of the C2RSYSLG file are used. The file defaults are RECFM=VB and a logical line length of 132 (the print default), whereas syslog traps are built with an effective line length of 2048. To simulate the syslog line length when writing to the C2RSYSLG file, set RECFM=VB,LRECL=2048 before the first NEWLIST statement. If you specify these values on or after a NEWLIST statement, they apply only to the SYSLOG output of that NEWLIST statement.



NEWLIST

The following keyword has been added.

SYSLOG


Requests that a syslog trap be sent for each record in the NEWLIST output. The destination must be set with the SYSLOGTO= keyword of the OPTION command; if that keyword is not specified on or before the first NEWLIST statement, the destination defaults to the syslog file DD=C2RSYSLG. Syslog traps are requested with a line length of 2048 and UTF-8 encoding. SYSLOG is mutually exclusive with the SNMP, email, and WTO parameters, and is supported only on z/OS.


Sample CARLa program

The syslog function can be used in CARLa batch jobs as follows:

// EXEC C2RC
//SYSIN DD *
/* SMF is the input; no CKFREEZE is required for this report */
alloc smf; suppress ckfreeze
option syslogto=127.0.0.1 /* send to local SYSLOGD */

/* global selections used in alerts */

/* outlim=0: PRIVUSER prints nothing, it only feeds the likelist below */
N type=smf name=PRIVUSER outlim=0,
title='Who are the privileged users'
select user:special or user:operations
sortlist recno

/* Here are the real alerts */

/* <116> is PRI = facility 14 (log alert) * 8 + severity 4 (warning). */
/* Each record must yield a single output line (see CKR1483).        */
N type=smf syslog name=PRIVLOG,
title='1.11 Logon privileged users'

s likelist=PRIVUSER event=racinit

sortlist '<116>' | date(month,3) date(monthday,0) time(8),
system 'C2P4111 [C2P4111',
'whatDESC="' | desc(0,explode) | '"',
'whoUSERID="' | userid(0) | '"',
'whoNAME="' | userid:name(0) | '"',
'whatJOBNAME="' | jobname(0) | '"',
'whereSYSTEM="' | system(0) | '"',
']' recorddesc(0)
//

New file definition for CKRCARLa

The following file definition has been added to support sending zSecure output to the UNIX syslog.

C2RSYSLG


File that receives the output that would otherwise be sent to the UNIX syslog when the SYSLOGTOFILE keyword is specified on an OPTION command. To match the line length used for syslog traps, specify RECFM=VB,LRECL=2048 for the file. Note, however, that RFC 3164 limits a syslog packet to 1024 bytes and RFC 5424 only requires a receiver to accept 480 bytes (2048 is recommended), so a receiver may truncate or drop longer messages.
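The following Python script is an added example (it is not zSecure code) that builds the one-line alerts the sample CARLa program above produces, parses them back into PRI, header and key="value" fields, and checks the UTF-8 wire size against the RFC 3164 and RFC 5424 limits described above. The tag C2P4111 and the field names are taken from the sample; the EBCDIC code page cp037 and the sample values are assumptions for the self-test.

```python
"""Builder, parser and length checker for the single-line syslog alerts that
the sample CARLa program emits.  Added example, not zSecure code."""
import re
from datetime import datetime

# Packet-size limits from the RFCs, measured on the UTF-8 wire form.
RFC3164_MAX = 1024            # BSD syslog: longer packets may be dropped or truncated
RFC5424_MUST_ACCEPT = 480     # every RFC 5424 receiver must accept at least this much
RFC5424_SHOULD_ACCEPT = 2048  # recommended; also the line length zSecure requests

SAMPLE_WHEN = datetime(2022, 2, 22, 9, 5, 7)  # constructed timestamp for the self-test

HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"                             # PRI, no blank after it
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "  # BSD timestamp: Feb 22 09:05:07
    r"(?P<host>\S+) (?P<tag>\S+) "                     # system name and message tag
    r"\[(?P<body>.*)\]\s*(?P<rest>.*)$"                # bracketed fields, then recorddesc
)
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')  # key="value"; the sample does not escape quotes


def build_alert_line(system, when, fields, tag="C2P4111", pri=116):
    """Reproduce the sample sortlist: '<116>' date time system 'C2P4111 [C2P4111' k="v" ... ']'.
    CARLa puts one blank between sortlist items and none across '|', hence this layout."""
    ts = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    body = " ".join(f'{k}="{v}"' for k, v in fields.items())
    return f"<{pri}>{ts} {system} {tag} [{tag} {body} ]"


def validate_single_line(line):
    """Mirror what zSecure enforces before sending: CKR1482 rejects an empty alert,
    CKR1483 warns that only the first line of a multi-line alert is sent."""
    if not line.strip():
        raise ValueError("empty syslog alert (CKR1482)")
    if "\n" in line or "\r" in line:
        raise ValueError("syslog alert has more than one line (CKR1483)")
    return line


def parse_alert_line(line):
    """Split an alert into PRI (facility/severity), header and the key="value" fields."""
    m = HEADER_RE.match(validate_single_line(line))
    if not m:
        raise ValueError("not a BSD-style syslog line")
    pri = int(m["pri"])
    if pri > 191:  # 23 * 8 + 7 is the largest legal PRI
        raise ValueError(f"PRI {pri} out of range")
    return {
        "facility": pri // 8,  # 116 -> 14 (log alert)
        "severity": pri % 8,   # 116 -> 4 (warning)
        "timestamp": m["ts"],
        "host": m["host"],
        "tag": m["tag"],
        "fields": dict(FIELD_RE.findall(m["body"])),
        "recorddesc": m["rest"],
    }


def check_length(line):
    """Report the wire size in bytes and whether it fits each RFC limit."""
    size = len(line.encode("utf-8"))
    return {
        "bytes": size,
        "fits_rfc3164": size <= RFC3164_MAX,
        "fits_rfc5424_min": size <= RFC5424_MUST_ACCEPT,
        "fits_rfc5424_should": size <= RFC5424_SHOULD_ACCEPT,
    }


def ebcdic_to_wire(ebcdic_bytes, codepage="cp037"):
    """The C2RSYSLG test file and CKR1481 show the message in EBCDIC; the datagram
    is UTF-8.  cp037 is assumed here as the EBCDIC code page."""
    return ebcdic_bytes.decode(codepage).encode("utf-8")


if __name__ == "__main__":
    line = build_alert_line("SYS1", SAMPLE_WHEN,
                            {"whatDESC": "LOGON", "whoUSERID": "IBMUSER"})
    print(line)
    print(parse_alert_line(line))
    print(check_length(line))
```

A receiver-side parser like this is also the place to drop alerts whose whatDESC or whoUSERID fields are missing, rather than letting them through as free text; the length check tells you in advance whether a long desc(0,explode) value will survive an RFC 3164 receiver.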

Message changes

The following message changes are included in PTF UA55011 to support writing zSecure output to the UNIX syslog.

The following messages were updated:

  • CKR1216, CKR217, and CKR1237: Added SYSLOG to the list of options.
  • CKR1240: Added SYSLOG as a possible value for unresolved destination.

The following messages were added.

CKR1479 SYSLOG is not supported under VM
Severity: 12
Explanation: Writing a SYSLOG message to a UNIX SYSLOG receiver is not directly supported under z/VM.
User response: Run this CARLa under z/OS.

CKR1480 Sendto for syslog alert n sockdesc m failed UNIX error, name source
Severity: 12
Explanation: Indicates that the UNIX sendto service failed with the indicated error.
User response: Correct the error and try again.

CKR1481 Sending syslog alert n to addr port port on sockdesc n, name source syslog line
Severity: 00
Explanation: Indicates the destination of an alert and shows the syslog message as it appears in EBCDIC. The message itself is sent in UTF-8.


The addr format corresponds to the IP stack used to create the socket descriptor. If the IPv6 stack is available, IPv4 addresses are mapped onto the IPv6 socket and shown as ::FFFF:n.n.n.n, where n.n.n.n is the IPv4 address. The following examples show the message formats for IPv4 and IPv6:

    Message for an IPv4 address that is mapped to an IPv6 stack:
    CKR1481 00 Sending syslog alert 0 to ::FFFF:127.0.0.1 port 514 on sockdesc 0, IPV6V4 at SYSIN line 6

    Message for an IPv6 stack:
    CKR1481 00 Sending syslog alert 0 to ::1 port 514 on sockdesc 0, IPV6V4 at SYSIN line 6

    Message for an IPv4 stack:
    CKR1481 00 Sending syslog alert 0 to 127.0.0.1 port 514 on sockdesc 0, IPV4LCL at SYSIN line 6

User response: None

CKR1482 Empty syslog alert n, name source
Severity: 12
Explanation: An empty line or no line at all was encountered in a request to send a syslog message.
User response: Correct the CARLa for generating the syslog message. Then, try again.

CKR1483 Syslog alert n has more than 1 line, name source
syslog line 1
syslog line 2
Severity: 12
Explanation: Notification that a syslog alert sends only the first line.
User response: Change the alert to reduce it to one line.

CKR1484 IPv4 socket call for syslog failed UNIX error
Severity: 12
Explanation: An attempt was made to establish an IPv4 socket with the UNIX socket service, but this attempt failed with the indicated diagnostic information.
User response: See the z/OS UNIX System Services Messages and Codes manual available from the z/OS Internet Library.

CKR1485 IPv4 syslog socket close failed UNIX error
Severity: 12
Explanation: An attempt was made to close an IPv4 socket, but this attempt failed with the indicated diagnostic information.
User response: See the z/OS UNIX System Services Messages and Codes manual available from the z/OS Internet Library.

CKR1486 ipstack socket call for syslog system abend abend-reason (description)
Severity: 12
Explanation: The IPv4 or IPv6 socket call failed with the indicated abend. The ipstack value is IPv4 or IPv6, depending on the type of socket being created. For additional information, see the Communications Server IP and SNA Codes manual, available from the z/OS Internet Library.

CKR1487 ipstack syslog sockdesc n
Severity: 00
Explanation: The ipstack value is IPv4 or IPv6, depending on the IP stack used for the SYSLOG socket descriptor. If the IPv6 stack is unavailable, the socket descriptor uses the IPv4 stack and is limited to IPv4 addresses. The following examples show the message formats for IPv6 and IPv4:
    CKR1487 00 IPv6 syslog sockdesc 0
    CKR1487 00 IPv4 syslog sockdesc 0
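To check that a SYSLOGTO= destination actually receives the datagrams, and to see the address forms that CKR1481 and CKR1487 describe, the following Python script is an added example (not zSecure code) of a loopback UDP test receiver. It prefers an IPv6 socket with IPV6_V6ONLY switched off, so an IPv4 sender shows up as ::ffff:a.b.c.d, and falls back to an IPv4-only socket on a host without an IPv6 stack; the datagram is decoded as UTF-8, which is the wire encoding. Port 0 (pick any free port) and the sample alert text are assumptions for the self-test; in a real test you would bind port 514 and point SYSLOGTO= at this host.

```python
"""Loopback UDP receiver for testing a SYSLOGTO= destination.
Added example, not zSecure code."""
import ipaddress
import socket

SYSLOG_PORT = 514  # default destination port for SYSLOGTO=
MAX_LINE = 2048    # line length zSecure requests for syslog traps


def open_receiver(port=0):
    """Bind a UDP socket: dual-stack IPv6 if the host allows it, otherwise IPv4 only
    (the CKR1487 IPv4 case).  port=0 lets the OS pick a free port for testing."""
    try:
        s6 = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
    except OSError:
        s6 = None
    if s6 is not None:
        try:
            s6.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 0)  # accept IPv4 as ::ffff:
            s6.bind(("::", port))
            return s6
        except (OSError, AttributeError):
            s6.close()
    s4 = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s4.bind(("0.0.0.0", port))
    return s4


def describe_peer(addr):
    """Explain a recvfrom() address tuple in CKR1481 terms: the raw address as the
    stack reports it, the IPv4 address it maps to (if any) and which stack it came from."""
    ip = ipaddress.ip_address(addr[0].split("%")[0])  # drop a link-local scope id
    if ip.version == 4:
        return {"raw": str(ip), "ipv4": str(ip), "stack": "IPv4"}
    mapped = ip.ipv4_mapped  # IPv4Address for ::ffff:a.b.c.d, None for a native IPv6 peer
    return {"raw": str(ip), "ipv4": str(mapped) if mapped else None, "stack": "IPv6"}


def receive_one(sock, timeout=3.0):
    """Wait for one datagram and decode it as UTF-8 (the wire encoding, not EBCDIC)."""
    sock.settimeout(timeout)
    data, addr = sock.recvfrom(MAX_LINE)
    return {"peer": describe_peer(addr), "bytes": len(data),
            "text": data.decode("utf-8", errors="replace")}


def send_alert(line, host, port=SYSLOG_PORT):
    """Send one alert as a UTF-8 datagram.  The socket family follows the resolved
    destination, as SYSLOGTO= does for a DNS name or a literal IPv4/IPv6 address."""
    family, _, _, _, sockaddr = socket.getaddrinfo(host, port, 0, socket.SOCK_DGRAM)[0]
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        return s.sendto(line.encode("utf-8"), sockaddr)


def loopback_roundtrip(line, dest="127.0.0.1"):
    """Self-test: open a receiver on a free port, send one alert to it, return what arrived."""
    srv = open_receiver(0)
    try:
        port = srv.getsockname()[1]
        send_alert(line, dest, port)
        return receive_one(srv)
    finally:
        srv.close()


if __name__ == "__main__":
    # constructed sample alert in the layout of the sample CARLa program
    print(loopback_roundtrip('<116>Feb 22 09:05:07 SYS1 C2P4111 [C2P4111 whoUSERID="IBMUSER" ]'))
```

On a dual-stack host the printed peer is ::ffff:127.0.0.1 mapped to 127.0.0.1 on the IPv6 stack, which matches the IPV6V4 form of CKR1481; on an IPv4-only host it is 127.0.0.1 on the IPv4 stack, the IPV4LCL form.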

CKR1498 Options DD and SYSLOG are mutually exclusive
Severity: 12
Explanation: You cannot specify both DD (DDNAME,FILE,F) and SYSLOG on a NEWLIST statement.
User response: Ensure that the NEWLIST statement has either a DD (DDNAME,FILE,F) parameter or a SYSLOG parameter.



Product Synonym

zSecure Alert;zSecure Admin;zSecure Audit

Document Information

Modified date:
22 February 2022

UID

swg21441216