Hi Linnea
Many zSecure installations use CKQRADAR (part of zSecure Audit) to send SMF records to Splunk in real-time. Splunk knows how to interpret LEEF (logfile enhanced event format) messages from CKQRADAR. The field names assigned and the interpreted field information in these LEEF records assist in writing Splunk reports that make sense to z/OS users.
See
Splunk and zSecure Audit - How to Send SMF Records to Splunk? and
zSecure Alert with Splunk integration
Command Logger writes events into a separate logstream, e.g., PLEX1.CKXLOG. The layout of records in the logstream is not documented, but it is not very complex either. Use the zSecure Admin CR.2 panels to find the proper field contents for some records and use this to verify your home-grown interpretation of the raw logstream records.
Alternatively, you could run a zSecure job every hour or so to send a formatted report of the events from the last hour (specify DURATION=(1,HOURS) in the ALLOC command), like here:
SMF logstream reports. Use NEWLIST SYSLOG SYSLOGTO=splunkaddress HEADER=LEEF to build a job that writes directly to Splunk (use SCKRCARL(CKQLEEFL) for inspiration).
------------------------------
Rob van Hoboken
------------------------------
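The reply above leans on LEEF being a format Splunk can already take apart into named fields. To make concrete what that header-plus-attributes layout looks like, here is an added example (not code from this thread, from zSecure, or from CKQRADAR) that parses LEEF 1.0 and 2.0 lines into a header dictionary and an attribute dictionary. The two sample lines are constructed for the example: the vendor, product and attribute names in them are illustrative and are not the field names CKQRADAR actually emits.

```python
"""Parse LEEF 1.0/2.0 event lines into (header, attributes).

Added example; not the thread's, zSecure's or CKQRADAR's code.
SAMPLE_LEEF1 / SAMPLE_LEEF2 are constructed inputs with made-up
vendor, product and attribute names.
"""
from typing import Dict, Tuple

HEADER_KEYS = ("leef_version", "vendor", "product", "version", "event_id")

# Constructed sample: LEEF 1.0, tab-separated attributes, no syslog prefix.
SAMPLE_LEEF1 = (
    "LEEF:1.0|ExampleVendor|ExampleProduct|1.0|CMDLOG|"
    "usr=IBMUSER\tcmd=LISTUSER IBMUSER\tsrc=10.0.0.5"
)

# Constructed sample: syslog prefix, LEEF 2.0 with the delimiter given as
# hex ("x5e" is '^') and an attribute value that itself contains '='.
SAMPLE_LEEF2 = (
    "<13>Jun 28 17:01:00 mvshost LEEF:2.0|ExampleVendor|ExampleProduct|1.0|CMDLOG|x5e|"
    "usr=IBMUSER^cmd=LISTUSER IBMUSER^note=a=b^rc=0"
)


def _decode_delimiter(token: str) -> str:
    """LEEF 2.0 header field 6: '' means tab, 'xHH'/'0xHH' is a hex code,
    otherwise a single literal character."""
    if token == "":
        return "\t"
    low = token.lower()
    hexpart = low[2:] if low.startswith("0x") else low[1:] if low.startswith("x") else None
    if hexpart and all(c in "0123456789abcdef" for c in hexpart):
        return chr(int(hexpart, 16))
    if len(token) == 1:
        return token
    raise ValueError(f"unrecognised LEEF delimiter spec: {token!r}")


def parse_leef(line: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (header, attributes) for one LEEF event line.

    Tolerates a syslog prefix before 'LEEF:', handles both LEEF versions,
    and splits each attribute at the first '=' so values may contain '='.
    """
    start = line.find("LEEF:")
    if start < 0:
        raise ValueError("not a LEEF line")
    body = line[start:].rstrip("\r\n")
    version = body[5:body.index("|")]
    # LEEF 1.0 has 5 header fields; LEEF 2.0 adds a 6th (the delimiter).
    nfields = 6 if version.startswith("2") else 5
    parts = body.split("|", nfields)
    if len(parts) < nfields + 1:
        raise ValueError("truncated LEEF header")
    header = dict(zip(HEADER_KEYS, parts[:5]))
    header["leef_version"] = version
    delim = _decode_delimiter(parts[5]) if nfields == 6 else "\t"
    attrs: Dict[str, str] = {}
    for pair in parts[nfields].split(delim):
        if not pair:
            continue
        key, sep, value = pair.partition("=")
        if not sep:
            raise ValueError(f"attribute without '=': {pair!r}")
        attrs[key.strip()] = value
    return header, attrs


if __name__ == "__main__":
    for sample in (SAMPLE_LEEF1, SAMPLE_LEEF2):
        hdr, attrs = parse_leef(sample)
        print(hdr["leef_version"], hdr["event_id"], attrs)
```

The point of the header/attribute split is that a consumer such as Splunk only needs the fixed header to identify the event type; everything z/OS-specific rides in the key=value section, which is why the field names the producer chooses matter so much for readable reports.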
Original Message:
Sent: Tue June 28, 2022 05:01 PM
From: Linnea Sullivan
Subject: Command Logger Data to Splunk
We use AMI Defender to send our SMF data over to Splunk. We wanted to capture the Command Logger data and send it over to Splunk as well. Does anyone have any knowledge / experience with using AMI Defender for z/OS in getting Command Logger records into Splunk?
------------------------------
Linnea Sullivan
------------------------------