Hi Luigi
The Splunk customers I used to work with implemented an event feed from CKQRADAR. The LEEF records generated by CKQRADAR are easily ingested by Splunk, with intuitive field names. CEF records must follow the restrictions/limitations imposed by CEF with field names that follow strict rules. When I wrote the CEF event generator, I had to map MVS objects to the network oriented extension names in (then HP) ArcSight's reporting, and limit the number of SMF fields in each event. LEEF was not hampered by these limitations.
You noticed that the whole event stream looks like a single long line in the unix folder. You could use the unix command od -h to inspect one of these files. That will show you if the records are separated/terminated by newline (x'0A') or by "DOS CR/LF" (x'0A0D') sequences. I assume the former.
Splunk will have to use the right FTP subcommands to retrieve the data. In QRadar, we used to recommend the BIN option to transfer the file.
You could also consider using the SYSLOGTOFILE command in the CKQCEFP member, to write the CEF events to a z/OS data set allocated to C2RSYSLG in a scheduled batch job (i.e., at a pre-determined time). Then tell Splunk to retrieve the whole data set directly from z/OS, using the BIN option. This is mentioned in the Installation and Deployment manual.
------------------------------
Rob van Hoboken
------------------------------
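An added example, not code from either post: a small Python routine that does programmatically what the `od -h` inspection above does by eye (detect LF, CR/LF or no terminator at all) and then splits the stream into individual CEF records, including the single-long-line case and escaped pipes in the CEF header. The sample events and their field values are constructed, not actual zSecure Audit output.

```python
# Added example (not from the thread): detect the record terminator of a CEF
# event stream and split it into parsed records. Sample data is constructed.
import re

# Constructed sample events; the terminator between them is chosen by the caller.
SAMPLE_EVENTS = [
    "CEF:0|IBM|zSecure Audit|2.5|LOGON|User logon|3|suser=ALICE src=10.0.0.5",
    "CEF:0|IBM|zSecure Audit|2.5|ACCESS|Dataset access \\| denied|7|suser=BOB",
    "CEF:0|IBM|zSecure Audit|2.5|CMD|Operator command|2|suser=CAROL",
]

def detect_terminator(data: bytes) -> bytes:
    """Return the record terminator found in the stream: CRLF, LF, or b'' if none."""
    if b"\r\n" in data:
        return b"\r\n"
    if b"\n" in data:
        return b"\n"
    return b""

def split_records(data: bytes) -> list:
    """Split the stream into CEF records. Without a terminator (the single
    long line case) records are recovered at each 'CEF:<version>|' header.
    Caveat: a literal 'CEF:0|' inside an extension value would also split."""
    term = detect_terminator(data)
    if term:
        parts = data.split(term)
    else:
        parts = re.split(rb"(?=CEF:\d+\|)", data)
    return [p.decode("utf-8") for p in parts if p.strip()]

def parse_header(record: str) -> dict:
    """Parse the seven pipe-delimited CEF header fields plus the extension,
    treating '\\|' as an escaped pipe rather than a delimiter."""
    fields = re.split(r"(?<!\\)\|", record, maxsplit=7)
    if len(fields) != 8 or not fields[0].startswith("CEF:"):
        raise ValueError("not a CEF record: %r" % record[:40])
    fields[0] = fields[0][len("CEF:"):]
    keys = ["version", "vendor", "product", "device_version",
            "signature_id", "name", "severity", "extension"]
    return {k: v.replace("\\|", "|") for k, v in zip(keys, fields)}

def records_from_stream(data: bytes) -> list:
    """Convenience wrapper: raw bytes in, list of parsed CEF headers out."""
    return [parse_header(r) for r in split_records(data)]
```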
Original Message:
Sent: Tue February 28, 2023 03:21 AM
From: Luigi Perrone
Subject: zSecure Audit & CEF format for Splunk
Hello everyone,
I'm trying to implement zSecure Audit to send syslog in CEF format to a staging area (syslog server) and then allow Splunk to fetch the log on a scheduled basis. However, the customer has difficulty managing and handling the log file stored in a unix folder, because it is on a single long line.
Are there any best practices to use as a basis for managing the CEF file? Do you have any suggestions or precautions I can take when creating the report?
Thanks in advance
------------------------------
Luigi Perrone
------------------------------