mainframe.ibm
Introduction
The tags beginning with mainframe.ibm identify events generated by an IBM mainframe.
Valid tags and data tables
The full tag must have 4 levels. The first two are fixed as mainframe.ibm. The third level identifies the type of events sent, and the fourth level indicates the event subtype.
Technology | Brand | Type | Subtype |
---|---|---|---|
mainframe | ibm | | |
These are the valid tags and corresponding data tables that will receive the parsers' data:
Tag | Data table |
---|---|
mainframe.ibm.type80.<subtype> | mainframe.ibm.type80 |
How is the data sent to Devo?
Logs generated by IBM mainframes are forwarded to Devo using a dedicated collector. Contact us if you need to forward these events to your Devo domain so we can guide you through the process.
Two relay rules are also needed to define the fourth level of the tag and send the data to the target table. Create the rules using the following values:
Relay rule 1
Source Tag → devo.collectors.out
Select the Stop Processing checkbox
Relay rule 2
Source Data → ([^ ]+).*
Target Tag → mainframe.ibm.type80.\M1
Select the Stop Processing and Sent without syslog tag checkboxes
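The following is an added example, not part of the original Devo documentation. It shows how the Source Data pattern and Target Tag of relay rule 2 turn the first token of an event into the fourth tag level, and flags events whose derived subtype is unexpected. It assumes that \M1 is the first capture group of Source Data, that the pattern is applied from the start of the event text, and that only the two subtypes seen in this page's sample logs are expected; derive_tag, check and EXPECTED_SUBTYPES are hypothetical names.

```python
import re

# Values copied from relay rule 2 on this page.
SOURCE_DATA = re.compile(r"([^ ]+).*")
TARGET_PREFIX = "mainframe.ibm.type80."

# Assumption: only the subtypes seen in the page's sample logs are expected.
EXPECTED_SUBTYPES = {"ACCESS", "JOBINIT"}


def derive_tag(event):
    # Assumption: the pattern is matched from the start of the event text
    # and the \M1 placeholder is replaced by its first capture group.
    m = SOURCE_DATA.match(event)
    if m is None:
        return None  # empty payload or leading space: rule 2 builds no tag
    return TARGET_PREFIX + m.group(1)


def check(event):
    # Classify an event as "ok", "unexpected" (unknown subtype) or "untagged".
    tag = derive_tag(event)
    if tag is None:
        return ("untagged", None)
    subtype = tag[len(TARGET_PREFIX):]
    status = "ok" if subtype in EXPECTED_SUBTYPES else "unexpected"
    return (status, tag)


# Constructed inputs. The first two are the leading fields of the page's
# sample events; the rest are constructed edge cases.
EVENTS = [
    "ACCESS SUCCESS 08:59:34 2020-06-10 SY03 NO NO NO IMSRUSR XZWST",
    "JOBINIT UNDFUSER 08:59:18 2020-06-10 SY03 YES NO NO S12AS999",
    "access SUCCESS 08:59:34 2020-06-10 SY03",   # lower-case first token
    " ACCESS SUCCESS 08:59:34 2020-06-10 SY03",  # leading space
    "",                                          # empty payload
]

if __name__ == "__main__":
    for e in EVENTS:
        print(check(e), repr(e[:30]))
```

Because the fourth tag level is taken from the event content, any first token that is not a known subtype still produces a tag under mainframe.ibm.type80, so checking derived tags against the expected set helps catch malformed or unexpected input.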
Log samples
The following are sample logs sent to each of the mainframe.ibm data tables. Under each sample log, you can see how the information is parsed in your data table.
Extra columns
Fields marked as Extra in the table below are not shown by default in data tables and need to be explicitly requested in the query. You can find them marked as Extra when you perform a query so they can be easily identified. Learn more about this in Selecting unrevealed columns.
mainframe.ibm.type80
2020-12-08 19:46:51.986 localhost=127.0.0.1 mainframe.ibm.type80.ACCESS: ACCESS SUCCESS 08:59:34 2020-06-10 SY03 NO NO NO IMSRUSR XZWST NO NO NO NO YES NO NO NO NO NO NO YES NO NO NO NO 000 NO NO I03ABZ61 04:34:48 2020-06-10 NO NO NO NO NO NO NO NO NO NO 77A0 MWFESRS READ READ TIMS IMS DEPENDENT REGION NO YES NO NO NO NO NO NO NO NO STARTED NO NO YES IMSRUSR XZWST NO YES
2020-12-08 19:46:51.986 localhost=127.0.0.1 mainframe.ibm.type80.JOBINIT: JOBINIT UNDFUSER 08:59:18 2020-06-10 SY03 YES NO NO S12AS999 NO NO NO NO NO NO NO NO NO NO NO NO YES NO NO NO 000 NO NO I03ABZ61 04:34:48 2020-06-10 NO NO NO NO NO NO NO NO NO NO 77A0 I03A NO NO NO NO NO NO NO YES NO NO NO NO NO S12AS999 YES YES
And this is how the log would be parsed:
Field | Value | Type | Extra field |
---|---|---|---|
eventdate | | | |
hostchain | | | ✓ |
hostname | | | |
tag | | | ✓ |
EVENT_TYPE | | | |
EVENT_QUAL | | | |
TIME_WRITTEN | | | |
DATE_WRITTEN | | | |
SYSTEM_SMFID | | | |
VIOLATION | | | |
USER_NDFND | | | |
USER_WARNING | | | |
EVT_USER_ID | | | |
EVT_GRP_ID | | | |
AUTH_NORMAL | | | |
AUTH_SPECIAL | | | |
AUTH_OPER | | | |
AUTH_AUDIT | | | |
AUTH_EXIT | | | |
AUTH_FAILSFT | | | |
AUTH_BYPASS | | | |
AUTH_TRUSTED | | | |
LOG_CLASS | | | |
LOG_USER | | | |
LOG_SPECIAL | | | |
LOG_ACCESS | | | |
LOG_RACINIT | | | |
LOG_ALWAYS | | | |
LOG_CMDVIOL | | | |
LOG_GLOBAL | | | |
TERM_LEVEL | | | |
BACKOUT_FAIL | | | |
PROF_SAME | | | |
TERM | | | |
JOB_NAME | | | |
READ_TIME | | | |
READ_DATE | | | |
SMF_USER_ID | | | |
LOG_LEVEL | | | |
LOG_VMEVENT | | | |
LOG_LOGOPT | | | |
LOG_SECL | | | |
LOG_COMPATM | | | |
LOG_APPLAUD | | | |
LOG_NONOMVS | | | |
LOG_OMVSNPRV | | | |
AUTH_OMVSSU | | | |
AUTH_OMVSSYS | | | |
USR_SECL | | | |
RACF_VERSION | | | |
RECORD_EXTENSION | | | |
rawMessage | | | |