Create Message Queue Audit Rules
- To define a message queue to monitor, select 1. Control Message Queues/QHST from the Message Queue menu (STRAUD > 14 > 1). The Work with Message Queues screen appears.
```
 Work with Message Queues

 Type options, press Enter.                       Position to . . .
   1=Modify   4=Remove   5=Display messages

                                              Operation          Data     Check
 Opt  Msg queue   Library   Group   Active    Mode      Syslog   Queue    Actions
      QHST        QSYS      @9      Y         5         Y        *NONE    Y
      QSYSOPR     *LIBL     @1      Y         9         N        *NONE    Y
                                                                          Bottom
 F3=Exit   F6=Add New   F8=Print   F12=Cancel
```
- Type 1=Modify next to an existing message queue, or press F6=Add New to define a new one. The Add Message Queue screen appears.
```
 Add Message Queue

 Message queue . . . . . . . .             Name, QHST
   Library . . . . . . . . . .  *LIBL      Name, *LIBL
 Active definition . . . . . .  Y          A=Auto start, N=No,
                                           Y=Yes, requires manual activation
 Operation mode . . . . . . . .            1=Periodic, 5=QHST, 9=Immediate
   For 1, Number of seconds . .  300
   For 9, Break program . . . .  *STD      Name, *STD SMZ4/AUSOURCE AUMSGBRK
     Library . . . . . . . . .             Name, *LIBL
 Send to SIEM . . . . . . . . .  N         Y=Yes, N=No
 Send to user Data Queue . . .   *NONE     Name, *NONE
   Library . . . . . . . . . .             Name, *LIBL
 Check rules & perform Actions.  Y         Y=Yes, N=No
   For Check rules, Group Id .   @1        @1, @2, ..., @9=QHST

 Duplicates may appear if Action sends to SIEM/Data Queue, selected above.
 QHST requires Operation mode 5, Group @9.

 F3=Exit   F4=Prompt   F12=Cancel
```
| Parameter or Option | Description |
|---|---|
| Message queue/library | The name of the message queue being created or modified and the library where it exists. |
| Active definition | A = Automatic start at IPL or restart. You can choose this only if the Message Queues (set to start at *IPL) parameter on the Auto Start Activities screen is set to Yes; for details, see Auto start activities in ZAUDIT. Y = Yes, but after activating ZAUDIT you must start the message queue monitor manually; until you do, the queue is not being watched. N = No. |
| Operation mode | 1 = Periodic. 5 = Watch (shown as QHST on the screen); you must use 5 when monitoring QHST, together with Group Id @9. 9 = Immediate. |
| Number of seconds | Used only when Operation mode = 1. The number of seconds to wait between successive applications of the rule; a message that arrives just after a pass is not seen until the next pass, so the value bounds detection latency. |
| Break program/library | Used only when Operation mode = 9. The name and library of the program that handles the break. The source of the default program, *STD, is member AUMSGBRK in SMZ4/AUSOURCE. |
| Send to SIEM | Define whether and how to send the break information to SIEM: 1 = Syslog, 2 = SNMP, N = No. |
| Send to user data queue/library | The name and library of the data queue that receives the message for break handling. *NONE = do not send to a data queue. |
| Check rules & perform Actions | Y = Yes: apply the rules of the Group Id in the next field and run their actions. N = No. As the screen notes, if an action also sends to SIEM or a data queue, entries already sent by the two fields above may appear twice. |
| For check rules, Group Id | The Group ID (@1 to @9; @9 is used for QHST) of the rule definitions to apply. Create or modify rule definitions with 11. Message Queue Rules on the Message Queue menu. Give message queues that need the same handling the same Group ID, so that one set of rules covers all of them. |
- Enter the parameters and data described in the table, then press Enter. The Filter Conditions screen appears. Filter criteria let you restrict the real-time detection rules to specific conditions instead of applying them to every message on the queue.
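The following CL program is an added illustration of what can go in the Break program field when Operation mode is 9 (Immediate); it is not the product's SMZ4/AUSOURCE AUMSGBRK source and is not taken from the page. It assumes the standard IBM i break-handling interface, in which the system calls the program with the message queue name, its library and the 4-byte key of the message that caused the break, so the program can read that exact message with RCVMSG. The message ID it reacts to, CPF1107 (password not correct for user profile), is an assumed placeholder; replace it with the IDs that matter in your environment.

```cl
/* MYMSGBRK: example break-handling program for Operation mode 9.       */
/* Added illustration; NOT the product's AUMSGBRK. Assumes the standard   */
/* IBM i break-program parameter list: MSGQ, MSGQLIB, MSGKEY.             */
             PGM        PARM(&MSGQ &MSGQLIB &MSGKEY)

             DCL        VAR(&MSGQ)    TYPE(*CHAR) LEN(10)
             DCL        VAR(&MSGQLIB) TYPE(*CHAR) LEN(10)
             DCL        VAR(&MSGKEY)  TYPE(*CHAR) LEN(4)
             DCL        VAR(&MSGID)   TYPE(*CHAR) LEN(7)
             DCL        VAR(&MSG)     TYPE(*CHAR) LEN(512)
             DCL        VAR(&SENDER)  TYPE(*CHAR) LEN(80)
             DCL        VAR(&TEXT)    TYPE(*CHAR) LEN(200)

             /* Read the message that triggered the break by its key.     */
             /* RMV(*NO) leaves it on the queue so the audit trail and    */
             /* any SIEM/data queue forwarding configured above still     */
             /* see it; a break program must not swallow evidence.        */
             RCVMSG     MSGQ(&MSGQLIB/&MSGQ) MSGKEY(&MSGKEY) RMV(*NO) +
                          MSGID(&MSGID) MSG(&MSG) SENDER(&SENDER)
             MONMSG     MSGID(CPF0000) EXEC(GOTO CMDLBL(END))

             /* React only to the IDs of interest; CPF1107 is an assumed  */
             /* placeholder for a password failure. Everything else is    */
             /* ignored so the program returns quickly and the queue     */
             /* keeps flowing.                                            */
             IF         COND(&MSGID *EQ 'CPF1107') THEN(DO)
                CHGVAR  VAR(&TEXT) VALUE('Password failure on queue' +
                          *BCAT &MSGQLIB *TCAT '/' *CAT &MSGQ *TCAT +
                          ': ' *CAT %SST(&MSG 1 150))
                SNDMSG  MSG(&TEXT) TOMSGQ(QSYSOPR)
             ENDDO

 END:        ENDPGM
```

Compile with CRTCLPGM into a library that is on the monitoring job's library list, then name it in the Break program and Library fields instead of *STD. Keep the program short and free of blocking calls: in mode 9 it runs for every message delivered to the queue, and anything slow in it delays delivery of the next message.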
