Create Message Queue Audit Rules
- To define a message queue to monitor, select 1. Control Message Queues/QHST from the Message Queue menu (STRAUD > 14 > 1). The Work with Message Queues screen appears.

```
                          Work with Message Queues
Type options, press Enter.                      Position to . . .
  1=Modify   4=Remove   5=Display messages

                                            Operation           Data    Check
Opt  Msg queue   Library   Group   Active   Mode       Syslog   Queue   Actions
     QHST        QSYS      @9      Y        5          Y        *NONE   Y
     QSYSOPR     *LIBL     @1      Y        9          N        *NONE   Y
                                                                        Bottom
F3=Exit   F6=Add New   F8=Print   F12=Cancel
```
- Select 1=Modify to modify an existing message queue, or press F6 to create a new message queue. The Add Message Queue screen appears.

```
                             Add Message Queue
Message queue . . . . . . . .   QHST      Name, QHST
  Library . . . . . . . . . .   *LIBL     Name, *LIBL
Active definition . . . . . .   Y         A=Auto start, N=No,
                                          Y=Yes, requires manual activation
Operation mode . . . . . . . .            1=Periodic, 5=QHST, 9=Immediate
  For 1, Number of seconds . .  300
  For 9, Break program . . . .  *STD      Name, *STD SMZ4/AUSOURCE AUMSGBRK
         Library . . . . . . .            Name, *LIBL
Send to SIEM . . . . . . . . .  N         Y=Yes, N=No
Send to user Data Queue . . .   *NONE     Name, *NONE
         Library . . . . . .              Name, *LIBL
Check rules & perform Actions.  Y         Y=Yes, N=No                  *NO
  For Check rules, Group Id .   @1        @1, @2, ..., @9=QHST
Duplicates may appear if Action sends to SIEM/Data Queue, selected above.
QHST requires Operation mode 5, Group @9.

F3=Exit   F4=Prompt   F12=Cancel
```
The body of the screen includes these fields:
Message queue/library
The name of the message queue being created or modified, and the library in which it exists.
Active Definition
A = Automatic start at IPL or restart. You can choose this only if the Message Queues (set to start at *IPL) parameter on the Auto Start Activities screen is set to Yes.
Y = Yes. After activating ZAUDIT, you must manually restart the message queue.
N = No
Operation mode
1 = Periodic
5 = Watch. You must use 5 if you are monitoring QHST.
9 = Immediate
Number of seconds
If Operation mode is set to 1, the number of seconds to wait between each application of the rule.
Break program/library
If Operation mode is set to 9, the name and library of the program to use for break handling.
The program source for *STD is SMZ4/AUSOURCE AUMSGBRK.
Send to SIEM
Define how to send the break information to SIEM:
1 = Syslog
2 = SNMP
N = No
Send to user data queue/library
Define the name and library of the data queue to use for break handling.
Check rules & perform Actions
Y = Yes
N = No
For check rules, Group Id
The Group ID for the rule definitions. Use option 11, Message Queue rules, to create or modify the rule definitions. Use the Group ID to group message queues that need similar handling, which reduces the number of rules needed.
- Enter parameters and data as described above, then press Enter. The Filter Conditions screen appears. Filter criteria let you limit the application of real-time detection rules to specific conditions.
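The constraints the Add Message Queue screen states (QHST needs mode 5 and group @9, mode 1 needs an interval, mode 9 needs a break program, A needs the Auto Start setting, rules need a Group Id) are easy to violate when many queues are defined. The following added example is not product code: it models a definition record with assumed field names and flags inconsistent definitions before they are activated, using the two entries from the Work with Message Queues screen plus a constructed faulty one.

```python
from dataclasses import dataclass
from typing import List

@dataclass
class MsgQueueDef:
    """One row of the Work with Message Queues list (field names are assumptions)."""
    queue: str
    library: str
    active: str            # A = auto start at IPL, Y = manual start, N = no
    mode: str              # 1 = periodic, 5 = watch (QHST), 9 = immediate
    seconds: int = 0       # meaningful only for mode 1
    break_pgm: str = ""    # meaningful only for mode 9, e.g. *STD
    send_siem: str = "N"   # 1 = syslog, 2 = SNMP, N = no
    check_rules: str = "N" # Y = apply the rule group, N = no
    group: str = ""        # @1 .. @9; @9 is reserved for QHST

def check_definition(d: MsgQueueDef, autostart_enabled: bool = False) -> List[str]:
    """Return the problems found; an empty list means the definition is consistent.
    autostart_enabled mirrors the Message Queues (start at *IPL) setting in Auto Start Activities."""
    problems = []
    if d.queue.upper() == "QHST":
        if d.mode != "5":
            problems.append("QHST requires Operation mode 5")
        if d.group != "@9":
            problems.append("QHST requires Group @9")
    if d.mode == "1" and d.seconds <= 0:
        problems.append("Operation mode 1 needs a positive number of seconds")
    if d.mode == "9" and not d.break_pgm:
        problems.append("Operation mode 9 needs a break program (for example *STD)")
    if d.active == "A" and not autostart_enabled:
        problems.append("Active=A requires Message Queues set to start at *IPL")
    if d.check_rules == "Y" and not d.group:
        problems.append("Check rules=Y needs a Group Id for the rule definitions")
    if d.check_rules == "Y" and d.send_siem != "N":
        problems.append("warning: rule actions that also send to SIEM may duplicate events")
    return problems

# Constructed sample: the two rows shown on the screen plus one deliberately wrong entry.
SAMPLE_DEFS = [
    MsgQueueDef("QHST", "QSYS", "Y", "5", group="@9"),
    MsgQueueDef("QSYSOPR", "*LIBL", "Y", "9", break_pgm="*STD", check_rules="Y", group="@1"),
    MsgQueueDef("QHST", "QSYS", "A", "9", group="@1"),  # wrong mode, group, no break program
]

def audit(defs: List[MsgQueueDef]) -> dict:
    """Map each queue/library to its list of problems, keeping only faulty entries."""
    report = {}
    for d in defs:
        issues = check_definition(d)
        if issues:
            report[f"{d.queue}/{d.library}"] = issues
    return report

if __name__ == "__main__":
    for key, issues in audit(SAMPLE_DEFS).items():
        print(key, "->", "; ".join(issues))
```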