Analyzing z/OS SYSLOG data

Insight Pack artifacts

The following table lists the configuration artifacts that are provided with the z/OS® SYSLOG Insight Pack for each z/OS SYSLOG file.
Tip: Data sources are not predefined. A user with administrator privileges must define at least one SYSLOG data source type before the application can be used.
Table 1. Insight Pack configuration artifacts

Artifact       Name for SYSLOG
-----------    -------------------------
Splitter       zOS_Syslog-Splitter
               zOS_CICSMsgusr-Splitter
               zOS_Console-splitter

Annotator      zOS_Syslog-Annotator
               zOS_CICSMsgusr-Annotator
               zOS_Console-Annotator

Source type    zOS_Sdsf
               CICSforzOS-MSGUSR
               zOS_Syslog

Collection     zOS_Sdsf-Collection
               zOS_CICSMsgusr-Collection
               zOS_Syslog-Collection

File format for z/OS SYSLOG

z/OS SYSLOG data is stored in a proprietary format and can be retrieved for ingestion in either of the following ways:
  • The log data is retrieved by the z/OS Log Forwarder from the console by using a user exit. It is then formatted in a comma-separated value (CSV) format to be sent to IBM SmartCloud® Analytics - Log Analysis.
  • The log data that is rendered by the System Display and Search Facility (SDSF) can be ingested in batch mode by using the IBM SmartCloud Analytics - Log Analysis Data Collector client.
The following example illustrates the basic layout of the z/OS SYSLOG data that is rendered by SDSF:
M 8000000 SYSL     13237 14:00:20.23 STC04428 00000090  IEF403I FTPD –...
| |       |        |     |           |        |         |       |          
| First   |        |     Time        |        User exit |       |          
| 28      |        |                 |        flags     |       Message text
| routing |        Julian            |                  |                 
| codes   |        date              |                  |                 
|         |                          Console name,      Message ID     
|         System name                jobid, or              
|                                    multi-line ID              
Record type                                                               
and Request type                                                          
If the message is a DB2® message, a DB2 Command prefix might be present, as shown in the following example:
M 8000000 SYSL     13237 14:00:20.23 STC21767 00000294  DSNR031I  :D91A... 
                                                                  |
                                                                  DB2 Command
                                                                  Prefix 
If the message is a CICS® message, an Application ID might be present, as shown in the following example:
N FFFF000 MV20 14071 20:16:14.27 JOB21691 00000090 DFHPA1101  CMAS51 ...
                                                              |
                                                              CICS 
                                                              ApplID
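
The SDSF layout described above can be split into fields before the data is searched or correlated. The following parser is an added example, not part of the Insight Pack or its annotators. It assumes that a two-digit year means 20yy and that the leftmost bit of the routing-code mask represents routing code 1; the names parse_sdsf_line and routing_codes are hypothetical. A DB2 command prefix or CICS ApplID, when present, stays at the start of the message text.

```python
import re
from datetime import datetime, timedelta

# Columns follow the SDSF diagram; spacing is matched loosely because the
# page's own samples use different widths between fields.
SDSF_LINE = re.compile(
    r"^(?P<record_type>\S)(?P<request_type>.)\s*"
    r"(?P<routing>[0-9A-F]{7})\s+(?P<system>\S+)\s+"
    r"(?P<julian>\d{5})\s+(?P<time>\d\d:\d\d:\d\d\.\d\d)\s+"
    r"(?P<source>\S+)\s+"  # console name, jobid, or multi-line ID
    r"(?P<exit_flags>[0-9A-F]{8})\s+(?P<msgid>\S+)\s*(?P<text>.*)$"
)

def routing_codes(mask_hex):
    """Expand the 7-hex-digit mask into routing code numbers (1..28).
    Assumption: the leftmost bit represents routing code 1."""
    bits = format(int(mask_hex, 16), "028b")
    return [n for n, bit in enumerate(bits, start=1) if bit == "1"]

def parse_sdsf_line(line):
    """Return the fields as a dict, or None if the line does not fit the
    layout (continuation lines, corrupt dates) so the caller can count it."""
    m = SDSF_LINE.match(line.rstrip())
    if m is None:
        return None
    rec = m.groupdict()
    yy, ddd = int(rec["julian"][:2]), int(rec["julian"][2:])
    hh, mi, sec = rec["time"].split(":")
    try:
        # Assumption: a two-digit year yy means 20yy.
        ts = datetime(2000 + yy, 1, 1, int(hh), int(mi), int(sec[:2]),
                      int(sec[3:]) * 10000) + timedelta(days=ddd - 1)
    except ValueError:
        return None
    if ts.year != 2000 + yy:  # day 000, or day 366 of a non-leap year
        return None
    rec["timestamp"] = ts
    rec["routing_codes"] = routing_codes(rec["routing"])
    return rec

# The DB2 and CICS sample lines from the page, plus a constructed non-matching line.
SAMPLES = [
    "M 8000000 SYSL     13237 14:00:20.23 STC21767 00000294  DSNR031I  :D91A...",
    "N FFFF000 MV20 14071 20:16:14.27 JOB21691 00000090 DFHPA1101  CMAS51 ...",
    "          continuation text without a header (constructed)",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(parse_sdsf_line(raw) or "unparsed: " + raw)
```

Lines that return None should be counted or kept aside rather than silently dropped, so that gaps in the ingested log remain visible.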

File format for CICS Transaction Server for z/OS MSGUSR job log

The following example illustrates the format of a CICS message in the CICS Transaction Server for z/OS MSGUSR job log:
DFHAP1901 04/04/2014 17:03:25 CMAS01 SPI audit log is available.
|         |                   |      | 
Message   Time stamp          |      Message Text
ID                            APPLID
The CICS messages in the CICS MSGUSR log can have different formats, and the log might include custom application messages.
Example: Assume that your custom application generates messages to be added to the CICS MSGUSR log. When the CICS MSGUSR annotator processes the messages, it has the following behavior:
  • If the messages follow the preceding format with the time stamps, the CICS MSGUSR annotator uses the time stamp for each message.
  • If the messages do not follow the preceding format and do not have time stamps, the CICS MSGUSR annotator assigns the current time as the time stamp for each message.