using PDS monitor to send data to SPLUNK
I was just checking about using PDS monitor to send data to SPLUNK.
I believe I have the rule correct but I am not seeing any data in SPLUNK.
I am not sure but I thought there was a issue sending data to SPLUNK using CEMMON and
I just wanted to verify. Here is what my policy looks like Active Policy Set = SampleMonitor Policy Statement 1: Event = PDS_MONITOR Condition = (PARMLIB=Y || DSN="SYSM.SYSTEMS.PARMLIB") PUUID = a4a9ad58-5fd7-4fdb-9a0f-42943894ec33 Action = EMAIL Policy Statement 2: Event = PDS_MONITOR Condition = LPALIST=Y || LINKLIST=Y || APFLIST=Y PUUID = f6777be1-2f4d-4756-936b-787bcb2b2766 Action = SIEM Action = EMAIL EM Listener MODIFY Command Complete
As far as how the data is getting sent, it does not seem this is the issue. From what the log is telling us, CEMMON is having trouble converting the text to UTF8 to send to Splunk. This is most likely an issue with configuration. What I think we need to verify is that for the Splunk configuration setting you are using in the GUI you have the correct encoding option set that is supported on your system. This encoding option correlates to a Unicode conversion character set that is used when converting the text to send from the mainframe to Splunk. To find the list of supported Unicode conversion character sets, you can issue the following command: DISPLAY UNI,CONV From there, make sure that the selected option in the SIEM configuration setting is available in the output of the DISPLAY command. documentation for the display command can be found here: https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.1.0/com.ibm.zos.v2r1.ieag100/d3uni.htm Once you have the right setting in place, you can cycle CEMMON and it should be able to send after setting the right encoding option.