QRadar Unix syslog layout

The administrator specifies the layout of the alert message for QRadar Unix syslog destinations in the ISPF CARLa skeleton.

You can specify the layout of the alert message for SYSLOG destinations in the )CM QRadar Unix syslog sortlist section. This message format is designed for the zAlert DSM in IBM QRadar SIEM, but can also be processed by other syslog receivers. The following example shows the layout for alert 1204.

)CM QRadar Unix syslog sortlist
)SEL &C2PERCTP = SYSL
)SEL &C2PESECP = RACF
 sortlist,
  recno(nd) '<&C2PEPRIO.>' | datetime(cef_dt,15),
  system 'C2P&c2pemem.',
  '[C2P&C2PEMEM.',
  'onWhatDSNAME="' | dataset(0,firstonly) | '"',
  'onWhatGRANTED="' |  intent(0) | '"',
  'onWhatALLOWED="' | access(0) | '"',
  'onWhatINTENT="' |  intent(0) | '"',
  'whoUSERID="' | userid(0) | '"',
  'whoNAME="' | user:pgmrname(0) | '"',
  'whatACTION="&C2PXNAME"',
  'whatDESC="' | desc(0,explode) | '"',
  'whatJOBNAME="' | jobname(0) | '"',
  'whereSYSTEM="' | system(0) | '"]',
)IM C2PSFMSG
)ENDSEL

Note that there can be no CARLa fields after the )IM command.
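Because the message can be consumed by syslog receivers other than the zAlert DSM, a receiver needs to split the line produced by this sortlist back into its header and named fields. The following parser is an added example, not part of this documentation or of zSecure; it assumes that &C2PEPRIO resolves to a standard syslog priority value (facility*8 + severity), that the timestamp occupies the 15 characters produced by datetime(cef_dt,15), and the sample line and its values are constructed.

```python
import re
from dataclasses import dataclass, field

# A line as emitted by the sortlist: <PRIO>timestamp system C2Pnnnn [C2Pnnnn key="value" ...]
# Assumed: PRIO is the usual syslog priority (facility*8 + severity) and the
# timestamp is the 15-character field produced by datetime(cef_dt,15).
_HEADER = re.compile(
    r"^<(?P<prio>\d{1,3})>(?P<ts>.{15}) (?P<system>\S+) (?P<alert>C2P\w+) "
    r"\[(?P<body>C2P\w+)(?P<pairs>.*)\]"   # greedy: values may contain ']'
)
# The skeleton wraps every value in literal double quotes without escaping, so a
# value that itself contains a quote cannot be parsed unambiguously; the strict
# pattern rejects such a line instead of guessing at field boundaries.
_PAIRS_STRICT = re.compile(r'(?:\s+\w+="[^"]*")*\s*')
_PAIR = re.compile(r'(\w+)="([^"]*)"')


@dataclass
class ZAlert:
    facility: int
    severity: int
    timestamp: str
    system: str
    alert_id: str
    fields: dict = field(default_factory=dict)


def parse_zalert(line: str) -> ZAlert:
    """Parse one QRadar Unix syslog zAlert line into its header and named fields."""
    m = _HEADER.match(line.rstrip("\r\n"))
    if m is None:
        raise ValueError("not a zAlert QRadar Unix syslog line")
    if m.group("alert") != m.group("body"):
        raise ValueError("alert id outside and inside the brackets differ")
    pairs = m.group("pairs")
    if _PAIRS_STRICT.fullmatch(pairs) is None:
        raise ValueError("malformed key/value section (unescaped quote?)")
    prio = int(m.group("prio"))
    return ZAlert(prio // 8, prio % 8, m.group("ts"), m.group("system"),
                  m.group("alert"), dict(_PAIR.findall(pairs)))


# Constructed sample line, not real alert output; all values are placeholders.
SAMPLE = (
    '<13>Jan 12 09:15:42 ZOS1 C2P1204 [C2P1204 onWhatDSNAME="SYS1.PARMLIB" '
    'onWhatGRANTED="READ" onWhatALLOWED="NONE" onWhatINTENT="READ" '
    'whoUSERID="USER01" whoNAME="JANE DOE" whatACTION="EXAMPLE ALERT" '
    'whatDESC="Example [1] description" whatJOBNAME="USER01A" whereSYSTEM="ZOS1"]'
)

if __name__ == "__main__":
    alert = parse_zalert(SAMPLE)
    print(alert.alert_id, alert.fields["whoUSERID"], alert.fields["onWhatDSNAME"])
```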