Contact us for Pricing or Questions:      (888) 682-5335          *We Ship Worldwide

Used IBM Servers | New Power 10 Systems | QRadar SIEM Security

3 minutes reading time (593 words)

SIEM and SYSLOG Forwarding Tutorial

This is the first of a series of short videos on the SIEM and SYSLOG forwarding tool for the AS400 platform… or iSeries IBM i if you prefer.This first session is focused on the configuration or setup needed to start sending your AS400 event logs to your SIEM or SYSLOG server.As you will see, it only takes a couple minutes to setup up.

For those not already aware, this tool converts any AS400 event log source into CEF format with the key value pair data associations so your event log management tool can automatically parse the IBM logs, and it then forwards them. By log source, I mean the different log types that are on the AS400.

I will be using the System's Security Journal (QAUDJRN) for my demonstration, since this data source is what every company wants to send.

*DESTINATION

First: 

You will need to know the:IP Address, Port and Connection Type for your SIEM or SYSLOG Server.

This process is identical for each log source.And, the forwarding destination can be different.Some company's send one log source to one SIEM and another log source to a different tool.

*COLLECTION POLICY

Second:

What log types are we going to forward?By default, the Data Provider will send all event logs for every user, for every data source. For the System Security Journal, that means anything you have defined in your security policy - will be sent.Those familiar with the QAUDJRN, realize this is overkill and probably not the best approach for many reasons, but I do know many companies that use it.If this is the same for you, you can jump to the next.

If you want to only send selected events… you have the ability to send logs that meets your selection criteria, such as Users, User Groups or by other specifics found in the logged event like specific Action Groups, Action Types or similar available fields seen in the event details. Suppressing unwanted noise that the System's Security Journal generates, has many benefits.For one, it puts less stress on your system resources, and will eat up less of your bandwidth.This is not a resource intensive process for the AS400, but if you're sending everything to your SIEM or SYSLOG server, you might get a call from this group every now and then asking what's going on.

*REAL TIME JOB

The fourth and last step in the setup process is to decide how often you want or need to send this log source to your SIEM or SYSLOG server. You have options for "real-time" or "controlled batches" using the scheduler. Since almost every company chooses "real-time", we will start here.Other than the statistics and trace reports, the only options here are to start or stop the job, and change settings.The "change settings" is where I recommend everyone to use "Last Registered Event".This is a safety mechanism for if or when logs can't be sent for any reason… maintenance, communication interruptions, outages, whatever the case… the Data Provider puts a marker on the last event log that got sent successfully, and will pick up where it left off once services resume.This way, no logs get missed going to your SIEM or SYSLOG server. Now, just click on "Start Job", and confirm logs are landing on your SIEM or SYSLOG Server.

For "Controlled Batch" execution.

That concludes this session.Next session will explain all the different types of AS400 event log sources that can be sent, and why they are important.Please contact us with any questions or to start a POC on your system. 

2
10 Facts you need to know about the POWER9 S924 CP...