Since IBM mainframe event logs do not conform to SIEM and SYSLOG industry standards, many IBM z shops are running batch reports and scrapping mainframe event logs manually before forwarding to their SIEM. As a result of this labor intensive process, only a few key event log sources end up being forwarded to the SIEM. With the huge volume of mainframe transactions, many important security event log sources are not getting forwarded to the SIEM: SMF records, RACF, Top Secret, SYSLOG, log4j, SyslogD, RMF, IMS, ACF2, Unix services, DB2, FTP, USS files, SYSOUT, and perhaps some application or other mainframe logs all contain critical security data for a SIEM’s AI and User Behavior Analytics algorithms.
Which IBM z event log sources contain security data a SIEM needs to identify a security breach? There are many event log sources that contain critical security data that a SIEM can use to discover internal and external threats, even simple workstation log-in attempts from one of many SMF record types can help identify a compromised asset or intruder. The number of records written to the SMF files or datasets can be astronomical, and is compounded by the number of vendor products installed. The IBM z/OS can create terabytes of security, operational, historical, diagnostic and like data in SMF daily. Of the 256 SMF record types, roughly 140 are actually used on most z/OS systems. SMF record types 0-127 are for z/OS components, and types 128-255 are used by other vendors to record activity and information related to their products.