The IBM® Information Management System (IMS) DSM for IBM QRadar® allows you to use an IBM mainframe to collect events and audit IMS database transactions.

To integrate IBM IMS events with QRadar, you must download scripts that allow IBM IMS events to be written to a log file.

Overview of the event collection process:

  1. The IBM mainframe records all security events as Service Management Framework (SMF) records in a live repository.
  2. The IBM IMS data is extracted from the live repository using the SMF dump utility. The SMF file contains all of the events and fields from the previous day in raw SMF format.
  3. The qeximsloadlib.trs program pulls data from the SMF formatted file. The qeximsloadlib.trs program only pulls the relevant events and fields for QRadar and writes that information in a condensed format for compatibility. The information is saved in a location accessible by QRadar.
  4. QRadar uses the log file protocol source to retrieve the output file information for QRadar on a scheduled basis. QRadar then imports and processes this file.