Integrate IBM RACF with IBM QRadar by using audit scripts

The IBM® RACF® DSM collects events and audit transactions on the IBM mainframe with the Log File protocol.

QRadar® records all relevant and available information from the event.

Note: zSecure integration is the only integration that provides custom events to the log source. Custom events can be displayed even when you collect events by using the Native QEXRACF integration.

Use the following procedure to integrate the IBM RACF events into QRadar:

  1. The IBM mainframe system records all security events as Service Management Framework (SMF) records in a live repository.
  2. At midnight, the IBM RACF data is extracted from the live repository by using the SMF dump utility. The RACFICE utility IRRADU00 (an IBM utility) creates a log file that contains all of the events and fields from the previous day in an SMF record format.
  3. The QEXRACF program pulls data from the SMF formatted file. The program pulls only the relevant events and fields for QRadar and writes that information in a condensed format for compatibility. The information is also saved in a location accessible by QRadar.
  4. QRadar uses the Log File protocol source to pull the QEXRACF output file and retrieves the information on a scheduled basis. QRadar then imports and process this file.