Integrate IBM RACF with IBM QRadar by using audit scripts
The IBM® RACF® DSM collects events and audit transactions on the IBM mainframe with the Log File protocol.
QRadar® records all relevant and available information from the event.
The following steps describe how IBM RACF events flow from the mainframe into QRadar:
- The IBM mainframe system records all security events as System Management Facilities (SMF) records in a live repository.
- At midnight, the IBM RACF data is extracted from the live repository by using the SMF dump utility. The IRRADU00 utility (the IBM RACF SMF data unload utility, whose output the RACFICE reports also read) creates a log file that contains all of the events and fields from the previous day in the unloaded SMF record format.
- The QEXRACF program reads the unloaded SMF file, keeps only the events and fields that QRadar requires, and writes them in a condensed format that QRadar can parse. The output file is saved in a location that QRadar can access.
- QRadar uses a Log File protocol log source to retrieve the QEXRACF output file on a scheduled basis, then imports and processes it. Schedule the pull to run after the nightly unload and QEXRACF steps have finished; otherwise QRadar retrieves an incomplete or stale file.
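The following is an added example, not IBM code and not the QEXRACF program itself. It models the daily unload, condense and hand-off pipeline described above so that the scheduling and file-handling concerns are concrete: the unload record layout, the set of "relevant" events, the condensed output format and the `qexracf_YYYYMMDD.log` naming are all assumptions made for illustration. The sample unload records are constructed.

```python
"""Added example modelling the nightly RACF-to-QRadar hand-off.
Not IBM code; the record layout, event set and file names are assumptions."""
import os
import tempfile
from datetime import date, timedelta

# Constructed sample of "unloaded" records, one per line. The layout is a
# hypothetical simplification of an IRRADU00-style unload, not the real format:
# event_type  qualifier  date        time      user     resource
SAMPLE_UNLOAD = """\
JOBINIT  SUCCESS  2024-03-01 00:00:05 BATCH01  -
ACCESS   SUCCESS  2024-03-01 08:12:44 USER01   SYS1.PARMLIB
ACCESS   INSUFF   2024-03-01 08:13:02 USER01   SYS1.PARMLIB
JOBINIT  INVPSWD  2024-03-01 09:01:17 USER02   -
DEFINE   SUCCESS  2024-03-01 10:30:00 SECADM   PROD.PAYROLL
JOBINIT  SUCCESS  2024-03-01 11:00:00 USER03   -
"""

# (event, qualifier) pairs the condensing step forwards; an assumed set for this
# example, standing in for whatever QEXRACF selects for the QRadar DSM.
RELEVANT = {("ACCESS", "INSUFF"), ("JOBINIT", "INVPSWD"), ("DEFINE", "SUCCESS")}


def parse_unload(text):
    """Parse constructed unload records into dicts; skip blank or malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        etype, qual, day, tm, user, res = parts
        events.append({"event": etype, "qualifier": qual, "date": day,
                       "time": tm, "user": user, "resource": res})
    return events


def condense(events):
    """Keep only relevant events and emit one pipe-delimited line per event
    (a hypothetical condensed format, not the real QEXRACF output)."""
    lines = []
    for e in events:
        if (e["event"], e["qualifier"]) in RELEVANT:
            lines.append("|".join([e["date"] + "T" + e["time"], e["event"],
                                   e["qualifier"], e["user"], e["resource"]]))
    return lines


def write_daily_file(lines, out_dir, for_day):
    """Write the condensed file atomically, named by the day it covers, so a
    scheduled Log File protocol pull never reads a half-written file and a
    re-run never silently overwrites a different day's data."""
    final = os.path.join(out_dir, f"qexracf_{for_day:%Y%m%d}.log")
    fd, tmp = tempfile.mkstemp(dir=out_dir, prefix=".qexracf_")
    with os.fdopen(fd, "w") as fh:
        fh.write("\n".join(lines) + ("\n" if lines else ""))
    os.replace(tmp, final)  # atomic rename: the file appears complete or not at all
    return final


def ready_for_pull(out_dir, for_day):
    """Pre-pull check: is there a complete, non-empty file for the given day?"""
    path = os.path.join(out_dir, f"qexracf_{for_day:%Y%m%d}.log")
    return os.path.isfile(path) and os.path.getsize(path) > 0


def run_daily(out_dir, today=None, unload_text=SAMPLE_UNLOAD):
    """Previous day's unload -> condense -> dated file; returns (path, count)."""
    today = today or date.today()
    yesterday = today - timedelta(days=1)
    lines = condense(parse_unload(unload_text))
    return write_daily_file(lines, out_dir, yesterday), len(lines)


def demo():
    """Run the pipeline on the constructed sample in a scratch directory."""
    out_dir = tempfile.mkdtemp()
    path, count = run_daily(out_dir, today=date(2024, 3, 2))
    leftovers = [f for f in os.listdir(out_dir) if f.startswith(".qexracf_")]
    return {"file": os.path.basename(path), "count": count,
            "ready_yesterday": ready_for_pull(out_dir, date(2024, 3, 1)),
            "ready_today": ready_for_pull(out_dir, date(2024, 3, 2)),
            "leftover_tmp": leftovers}


if __name__ == "__main__":
    print(demo())
```

The atomic rename and the dated file name are the two details that matter operationally: the Log File protocol pull is time-based, so the only things that stop QRadar from importing a truncated file, or importing the same file twice under one name, are that the file is complete when it becomes visible and that each day's output has a distinct name.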