The IBM® z/OS® DSM collects events from an IBM z/OS® mainframe that uses IBM Security zSecure.
A zSecure process transforms System Management Facilities (SMF) records into Log Event Extended Format (LEEF) events. zSecure can send these events to IBM QRadar® in near real time over the syslog protocol, or QRadar can collect the LEEF event log files by using the Log File protocol and then process them. With the Log File protocol, QRadar collects the files on the polling interval that you define when you configure the log source.
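The following parser is an added example that is not part of this documentation or of the zSecure product. It shows what a collector has to handle when it receives the LEEF events described above over either transport: a LEEF 1.0 event (tab-delimited attributes) that arrives with a syslog header prepended, and LEEF 2.0 events whose header names their own attribute delimiter (a literal character such as `^`, or `xHH` for a hex code point such as `x09`). The header layout follows the published LEEF format; the sample event lines, their event IDs and attribute names (`usrName`, `status`, `resource`, `reason`) are constructed for the example and are assumptions, not the real zSecure LEEF layout.

```python
"""Parse LEEF 1.0/2.0 event lines as a syslog or Log File collector would.

Added example, not IBM or zSecure code. SAMPLE_LOG is constructed; its event
IDs and attribute names are assumptions, not the actual zSecure output.
"""
import re
from typing import Dict, List, Optional

# The LEEF signature can sit mid-line: syslog transport prepends a
# "<PRI>timestamp host " header, the Log File protocol does not.
LEEF_RE = re.compile(r"LEEF:(?P<ver>[12]\.0)\|")
# Split on a pipe that is not escaped as "\|" (LEEF's escape for header fields).
PIPE_RE = re.compile(r"(?<!\\)\|")


def _delimiter(field: Optional[str]) -> str:
    """Resolve the LEEF 2.0 delimiter field; 1.0 and an empty field mean tab."""
    if not field:
        return "\t"
    if len(field) == 3 and field[0] in "xX":
        return chr(int(field[1:], 16))      # "x09" -> tab, "x5e" -> "^"
    if len(field) == 1:
        return field                        # literal single character
    raise ValueError(f"bad LEEF delimiter field: {field!r}")


def parse_leef(line: str) -> Dict[str, object]:
    """Parse one LEEF event line into header fields plus an attribute map."""
    m = LEEF_RE.search(line)
    if not m:
        raise ValueError("no LEEF header in line")
    version = m.group("ver")
    rest = line[m.end():].rstrip("\r\n")
    # Header after the version: vendor|product|product_version|event_id,
    # plus the delimiter field for 2.0. The attribute text is never split
    # on pipes beyond that, so a "|" inside a value survives.
    n_header = 4 if version == "1.0" else 5
    parts = [p.replace(r"\|", "|") for p in PIPE_RE.split(rest, maxsplit=n_header)]
    if len(parts) < 5:
        raise ValueError("truncated LEEF header")
    vendor, product, product_version, event_id = parts[:4]
    if version == "1.0" or len(parts) == 5:
        delim_field, attr_text = None, parts[4]
    else:
        delim_field, attr_text = parts[4], parts[5]
    delim = _delimiter(delim_field)
    attrs: Dict[str, str] = {}
    for token in attr_text.split(delim):
        if not token:
            continue
        key, sep, value = token.partition("=")
        if not sep:
            raise ValueError(f"attribute without '=': {token!r}")
        attrs[key.strip()] = value
    return {
        "prefix": line[: m.start()].strip(),   # syslog header, if any
        "version": version,
        "vendor": vendor,
        "product": product,
        "product_version": product_version,
        "event_id": event_id,
        "attrs": attrs,
    }


def parse_log_file(text: str) -> List[Dict[str, object]]:
    """Parse a downloaded LEEF file, skipping lines that carry no event."""
    return [parse_leef(ln) for ln in text.splitlines() if LEEF_RE.search(ln)]


def failures(events: List[Dict[str, object]]):
    """(event_id, user) for events whose constructed 'status' attribute is FAILURE."""
    return [(e["event_id"], e["attrs"].get("usrName", "?"))
            for e in events if e["attrs"].get("status") == "FAILURE"]


# Constructed sample: one 2.0 event with "^" as delimiter, one 1.0 event that
# arrived via syslog (tab-delimited, with the syslog header still attached),
# one 2.0 event that names tab as "x09", and one non-event line.
SAMPLE_LOG = (
    "LEEF:2.0|IBM|zSecure Audit|2.2.1|LOGON|^|devTime=Mar 09 2021 14:02:31"
    "^usrName=TSOUSR1^src=10.0.0.5^status=SUCCESS\n"
    "<13>Mar 09 14:02:40 MVS1 LEEF:1.0|IBM|zSecure Audit|2.2.1|LOGON|"
    "devTime=Mar 09 2021 14:02:40\tusrName=TSOUSR2\tstatus=FAILURE\treason=INVALID PASSWORD\n"
    "LEEF:2.0|IBM|zSecure Audit|2.2.1|DATASET_ACCESS|x09|devTime=Mar 09 2021 14:03:05"
    "\tusrName=TSOUSR2\tresource=SYS1.PARMLIB\tstatus=FAILURE\n"
    "# not an event line\n"
)

if __name__ == "__main__":
    evs = parse_log_file(SAMPLE_LOG)
    for e in evs:
        print(e["version"], e["event_id"], e["attrs"])
    print("failures:", failures(evs))
```

The parser deliberately caps the pipe split at the header, because an attribute value such as a JCL parameter string can legitimately contain `|`; splitting the whole line on pipes, a common shortcut, silently drops attributes. When QRadar's Log File protocol hands over a whole file rather than single syslog messages, `parse_log_file` skips non-event lines instead of failing the entire file.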
To collect IBM z/OS events, complete the following steps:
- Verify that your installation meets any prerequisite installation requirements. For more information about prerequisite requirements, see the IBM Security zSecure Suite 2.2.1 Prerequisites (http://www.ibm.com/support/knowledgecenter/en/SS2RWS_2.2.1/com.ibm.zsecure.doc_2.2.0/installation/prereqs_qradar.html) .
- Configure your IBM z/OS image to write events in LEEF format. For more information, see the IBM Security zSecure Suite: CARLa-Driven Components Installation and Deployment Guide (http://www.ibm.com/support/knowledgecenter/en/SS2RWS_2.2.1/com.ibm.zsecure.doc_2.2.0/installation/setup_data_prep_qradar.html).
- Create a log source in QRadar for IBM z/OS.
- To create a custom event property for IBM z/OS in QRadar, see the IBM Security Custom Event Properties for IBM z/OS technical note (http://public.dhe.ibm.com/software/security/products/qradar/documents/71MR1/SIEM/TechNotes/IBM_zOS_CustomEventProperties.pdf).
Before you begin
Before you can configure the data collection process, you must complete the basic zSecure installation and the post-installation activities that create and modify the configuration.
The following prerequisites are required:
- You must ensure parmlib member IFAPRDxx is enabled for IBM Security zSecure Audit on your z/OS image.
- The SCKRLOAD library must be APF-authorized.
- If you are using the direct SMF INMEM real-time interface, you must have the necessary software installed (APAR OA49263) and set up the SMFPRMxx member to include the INMEM keyword and parameters. If you decide to use the CDP interface, you must also have CDP installed and running. For more information, see the IBM Security zSecure Suite 2.2.1: Procedure for near real-time (http://www.ibm.com/support/knowledgecenter/en/SS2RWS_2.2.1/com.ibm.zsecure.doc_2.2.0/installation/smf_proc_real_time_qradar.html).
- You must configure a process to periodically refresh your CKFREEZE and UNLOAD data sets.
- If you are using the Log File protocol method, you must configure an SFTP, FTP, or SCP server on your z/OS image from which QRadar can download your LEEF event files.
- If you are using the Log File protocol method, you must allow SFTP, FTP, or SCP traffic on firewalls that are located between QRadar and your z/OS image.
For instructions on installing and configuring zSecure, see the IBM Security zSecure Suite: CARLa-Driven Components Installation and Deployment Guide (https://www-01.ibm.com/servers/resourcelink/svc00100.nsf/pages/zSecureV240sc275638?OpenDocument).