IBM SAN Volume Controller
The IBM QRadar DSM for IBM® SAN Volume Controller collects events from IBM SAN Volume Controller.
Important: This DSM supports only the Cloud Auditing Data Federation (CADF) event format, which covers the monitoring and protection events for cloud account creation, update and removal, and the cloud backup activity events, from IBM SAN Volume Controller.
The following table describes the specifications for the IBM SAN Volume Controller DSM:
Specification | Value |
---|---|
Manufacturer | IBM |
DSM name | IBM SAN Volume Controller |
RPM file name | DSM-IBMSANVolumeController-QRadar_version-build_number.noarch.rpm |
Supported versions | N/A |
Protocol | Syslog |
Event format | CADF |
Recorded event types | activity, control, and monitor audit events |
Automatically discovered? | Yes |
Includes identity? | No |
Includes custom properties? | No |
More information | IBM SAN Volume Controller website (http://www-03.ibm.com/systems/storage/software/virtualization/svc/) |
To integrate IBM SAN Volume Controller with QRadar, complete the following steps:
- If automatic updates are not enabled, download and install the most recent version of the following RPMs from the IBM Support Website, in the order that they are listed, on your QRadar Console:
  - DSMCommon RPM
  - IBM SAN Volume Controller DSM RPM
- Configure your IBM SAN Volume Controller server to send syslog events to QRadar.
- If QRadar does not automatically detect the log source, add an IBM SAN Volume Controller log source on the QRadar Console. The following table describes the parameters that require specific values for IBM SAN Volume Controller event collection:
Table 2. IBM SAN Volume Controller log source parameters

Parameter | Value |
---|---|
Log Source type | IBM SAN Volume Controller |
Protocol Configuration | Syslog |
Log Source Identifier | The IP address or host name of the IBM SAN Volume Controller server. |

- To verify that QRadar is configured correctly, review the following table to see an example of a parsed event message.

Important: Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.

The following table shows a sample event message for IBM SAN Volume Controller:

Table 3. IBM SAN Volume Controller sample message

Event name | Low level category | Sample log message |
---|---|---|
Backup Successful | Backup Activity Succeeded | `Oct 12 20:02:33 Cluster_<IP_address> IBM2145: {"typeURI": "http://example.com/cloud/audit/1.0/event","eventTime": "2016-10-12T20:02:30.000000+0000","target": {"typeURI": "service/storage/object","id": "0","name": "username"},"observer": {"typeURI": "service/network/cluster/logger","id": "10032004394","name": "username"},"tags": ["Backup"],"eventType": "activity","measurements": [{"metric": {"metricId": "www.example.com/svc/Cloud/Backup_Time/0000000000/000/0","name": "Time of backup being copied or restored","unit": "YYMMDDHHMMSS"},"result": "2016/10/12/20/02/30"},{"metric": {"metricId": "www.example.com/svc/Cloud/Backup_Generation_Number/0000000000/000/0","name": "Volume backup generation number","unit": "Natural Number"},"result": "1"}],"initiator": {"typeURI": "service/network/node","host": {"address": "<IP_address>"},"attachments": [{"content":"6005076400C8010E5000000000000000","typeURI": "text/plain","name": "volume_uuid"}],"name": "username","id": "1"},"reason": {"reasonCode": "200","reasonType": "http://www.example.com/assignments/http-status-codes/http-status-codes.xml"},"action": "backup","outcome": "success","id": "xxxxxxxxxxx-xxxxxxxxxx-xxx"}` |
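As an added example that is not part of the IBM documentation or of QRadar's own parser, the following Python function reads a syslog line in the Table 3 format, strips the carriage return and line feed characters the note above warns about, and pulls out the CADF fields a log source maps: the event name and low-level category (from `action` and `outcome`), the initiator address, the reason code, the `volume_uuid` attachment and the measurements. The header regex, the `EVENT_MAP` table (built from the single pair the page documents) and the `SAMPLE_LINE` constant are assumptions.

```python
import json
import re

# Constructed sample in the Table 3 format (placeholders kept as on the page); not a captured device message.
SAMPLE_LINE = (
    'Oct 12 20:02:33 Cluster_<IP_address> IBM2145: {"typeURI": "http://example.com/cloud/audit/1.0/event",'
    '"eventTime": "2016-10-12T20:02:30.000000+0000","target": {"typeURI": "service/storage/object","id": "0","name": "username"},'
    '"observer": {"typeURI": "service/network/cluster/logger","id": "10032004394","name": "username"},"tags": ["Backup"],'
    '"eventType": "activity","measurements": [{"metric": {"metricId": "www.example.com/svc/Cloud/Backup_Time/0000000000/000/0",'
    '"name": "Time of backup being copied or restored","unit": "YYMMDDHHMMSS"},"result": "2016/10/12/20/02/30"},'
    '{"metric": {"metricId": "www.example.com/svc/Cloud/Backup_Generation_Number/0000000000/000/0",'
    '"name": "Volume backup generation number","unit": "Natural Number"},"result": "1"}],'
    '"initiator": {"typeURI": "service/network/node","host": {"address": "<IP_address>"},'
    '"attachments": [{"content":"6005076400C8010E5000000000000000","typeURI": "text/plain","name": "volume_uuid"}],'
    '"name": "username","id": "1"},"reason": {"reasonCode": "200",'
    '"reasonType": "http://www.example.com/assignments/http-status-codes/http-status-codes.xml"},'
    '"action": "backup","outcome": "success","id": "xxxxxxxxxxx-xxxxxxxxxx-xxx"}'
)

# Syslog header as shown on the page: "<Mon DD HH:MM:SS> <host> IBM2145: <CADF JSON>" (assumed pattern).
HEADER_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+IBM2145:\s*(?P<body>\{.*\})\s*$")

# The only (action, outcome) -> (event name, low-level category) pair the page documents; others stay unmapped.
EVENT_MAP = {("backup", "success"): ("Backup Successful", "Backup Activity Succeeded")}


def parse_svc_cadf(line: str) -> dict:
    """Parse one IBM SAN Volume Controller CADF syslog line into the fields a log source would map."""
    # Pasted samples pick up CR/LF characters (see the Important note); drop them before matching.
    line = line.replace("\r", "").replace("\n", "")
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not an IBM2145 CADF syslog line")
    ev = json.loads(m.group("body"))
    action, outcome = ev.get("action", "unknown"), ev.get("outcome", "unknown")
    name, category = EVENT_MAP.get((action, outcome), (f"{action} {outcome}".title(), "Unmapped"))
    initiator = ev.get("initiator", {})
    attachments = {a.get("name"): a.get("content") for a in initiator.get("attachments", [])}
    measurements = {mm["metric"]["name"]: mm.get("result") for mm in ev.get("measurements", []) if "metric" in mm}
    return {
        "event_name": name,
        "low_level_category": category,
        "event_time": ev.get("eventTime"),
        "syslog_host": m.group("host"),
        "source_address": initiator.get("host", {}).get("address"),
        "reason_code": ev.get("reason", {}).get("reasonCode"),
        "volume_uuid": attachments.get("volume_uuid"),
        "measurements": measurements,
        "cadf_id": ev.get("id"),
    }
```

A line that is not an `IBM2145:` CADF message raises `ValueError`, which is the case to watch for when the log source was created manually with the wrong type.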