IBM SAN Volume Controller

The IBM QRadar DSM for IBM® SAN Volume Controller collects audit events from IBM SAN Volume Controller.

Important: This DSM supports only the Cloud Auditing Data Federation (CADF) event format. The CADF events from IBM SAN Volume Controller cover monitoring and protection of cloud accounts (cloud account creation, update, and removal) and cloud backup activity. Events sent in any other format are not parsed by this DSM.
The following table describes the specifications for the IBM SAN Volume Controller DSM:
Table 1. IBM SAN Volume Controller DSM specifications
Specification                Value
Manufacturer                 IBM
DSM name                     IBM SAN Volume Controller
RPM file name                DSM-IBMSANVolumeController-QRadar_version-build_number.noarch.rpm
Supported versions           N/A
Protocol                     Syslog
Event format                 CADF
Recorded event types         activity, control, and monitor audit events
Automatically discovered?    Yes
Includes identity?           No
Includes custom properties?  No
More information             IBM SAN Volume Controller website (http://www-03.ibm.com/systems/storage/software/virtualization/svc/)
To integrate IBM SAN Volume Controller with QRadar, complete the following steps:
  1. If automatic updates are not enabled, download and install the most recent version of the following RPMs from the IBM Support Website, in the order that they are listed, on your QRadar Console:
    • DSMCommon RPM
    • IBM SAN Volume Controller DSM RPM
  2. Configure your IBM SAN Volume Controller server to send syslog events to QRadar.
  3. If QRadar does not automatically detect the log source, add an IBM SAN Volume Controller log source on the QRadar Console. The following table describes the parameters that require specific values for IBM SAN Volume Controller event collection:
    Table 2. IBM SAN Volume Controller log source parameters
    Parameter               Value
    Log Source type         IBM SAN Volume Controller
    Protocol Configuration  Syslog
    Log Source Identifier   The IP address or host name of the IBM SAN Volume Controller server.
  4. To verify that QRadar is configured correctly, review the following table to see an example of a parsed event message.
    Important: The page layout can wrap the sample message. If you copy it, paste it into a text editor first and remove any carriage return or line feed characters before you use it.
    The following table shows a sample event message for IBM SAN Volume Controller:
    Table 3. IBM SAN Volume Controller sample message
    Event name          Backup Successful
    Low level category  Backup Activity Succeeded
    Sample log message  Oct 12 20:02:33 Cluster_<IP_address> IBM2145: {"typeURI": "http://example.com/cloud/audit/1.0/event","eventTime": "2016-10-12T20:02:30.000000+0000","target": {"typeURI": "service/storage/object","id": "0","name": "username"},"observer": {"typeURI": "service/network/cluster/logger","id": "10032004394","name": "username"},"tags": ["Backup"],"eventType": "activity","measurements": [{"metric": {"metricId": "www.example.com/svc/Cloud/Backup_Time/0000000000/000/0","name": "Time of backup being copied or restored","unit": "YYMMDDHHMMSS"},"result": "2016/10/12/20/02/30"},{"metric": {"metricId": "www.example.com/svc/Cloud/Backup_Generation_Number/0000000000/000/0","name": "Volume backup generation number","unit": "Natural Number"},"result": "1"}],"initiator": {"typeURI": "service/network/node","host": {"address": "<IP_address>"},"attachments": [{"content":"6005076400C8010E5000000000000000","typeURI": "text/plain","name": "volume_uuid"}],"name": "username","id": "1"},"reason": {"reasonCode": "200","reasonType": "http://www.example.com/assignments/http-status-codes/http-status-codes.xml"},"action": "backup","outcome": "success","id": "xxxxxxxxxxx-xxxxxxxxxx-xxx"}
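The following Python script is an added example for checking, outside QRadar, what the cluster's CADF syslog messages contain before you compare them with the parsed event. It is not code from the QRadar DSM or from IBM. It splits the syslog header ("<timestamp> Cluster_<address> IBM2145:") from the CADF JSON body, strips the carriage return and line feed characters that step 4 warns about, rejects messages whose eventType is not one of the recorded types (activity, control, monitor), and flattens the fields an analyst wants: action, outcome, reason code, initiator address, volume_uuid attachment, and measurements. The sample lines are constructed from the Table 3 message with the <IP_address> placeholders replaced by documentation addresses; the failed-backup sample, and the mapping of (action, outcome) pairs to an event name and low level category beyond the one row shown in Table 3, are assumptions for illustration only.

```python
"""Parse IBM SAN Volume Controller CADF audit events received over syslog.

Added example, not code from the QRadar DSM. The event-name mapping and the
failed-backup sample are assumptions; the success sample is the Table 3
message with constructed addresses.
"""
import json
import re

# Syslog header the cluster prepends: "<Mon dd HH:MM:SS> Cluster_<addr> IBM2145: <json>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) IBM2145: (?P<json>\{.*\})$"
)

# Event types the DSM records (Table 1, "Recorded event types").
CADF_EVENT_TYPES = {"activity", "control", "monitor"}

# Assumed mapping from (action, outcome) to a QRadar event name and low level
# category. The first entry is the row shown in Table 3; the second is a
# hypothetical counterpart for a failed backup, not taken from the DSM.
EVENT_MAP = {
    ("backup", "success"): ("Backup Successful", "Backup Activity Succeeded"),
    ("backup", "failure"): ("Backup Failed", "Backup Activity Failed"),
}

# Constructed sample: the Table 3 message with <IP_address> replaced by
# RFC 5737 documentation addresses and a CR/LF pair inserted between two JSON
# members, as happens when the message is copied from a rendered page.
SAMPLE_LINE = (
    'Oct 12 20:02:33 Cluster_192.0.2.10 IBM2145: {"typeURI": "http://example.com/cloud/audit/1.0/event",'
    '"eventTime": "2016-10-12T20:02:30.000000+0000",'
    '"target": {"typeURI": "service/storage/object","id": "0","name": "username"},'
    '"observer": {"typeURI": "service/network/cluster/logger","id": "10032004394","name": "username"},'
    '"tags": ["Backup"],"eventType": "activity",\r\n'
    '"measurements": [{"metric": {"metricId": "www.example.com/svc/Cloud/Backup_Time/0000000000/000/0",'
    '"name": "Time of backup being copied or restored","unit": "YYMMDDHHMMSS"},"result": "2016/10/12/20/02/30"},'
    '{"metric": {"metricId": "www.example.com/svc/Cloud/Backup_Generation_Number/0000000000/000/0",'
    '"name": "Volume backup generation number","unit": "Natural Number"},"result": "1"}],'
    '"initiator": {"typeURI": "service/network/node","host": {"address": "192.0.2.11"},'
    '"attachments": [{"content":"6005076400C8010E5000000000000000","typeURI": "text/plain","name": "volume_uuid"}],'
    '"name": "username","id": "1"},'
    '"reason": {"reasonCode": "200","reasonType": "http://www.example.com/assignments/http-status-codes/http-status-codes.xml"},'
    '"action": "backup","outcome": "success","id": "xxxxxxxxxxx-xxxxxxxxxx-xxx"}'
)

# Constructed failure case (hypothetical, not on the page): same shape, CADF
# outcome "failure" and an HTTP-style reason code of 500.
FAILED_LINE = (
    'Oct 12 21:15:07 Cluster_192.0.2.10 IBM2145: {"typeURI": "http://example.com/cloud/audit/1.0/event",'
    '"eventTime": "2016-10-12T21:15:05.000000+0000","eventType": "activity","tags": ["Backup"],'
    '"initiator": {"typeURI": "service/network/node","host": {"address": "192.0.2.11"},'
    '"attachments": [{"content":"6005076400C8010E5000000000000001","typeURI": "text/plain","name": "volume_uuid"}],'
    '"name": "username","id": "1"},'
    '"reason": {"reasonCode": "500","reasonType": "http://www.example.com/assignments/http-status-codes/http-status-codes.xml"},'
    '"action": "backup","outcome": "failure","id": "yyyyyyyyyyy-yyyyyyyyyy-yyy"}'
)


def normalize(line):
    """Drop CR/LF characters so a pasted multi-line message parses as one line."""
    return line.replace("\r", "").replace("\n", "")


def is_svc_cadf_line(line):
    """True if the line carries the IBM2145 syslog header and a JSON body."""
    return SYSLOG_RE.match(normalize(line)) is not None


def parse_svc_cadf(line):
    """Split the syslog header from the CADF JSON and flatten the useful fields.

    Raises ValueError for lines that are not CADF events from the cluster or
    whose eventType the DSM does not record.
    """
    m = SYSLOG_RE.match(normalize(line))
    if m is None:
        raise ValueError("not an IBM2145 syslog line")
    event = json.loads(m.group("json"))
    if event.get("eventType") not in CADF_EVENT_TYPES:
        raise ValueError("unsupported CADF eventType: %r" % event.get("eventType"))
    initiator = event.get("initiator", {})
    attachments = {a["name"]: a["content"] for a in initiator.get("attachments", [])}
    return {
        "syslog_time": m.group("ts"),
        "syslog_host": m.group("host"),
        "event_time": event["eventTime"],
        "event_type": event["eventType"],
        "tags": event.get("tags", []),
        "action": event["action"],
        "outcome": event["outcome"],
        "reason_code": event.get("reason", {}).get("reasonCode"),
        "initiator_address": initiator.get("host", {}).get("address"),
        "volume_uuid": attachments.get("volume_uuid"),
        "measurements": {mm["metric"]["name"]: mm["result"] for mm in event.get("measurements", [])},
        "cadf_id": event["id"],
    }


def classify(parsed):
    """Map a parsed event to (event name, low level category).

    Unknown action/outcome pairs get a generic label instead of being dropped,
    so unmapped CADF events still show up for review.
    """
    fallback = ("Unknown CADF %s" % parsed["event_type"], "Unknown")
    return EVENT_MAP.get((parsed["action"], parsed["outcome"]), fallback)


if __name__ == "__main__":
    for line in (SAMPLE_LINE, FAILED_LINE):
        p = parse_svc_cadf(line)
        name, category = classify(p)
        print(name, "|", category, "|", p["initiator_address"], "|", p["volume_uuid"], "|", p["reason_code"])
```

Run the script against a message captured from your own cluster (for example from the QRadar log source's raw payload) to confirm that the header really is "IBM2145:" followed by a single JSON object and that eventType is one of the recorded types; a message that fails parse_svc_cadf here will not be parsed as a CADF event by the DSM either.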