Data preparation for QRadar SIEM

You can use zSecure™ to make z/OS event data available for QRadar® SIEM.

For QRadar SIEM, a z/OS image contains a number of Log Sources: for z/OS itself and for RACF, ACF2, or Top Secret. In addition, if DB2 and CICS are active on your z/OS image, the image also contains Log Sources for these products. On the z/OS image, you must set up a zSecure process to transform SMF records into the Log Event Enhanced Format (LEEF) that QRadar expects.

There are two modes of operation for a 'full' enriched SMF feed: near real-time (sent using the UNIX syslog protocol), and by FTP file polling. Near real-time works better with the QRadar dashboard but also incurs more overhead during peak periods. FTP file polling allows you to postpone processing to a less busy time. In file polling mode, Device Support Modules (DSMs) on QRadar SIEM retrieve these LEEF files, according to a schedule that is configured on the QRadar console. For near real-time mode, the DSMs must be configured to accept syslog traffic. The 'full' near real-time SMF feed can be collected by zSecure in two ways: directly by using SMF INMEM facility, or through the System Data Engine (SDE) of IBM Common Data Provider for z Systems (CDP).

You can also send alerts generated by zSecure Alert to QRadar SIEM. The alerts can be based on SMF or on other sources (for example based on the detection of system changes). Alerts are transferred near real-time to QRadar SIEM and are not dependent on any configured schedule. In zSecure Alert, specify the UNIX syslog format, and specify QRadar SIEM as the recipient. For more information about zSecure Alert, see the IBM® Security zSecure Alert: User Reference Manual.