Data preparation for SIEM
You can use zSecure to make z/OS® event data available for SIEM applications such as IBM® QRadar® SIEM or Micro Focus ArcSight.
The zSecure Adapters for SIEM transform SMF records into a text format that the SIEM application can process, and adds information into these events that help the SIEM application interpret the data. This process is designed to produce an audit trail of z/OS events by copying large quantities of SMF records to the SIEM application. This function is also available in zSecure Audit.
There are two modes of operation for this 'full' enriched SMF feed: near real-time (sent using the UNIX syslog protocol), and by FTP file polling. Near real-time works better with real-time SIEM processing but also incurs more overhead during peak periods. FTP file polling allows you to postpone processing to a less busy time. In file polling mode, the SIEM application retrieves these text files according to a schedule that is configured on the SIEM console. For near real-time mode, the SIEM application must be configured to accept syslog traffic. The 'full' near real-time SMF feed can be collected by zSecure in two ways: directly by using SMF INMEM facility or using the zSecure SMF collector (CKQEXSMF).
You can also send alerts generated by zSecure Alert to the SIEM application. The alerts can be based on SMF or on other sources (for example based on the detection of system changes). Alerts are transferred near real-time to the SIEM application and are not dependent on any configured schedule. In zSecure Alert, specify the UNIX syslog format, and specify QRadar Unix syslog or ArcSight CEF via syslog as the recipient. For more information about zSecure Alert, see the IBM Security zSecure Alert: User Reference Manual.