Automatically generate and send enriched SMF audit records
Sends over 40 IBM® System z® SMF record types. Examples include: SMF 30 and 80 records for IBM Resource Access Control Facility (RACF®) events such as logons, RACF commands, and successful and failed access to resources and data sets; SMF 230 from CA-ACF2 and SMF 80 as written by Top Secret; SMF 102 generated by IBM DB2® through the AUDIT options specified for the subsystem; and SMF 110 subtype 1 generated by IBM CICS® for logging of CICS transactions.
Gather additional SMF record types sent from IBM z/OS
Collects and formats additional SMF record types generated by IBM z/OS® and its subsystems, such as SMF 14, 15, 18 and 19 for data set access, SMF 42 for PDS member updates and deletes, SMF 92 for UNIX file activity, and SMF 118 or 119 for FTP, Telnet and other TCP/IP activity, as well as records for pervasive encryption, MFA and many other events.
Send data in near real-time to QRadar Security Intelligence
Gathers and analyzes critical security information from the active IBM z/OS system, with the option to send that information in near real-time to QRadar Security Intelligence to support comprehensive reporting.
Add enriched audit information about the user and resource
Data can include: all RACF commands issued by users with the system SPECIAL attribute; all logons by users with the system OPERATIONS attribute; all logons by users with superuser privilege; all updates to APF data sets; all members updated in parmlib data sets; and security events that are not logged by RACF.
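The selection rules listed above, applied as detection logic over a handful of constructed events. This is an added example and not the product's own code: the events are written in LEEF 2.0 syntax (the event format QRadar ingests), but the event IDs (RACF_COMMAND, LOGON, DATASET_UPDATE), attribute names (usrName, usrAttr, uid, dsn, member), and the APF and parmlib data set lists are assumptions made for this illustration, not the adapter's documented field names.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample data: which data sets count as APF-authorized or as parmlib
# libraries. A real check would take these from the system's PROGxx/LNKLST
# definitions rather than a hard-coded set.
APF_DATASETS = {"SYS1.LINKLIB", "SYS1.LPALIB"}
PARMLIB_DATASETS = {"SYS1.PARMLIB"}

# Constructed sample events in LEEF 2.0 syntax. Event IDs and attribute names
# are assumed for this example; they are not the adapter's documented fields.
SAMPLE_EVENTS = [
    "LEEF:2.0|IBM|zSecure Audit|2.2.1|RACF_COMMAND|x09|usrName=SECADM1\tusrAttr=SPECIAL\tcmd=ALTUSER JDOE SPECIAL",
    "LEEF:2.0|IBM|zSecure Audit|2.2.1|RACF_COMMAND|x09|usrName=HELPDSK\tusrAttr=\tcmd=LISTUSER JDOE",
    "LEEF:2.0|IBM|zSecure Audit|2.2.1|LOGON|x09|usrName=OPER1\tusrAttr=OPERATIONS\tresult=SUCCESS",
    "LEEF:2.0|IBM|zSecure Audit|2.2.1|LOGON|x09|usrName=JDOE\tusrAttr=\tresult=SUCCESS",
    "LEEF:2.0|IBM|zSecure Audit|2.2.1|LOGON|x09|usrName=UNIXADM\tusrAttr=\tuid=0\tresult=SUCCESS",
    "LEEF:2.0|IBM|zSecure Audit|2.2.1|DATASET_UPDATE|x09|usrName=SYSPROG\tdsn=SYS1.LINKLIB\tmember=IEFBR14",
    "LEEF:2.0|IBM|zSecure Audit|2.2.1|DATASET_UPDATE|x09|usrName=SYSPROG\tdsn=SYS1.PARMLIB\tmember=PROGXX",
    "LEEF:2.0|IBM|zSecure Audit|2.2.1|DATASET_UPDATE|x09|usrName=JDOE\tdsn=JDOE.PRIVATE.DATA\tmember=",
]


def parse_leef(line: str) -> Tuple[str, Dict[str, str]]:
    """Parse one LEEF 2.0 line into (event_id, attributes).

    Header layout: LEEF:2.0|Vendor|Product|Version|EventID|Delimiter|attrs
    The delimiter field is either a literal character or 'xHH' (hex code of
    the separator, e.g. x09 for tab).
    """
    parts = line.split("|", 6)
    if len(parts) != 7 or not parts[0].startswith("LEEF:2.0"):
        raise ValueError(f"not a LEEF 2.0 record: {line[:40]!r}")
    _, _vendor, _product, _version, event_id, delim, attrs = parts
    if re.fullmatch(r"x[0-9A-Fa-f]{2}", delim):
        delim = chr(int(delim[1:], 16))
    fields: Dict[str, str] = {}
    for pair in attrs.split(delim):
        if "=" in pair:
            key, value = pair.split("=", 1)
            fields[key] = value
    return event_id, fields


def privileged_reasons(event_id: str, f: Dict[str, str]) -> List[str]:
    """Return the selection rules from the feature list that this event matches."""
    attrs = {a for a in f.get("usrAttr", "").split(",") if a}
    reasons: List[str] = []
    if event_id == "RACF_COMMAND" and "SPECIAL" in attrs:
        reasons.append("RACF command issued by system SPECIAL user")
    if event_id == "LOGON" and "OPERATIONS" in attrs:
        reasons.append("logon by system OPERATIONS user")
    if event_id == "LOGON" and f.get("uid") == "0":
        reasons.append("logon by user with superuser privilege (UID 0)")
    if event_id == "DATASET_UPDATE" and f.get("dsn") in APF_DATASETS:
        reasons.append("update to APF-authorized data set")
    if event_id == "DATASET_UPDATE" and f.get("dsn") in PARMLIB_DATASETS and f.get("member"):
        reasons.append(f"parmlib member {f['member']} updated")
    return reasons


def select_privileged(lines: List[str]) -> List[Tuple[str, str, List[str]]]:
    """Keep only events that match at least one rule, with user, event ID and reasons."""
    selected = []
    for line in lines:
        event_id, fields = parse_leef(line)
        reasons = privileged_reasons(event_id, fields)
        if reasons:
            selected.append((fields.get("usrName", "?"), event_id, reasons))
    return selected


if __name__ == "__main__":
    for user, event_id, reasons in select_privileged(SAMPLE_EVENTS):
        print(f"{user:<8} {event_id:<15} {'; '.join(reasons)}")
```

Of the eight constructed events, five are selected: the SPECIAL user's ALTUSER command, the OPERATIONS and UID 0 logons, the SYS1.LINKLIB update and the SYS1.PARMLIB member update. The help-desk LISTUSER, the ordinary logon and the update to a private data set are dropped, which is the point of the enrichment: the user's attributes and the resource's classification, not just the raw SMF record type, decide what is worth forwarding.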
Offers multiple collections in a day
It can also be configured to send events in batches, once per configurable interval.
Scalable for big data systems
V2.2.1 allows storage above the 2 GB boundary ("the bar") to be used so that more data can be processed. Note that using more virtual memory can have implications for paging and real storage needs; it also frees up storage below the bar for other programs. On models z196 or higher, 64-bit addressing is activated automatically, though reverting to 31-bit addressing remains an option. You can select the program to run using the SE.0 (SETUP RUN) option.