Question & Answer
QRadar supports event collection from IBM i (AS/400 iSeries) appliances. Here are the most commonly asked integration questions for the AS/400 iSeries DSM.
- Does the AJLIB file just create a scheduled export job?
- Does the AJLIB file make any changes to the audit settings? If no, then what are the recommended audit settings?
- We noticed the script runs as 'qsecoffr' which is like a root account that no process should run under, are there implications of changing the permissions on the files to another user without such privileges?
- Does the ajlib.savf create any directories on my IBM i?
- Where do the audit files reside?
- Is there a full list of entries supported by the audit journal?
- Does QRadar support real-time event collection from IBM i?
- The DSM guide states that the setup function sets a default start date and time (8am of the current day) for data collection from the Audit Journal, can this start time be customized?
- Does the script need to be executed manually every day? If so, how frequently should the script be executed? Is there a way to automate this?
- I am trying to configure the AJLIB file, but receiving errors. Is there an installation step I might be missing?
Does the AJLIB file just create a scheduled export job?
No. Disk is at a premium on AS/400 (iSeries) systems. When the script is run, AJLIB creates an output file of events and can either FTP or SFTP the event information to a destination in one step. The script then updates the time interval for the next time the script needs to be run to collect events. If the system fails to upload the event log using FTP or SFTP, the script deletes the output file but does not update the time interval. This ensures that when the script is run during the next interval, the collection process grabs all of the events and does not miss any. In the case of a failure, the script ensures that events from the previously failed attempt, plus the newest events, are written to the event log and the system will attempt to resend the events to QRadar.
Does the AJLIB file make any changes to the audit settings? If no, then what are the recommended audit settings?
No, when installed the AJLIB script does not make any changes to the default audit configuration. IBM has recommendations for auditing they call DFTSET (or default set). These are not altered when the script is installed.
We noticed the script runs as 'qsecoffr' which is like a root account that no process should run under, are there implications of changing the permissions on the files to another user without such privileges?
This would depend more on how your system is set up. We read from the audit journal, create a formatted output file, then attempt to send the output file to a remote destination to be processed by QRadar. If any of those processes are prevented for the user who is running the script, that is a configuration issue that would need to be reviewed by the AS/400 iSeries administrator. There is no way for us to be sure which user is configured on your system to read from the audit journal on your AS/400, but it is probably NOT an unprivileged user.
Does the ajlib.savf create any directories on my IBM i?
No. After the AJLIB library has been restored on the IBM i, the complete application is self-contained in the AJLIB library.
Where do the audit files reside?
The Audit Journal records that are collected by the system are kept in journal files. The location of these is determined by the IBM i administrator when they configured the auditing function. The audit journal records are copied into the AJLIB library for processing when the application is executed. The application does not remove the journal records from the Audit Journal files.
Is there a full list of entries supported by the audit journal?
Yes, a full list as well as the entry-specific values of the audit journal library are defined in the following documents:
Does QRadar support real-time event collection from IBM i?
The AJLIB support does not include real-time transfer of logs. Administrators can configure their IBM i system to push the event log to a QRadar system, or QRadar can retrieve the event log from either the IBM i itself or a third-party host. QRadar requires the Log File protocol to import and process the event log regardless of the source of the event log. The minimum polling interval for the Log File protocol is 15 minutes. This means that the fastest QRadar can import event logs from an AS/400 iSeries system is in 15-minute intervals.
Are events stored locally on the AS/400 iSeries? If so, will storing the events locally impact performance in any way?
The events are stored in the system audit journal. When AJLIB is run, the data in the audit journal is converted into an output file of single-line events that can be easily processed by QRadar. Administrators have the option to configure SFTP or FTP to send the output file to a destination to free up space on the IBM i system. The system audit journal should be handled normally; however, the administrator must ensure that the journal receivers are not deleted before they are needed by the AJLIB script.
A recent enhancement to the AJLIB file allows administrators to select LOCAL. This option keeps the audit journal output on the local system.
The DSM guide states that the setup function sets a default start date and time (8am of the current day) for data collection from the Audit Journal, can this start time be customized?
The default start date and time is only used for the initial run of the AJLIB script, or after the DATETIME command is executed. In normal operation, AJLIB sends all of the entries after the last successful transfer based on the sequence number.
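The two answers above describe the same checkpointing rule: AJLIB sends every entry after the last successful transfer, keyed on the journal sequence number, and a failed FTP/SFTP upload discards the output file without advancing that checkpoint. The following model of that loop is an added example, not code from AJLIB or IBM; the AuditEntry data, the Collector class and the flaky uploader are all constructed here to show that a failed run loses nothing and a later run delivers each event exactly once.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Set, Tuple


@dataclass
class AuditEntry:
    seq: int          # journal sequence number, monotonically increasing
    entry_type: str   # constructed sample types, e.g. "PW", "AF", "CP"
    text: str


@dataclass
class Collector:
    journal: List[AuditEntry]
    upload: Callable[[List[str]], bool]      # True when the transfer succeeded
    last_sent_seq: int = 0                   # checkpoint; 0 means initial run
    outbox: List[List[str]] = field(default_factory=list)  # batches QRadar got

    def run(self) -> int:
        """One scheduled run; returns how many events were delivered."""
        batch = [e for e in self.journal if e.seq > self.last_sent_seq]
        if not batch:
            return 0
        # One line per journal record, as the Log File protocol expects.
        lines = [f"{e.seq}|{e.entry_type}|{e.text}" for e in batch]
        if self.upload(lines):
            self.last_sent_seq = batch[-1].seq   # advance only on success
            self.outbox.append(lines)
            return len(lines)
        # Failed transfer: output discarded, checkpoint untouched, so the
        # next run re-collects these entries together with any newer ones.
        return 0


def simulate(fail_on_attempts: Set[int]) -> Tuple[List[int], List[int], int]:
    """Three runs over a growing journal; the listed upload attempts fail."""
    journal = [AuditEntry(1, "PW", "password failure for USERA (constructed)"),
               AuditEntry(2, "AF", "authority failure on PAYLIB (constructed)")]
    attempts = {"n": 0}

    def flaky_upload(lines: List[str]) -> bool:
        attempts["n"] += 1
        return attempts["n"] not in fail_on_attempts

    c = Collector(journal, flaky_upload)
    delivered = [c.run()]                                   # run 1
    journal.append(AuditEntry(3, "CP", "profile changed (constructed)"))
    delivered.append(c.run())                               # run 2
    delivered.append(c.run())                               # run 3: nothing new
    received = [int(l.split("|")[0]) for b in c.outbox for l in b]
    return delivered, received, c.last_sent_seq
```

With no failures the runs deliver 2, 1 and 0 events; when the first upload fails, the second run delivers all three, and in both cases QRadar receives sequence numbers 1, 2, 3 exactly once.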
Does the script need to be executed manually every day? If so, how frequently should the script be executed? Is there a way to automate this?
The AJLIB script can be run at intervals appropriate for the customer, using standard IBM i job scheduling tools to automate the frequency with which events are collected and processed on your AS/400 iSeries system.
I am trying to configure the AJLIB file, but receiving errors. Is there an installation step I might be missing?
When installing the AJLIB file, the IFS directory must be restored. The following command must be run to restore the directory:
RST DEV('/qsys.lib/ajlib.lib/ajifs.file') OBJ(('/ajlib'))
Note: The RST of the IFS directory does not reset the AJLIB library; it creates the necessary directory for data transfers in addition to restoring the components needed for SFTP support.
Where do I find more information?
10 May 2019