Question & Answer
Question
Answer
The IBM RACF scripts were designed to pull in very basic data. The following are the RACF fields that the QEXRACF script creates and that QRadar reads.
Identifier - Each line begins with the string IBMRACF
Delimiter - Pipe character
Action and Reason Codes - The action and reason codes are joined by an underline (action_reason) into a single field
Example: ADDSD_SUCCESS or, for multiple fields, ADDSD_INSUFFICENT_AUTH
Date Format - Year-month-day hour:minute:second. Example: 2009-01-30 23:59:59
Username - The username should consistently be in the fourth field. Whatever is in that field is treated as the username.
Development work on qexracf_bundled.tar.gz was stopped in 2011. For pulling in z/OS information, it is now recommended to use IBM Security zSecure.
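An added example, not part of the original IBM document or the QEXRACF script: a Python check that a line matches the format described above before it is forwarded to QRadar. The page gives positions only for the identifier and the username, so the date and action_reason fields are located by shape; the sample lines, their field order, and the names check_line and audit are assumptions made for illustration.

```python
import re
from datetime import datetime

DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}$")
ACTION_RE = re.compile(r"^[A-Z][A-Z0-9]*(?:_[A-Z0-9]+)+$")  # action_reason

# Constructed sample lines; the order of fields 2, 3 and 5 is an assumption.
SAMPLE_LINES = [
    "IBMRACF|2009-01-30 23:59:59|ADDSD_SUCCESS|JSMITH|SYS1.PARMLIB",
    "IBMRACF|2009-02-30 23:59:59|ADDSD_INSUFFICENT_AUTH||DATASET.X",
    "RACF|2009-01-30 23:59:59|ADDSD_SUCCESS|JSMITH|SYS1.PARMLIB",
]


def check_line(line):
    """Return (record, problems) for one pipe-delimited IBMRACF line."""
    problems = []
    if not line.startswith("IBMRACF"):
        problems.append("line does not begin with IBMRACF")
    fields = [f.strip() for f in line.rstrip("\r\n").split("|")]
    # Whatever sits in the fourth field (index 3) is treated as the username.
    user = fields[3] if len(fields) > 3 else ""
    if not user:
        problems.append("fourth field (username) is missing or empty")
    # Look for date and action_reason by shape, skipping identifier and user.
    others = [f for i, f in enumerate(fields) if i not in (0, 3)]
    stamp = next((f for f in others if DATE_RE.match(f)), None)
    when = None
    if stamp is None:
        problems.append("no field in 'YYYY-MM-DD HH:MM:SS' format")
    else:
        try:
            when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        except ValueError:
            problems.append("date field is not a real date/time: " + stamp)
    action = next((f for f in others if ACTION_RE.match(f)), None)
    if action is None:
        problems.append("no action_reason field")
    return {"user": user, "time": when, "action_reason": action}, problems


def audit(lines):
    """Return [(line_number, problems)] for every line that fails a check."""
    results = ((n, check_line(l)[1]) for n, l in enumerate(lines, start=1))
    return [(n, p) for n, p in results if p]


if __name__ == "__main__":
    for number, problems in audit(SAMPLE_LINES):
        print(number, "; ".join(problems))
```

A line with an empty fourth field would otherwise be ingested with no user attribution, so it is worth catching such lines before they reach the SIEM.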
Document Information
Modified date:
15 February 2024
UID
ibm17118461