IBM Support

QRadar: What information is extracted when using just the qexracf_bundled.tar.gz?

Question & Answer
Question

QRadar: What information is extracted when using just the qexracf_bundled.tar.gz, which is discussed here?

Answer

The qexracf_bundled.tar.gz bundle extracts z/OS events in LEEF format.

The IBM RACF scripts were designed to pull in only very basic data. The following describes the fields that the QEXRACF script creates and that QRadar reads in:

Identifier - Each line begins with the string IBMRACF

Delimiter - Pipe character

Action and Reason Codes - The action code and the reason code are joined by an underline (action_reason) into a single field

Ex. ADDSD_SUCCESS, or, when the reason code itself consists of several words, ADDSD_INSUFFICENT_AUTH

Date Format - Year-month-day hour:minute:second Ex. 2009-01-30 23:59:59

Username - The username should consistently be in the fourth field; whatever is in that field is treated as the user name.
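A small parser for the field layout described above, added here as an illustration and not part of the IBM bundle or the QEXRACF script. The order of the fields after the identifier (date, then action_reason, then username) is an assumption, since the page only fixes the username to the fourth field, and the sample lines are constructed.

```python
from dataclasses import dataclass
from datetime import datetime

PREFIX = "IBMRACF"              # every QEXRACF line starts with this identifier
DATE_FMT = "%Y-%m-%d %H:%M:%S"  # Year-month-day hour:minute:second

@dataclass
class RacfEvent:
    timestamp: datetime
    action: str
    reason: str
    username: str

def parse_racf_line(line):
    """Parse one pipe-delimited QEXRACF line; return None if it is malformed."""
    fields = line.rstrip("\r\n").split("|")
    # The username is always expected in field four, so fewer fields is an error.
    if len(fields) < 4 or fields[0] != PREFIX:
        return None
    try:
        timestamp = datetime.strptime(fields[1], DATE_FMT)
    except ValueError:
        return None
    # Split action_reason at the first underline so INSUFFICENT_AUTH stays whole.
    action, sep, reason = fields[2].partition("_")
    if not (sep and action and reason):
        return None
    username = fields[3].strip()
    return RacfEvent(timestamp, action, reason, username) if username else None

def count_failures_by_user(lines, failure_reason="INSUFFICENT_AUTH"):
    """Per-user count of parsed events whose reason code equals failure_reason."""
    counts = {}
    for line in lines:
        ev = parse_racf_line(line)
        if ev is not None and ev.reason == failure_reason:
            counts[ev.username] = counts.get(ev.username, 0) + 1
    return counts

# Constructed sample lines (not real QEXRACF output). Field order after the
# identifier is assumed here: date | action_reason | username | further fields.
SAMPLE_LINES = [
    "IBMRACF|2009-01-30 23:59:59|ADDSD_SUCCESS|ALICE|SYS1.PARMLIB",
    "IBMRACF|2009-01-30 23:59:59|ADDSD_INSUFFICENT_AUTH|BOB|SYS1.PARMLIB",
    "IBMRACF|2009-01-31 00:00:07|ALTUSER_INSUFFICENT_AUTH|BOB|CAROL",
    "OTHER|2009-01-30 23:59:59|ADDSD_SUCCESS|ALICE",    # wrong identifier
    "IBMRACF|30/01/2009|ADDSD_SUCCESS|ALICE",           # wrong date format
    "IBMRACF|2009-01-30 23:59:59|ADDSD_SUCCESS",        # username field missing
]
```

Lines that do not carry the IBMRACF identifier, the documented date format, an action_reason pair and a fourth field are rejected rather than half-parsed, which is the behaviour you want in front of a SIEM.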

Development work on qexracf_bundled.tar.gz was stopped in 2011. For pulling in z/OS information, it is now recommended to use IBM Security zSecure.


Document Information

Modified date:
15 February 2024

UID

ibm17118461