How To
Summary
You can use zSecure to make z/OS event data available for SIEM applications such as IBM QRadar SIEM or Micro Focus ArcSight.
The zSecure Adapters for SIEM transform SMF records into a text format that the SIEM application can process, and add information to these events that helps the SIEM application interpret the data. This process is designed to produce an audit trail of z/OS events by copying large quantities of SMF records to the SIEM application. This function is also available in zSecure Audit.
There are two modes of operation for this 'full' enriched SMF feed: near real-time (sent using the UNIX syslog protocol), and FTP file polling. Near real-time works better with real-time SIEM processing but also incurs more overhead during peak periods. FTP file polling allows you to postpone processing to a less busy time. In file polling mode, the SIEM application retrieves these text files according to a schedule that is configured on the SIEM console. For near real-time mode, the SIEM application must be configured to accept syslog traffic. The 'full' near real-time SMF feed can be collected by zSecure in two ways: directly by using the SMF INMEM facility, or by using the zSecure SMF collector (CKQEXSMF).
The following flowchart and accompanying text guide you through the steps required to implement your chosen option for providing enriched SMF audit data to your SIEM.
This technote references only QRadar, but the LEEF data stream from CKQRADAR is also well suited for Splunk. The zSecure documentation references both QRadar and ArcSight.
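The near real-time mode above delivers LEEF events over syslog, and the receiving side has to strip the syslog header and split the LEEF header and attributes before the SIEM can use them. The following is an added example, not code from the technote or from zSecure: it parses one syslog line carrying a LEEF 1.0 or 2.0 event. The sample line, its CKQRADAR syslog tag, and the attribute values are constructed for illustration and do not reproduce zSecure's real field set.

```python
import re

# Constructed sample (not real zSecure output): an RFC 3164 syslog line whose
# message is a LEEF 2.0 event using '^' as the attribute delimiter.
SAMPLE_SYSLOG = (
    "<14>Nov 23 10:15:02 MVSA CKQRADAR: LEEF:2.0|IBM|zSecure|1.0|RACF_LOGON|^|"
    "devTime=Nov 23 2023 10:15:01^usrName=USER01^src=10.1.2.3^cat=Logon^result=Success"
)

# PRI in angle brackets, then any syslog header text, then the LEEF payload.
SYSLOG_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<header>.*?)(?P<leef>LEEF:.*)$", re.DOTALL)


def _delimiter(spec: str) -> str:
    """LEEF 2.0 delimiter field: a literal character or a hex code such as x09 / 0x09."""
    if not spec:
        return "\t"
    if re.fullmatch(r"0?x[0-9A-Fa-f]{1,4}", spec):
        return chr(int(spec.split("x", 1)[1], 16))
    return spec


def parse_leef(line: str) -> dict:
    """Strip the syslog PRI and header, then split a LEEF 1.0 or 2.0 event into a dict."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a LEEF-over-syslog line")
    pri = int(m.group("pri"))
    # LEEF:ver|Vendor|Product|Version|EventID|[delim|]attrs
    fields = m.group("leef").split("|", 5)
    if len(fields) < 6:
        raise ValueError("truncated LEEF header")
    version = fields[0].split(":", 1)[1]
    rest = fields[5]
    # LEEF 2.0 may carry an explicit delimiter field; if it is absent, the
    # first '|'-separated piece is already an attribute (it contains '=').
    if version.startswith("2") and "=" not in rest.split("|", 1)[0]:
        delim_spec, _, attrs = rest.partition("|")
        delim = _delimiter(delim_spec)
    else:
        attrs, delim = rest, "\t"   # LEEF 1.0 always uses a tab
    parsed = {}
    for pair in attrs.split(delim):
        if "=" in pair:
            key, value = pair.split("=", 1)
            parsed[key.strip()] = value.strip()
    return {"facility": pri >> 3, "severity": pri & 7, "leef_version": version,
            "vendor": fields[1], "product": fields[2], "product_version": fields[3],
            "event_id": fields[4], "attrs": parsed}
```

A syslog listener feeding `parse_leef` one message at a time is enough to inspect the feed before pointing it at the SIEM, for instance to confirm that the delimiter and event IDs arrive intact.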
Document Location
Worldwide
Document Information
Modified date:
23 November 2023
UID
ibm11117131