By Robert MacAdams on Thursday, 24 January 2019
Category: Uncategorized

IBM z SIEM and SYSLOG Forwarding Considerations

The IBM z mainframe system remains the workhorse for most of the largest and most successful companies in the world, maintaining both mission critical legacy software applications and new workloads. In the scope of sensitive data and security, IBM z/OS protects the company's crown jewels for good reason, but it has a plethora of system and security event log sources that must be monitored and forwarded to a SIEM like IBM QRadar, AlienVault, Exabeam or a managed SIEM, or to a SYSLOG server like Splunk.


Since IBM mainframe event logs do not conform to SIEM and SYSLOG industry standards, many IBM z shops are running batch reports and scraping mainframe event logs manually before forwarding them to their SIEM. As a result of this labor intensive process, only a few key event log sources end up being forwarded to the SIEM. With the huge volume of mainframe transactions, many important security event log sources never reach the SIEM: SMF records, RACF, Top Secret, SYSLOG, log4j, SyslogD, RMF, IMS, ACF2, Unix System Services, DB2, FTP, USS files, SYSOUT, and perhaps some application or other mainframe logs all contain critical security data for a SIEM's AI and User Behavior Analytics algorithms.

Which IBM z event log sources contain security data a SIEM needs to identify a security breach? There are many event log sources that contain critical security data a SIEM can use to discover internal and external threats; even simple workstation log-in attempts, recorded in one of many SMF record types, can help identify a compromised asset or an intruder. The number of records written to the SMF files or datasets can be astronomical, and is compounded by the number of vendor products installed. IBM z/OS can create terabytes of security, operational, historical, diagnostic and similar data in SMF daily. Of the 256 SMF record types, roughly 140 are actually used on most z/OS systems. SMF record types 0-127 are for z/OS components, and types 128-255 are used by other vendors to record activity and information related to their products.

Record types used by vendors are a bit like the wild west, but the IBM z has control over what is enabled and recorded for each record type written to SMF datasets. If vendor product data is recorded, it can log and forward user activity, security breaches, system performance, and other critical information to your SIEM. The fields in each SMF record are written in a variety of data formats (EBCDIC text, bit flags, binary and hexadecimal values, packed decimal dates, etc.), all of which are unique to the IBM mainframe. Making sense of and parsing these fields within a record is a cumbersome and complicated task, especially when the result must be forwarded to another platform or SIEM that expects an entirely different format. To make matters worse, record layouts can change when subsystem or application changes occur. The same can be said when IBM releases z/OS updates or adds a new processor family, which can change the order and contents of fields. The mechanism or software you use for forwarding z/OS SMF data to your SIEM must be able to identify these record and field format changes so the security data being sent is usable and accurate.
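To make the field-format problem concrete, here is an added example (not code from the post or from any product it describes) that parses the standard SMF record header and rewrites it as an RFC 5424 syslog line. It relies on the documented header layout: a big-endian halfword length, a segment descriptor, a flag byte whose 0x40 bit says the record carries a subtype, the one-byte record type, the time of day in hundredths of a second, the date as packed decimal `0cyydddF`, and the EBCDIC system and subsystem IDs. The sample record, the `smf@32473` structured-data ID (32473 is the RFC 5424 example enterprise number) and the facility/severity choice are constructed assumptions for illustration; a real forwarder would go on to decode the type-specific body, which is where most layout drift between releases shows up.

```python
import struct
from datetime import date, timedelta

# Types 0-127 belong to z/OS components, 128-255 to vendor products.
IBM_TYPE_MAX = 127
SMF_FLAG_SUBTYPE = 0x40          # bit 1 of the flag byte: subtype field present
MIN_HEADER = 18                  # header without subsystem ID / subtype
MIN_HEADER_SUBTYPE = 24          # header with subsystem ID and subtype


def decode_ebcdic(raw: bytes) -> str:
    """Mainframe text fields are EBCDIC (code page 037), blank padded."""
    return raw.decode("cp037").strip()


def decode_packed_date(raw: bytes) -> date:
    """SMF dates are packed decimal 0cyydddF: c = century (0 -> 19xx, 1 -> 20xx),
    yy = year, ddd = day of year, F = sign nibble."""
    digits = raw.hex()
    if len(digits) != 8 or digits[-1] not in "cf":
        raise ValueError(f"bad packed date {digits}")
    century, yy, ddd = int(digits[1]), int(digits[2:4]), int(digits[4:7])
    return date(1900 + 100 * century + yy, 1, 1) + timedelta(days=ddd - 1)


def decode_time(raw: bytes) -> str:
    """Time of day is a binary count of hundredths of a second since midnight."""
    hundredths = struct.unpack(">I", raw)[0]
    seconds, cs = divmod(hundredths, 100)
    h, rem = divmod(seconds, 3600)
    m, s = divmod(rem, 60)
    return f"{h:02d}:{m:02d}:{s:02d}.{cs:02d}"


def classify_record_type(rtype: int) -> str:
    return "zos" if rtype <= IBM_TYPE_MAX else "vendor"


def parse_smf_header(record: bytes) -> dict:
    """Parse the common SMF header; raise on length/format inconsistencies
    rather than emitting a half-decoded event."""
    if len(record) < MIN_HEADER:
        raise ValueError("record shorter than SMF header")
    length, _segment, flag, rtype = struct.unpack(">HHBB", record[:6])
    if length != len(record):
        raise ValueError(f"length field {length} != record size {len(record)}")
    hdr = {
        "record_type": rtype,
        "origin": classify_record_type(rtype),
        "time": decode_time(record[6:10]),
        "date": decode_packed_date(record[10:14]),
        "system_id": decode_ebcdic(record[14:18]),
        "subsystem_id": None,
        "subtype": None,
    }
    if flag & SMF_FLAG_SUBTYPE:
        if len(record) < MIN_HEADER_SUBTYPE:
            raise ValueError("subtype flag set but header truncated")
        hdr["subsystem_id"] = decode_ebcdic(record[18:22])
        hdr["subtype"] = struct.unpack(">H", record[22:24])[0]
    return hdr


def to_syslog(hdr: dict, facility: int = 4, severity: int = 6) -> str:
    """Render the header as an RFC 5424 line (facility 4 = auth, severity 6 = info)."""
    pri = facility * 8 + severity
    ts = f"{hdr['date'].isoformat()}T{hdr['time']}Z"
    sd = (f'[smf@32473 type="{hdr["record_type"]}" subtype="{hdr["subtype"]}" '
          f'sid="{hdr["system_id"]}" ssi="{hdr["subsystem_id"]}" origin="{hdr["origin"]}"]')
    return f"<{pri}>1 {ts} {hdr['system_id']} smf - {hdr['record_type']} {sd} SMF header"


# Constructed sample (not a captured record): type 80 subtype 2, 13:45:30.00 on
# 2019-01-24, system SYS1, subsystem RACF. Length 24 matches the bytes below.
SAMPLE_RECORD = (
    b"\x00\x18" b"\x00\x00" b"\x5e" b"\x50"
    + b"\x00\x4b\x93\xa8"          # 4,953,000 hundredths = 13:45:30.00
    + b"\x01\x19\x02\x4f"          # 0cyydddF -> 2019 day 024
    + b"\xe2\xe8\xe2\xf1"          # 'SYS1' in EBCDIC
    + b"\xd9\xc1\xc3\xc6"          # 'RACF' in EBCDIC
    + b"\x00\x02"                  # subtype 2
)

if __name__ == "__main__":
    print(to_syslog(parse_smf_header(SAMPLE_RECORD)))
```

The length check and the subtype-flag check are the two places a forwarder catches layout drift early: a record whose stated length disagrees with its size, or whose flag byte promises a field that is not there, should be rejected and counted, not silently mapped onto the old field offsets.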

The complexities around extracting IBM mainframe logs accurately, efficiently and with precision are vast, but without these event logs your SIEM has no way to confirm that the IBM z was involved in an attack or which assets or resources have been compromised. For instance, password violations and denied access attempts captured by RACF, TSO account activity, FTP authentications and file analysis, the IBM z database DB2, SYSLOG and log4j for web applications, and IP traffic analysis are all event log sources with different field formats that likely contain very important security data and should be forwarded to your SIEM for analysis, alerts and escalation.

Suppressing unwanted data and enriching event logs will both provide significant benefits, but will require a significant amount of technical engineering and maintenance. We have barely touched on the many variables and technical hurdles involved in SMF record types, but the few described clearly illustrate the need for an advanced, feature rich SIEM forwarding solution that can manage any and all IBM z data source types for a variety of SIEM, SYSLOG or other platform target formats. Is there a single IBM z SIEM SYSLOG forwarding tool capable of extracting and formatting all the mainframe event log sources that your SIEM needs to identify and respond to a security breach? Yes, there is. Contact us to schedule a demonstration and have all your questions answered.