Configuring the IBM i to forward security and system event logs to QRadar SIEM can be done a few different ways, but in order to do it correctly; in LEEF format, in real-time, with GID and enriched event log information, you need an IBM i event log forwarding tool designed for the QRadar SIEM. There are IBM i security event log forwarding tools that can be used for QRadar that will send event logs in real-time and in CEF SYSLOG format, and even a couple that support LEEF, but only one includes QRadar QID for mapping, log enrichment and is on DSM support list. These features are important for QRadar's automatic log source discovery, parsing IBM i event logs properly for offenses, alerts and reports, and so that SOC operators can make sense of the logs. Similarly, all the IBM z Mainframe event log sources also require a forwarding tool that is able to format all the unique event log types and designed specifically for IBM QRadar.
The IBM i has many different event log sources, of which most SYSLOG and SIEM forwarding tools can only format and send System Audit (QAUDJRN) and Message Queues like QHST. However, most companies will also need to forward other event log types for compliance and audit requirements, like sensitive database access logs for File Integrity Monitoring (FIM), Network, SQL Statements, Open Source protocols, Privileged Access Management (PAM) events, Port usage, and Commands issued from a workstation. Other logs sources that companies also sometimes forward are web application logs, third party application and performance data, but these log sources are not typically required.
Before choosing your method or tool to forward your IBM i event logs to QRadar, first identity which event types need to be sent based on your compliance or audit requirements. Then, identify the solutions capable of formatting and forwarding those IBM i log sources correctly. Another important specification for IBM i QRadar integration, is the solutions ability to send all event details, not just certain fields and data the vendor or freeware deemed important. Sending security events to a SOC or SIEM are mostly likely going to be very time sensitive, so make sure the solution has a real-time or near real-time forwarding capability. Many IBM i and SIEM teams are interested in filtering or suppressing non-essential logs on the host, prior to forwarding to QRadar to both minimize the noise, effects on system resources and ongoing costs. If you have systems or LPARs that span across multiple time zones, it may also be important to the SOC team to send Coordinated Universal Time (UTC) data in the event details. Ability to enrich event logs can add a lot of value to security teams when trying to peace together a puzzle.
IBM i Event Log Sources
QAUDJRN – system security jouranal, which may require editing system and user audit settings to capture event types required by compliance or auditor.
Database – sensitive and important journals (DB2 database files) contain logs of user access and changes.
Exit Programs – user and application logs accessing system over the network and exit points, such as FTP, ODBC, JDBC, RMTSQL, RMTCMD, Pass-Through, Telnet, and many other application servers.
Network Commands – any commands issued over TCP/IP the system journal is not capturing an audit trail of or able to associate a User ID or IP Address.
SQL Statements – user audit of interactive SQL, QSHELL database functions and embedded SQL usage.
Open Source – users accessing the system through modern applications and lesser known protocols, such as JSON, Node.js, Python, Ruby, Open Query and XCOM.
Insecure Ports – ports not intended to be in listening mode and used for specific applications and communications, such as FTP instead of SFTP or FTPS, or Telnet instead of Secure Telnet (SSL).
Socket Exit Programs – log activity of secure protocols not audited by system.
Privilege Access Management (PAM) – event logs of users performing Profile Swap, Adopted Authorities and similar elevated authority events requiring special authorities to access or change sensitive data, programs, auditing, etc.
Multi-Factor Authentication (MFA) – environments using MFA for sensitive system or data access and changes that invoke a MFA process.
Static data – User profile information, system values, authorities, object and IFS properties
QHST message queue – history log of system, subsystems and jobs, including traces and message queues.
Note: Above log sources are listed in order based on typical importance, likely impact or relevance to protecting IBM i data and system integrity, and may be required for compliance or recommended by auditors to be incorporated into your SOC or SIEM.
Contact us to watch a demo or request a POC of the IBM I event log forwarding tool designed for QRadar. Other use cases for the IBM i Event Log Forwarder include SIEM, SYSLOG Server, CDC, Big Data Analytics, ITOA, SOC, Elastic and other ETL tools that require JSON, CEF, or user defined formats.