SIEM Support
SIEM can transmit up to 1000 lines per second. Message alerts contain detailed event information about application data changes, deletions or readings of objects and files, emergency changes in user authorities, detection of IFS viruses, malicious network access to the IBM i, and more.
This feature sends events from the IBM i different Audit entry types to a remote SYSLOG server according to a range of severities such as emergencies, alerts, critical, error, warning and more.
If Send SYSLOG messages is set to Yes in the SIEM definitions, the product will automatically send all events according to the Severity range to auto send parameter (list below); the message structure parameter is used to set the format of the message.
Select 30. Main Control from the iSecurity/BaseSystem Configuration screen (STRJR > 81). The Main Control for SIEM screen appears.
| Main Control for SIEM 15/04/25 12:50:56 Send SYSLOG Messages to SIEM SIEM 1: QRADAR . . . . . . N Y=Yes, N=No SIEM 2: monitor . . . . . . Y Y=Yes, N=No SIEM 3: VICTORPC . . . . . . N Y=Yes, N=No Skip info if SIEM is inactive . N Y=Yes, N=No Y is recommended, unless it is the only operation. N delays processing until SIEM is reenabled. If the number of messages is extremely high, you may add SIEM processors by: ADDAJE JOB(JRxxxn) SBSD(SMZTMPC/ZJOURNAL) JOBD(SMZTMPC/JRSYSLOG) where xxx=Characters, n=SIEM ID To include data field changes, append -FIELDS to each SIEM type. Note: Re-activate subsystem after changes. F3=Exit F12=Cancel |
Send SYSLOG Messages to SIEM
Specify whether the SIEM server is active or not.
Skip info if SIEM is inactive
Y = Yes – Recommended, unless it is the only operation
N = No - Delays processing until SIEM is re-enabled.
To define SIEM definitions, select 31. SIEM 1, 32. SIEM 2, 33. SIEM 3 as appropriate from the iSecurity/BaseSystem Configuration screen (STRJR > 81). The SIEM Definitions screen appears.
| SIEM1 Definitions 15/04/25 13:04:23 SIEM 1 name . . . . . . . . . . QRADAR Port: 514 SYSLOG type . . . . . . . . . . 1 1=UDP, 2=TCP, 3=TLS Destination address . . . . . . 1.1.1.111 "Facility" to use . . . . . . . 22 Local use 6 (Local6) "Severity" range to auto send . 0 - 7 Emergency - Debug Note: SNDSYSLOG command is not controlled by Severity Range setting. Msg structure or *LEEF, *CEF... *CEF-SPLUNK-FIELDS *LEEF, *CEF, *CEF-SPLUNK, *SUMO-token Add -FIELDS/-CHANGES for all/chgd fields -or- mix text and variables (e.g. User=&9): &1=Header+Fields &2=Header &4=System &5=Module &6=IP &7=Entry type &8=Host name &9=User &H=Hour &M=Minute &S=Second &X=Time &d=Day in month &m=Month (mm) &y=Year (yy) &x=Date &a/&A=Weekday (abbr/full) &b/&B=Month name (abbr/full) Convert data to CCSID . . . . . 1208 0=Default, 65535=No conversion Maximum length . . . . . . . . 9800 128-9800 Note: Re-activate subsystem after changes. F3=Exit F12=Cancel |
SIEM name
Enter a short name for the SIEM, e.g., SPLUNK, QRADAR, etc.
Syslog type
1 = UDP (send and forget)
2 = TCP (verify receiver before sending, slower)
3 = TLS (verify receiver before sending, encrypted and slower)
Destination address
Enter the IP address of the SIEM server.
Facility to use
Specify the facility based on the SIEM's requirements. For IBM i, it is usually set to "22."
Severity range to auto send
Severities range from 0 (Emergency) to 7 (Debug). Specify which severity levels you want to send to the SIEM.
Msg structure
You can define a pre-existing format or create your own message structure. Predefined formats include *LEEF, *CEF, *CEF-SPLUNK, and *SUMO-token. You can add more as needed.
Convert data to CCSID
If requested by the SIEM department, specify the desired CCSID.
Maximum length
You can specify the maximum length of a message, which can range from 128 to 9800 characters.
To generate SNMP traps, select 35. SNMP Definitions from the iSecurity/BaseSystem Configuration screen (STRJR > 81). The SNMP Definitions screen appears. Type choices and press Enter.