Connecting your IBM i systems to Security Information and Event Management (SIEM) systems

Introduction

Establishing a centralized logging system is essential for detecting security breaches, building correlations between events that are reported from different sources in a network, and providing alerts when monitored events are reported. Many companies have already, or are in the process of implementing a central Security Information and Event Management (SIEM) solution, such as IBM® QRadar®.

The advantage of the SIEM solutions is the real-time monitoring and alerting based on configured rules for events that are received from sources such as servers, applications, routers, firewalls, and so on.

This article describes how to connect IBM i systems to SIEM systems.

Prerequisites

Prerequisites include a system running the IBM i operating system and a SIEM solution.

IBM i log sources

The IBM i operating environment provides many options for logging security-related events and data, such as:

  • Audit journal
  • Data journals
  • Integrated file system (IFS) log files
  • Message queues
  • History log

Each logging mechanism has different ways of interrogating the collected log entries, and each entry is stored in a different format. This makes it very difficult to correlate events from different places in the IBM i environment. Data would need to be transferred to a SIEM server in order to be stored and analyzed in a unified approach. While IBM i provides comprehensive logging capabilities, it lacks the functionality of sending events in a standardized format to a central logging server.

Enter the Syslog Reporting Manager tool

IBM Systems Lab Services has created a tool that bridges the gap. The Syslog Reporting Manager is a tool that can easily be configured to capture events from the previously listed sources and report them to a central SIEM server using the syslog protocol. The messages can be formatted to either Log Extended Event Format (LEEF) for QRadar or Common Event Format (CEF) for other SIEM solutions.

Filters can be applied to select the type of entries to be reported. For the audit journal, you can filter the reported events by journal entry types that are generated by IBM i. Very granular filters can be defined to process history log entries. Selection criteria range from source user profiles, over program names, message identifier, and others. IFS stream file can be monitored for changes. If a change of content occurs, the changed data can be reported to the central logging server. Messages on message queues can also be monitored based on their severity and the message queue itself.

Another feature that has just been added is the capability to report database changes. You can define database tables that contain critical data. If such a table gets changed, you have the option to send just a summary of who changed a monitored file at what time by which program or you can report details about changed columns with an image of the data before and after the change. The database change reporting requires a second tool from IBM Systems Lab Services, called Journal Extract Tool.

Resources

Find more information about the Syslog Reporting Manager and other IBM Systems Lab Services security offerings and assets at the IBM i Security website.

Contact IBM Systems Lab Services today if you need to connect your IBM i environment to a Security Information and Event Management system.

Thomas Barlen