Hi Matt,
I found some materials that we salvaged from an earlier forum that no longer exists.
Specifically, an alert skeleton that creates an hourly heartbeat as both a WTO and a UNIX syslog message (the latter would fit QRadar), which might have some code page issues (these are pointed out in the instructions for using it), and another idea for how to add a timestamp to an alert.
)DEFAULT )&?!¢}~
)CM )DEFAULT moves the ISPF conditional-substitution characters away from
)CM < | > so the CARLa below can use them literally (syslog priority, concatenation)
)CM /***********************************************BeginModule********
)CM * Purpose: Sample alert for heartbeat via UNIX SYSLOG
)CM *
)CM * History:
)CM * 150601 2.1.1 RvH Created
)CM ************************************************EndModule********/
)CM Pass one query
)SEL &C2PEPASS = Y
)ENDSEL
)CM Alert condition
)SEL &C2PEPASS = N
)IM C2PSGNEW
select recno=1 likelist=recent
)CM WTO sortlist
)SEL &C2PERCTP = WTO
sortlist,
recno(nd),
'C2P&c2pemem.&c2peflag',
'Hourly heartbeat'
)ENDSEL
)CM UNIX syslog sortlist
)SEL &C2PERCTP = SYSL
sortlist,
recno(nd) '<&C2PEPRIO.>' | date(month,3) date(monthday,0) time(8),
system 'C2P&c2pemem.',
)CM The [ and ] in the next two lines must be x'AD' and x'BD' (see the hex check below)
'[C2P&C2PEMEM.',
'whereSYSTEM="' | system(0) | '"]',
'Hourly heartbeat'
)ENDSEL
)ENDSEL
When you issue an F C2POLICE,REFRESH, it can take a little while before the new CARLa code is active. This is because:
When the MODIFY command is received, the current collection interval (1 minute) must first complete.
Then the environment information must be processed again with stage 1 processing, which generates CARLa containing information from the CKFREEZE and the security database.
Then, finally, the reporting stage can start.
All that time, SMF and WTO messages are still collected in the buffers, even though the messages are delayed a bit.
You can add a user defined alert that writes a message to operator (WTO) when the reporting stage has processed its first SMF record, and the SYSPRRPT data set of the previous interval is available for ISPF Browse.
Go to option SE.A.A, select the current alert set with an S, select the Other alerts category with an S, and create a new alert by typing I in front of an existing alert. Fill in the fields as follows:
Description:                  Hourly heartbeat message
Member prefix:                a 3-character prefix for the member names in C2PCUST, e.g., an abbreviation of your company name
Alert id:                     a number between 4000 and 4099 that is not yet in use
Severity:                     I
Data source:                  SMF
Parameters:                   OUTLIM=1
Type:                         80, or any other SMF record type you wish to use
Sub:                          empty
Allowable destination types:  put a / in front of WTO and Unix Syslog
Specify action:               N
Extended Monitoring:          N
View/Edit the skeleton:       Y
When you press Enter, you go into ISPF Edit of the skeleton member. Delete all lines and copy in the skeleton above.
Check that there is an x'AD' or [ in front of C2P&C2PEMEM and an x'BD' or ] after the closing quote in the next line; some terminal emulators have an incorrect translation. With HEX ON the two lines should look like this:
'[C2P&C2PEMEM.',
447ACFD5CFDCDCD47644444444444444444444
00DD32703275454BDB00000000000000000000
--------------------------------------
'whereSYSTEM="' | system(0) | '"]',
447A8898EEEECD777444AAAA894F544477B764
00D68595282354EFD0F0282354D0D0F0DFDDB0
Press PF3 to save the skeleton and PF3 again to save the alert.
Enter a W to set the alert destination to WTO. If you also wish to send the message to your Syslog receiver, select the UNIX Syslog destination as well.
We use a CARLa script to send application log records to QRadar in LEEF format.
There may not be any input data (an empty file), but I would like to systematically generate a heartbeat record. It would be a single record, read from a concatenated input file, into which I would like to insert the date and time.
But I can't find a function to add the current timestamp.
------
You could use NEWLIST TYPE=SYSTEM, which has a field COLLECT_DATETIME reflecting the time when the CKFREEZE was collected.
You could also take NEWLIST TYPE=RUN, with DATETIME representing the time when the current job runs.
As for formatting the header of your SYSLOG record, you could use the CEF_DT(15) output format to print Jul 08 13:49:00.
If you would like to insert a datetime into another newlist type, use the implicit lookup function :run.datetime(cef_dt,15), as we do in most of the zSecure Alert skeletons.
------
This works very well with the RUN type (which is only available since 2.3, I think).
The solution with COLLECT_DATETIME also works, but I won't use it because there is no need for CKFREEZE in our processing and it involves more modification.
Thank you very much for that quick answer
I hope this helps.
Regards,
------------------------------
Jeroen Tiggelman
IBM - Software Development and Level 3 Support Manager IBM Security zSecure Suite
Delft
------------------------------
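An added example, not from this thread and not one of the zSecure product skeletons, of the second idea above: a stand-alone CARLa heartbeat for a QRadar LEEF log source built on NEWLIST TYPE=RUN, so it needs neither input data nor a CKFREEZE. The DATETIME field and the CEF_DT output format are the ones named in the reply above; the output DD name LEEFOUT, the host name MVSHOST, the syslog priority 13 (user.notice) and the LEEF vendor, product, version and event id strings are assumptions for illustration.

```carla
/* Added example, not from the thread or the zSecure product skeletons.  */
/* Unconditional heartbeat record for a QRadar LEEF log source.          */
/* NEWLIST TYPE=RUN yields one record per run with DATETIME set to the  */
/* run time, so no SMF, CKFREEZE or other input is needed.              */
/* Assumptions for illustration: output DD LEEFOUT (allocate it in the  */
/* JCL and ship it with the transport you already use), host name       */
/* MVSHOST, syslog priority <13> (user.notice), and the LEEF vendor,    */
/* product, version and event id fields.                                 */
newlist type=run nopage dd=LEEFOUT
  list,
    '<13>' | datetime(cef_dt,15),
    'MVSHOST',
    'LEEF:2.0|IBM|zSecure|2.3|Heartbeat|^|cat=heartbeat^sev=1'
```

The three list items are written with a blank between them, which gives the BSD syslog layout QRadar expects: priority and timestamp (CEF_DT(15) renders the run time as Mmm dd hh:mm:ss), then the host name, then the LEEF 2.0 body, whose `^` after the event id declares the attribute delimiter. If you paste this into a zSecure Alert skeleton instead of running it as a plain CARLa script, keep the skeleton's `)DEFAULT )&?!¢}~` line: it moves ISPF's conditional-substitution characters away from `<`, `|` and `>`, which this CARLa uses literally.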
Original Message:
Sent: Mon September 11, 2023 10:40 AM
From: Matt Ross
Subject: Heartbeat Alert for QRadar Log Source
Hello All,
There is a process in place that auto tickets if a QRadar Log Source does not receive anything in a 24 hour period. We're finding that some of our lesser used systems, with their current zSecure Alert configuration, do not always send anything to QRadar within that window. Due to some issues with modifying that ticketing, I am looking for a potential interim solution.
I thought about using the SNMP heartbeat alert as a sample and creating something similar to send to QRadar (but on a less frequent basis) just to show the connection is active. Any thoughts on doing that? Maybe once every 6 hours or some other interval.
Thanks,
Matt
------------------------------
Matt Ross
------------------------------