IBM Security Z Security


adding fields to LEEF records

  • 1.  adding fields to LEEF records

    Posted Mon February 08, 2021 11:55 AM
    Hello,

    I read in the nice documentation that it is possible to add more information to the LEEF records prepared by CKQRADAR.  
    Let's imagine that we have a RACF user Custom Field named "VEHICLE" (with possible values: BIKE, CAR, BICYCLE, N/A) and every time that CKQRADAR enriches an SMF record with user information we want to have also the "VEHICLE" field added.
    How could this be easily achieved?

    Many thanks for your support,
    Alx.

    ------------------------------
    Alx
    ------------------------------


  • 2.  RE: adding fields to LEEF records

    IBM Champion
    Posted Wed March 03, 2021 05:56 AM

    Sorry for overlooking this question.  zSecure Adapter for SIEM offers an exit (CKQCES) to add custom events to the LEEF stream; this supports locally written CARLa (NEWLIST) that translates SMF records into new LEEF records.  Similarly, CKQCEF supports the CKQCEF#C exit.

    There is no exit point or non-destructible method to add fields into existing records.  The only options:

    1. Write a (semi-)duplicate LEEF record with the additional fields using CKQCES, and manipulate the syslog receiver (QRadar, Splunk, etc.) to ignore the original record.
    2. Copy member CKQLEEF or CKQLEEFL from SCKRCARL to the data set you use as CKQCUST, modify the SORTLIST commands as needed.  This cuts off improvements that IBM adds to the original member, through PTFs and new releases, so not a great idea either.

    I suggest you open an RFE for a proper customization path.

    ------------------------------
    Rob van Hoboken
    ------------------------------
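The receiver-side half of option 1 above (drop the original record when an enriched duplicate is present), as an added example that is not part of this thread and not zSecure or QRadar code. It assumes LEEF 1.0 syntax (header fields separated by "|", attributes separated by tabs), that the CKQCES-written duplicate carries the same devTime and usrName as the original with its eventId prefixed by a marker ("X-" here), and that the sample records are constructed, not real CKQRADAR output.

```python
"""Prefer an enriched LEEF duplicate over the original record it shadows.

The records below are constructed samples (vendor/product/version are
placeholders), not output of CKQRADAR.  LEEF 1.0: the first five
'|'-separated fields are the header, the rest is tab-separated key=value.
"""
from dataclasses import dataclass, field

MARKER = "X-"  # assumed eventId prefix that the custom CKQCES record uses


@dataclass
class Leef:
    vendor: str
    product: str
    version: str
    event_id: str
    attrs: dict = field(default_factory=dict)


def parse_leef(line: str) -> Leef:
    """Parse one LEEF 1.0 record; raise on a malformed header."""
    parts = line.split("|", 5)
    if len(parts) != 6 or not parts[0].startswith("LEEF:"):
        raise ValueError(f"not a LEEF 1.0 record: {line!r}")
    _, vendor, product, version, event_id, body = parts
    attrs = dict(kv.split("=", 1) for kv in body.split("\t") if "=" in kv)
    return Leef(vendor, product, version, event_id, attrs)


def corr_key(rec: Leef) -> tuple:
    """Correlation key shared by an original and its enriched duplicate."""
    eid = rec.event_id[len(MARKER):] if rec.event_id.startswith(MARKER) else rec.event_id
    return (eid, rec.attrs.get("devTime"), rec.attrs.get("usrName"))


def dedupe(lines) -> list:
    """Drop every original whose enriched duplicate is also in the stream."""
    records = [parse_leef(l) for l in lines if l.startswith("LEEF:")]
    enriched = {corr_key(r) for r in records if r.event_id.startswith(MARKER)}
    return [r for r in records
            if r.event_id.startswith(MARKER) or corr_key(r) not in enriched]


SAMPLE = [  # constructed sample stream: original, its enriched twin, an unrelated record
    "LEEF:1.0|VENDOR|PRODUCT|0.0|RACF_LOGON|devTime=Feb 08 2021 11:55:00\tusrName=ALX\tsrc=10.0.0.5",
    "LEEF:1.0|VENDOR|PRODUCT|0.0|X-RACF_LOGON|devTime=Feb 08 2021 11:55:00\tusrName=ALX\tsrc=10.0.0.5\tVEHICLE=BIKE",
    "LEEF:1.0|VENDOR|PRODUCT|0.0|RACF_LOGON|devTime=Feb 08 2021 11:56:00\tusrName=BOB\tsrc=10.0.0.6",
]

if __name__ == "__main__":
    for rec in dedupe(SAMPLE):
        print(rec.event_id, rec.attrs)
```

The same correlation key would be expressed as a routing or custom-property rule in the SIEM itself; this script only shows the logic the receiver must apply so the original and its enriched copy are not both counted.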