IBM Security Z Security


Splunk and zSecure Audit - How to Send SMF Records to Splunk?

  • 1.  Splunk and zSecure Audit - How to Send SMF Records to Splunk?

    Posted 8 days ago
    Does anybody have experience sending 'SMF reports' to Splunk (syslog or via USS)? We do that with QRadar, but have no experience with Splunk.
    zSecure Alert is doable. I'm interested in sending data from zSecure Audit. THANKS!

    ------------------------------
    Eugenio Fernandes
    IBM Specialist Master Consultant
    IBM
    Sao Paulo
    55 11 996 580 594
    ------------------------------


  • 2.  RE: Splunk and zSecure Audit - How to Send SMF Records to Splunk?

    Posted 8 days ago
    Edited by Rob van Hoboken 8 days ago
    Splunk knows the record format of QRadar messages quite well, so just use the LEEF generator: CKQCLEEF for batch jobs/log file based transfer, or CKQRADAR for real-time transfer of SMF records to Splunk. Specify the TCP host name or IP address of the Splunk machine in CKQLEEF/CKQLEEFL.

    Using Google, you will find many posts with recipes, but in my experience you just point CKQRADAR to the syslog receiver port for Splunk, and go.

    ------------------------------
    Rob van Hoboken
    ------------------------------
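A receiver-side sanity check for the setup described in the reply above, added here as an example; it is not part of the original thread and not zSecure or Splunk code. Once CKQRADAR (or a batch CKQCLEEF transfer) is pointed at the Splunk syslog listener, the first thing to verify is that what lands there is well-formed LEEF inside a syslog frame, because Splunk's LEEF field extraction silently drops or mis-parses records whose header field count or attribute delimiter is off. The script parses both LEEF 1.0 (five header fields, tab-separated attributes) and LEEF 2.0 (sixth header field declares the delimiter, either a literal character or a hex code such as `x09`), unwraps the RFC 3164-style syslog priority, and reports which lines would be rejected. The sample lines, event IDs, attribute names and host name are constructed for the example and are not real zSecure Audit output.

```python
"""Sanity-check syslog-framed LEEF records before trusting Splunk's extraction.

Added example: sample data below is constructed, not captured from zSecure.
"""
import re
from typing import Dict, List, Optional

# <PRI>Mon dd hh:mm:ss host LEEF:...   (classic BSD syslog framing, day may be space-padded)
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2}\s{1,2}\d{1,2}\s\d{2}:\d{2}:\d{2})\s"
    r"(?P<host>\S+)\s"
    r"(?P<msg>LEEF:.*)$"
)


def decode_delimiter(spec: str) -> str:
    """LEEF 2.0 delimiter field: empty means tab, 'x09'/'0x09' is hex, else a literal char."""
    if spec == "":
        return "\t"
    s = spec.lower()
    if s.startswith("0x"):
        return chr(int(s[2:], 16))
    if s.startswith("x") and len(s) > 1:
        return chr(int(s[1:], 16))
    return spec


def parse_leef(msg: str) -> Optional[Dict]:
    """Return header fields and attributes, or None if the record is malformed."""
    if msg.startswith("LEEF:1."):
        header_count = 5          # version|vendor|product|product version|event id
    elif msg.startswith("LEEF:2."):
        header_count = 6          # ... plus the delimiter field
    else:
        return None
    # maxsplit keeps '|' characters inside attribute values intact
    parts = msg.split("|", header_count)
    if len(parts) != header_count + 1:
        return None
    vendor, product, product_version, event_id = parts[1:5]
    delim = decode_delimiter(parts[5]) if header_count == 6 else "\t"
    attrs: Dict[str, str] = {}
    for pair in parts[header_count].split(delim):
        if not pair:
            continue
        if "=" not in pair:
            return None           # a bare token means the delimiter or the payload is wrong
        key, value = pair.split("=", 1)
        attrs[key] = value
    return {
        "version": parts[0][5:],
        "vendor": vendor,
        "product": product,
        "product_version": product_version,
        "event_id": event_id,
        "attrs": attrs,
    }


def check_syslog_line(line: str) -> Dict:
    """Unwrap the syslog frame and parse the LEEF payload; explain any rejection."""
    m = SYSLOG_RE.match(line.rstrip("\r\n"))
    if not m:
        return {"ok": False, "reason": "not a syslog line carrying a LEEF payload"}
    leef = parse_leef(m.group("msg"))
    if leef is None:
        return {"ok": False, "reason": "malformed LEEF header or attribute list"}
    pri = int(m.group("pri"))
    return {"ok": True, "facility": pri // 8, "severity": pri % 8,
            "host": m.group("host"), "leef": leef}


def summarize(lines: List[str]) -> Dict:
    """Count accepted records per event ID and list rejected line numbers with reasons."""
    counts: Dict[str, int] = {}
    rejected = []
    for lineno, line in enumerate(lines, 1):
        result = check_syslog_line(line)
        if result["ok"]:
            eid = result["leef"]["event_id"]
            counts[eid] = counts.get(eid, 0) + 1
        else:
            rejected.append((lineno, result["reason"]))
    return {"accepted": sum(counts.values()), "by_event_id": counts, "rejected": rejected}


# Constructed sample: hypothetical event IDs and attribute names, not real zSecure output.
SAMPLE_LINES = [
    "<134>Jun  3 10:15:42 MVS1 LEEF:1.0|IBM|zSecure Audit|2.5|LOGON_FAILURE|usrName=IBMUSER\tsrc=10.1.2.3\tjobName=TSOLOGON",
    "<134>Jun  3 10:15:43 MVS1 LEEF:2.0|IBM|zSecure Audit|2.5|DATASET_ACCESS|x09|usrName=PROD01\tresource=SYS1.PARMLIB\taccess=UPDATE",
    "<134>Jun  3 10:15:44 MVS1 LEEF:2.0|IBM|zSecure Audit|2.5|LOGON_FAILURE|^|usrName=GUEST^src=10.1.2.9^reason=PASSWORD",
    "<134>Jun  3 10:15:45 MVS1 not a LEEF record",
    "<134>Jun  3 10:15:46 MVS1 LEEF:2.0|IBM|zSecure Audit|2.5|LOGON_FAILURE|^|garbage",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LINES))
```

Run it over a file of lines captured on the Splunk side (for example the raw events Splunk indexed from the listener, or a packet capture of the port) in place of `SAMPLE_LINES`; any line that shows up under `rejected` is one the zSecure forwarder or the receiver configuration is mangling, and the reason string tells you whether the syslog framing or the LEEF payload is at fault.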