IBM Security Z Security


Splunk and zSecure Audit - How to Send SMF Records to Splunk?

  • 1.  Splunk and zSecure Audit - How to Send SMF Records to Splunk?

    Posted Tue September 14, 2021 04:44 PM
    Does anybody have experience in sending 'SMF reports' to Splunk (Syslog or via USS)? We do that to QRadar, but have no experience with Splunk.
    zSecure Alert is doable. I'm interested in sending data from zSecure Audit. THANKS!

    ------------------------------
    Eugenio Fernandes
    IBM Specialist Master Consultant
    IBM
    Sao Paulo
    55 11 996 580 594
    ------------------------------


  • 2.  RE: Splunk and zSecure Audit - How to Send SMF Records to Splunk?

    IBM Champion
    Posted Wed September 15, 2021 04:07 AM
    Edited by Rob van Hoboken Wed September 15, 2021 04:07 AM
    Splunk knows the record format of QRadar messages quite well, so just use the LEEF generator: CKQCLEEF for batch jobs/log-file-based transfer, or CKQRADAR for real-time transfer of SMF records to Splunk. Specify the TCP name or IP address of the Splunk machine in CKQLEEF/CKQLEEFL.

    Using Google you will find many posts with recipes, but in my experience you just point CKQRADAR to the syslog receiver port for Splunk, and go.

    ------------------------------
    Rob van Hoboken
    ------------------------------
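Added here as a worked example, not code from this thread, from IBM zSecure or from Splunk: a small Python parser for LEEF events carried over syslog, the shape of record the answer above describes CKQRADAR sending to Splunk's syslog receiver port. It is useful on the receiving side to confirm that what arrives is well-formed LEEF before building Splunk field extractions. The sample lines, the vendor/product/event names, the attribute names and the severity threshold are all constructed for illustration; the LEEF 1.0 and 2.0 header layout and delimiter rules are the published format, but the parser is otherwise an assumption, not zSecure's own output format.

```python
import re
from typing import Dict, List

# Constructed sample events (not real zSecure/CKQRADAR output). Each carries a
# syslog priority/timestamp/host prefix ahead of the LEEF payload, which is what a
# Splunk TCP or UDP syslog input receives on the wire.
SAMPLE_LEEF_10 = (
    "<13>Sep 15 04:07:00 mvs1 LEEF:1.0|ExampleCo|ExampleAudit|1.0|LOGON_FAILURE|"
    "usrName=JSMITH\tsrc=10.0.0.5\tcat=Logon\tsev=5\tmsg=Invalid password"
)
SAMPLE_LEEF_20 = (
    "<13>Sep 15 04:07:01 mvs1 LEEF:2.0|ExampleCo|ExampleAudit|1.0|DATASET_ACCESS|^|"
    "usrName=JSMITH^resource=SYS1.PARMLIB^accessType=UPDATE^sev=7"
)


def _split_unescaped(text: str, sep: str, maxsplit: int) -> List[str]:
    """Split text on sep at most maxsplit times, honouring backslash escapes.

    LEEF header fields escape a literal pipe as '\\|', so a naive str.split('|')
    would misalign the header. Once maxsplit is reached the remainder (the
    attribute section) is returned verbatim so its own content is untouched."""
    parts: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(text):
        if len(parts) == maxsplit:
            buf.append(text[i:])
            break
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            buf.append(text[i + 1])
            i += 2
            continue
        if ch == sep:
            parts.append("".join(buf))
            buf = []
            i += 1
            continue
        buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def _decode_delimiter(field: str) -> str:
    """LEEF 2.0 delimiter field: empty means tab; 'x09' or '0x09' is a hex code
    point; otherwise it must be a single literal character."""
    if field == "":
        return "\t"
    m = re.fullmatch(r"(?:0x|x)([0-9A-Fa-f]{1,4})", field)
    if m:
        return chr(int(m.group(1), 16))
    if len(field) != 1:
        raise ValueError(f"bad LEEF 2.0 delimiter field: {field!r}")
    return field


def parse_leef(line: str) -> Dict[str, object]:
    """Parse one syslog line carrying a LEEF 1.0 or 2.0 event into a dict."""
    start = line.find("LEEF:")
    if start < 0:
        raise ValueError("no LEEF header in line")
    header = re.match(r"LEEF:(\d\.\d)\|", line[start:])
    if not header:
        raise ValueError("malformed LEEF version field")
    version = header.group(1)
    # LEEF 1.0 has 4 header fields after the version; 2.0 adds a delimiter field.
    n_fields = 4 if version == "1.0" else 5
    fields = _split_unescaped(line[start + header.end():], "|", n_fields)
    if len(fields) != n_fields + 1:
        raise ValueError("truncated LEEF header")
    delim = "\t" if version == "1.0" else _decode_delimiter(fields[4])
    attrs: Dict[str, str] = {}
    for pair in fields[n_fields].split(delim):
        if not pair:
            continue
        key, sep, value = pair.partition("=")
        if not sep:
            raise ValueError(f"attribute without '=': {pair!r}")
        attrs[key] = value
    return {
        "syslog_prefix": line[:start].rstrip(),
        "version": version,
        "vendor": fields[0],
        "product": fields[1],
        "product_version": fields[2],
        "event_id": fields[3],
        "attrs": attrs,
    }


def high_severity_events(lines: List[str], threshold: int = 6) -> List[str]:
    """Return event IDs whose numeric 'sev' attribute meets the threshold
    (constructed triage rule). Non-LEEF or malformed lines are skipped so one
    bad record does not abort the whole batch."""
    hits: List[str] = []
    for line in lines:
        try:
            ev = parse_leef(line)
            sev = int(ev["attrs"].get("sev", "0"))  # type: ignore[union-attr]
        except ValueError:
            continue
        if sev >= threshold:
            hits.append(ev["event_id"])  # type: ignore[arg-type]
    return hits


if __name__ == "__main__":
    for sample in (SAMPLE_LEEF_10, SAMPLE_LEEF_20):
        print(parse_leef(sample))
    print(high_severity_events([SAMPLE_LEEF_10, SAMPLE_LEEF_20]))
```

Run it against a capture of what actually lands on the Splunk input; a `ValueError` on real records usually means the delimiter field or an escaped pipe in the header is not what the field extraction assumes.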