IBM Security Z Security


zSecure Alert with Splunk integration

  • 1.  zSecure Alert with Splunk integration

    Posted Tue October 20, 2020 07:29 AM
    Hi All,
    We've been asked to integrate zSecure Alert with Splunk. Looking at the zSecure manual we see mention of having to run an extra STC to enrich SMF data.
    We are only interested in zSecure Alert events, so is this necessary?
    Our understanding is that we can use:
    • QRadar Unix syslog
    • ArcSight CEF via syslog
    Is this correct?
    What is the best way to do this integration?

    Thanks for your help.

    ------------------------------
    Anji Stephens
    ------------------------------


  • 2.  RE: zSecure Alert with Splunk integration

    Posted Tue October 20, 2020 09:31 AM
    Edited by Rob van Hoboken Wed October 21, 2020 03:16 AM
    zSecure Alert can be used to generate messages in RFC 3164 format, i.e., in syslog structured text format.  This is selected with the "QRadar UNIX Syslog" check box, and sends a message with a few of the relevant fields to the recipient (Splunk, or QRadar).  The field names can be found in Appendix C of the zSecure Alert User Reference Manual.

    zSecure Alert installs its own SMF exits (IEFU83/84/85 or IEFU86).  Enrichment of SMF data, such as finding the profile for data set names, looking up the programmer name field for users, or identifying the APF data sets in the system, is achieved within zSecure Alert.  For this purpose zSecure Alert's started task C2POLICE starts a daily collection of CKFREEZE information, running in C2PCOLL.
    There is no need for an additional SMF data extractor (CKQEXSMF).  This function is only used for CKQRADAR if your installation does not use or want to use SMF log streams.

    ------------------------------
    Rob van Hoboken
    ------------------------------


  • 3.  RE: zSecure Alert with Splunk integration

    Posted Wed October 21, 2020 07:39 AM
    Thank you for your response Rob.
    We are testing this without actually sending the messages to Splunk, i.e. we have redirected the QRadar Unix Syslog messages to C2RSYSLG DD.
    We have triggered Alert C2P1105 and we can see the WTO message and the email in the STC Joblog. We can also see entries in C2RSYSLG DD, but they are unreadable characters. E.g.:
    | & $ & ?> / | & < ?> / ( ?> / ( + ( |

    Is this to be expected? Are we missing something in our config?

    Thanks and regards,

    ------------------------------
    Anji Stephens
    ------------------------------

  • 4.  RE: zSecure Alert with Splunk integration

    Posted Wed October 21, 2020 08:21 AM
    Edited by Rob van Hoboken Wed October 21, 2020 08:36 AM
    Syslog messages to Splunk and QRadar are generated in ASCII (or UTF8, to be more accurate).
    When you print the messages to C2RSYSLG, they are still formatted in UTF8, so you have to tell SDSF to convert them into EBCDIC:

    1. Select C2POLICE with a ? command character.
    2. Find the C2RSYSLG file and select with SE (select, edit).
    3. Within Edit, issue SOURCE ASCII.  This will convert the text to readable EBCDIC.

    Alternatively, select with SB (select browse) and use DISPLAY ASCII as a primary command.
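The encoding mismatch explained in this reply, and the RFC 3164 message format mentioned in reply 2, can be reproduced off-host. The following is an added example written for this thread, not code from IBM or zSecure: it builds a constructed RFC 3164 line as UTF-8 bytes, shows what those bytes look like when a viewer interprets them as EBCDIC (Python's `cp037` codec stands in for the SDSF display), recovers the original text the way SOURCE ASCII / DISPLAY ASCII does, and parses the syslog header into facility, severity, host and tag. The message body and field names are made up for illustration and are not the Appendix C field names of the zSecure Alert User Reference Manual.

```python
import re

# Constructed sample line in RFC 3164 layout: <PRI>TIMESTAMP HOST TAG: MSG.
# The body is illustrative only; it does not reproduce the real zSecure Alert record.
SAMPLE_LINE = b"<84>Oct 21 07:39:00 MVSPROD C2POLICE: C2P1105 alert=C2P1105 user=ANJI\n"

# RFC 3164 header: priority in angle brackets, "Mmm dd hh:mm:ss" timestamp,
# hostname, then a tag terminated by a colon, then the free-text message.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[A-Za-z0-9_]+): ?"
    r"(?P<msg>.*)$"
)


def as_seen_in_ebcdic_viewer(raw: bytes) -> str:
    """Show the UTF-8/ASCII bytes the way a tool that assumes EBCDIC would render them.

    Every byte maps to some cp037 character, so this never fails; it just
    produces text that is unreadable, which is the symptom reported above.
    """
    return raw.decode("cp037")


def recover_from_ebcdic_view(garbled: str) -> str:
    """Undo the wrong interpretation: turn the displayed EBCDIC characters back
    into the original bytes, then decode those bytes as UTF-8.  This is the
    same transformation SDSF applies for SOURCE ASCII / DISPLAY ASCII."""
    return garbled.encode("cp037").decode("utf-8")


def convert_source_ascii(raw: bytes) -> str:
    """Decode the DD contents correctly in the first place (UTF-8, not EBCDIC)."""
    return raw.decode("utf-8")


def parse_rfc3164(raw: bytes) -> dict:
    """Split one RFC 3164 line into its header fields.

    PRI encodes facility and severity together as facility * 8 + severity.
    """
    text = convert_source_ascii(raw).rstrip("\r\n")
    m = SYSLOG_RE.match(text)
    if m is None:
        raise ValueError(f"not an RFC 3164 line: {text!r}")
    pri = int(m["pri"])
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "timestamp": m["ts"],
        "host": m["host"],
        "tag": m["tag"],
        "message": m["msg"],
    }


if __name__ == "__main__":
    garbled = as_seen_in_ebcdic_viewer(SAMPLE_LINE)
    print("as an EBCDIC viewer shows it:", repr(garbled))
    print("after SOURCE ASCII          :", recover_from_ebcdic_view(garbled).rstrip())
    print("parsed header               :", parse_rfc3164(SAMPLE_LINE))
```

The PRI value 84 in the constructed line decodes to facility 10 and severity 4; a SIEM receiving the real feed would map those the same way, which is worth checking when building Splunk sourcetype or QRadar parsing rules, since the facility and severity are the only routing hints RFC 3164 carries outside the free-text body.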


  • 5.  RE: zSecure Alert with Splunk integration

    Posted Wed October 21, 2020 09:24 AM
    Perfect! Many thanks Rob.

    Regards,

    ------------------------------
    Anji Stephens
    ------------------------------