IBM Security Z Security

  • 1.  Command Logger Data to Splunk

    InnerCircle
    Posted Tue June 28, 2022 05:01 PM
    We use AMI Defender to send our SMF data over to Splunk. We wanted to capture the Command Logger data and send it over to Splunk as well. Does anyone have any knowledge / experience with using AMI Defender for z/OS in getting Command Logger records into Splunk?

    ------------------------------
    Linnea Sullivan
    ------------------------------


  • 2.  RE: Command Logger Data to Splunk

    Posted Wed June 29, 2022 04:18 AM
    Hi Linnea
    Many zSecure installations use CKQRADAR (part of zSecure Audit) to send SMF records to Splunk in real-time.  Splunk knows how to interpret LEEF (logfile enhanced event format) messages from CKQRADAR.  The field names assigned and the interpreted field information in these LEEF records assist in writing Splunk reports that make sense to z/OS users.
    See Splunk and zSecure Audit - How to Send SMF Records to Splunk? and zSecure Alert with Splunk integration

    Command Logger writes events into a separate logstream, e.g., PLEX1.CKXLOG.  The layout of records in the logstream is not documented, but it is not very complex either.  Use the zSecure Admin CR.2 panels to find the proper field contents for some records and use this to verify your home-grown interpretation of the raw logstream records.

    Alternatively, you could run a zSecure job every hour or so, to send a formatted report of the events from the last hour (specify DURATION=(1,HOURS) in the ALLOC command), like here: SMF logstream reports. Use NEWLIST SYSLOG SYSLOGTO=splunkaddress HEADER=LEEF to build a job that writes directly to Splunk (use SCKRCARL(CKQLEEFL) for inspiration).

    ------------------------------
    Rob van Hoboken
    ------------------------------
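Both replies rely on Splunk receiving LEEF messages. The parser below is an added example (not zSecure, CKQRADAR or Splunk code) for checking what such a feed actually carries before trusting it in reports: it handles LEEF 1.0 (tab-separated attributes) and LEEF 2.0 (delimiter declared in the header, literal or hex) and tolerates a syslog prefix. The sample events, their event ID and attribute names are constructed placeholders, not documented zSecure field names.

```python
"""Parse LEEF 1.0/2.0 events of the kind a syslog feed delivers to Splunk."""
import re

# Constructed samples shaped like a Command Logger event; CKXLOG_CMD and the
# attribute names are placeholders, not zSecure's documented field names.
SAMPLE_LEEF1 = ("LEEF:1.0|IBM|zSecure|2.5|CKXLOG_CMD|"
                "usrName=ADMIN01\tcmd=ALTUSER\tdevTime=2022-06-29T04:18:00Z")
SAMPLE_LEEF2 = ("<13>Jun 29 04:18:00 plex1 LEEF:2.0|IBM|zSecure|2.5|CKXLOG_CMD|^|"
                "usrName=ADMIN01^cmd=ALTUSER^devTime=2022-06-29T04:18:00Z")


def _decode_delim(field: str) -> str:
    """LEEF 2.0 delimiter field: empty means tab, else one char or hex (x09 / 0x09)."""
    if field == "":
        return "\t"
    m = re.fullmatch(r"0?x([0-9A-Fa-f]{2})", field)
    if m:
        return chr(int(m.group(1), 16))
    if len(field) == 1:
        return field
    raise ValueError(f"bad LEEF delimiter field: {field!r}")


def parse_leef(line: str) -> dict:
    """Return the header fields plus an 'attrs' dict; raise ValueError when malformed."""
    start = line.find("LEEF:")            # tolerate a syslog prefix before the header
    if start < 0:
        raise ValueError("no LEEF header")
    version = line[start + 5:line.find("|", start)]
    if version not in ("1.0", "2.0"):
        raise ValueError(f"unsupported LEEF version: {version!r}")
    n_header = 5 if version == "1.0" else 6   # 2.0 inserts a delimiter field
    parts = line[start:].split("|", n_header)  # pipes inside attribute values survive
    if len(parts) != n_header + 1:
        raise ValueError("truncated LEEF header")
    delim = "\t" if version == "1.0" else _decode_delim(parts[5])
    attrs = {}
    for kv in parts[n_header].split(delim):
        if kv == "":
            continue
        if "=" not in kv:
            raise ValueError(f"attribute without '=': {kv!r}")
        key, value = kv.split("=", 1)
        attrs[key] = value
    return {"version": version, "vendor": parts[1], "product": parts[2],
            "product_version": parts[3], "event_id": parts[4], "attrs": attrs}
```

Feeding a day's worth of captured lines through parse_leef and counting ValueErrors is a quick way to see whether the emitter's delimiter and header settings match what the Splunk side expects.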