IBM QRadar

  • 1.  Integrate QRadar with IBM i

    Posted Tue May 16, 2023 11:22 AM
    Edited by Davin Ardian Tue May 16, 2023 11:34 AM

    Hello Everyone,

    Hope you are doing well. We are trying to integrate QRadar with IBM i, but we are stuck at step number 5 of https://www.ibm.com/docs/en/dsm?topic=i-configuring-integrate-qradar. When we run the command, there is an error message: "AJLIB file in QGPL is not a Save File". Has anyone ever encountered this problem?




    ------------------------------
    Davin Ardian
    ------------------------------



  • 2.  RE: Integrate QRadar with IBM i

    IBM Champion
    Posted Mon May 29, 2023 09:49 AM

    Hi Davin,
    We have integrated many IBM i systems without problems. Sure you ran into an error? The message could be informatory as well.
    What happens when trying to run step 6?
    Maybe there was a problem in step 4 when trying to replace AJLIB.
    If you still have problems I can contact one of my fellow IBMers who have executed the steps documented.



    ------------------------------
    [Karl] [Jaeger] [Business Partner]
    [QRadar Specialist]
    [pro4bizz]
    [Karlsruhe] [Germany]
    [4972190981722]
    ------------------------------



  • 3.  RE: Integrate QRadar with IBM i

    Posted Mon May 29, 2023 12:02 PM

    Hi Karl,
    Thanks for your reply. We are facing the issue in step 12 now. Please find the attached PDF document for details of the steps already executed.



    ------------------------------
    Davin Ardian
    ------------------------------



  • 4.  RE: Integrate QRadar with IBM i

    Posted Tue June 06, 2023 09:12 PM
    Edited by Paul Leonard Tue June 06, 2023 09:54 PM

    Davin,

    The relevant message text here is
    Message text for CPF9801 is: Object QAUDJRN in library QSYS not found.

    It appears that you don't have auditing turned on.

    The QAUDLVL system value needs to specify which types of things to audit. Check the current audit level with
    DSPSYSVAL SYSVAL(QAUDCTL)
    I suspect that it's *NONE.

    The QAUDCTL system value needs to be set to at least *OBJAUD. Ideally it will also include *NOQTEMP (so objects in QTEMP are not included) and *AUDLVL.

    It's a Good Practice to just use the default set if you don't have a specific need for another value. But you do have to make sure that the Audit Journal is set up to log entries.

    CHGSECAUD QAUDLVL(*DFTSET)
    can be used to configure the default set of entries.

    CHGSECAUD QAUDCTL(*ALL) QAUDLVL(*DFTSET)
    This should start the Security auditing on your system with the default set.

    After that the ajlib/auditjrn command should receive entries to process.
    Cheers



    ------------------------------
    Paul Leonard
    ------------------------------
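
    The checks discussed in the reply above can be scripted as a read-only pre-flight test before running the ajlib/auditjrn command. This is an added example, not code from the thread or from IBM's documentation; the program name CHKAUDJRN and the message wording are assumptions, and the program changes no system values.

```cl
/* Added example (hypothetical program CHKAUDJRN), not from the thread. */
/* Read-only pre-flight check to run before AJLIB/AUDITJRN.             */
PGM
  DCL VAR(&AUDCTL) TYPE(*CHAR) LEN(50)   /* QAUDCTL: 5 values x 10 chars  */
  DCL VAR(&AUDLVL) TYPE(*CHAR) LEN(160)  /* QAUDLVL: 16 values x 10 chars */

  /* 1. The audit journal must exist. CPF9801 is the "not found" */
  /*    message quoted in the thread.                            */
  CHKOBJ OBJ(QSYS/QAUDJRN) OBJTYPE(*JRN)
  MONMSG MSGID(CPF9801) EXEC(DO)
    SNDPGMMSG MSG('QAUDJRN is missing from QSYS. Security auditing +
                   has not been set up (see CHGSECAUD).')
    RETURN
  ENDDO

  /* 2. Auditing must be switched on in QAUDCTL. */
  RTVSYSVAL SYSVAL(QAUDCTL) RTNVAR(&AUDCTL)
  IF COND(%SST(&AUDCTL 1 10) *EQ '*NONE') THEN(DO)
    SNDPGMMSG MSG('QAUDCTL is *NONE. No entries are being written +
                   to QAUDJRN.')
    RETURN
  ENDDO

  /* 3. Action auditing needs at least one value in QAUDLVL. */
  RTVSYSVAL SYSVAL(QAUDLVL) RTNVAR(&AUDLVL)
  IF COND(%SST(&AUDLVL 1 10) *EQ '*NONE') THEN(DO)
    SNDPGMMSG MSG('QAUDLVL is *NONE. No action auditing values +
                   are selected.')
    RETURN
  ENDDO

  /* 4. Report the current settings so they can be reviewed. */
  SNDPGMMSG MSG('QAUDCTL: ' *CAT &AUDCTL)
  SNDPGMMSG MSG('QAUDLVL: ' *CAT &AUDLVL)
  SNDPGMMSG MSG('Audit journal present and auditing active.')
ENDPGM
```

    Each message goes to the caller's message queue, so calling the program from a command line shows the result in the job log.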