IBM Security Z Security

  • 1.  zSecure Audit & CEF format for Splunk

    Posted Tue February 28, 2023 03:22 AM

    Hello everyone,

    I'm trying to implement zSecure Audit to send syslog in CEF format to a staging area (syslog server) and then allow Splunk to fetch the log on a scheduled basis. However, the customer finds it difficult to manage and process the log file stored in a unix folder, because it is on a single long line.
    Are there any best practices to use as a basis for managing the CEF file? Do you have any suggestions or precautions I can take when creating the report?

    Thanks in advance 



    ------------------------------
    Luigi Perrone
    ------------------------------


  • 2.  RE: zSecure Audit & CEF format for Splunk

    IBM Champion
    Posted Wed March 01, 2023 04:35 AM

    Hi Luigi,

    The Splunk customers I used to work with implemented an event feed from CKQRADAR. The LEEF records generated by CKQRADAR are easily ingested by Splunk, with intuitive field names. CEF records must follow the restrictions/limitations imposed by CEF, with field names that follow strict rules. When I wrote the CEF event generator, I had to map MVS objects to the network-oriented extension names in (then HP) ArcSight's reporting, and limit the number of SMF fields in each event. LEEF was not hampered by these limitations.

    You noticed that the whole event stream looks like a single long line in the unix folder. You could use the unix command od -h to inspect one of these files. That will show you if the records are separated/terminated by newline (x'0A') or by "DOS CR/LF" (x'0A0D') sequences. I assume the former.

    Splunk will have to use the right FTP subcommands to retrieve the data.  In QRadar, we used to recommend the BIN option to transfer the file.

    You could also consider using the SYSLOGTOFILE command in the CKQCEFP member, to write the CEF events to a z/OS data set allocated to C2RSYSLG in a scheduled batch job (i.e., at a pre-determined time).  Then tell Splunk to retrieve the whole data set directly from z/OS, using the BIN option.  This is mentioned in the Installation and Deployment manual.



    ------------------------------
    Rob van Hoboken
    ------------------------------
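The inspection step Rob describes (finding out which terminator separates the records before handing the file to Splunk) can be scripted. The following is an added example, not zSecure, Splunk or IBM code: it detects whether a CEF export uses LF, CRLF or no terminator at all, splits it into records (falling back to the `CEF:<n>|` header boundary when the whole file really is one long line), and parses each record's seven header fields and its key=value extension, honouring the CEF escapes for `|`, `=` and `\`. The two sample events, their field values and the signature IDs are constructed for the example; it assumes the file is UTF-8/ASCII text.

```python
"""Inspect and parse a CEF export file such as the one zSecure Audit writes.

Added example (not zSecure, Splunk or IBM code). Assumes the file is plain
UTF-8/ASCII text with one CEF event per record and that records are
terminated by LF, CRLF, or not at all (the 'single long line' case).
"""
import re

# Constructed sample: two LF-terminated CEF events; every value is invented.
SAMPLE_LF = (
    b"CEF:0|IBM|zSecure Audit|2.5|RACF_LOGON|User logon|3|"
    b"src=10.0.0.5 suser=USER01 outcome=success\n"
    b"CEF:0|IBM|zSecure Audit|2.5|RACF_ACCESS|Resource access|5|"
    b"suser=USER02 fname=SYS1.PARMLIB act=READ outcome=failure\n"
)

HEADER_NAMES = ("vendor", "product", "device_version", "signature_id", "name", "severity")
# An extension key is a run of safe characters followed by '=' at the start
# of the extension or right after whitespace; '\=' inside a value never matches.
KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.]+)=")
RECORD_START_RE = re.compile(r"(?=CEF:\d+\|)")


def detect_terminator(data: bytes) -> str:
    """Report the record terminator, i.e. what 'od -h' would show at record ends.

    Returns 'LF' (x'0A'), 'CRLF' (x'0D0A'), 'MIXED', or 'NONE'.
    """
    crlf = data.count(b"\r\n")
    lf = data.count(b"\n") - crlf
    if crlf and lf:
        return "MIXED"
    if crlf:
        return "CRLF"
    if lf:
        return "LF"
    return "NONE"


def split_records(data: bytes, encoding: str = "utf-8") -> list:
    """Split the file into one string per CEF record.

    CRLF is normalised to LF. If the file has no terminators at all, fall
    back to splitting just before each 'CEF:<n>|' header, which assumes no
    extension value itself contains that text.
    """
    text = data.decode(encoding).replace("\r\n", "\n")
    parts = text.split("\n") if "\n" in text else RECORD_START_RE.split(text)
    return [p for p in parts if p.strip()]


def _unescape(value: str) -> str:
    # CEF escapes '|', '=' and '\' with a backslash; drop the backslash.
    return re.sub(r"\\(.)", r"\1", value)


def parse_cef(record: str) -> dict:
    """Parse one record: CEF:Version|Vendor|Product|Device Version|Signature ID|Name|Severity|Extension.

    Header fields may contain escaped pipes ('\\|'), so the header is scanned
    character by character instead of split on '|'.
    """
    fields, current, i = [], [], 0
    while i < len(record) and len(fields) < 7:
        ch = record[i]
        if ch == "\\" and i + 1 < len(record):
            current.append(record[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    if len(fields) < 7 or not fields[0].startswith("CEF:"):
        raise ValueError("not a CEF record: %r" % record[:40])
    extension = record[i:]
    event = {"cef_version": fields[0][4:]}
    event.update(zip(HEADER_NAMES, fields[1:7]))
    # Values may contain spaces and '\=', so locate the keys and take the text
    # between consecutive keys as each value.
    keys = list(KEY_RE.finditer(extension))
    ext = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(extension)
        ext[m.group(1)] = _unescape(extension[m.end():end].strip())
    event["extension"] = ext
    return event


def summarise(data: bytes) -> dict:
    """Terminator type, record count and per-severity counts for one file."""
    records = [parse_cef(r) for r in split_records(data)]
    by_severity = {}
    for ev in records:
        by_severity[ev["severity"]] = by_severity.get(ev["severity"], 0) + 1
    return {"terminator": detect_terminator(data),
            "records": len(records), "by_severity": by_severity}


if __name__ == "__main__":
    import json
    print(json.dumps(summarise(SAMPLE_LF), indent=2))
```

Run it against the real export with `summarise(open(path, "rb").read())`: a result of `"terminator": "NONE"` with more than one record means the file is one long line and the fallback split was used, which is exactly the case where the transfer mode (BIN versus text) and the terminator the generator writes should be checked before Splunk is pointed at the file.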



  • 3.  RE: zSecure Audit & CEF format for Splunk

    Posted Thu March 02, 2023 04:08 AM

    Thanks a lot, Rob, for your precious support. I really appreciate it.



    ------------------------------
    Luigi Perrone
    ------------------------------