Powertech SIEM Agent For IBM i Audit
Overview
Powertech SIEM Agent for IBM i participates in cross-platform monitoring of security events by reporting IBM i security events to your enterprise security console.
Powertech SIEM Agent for IBM i sends events to either the RealSecure® SiteProtector™ console from Internet Security Systems (ISS) or to a syslog server. Together, RealSecure SiteProtector and Powertech Exit Point Manager For IBM i offer a dynamic protection solution that detects, prevents, and responds to IBM i security threats. ISS SiteProtector receives events via an intermediate log file on a Windows server system; Powertech SIEM Agent for IBM i uses socket communication over TCP/IP to send events to SiteProtector via that Windows log file.
Powertech SIEM Agent for IBM i also provides Broker/Agent communication for Syslog servers and event message formatting for Syslog event messages. Syslog events are sent over UDP.
Real-time processing of events
Journal entries and messages are processed in real time: Powertech SIEM Agent for IBM i processes each event as it is written to the audit journal.
The IBM system value QAUDFRCLVL is used by the operating system to indicate the number of journal entries collected for QAUDJRN before they are written to auxiliary storage. For more information on how this system value might affect data integrity and performance, refer to the QAUDFRCLVL system value help text and your IBM Security Reference Guide.
Network Security Events
Understanding the MSG ID
For Network Security events, message IDs are numbered according to the following scheme:
The first letter in the message ID:
U = Powertech user-defined journal entries from QAUDJRN that originate from Network Security.
The second two letters in the message ID:
Correspond to the two-letter audit journal code (e.g., NA = Network Security Allow).
The four-digit number at the end of the message ID:
The first two digits correspond to the server (e.g., 03 = *DDM). The last two digits correspond to the function (e.g., 16 = Open).
The following illustrates the message numbering of common Network Security event messages:
Message ID | MSG
---|---
UNA0801 | Network Security Allow (Session initialization)
UNR0801 | Network Security Reject (Session initialization)
For a full list of Network Security event messages that can be monitored, please see https://static.helpsystems.com/powertech/help/siem-agent/4_1/siem-agent-user-guide.pdf and search for Network Security Events.
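The message ID scheme above is easy to decode on the SIEM side. The following is an added example (not Powertech's code) that splits a Network Security message ID into its documented fields and counts Reject events per server/function pair; the lookup tables contain only the codes this page documents, and the sample feed is constructed.

```python
import re
from collections import Counter

# Lookup tables hold only the codes the page documents; the remaining server
# and function codes are listed in the SIEM Agent user guide linked above.
JOURNAL_CODES = {"NA": "Network Security Allow", "NR": "Network Security Reject"}
SERVERS = {"03": "*DDM"}
FUNCTIONS = {"01": "Session initialization", "16": "Open"}

# U + two-letter audit journal code + two-digit server + two-digit function
MSGID_RE = re.compile(r"^U(?P<journal>[A-Z]{2})(?P<server>\d{2})(?P<function>\d{2})$")


def decode_msgid(msgid):
    """Split a Network Security message ID into its documented fields.
    Raises ValueError on anything outside the scheme, so a malformed ID is
    never silently mapped to the wrong event."""
    m = MSGID_RE.match(msgid.strip())
    if not m:
        raise ValueError(f"not a Network Security message ID: {msgid!r}")
    journal, server, function = m.group("journal", "server", "function")
    return {
        "journal_code": journal,
        "event": JOURNAL_CODES.get(journal, f"audit journal code {journal}"),
        "server": server,
        "server_name": SERVERS.get(server, f"server {server} (see user guide)"),
        "function": function,
        "function_name": FUNCTIONS.get(function, f"function {function} (see user guide)"),
        "rejected": journal == "NR",
    }


def reject_summary(msgids):
    """Count Reject events per (server, function). Malformed IDs are counted
    rather than dropped, so a feed that stops parsing stays visible."""
    counts, malformed = Counter(), 0
    for msgid in msgids:
        try:
            info = decode_msgid(msgid)
        except ValueError:
            malformed += 1
            continue
        if info["rejected"]:
            counts[(info["server"], info["function"])] += 1
    return counts, malformed


if __name__ == "__main__":
    # Constructed sample feed of message IDs, not real audit journal data.
    sample = ["UNA0801", "UNR0801", "UNR0316", "UNR0316", "bogus", "UNA0316"]
    print(reject_summary(sample))
```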
Configuring System Values
In order to send messages, Powertech SIEM Agent For IBM i needs to know the format of the events to be sent to the host server. When you begin using Powertech SIEM Agent For IBM i, it is also a good idea to assign a message queue that logs all messages sent by the software, so you can confirm which messages have been sent. Both of these settings are configured on the Powertech SIEM Agent For IBM i Work with System Values screen.
To configure System Values
- At a command line on the IBM i, enter the following command to display the Powertech Main Menu.
- Select option 6 SIEM Agent.
- Select option 2 Work with Formats.
- Type 2 next to SYSLOG and press Enter.
- In the Message Style field, type *SYSLOG.
- In the Header specification field type RFC3164.
- Ensure that Use Header Format Compatibility is set to 'Y' and save the configuration.

- Press F3 twice to return to the Main Menu, then choose option 3 Work with Outputs.
- Press F6 to create a new output.
- Enter the following options:
  - Name: EVENTMGR
  - Description: Event Manager Server Output (or Install)
  - Active: 1
  - Format: SYSLOG
  - Type: *NETWORK
- Press Enter.
- Now enter these options on the subsequent screen:
  - Location: Enter the IP address of the machine on which Event Manager is installed
  - Port: 514
  - Protocol: UDP
  - Recovery limit: 100
  - Time limit: 10
  - ArcSight compatibility: 0
- Press Enter to save changes, then press F12 to close the window.
- Choose option 1 Work with Event Sources.
- Type 2 next to AUDIT and press Enter.
- Press F8 Maintain Outputs.
- Press F6 Attach to attach the recently created output.
- Type 1 next to EVENTMGR (the previously created output name) and press Enter.