Monitoring SSH Activity with SIEM Agent

This section provides an overview of monitoring SSH (Secure Shell) activity with Powertech SIEM Agent for IBM i.

NOTE: Detailed instructions can be found in the Fortra article: Setting up and testing monitoring of SSH Activity with SIEM Agent.

Requirements

Successful monitoring of SSH Activity with SIEM Agent requires the following:

  1. SSH is already configured and working on the IBM i.

  2. You can connect via SSH from another system to the IBM i in order to test the configuration.

  3. Basic configuration of Powertech SIEM Agent for IBM i has been performed. Specifically, Outputs have been defined and events are flowing to them.

  4. The path of the SSHD configuration file is known.

TIP: The path is typically: /QOpenSys/QIBM/UserData/SC1/OpenSSH/etc/sshd_config

Data Flow

Correct configuration results in the following flow of data:

  1. An SSH client connects to an SSH server and performs actions.

  2. On the IBM i server, the SSH daemon sends events to the local Syslog daemon.

  3. The Syslog daemon sends events to a local log file.

  4. Events added to the log file cause journal entries to be created.

  5. SIEM Agent ingests the journal entries.

  6. SIEM Agent forwards the journal entries as events to the defined Outputs.
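The following Python script is an added example, not code from Fortra or the SIEM Agent product. It checks step 3 of this flow by reading the log file that the syslog daemon writes for sshd and summarising authentication outcomes per source address and user, so you can confirm events land in the file after the test SSH connection from Requirement 2 before looking at journaling and SIEM Agent. The log path and the BSD-style syslog line format are assumptions; the sample log lines are constructed.

```python
# Added example (not Fortra's code): check step 3 of the flow by parsing the
# log file the syslog daemon writes for sshd. Assumes BSD-style syslog lines
# ("Mon DD HH:MM:SS host sshd[pid]: msg") and an assumed log path.
import re
from collections import Counter
LOG_PATH = "/QOpenSys/var/log/sshd.log"  # assumed; use your syslog.conf target
# One syslog line as written for sshd: timestamp, host, sshd[pid], message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# OpenSSH authentication outcome wording, the events a SIEM cares about.
AUTH_RE = re.compile(
    r"^(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)

def parse_sshd_events(lines):
    """Return one dict per sshd authentication line; other lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        a = AUTH_RE.match(m["msg"]) if m else None
        if not a:
            continue
        events.append({"ts": m["ts"], "host": m["host"], "pid": int(m["pid"]),
                       "result": a["result"], "method": a["method"],
                       "user": a["user"], "src": a["src"], "port": int(a["port"]),
                       "invalid_user": "invalid user " in m["msg"]})
    return events

def summarize(events):
    """Count outcomes per (source, user, result) so a failed-login burst stands out."""
    return Counter((e["src"], e["user"], e["result"]) for e in events)

# Constructed sample lines standing in for the real log file.
SAMPLE_LOG = """\
Mar  4 09:12:01 IBMI01 sshd[12345]: Accepted publickey for qsecofr from 10.1.2.3 port 51234 ssh2: RSA SHA256:abc
Mar  4 09:12:05 IBMI01 sshd[12350]: Failed password for invalid user admin from 10.9.8.7 port 40001 ssh2
Mar  4 09:12:07 IBMI01 sshd[12350]: Failed password for invalid user admin from 10.9.8.7 port 40001 ssh2
Mar  4 09:12:09 IBMI01 sshd[12345]: Disconnected from user qsecofr 10.1.2.3 port 51234
"""
if __name__ == "__main__":
    try:
        with open(LOG_PATH, encoding="utf-8") as f:
            lines = f.readlines()
    except OSError:  # not on the IBM i: fall back to the constructed sample
        lines = SAMPLE_LOG.splitlines()
    for key, count in sorted(summarize(parse_sshd_events(lines)).items()):
        print(key, count)
```

If the script reports nothing after a test login, sshd is not reaching the log file and the syslog routing should be checked before the journaling and SIEM Agent steps.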