Audit IBM iSeries System security events with LEM

Created by Interspire Import, last modified by MindTouch on Jun 23, 2016

Overview

This article describes how to audit IBM iSeries System security events with LEM. LEM supports security auditing on IBM iSeries Systems using a third-party log agent. The log agent sends data from the iSeries System to the LEM Appliance.

The log agent must be purchased separately from LEM. Some log agents commonly used with LEM include:

  • Alliance Log Agent for IBM i from Townsend Security
  • iSecurity for IBM AS400 from Raz-Lee
  • PowerTech Interact from PowerTech
  • Enforcive Enterprise Security for IBM i from Enforcive

For a complete list of supported third-party log agents, refer to the LEM Supported Tools List at http://www.solarwinds.com/log-event-manager/data-sources.aspx

Environment

All LEM versions

Audit requirements

To enable auditing on the iSeries System, you must:

  • Install the third-party log agent on your iSeries System.
  • Create the journal QAUDJRN and related journal receivers.
  • Set the appropriate auditing system security values.

Consult your third-party log agent documentation and the IBM Security Reference manual for information on how to perform these actions.  

Steps

iSeries System auditing-generated events

The events generated by iSeries System auditing are controlled by the following system values and commands:

  • QAUDCTL: Auditing Control
  • QAUDLVL: Security Auditing Level
  • QAUDLVL2: Security Auditing Level Extensions
  • CHGUSRAUD: Change User Audit
  • CHGOBJAUD: Change Object Audit

Consult the IBM Security Reference manual for more information.

Integrate third-party iSeries log agents with LEM 

To integrate third-party iSeries log agents with LEM:

  1. Configure iSeries System auditing as described in the IBM Security Reference manual.
  2. Install and configure the third-party log agent on the iSeries System as described in the log agent documentation.
  3. Configure the log agent to send syslog data to the LEM Appliance on port 514.
    1. Confirm the port number and IP address with your Security Administrator.
  4. Configure LEM to use the third-party log agent in the LEM Console:
    1. Open the Manage > Appliances view.
    2. Select Connectors from the gear icon for your appliance. The Connector Configuration window for your appliance displays.
  5. Select the gear icon for the third-party log agent instance installed on the iSeries System and click New.
  6. Configure the third-party log agent in the LEM Console as follows:
    1. Alias: Enter the name of the third-party log agent.
    2. Log File: Enter the directory or path from which to read. This is a location on either the local computer or LEM Appliance.
    3. Output: Select the desired type of output:
      1. Alert - sends data to the Alert database only
      2. nDepth - sends data to the RAW database only
      3. Alert and nDepth - sends data to both the Alert database and the RAW database
    4. Output, nDepth Host, and nDepth Port: These options determine how original log messages are stored (output format, nDepth host, and nDepth port). Leave them at their default values.
    5. Click Save.
  7. In the Connectors list, click the gear icon next to the new connector (in the Status column), and then select Start.
  8. Verify the connector is working by checking for events in the LEM Console Monitor tab.

Additional logging from the AS400 (IBM iSeries)

The AS400 can send logs to syslog facilities other than the default ones, so the LEM Appliance must write those facilities to files and the AS400 connector must be configured to read them. Facilities 13, 14, and 15 are the standard log audit, log alert, and clock daemon facilities.

Add the following to /etc/syslog-ng/syslog-ng.conf on the LEM Appliance. Each facility is written to its own file, and the template prefixes every message with a millisecond Unix timestamp and the sending host name:

destination d_auth     { file( "/var/log/auth.log"     template("${UNIXTIME}000 $HOST $MSGHDR$MSG\n") template_escape(no) ); };
destination d_audit    { file( "/var/log/audit.log"    template("${UNIXTIME}000 $HOST $MSGHDR$MSG\n") template_escape(no) ); };
destination d_alert    { file( "/var/log/alert.log"    template("${UNIXTIME}000 $HOST $MSGHDR$MSG\n") template_escape(no) ); };
destination d_clock2   { file( "/var/log/clock2.log"   template("${UNIXTIME}000 $HOST $MSGHDR$MSG\n") template_escape(no) ); };

filter f_auth     { facility(auth,authpriv); };
filter f_audit    { facility(13);            };
filter f_alert    { facility(14);            };
filter f_clock2   { facility(15);            };

log { source(s_src); filter(f_auth);     destination(d_auth);     };
log { source(s_src); filter(f_audit);    destination(d_audit);    };
log { source(s_src); filter(f_alert);    destination(d_alert);    };
log { source(s_src); filter(f_clock2);   destination(d_clock2);   };


Then configure the AS400 (Agentlog) connector to read auth.log, audit.log, alert.log, syslog.log, and clock2.log.
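To see what the syslog-ng rules above do to a message before the connector reads it, the following added example (not part of the original article or of SolarWinds or IBM code) decodes the syslog PRI of constructed AS400 messages, applies the same facility-to-file mapping as the filters, and renders each line in the ${UNIXTIME}000 $HOST $MSGHDR$MSG template format. The QAUDJRN message text, the host name AS400, and the assumption that timestamps are UTC in 2016 are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Facility number -> destination file, mirroring the syslog-ng filters above
# (auth=4 and authpriv=10 -> auth.log; 13 -> audit.log; 14 -> alert.log; 15 -> clock2.log).
FACILITY_FILES = {
    4: "/var/log/auth.log",
    10: "/var/log/auth.log",
    13: "/var/log/audit.log",
    14: "/var/log/alert.log",
    15: "/var/log/clock2.log",
}

# RFC 3164 frame as a log agent typically emits it: <PRI>Mmm dd hh:mm:ss HOST TAG: message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<hdr>\S+: )?(?P<msg>.*)$"
)

# Constructed sample messages; the QAUDJRN text is illustrative, not captured output.
SAMPLE_LINES = [
    "<110>Jun 22 19:54:01 AS400 QAUDJRN: AF Authority failure user QUSER object QSYS/PAYROLL",
    "<116>Jun 22 19:54:02 AS400 QAUDJRN: CP User profile QUSER changed",
    "<38>Jun 22 19:54:03 AS400 QAUDJRN: PW Invalid password for user JSMITH",
    "<127>Jun 22 19:54:04 AS400 QAUDJRN: SV System value QAUDLVL changed",
    "<14>Jun 22 19:54:05 AS400 QAUDJRN: JS Job started",  # facility 1 (user): no filter matches
]

def split_pri(pri):
    """PRI = facility * 8 + severity, so facility is pri >> 3 and severity is pri & 7."""
    return pri >> 3, pri & 7

def route(line, year=2016):
    """Return (destination file, rendered line), or (None, None) when no filter matches.
    Rendering follows ${UNIXTIME}000 $HOST $MSGHDR$MSG; the BSD timestamp carries no
    year or zone, so UTC and `year` are assumed here."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not an RFC 3164 syslog line: %r" % line)
    facility, _severity = split_pri(int(m.group("pri")))
    dest = FACILITY_FILES.get(facility)
    if dest is None:
        return None, None
    ts = datetime.strptime("%d %s" % (year, m.group("ts")), "%Y %b %d %H:%M:%S")
    unixtime = int(ts.replace(tzinfo=timezone.utc).timestamp())
    rendered = "%d000 %s %s%s" % (unixtime, m.group("host"), m.group("hdr") or "", m.group("msg"))
    return dest, rendered
```

A message whose facility matches none of the filters (the last sample line) is not written to any of these files, which is the usual reason a connector shows no events for one category of iSeries activity.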

Last modified
19:54, 22 Jun 2016
