February 21, 2017 | IBM i

SIEM: How Do IBM i Systems Fit into SIEM Environments?

Organizations are facing new demands for implementing an enterprise Security Information & Event Management (SIEM) solution. But what happens if you don’t know what a SIEM solution is, much less how to integrate an IBM i system into that solution? To help explain things, here’s some starter information on what SIEM is and how IBM i partitions fit into enterprise SIEM environments.

What is Enterprise SIEM?

Security Information and Event Management (SIEM) is an IT practice for collecting, monitoring, and analyzing system and security information (logs) from different computer systems and devices. IT organizations use three components to implement an enterprise SIEM solution.

  1. Agents running on individual computer devices that collect and store logs locally or on a centralized collector, using the syslog logging standard. Collected log information is called syslog data.
  2. A centralized log collector called a syslog server. The syslog server contains syslog data from enterprise servers, including Windows, Unix, and IBM i systems, along with logs from other devices, such as firewalls, routers, and printers. A syslog server acts as a security console for monitoring and reporting on SIEM events across the enterprise.
  3. Security Information and Event Management software to monitor, analyze, and report on enterprise syslog data for system events and security trends. Reporting can analyze prior events (forensic analysis) or detect security and system trends as they develop across the enterprise (predictive analysis).

IBM i information to export to SIEM

SIEM information is increasingly required by IT management, regulators, auditors, and customers. Some of the most important IBM i syslog data points that can be extracted and collected into an SIEM solution include:

  1. Audit journal (QAUDJRN) entries, which contain the system activities and security events recorded to the system audit journal
  2. History log (QHST) entries, which contain a high-level trace of system activities, including system changes, job changes, device status, and system operator messages
  3. IBM i message queues, such as QSYSOPR and QSYSMSG, which contain system-related messages
  4. Database journals, which store the results of database operations and updates, as well as database field-level changes and before and after images of database records
  5. Authority or access changes that are stored in vendor-provided software, such as the iSecurity Authority on Demand package
  6. Application changes and application field changes that are tracked through vendor software, such as the iSecurity AP-Journal Application Security & Business Analysis solution
  7. The output of security exit programs, which can be set up to record information whenever user profiles or passwords are changed; users remotely sign on to the system; files are accessed through ODBC or another protocol; users log on to TCP/IP servers; or other system and security functions occur.
  8. Virus detection notices issued and actions taken from IBM i anti-virus software scanning the Integrated File System (IFS)

Implementing IBM i SIEM integration

IBM i systems use the Portable Applications Solutions Environment (PASE for i) to collect and send certain groups of syslog data to a syslog server. It’s important to note that PASE for i and other native IBM i features can collect and export syslog data for only some, but not all, of the functions listed above; on their own they cannot deliver ALL IBM i syslog data to a syslog server.

This leaves IT organizations with two options for SIEM integration. They can build on PASE for i’s syslog support and custom-write their own complete IBM i SIEM integration software, or they can purchase a third-party package for full IBM i syslog integration, such as iSecurity Syslog.
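As an added example (not part of this article and not SEA or iSecurity code), a small Python script that stands in for the custom-written option: it takes already-parsed QAUDJRN entries, maps the entry type to a syslog severity, builds an RFC 5424 message with structured data, and can forward it to a collector over UDP. The hostname, collector address, entry field names and the sample entries are constructed assumptions; the entry types used (AF, PW, CP, DO) are real QAUDJRN types, but their journal record layouts are not parsed here.

```python
"""Format parsed IBM i audit-journal (QAUDJRN) entries as RFC 5424 syslog lines.
Constructed example: entries are hand-made dicts standing in for records already
extracted from QAUDJRN (e.g. with DSPJRN to an outfile); the real, entry-type
specific journal layouts are not modelled here."""
import socket
from datetime import datetime, timezone

FACILITY_AUTH = 4  # syslog "auth" facility code

# A few real QAUDJRN entry types mapped to syslog severities (0=emerg .. 7=debug);
# types not listed fall back to 6 (informational).
SEVERITY_BY_TYPE = {
    "AF": 4,  # authority failure     -> warning
    "PW": 4,  # invalid password/user -> warning
    "CP": 5,  # user profile changed  -> notice
    "DO": 5,  # object deleted        -> notice
}

def sd_escape(value):
    """Escape the three characters RFC 5424 requires escaped in SD-PARAM values."""
    return str(value).replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")

def audit_entry_to_syslog(entry, hostname="IBMI01"):
    """Return one RFC 5424 line for a parsed entry; PRI = facility*8 + severity."""
    severity = SEVERITY_BY_TYPE.get(entry["type"], 6)
    pri = FACILITY_AUTH * 8 + severity
    ts = entry["timestamp"].astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    # Structured data carries the fields a SIEM correlation rule would match on;
    # 32473 is the enterprise number reserved for documentation examples.
    sd = '[qaudjrn@32473 type="{}" user="{}" job="{}"]'.format(
        sd_escape(entry["type"]), sd_escape(entry["user"]), sd_escape(entry["job"]))
    return f"<{pri}>1 {ts} {hostname} qaudjrn - {entry['type']} {sd} {entry['message']}"

def send_udp(line, server="127.0.0.1", port=514):
    """Ship one formatted line to the syslog collector over UDP (hypothetical address)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(line.encode("utf-8"), (server, port))

# Constructed sample input, not real journal data.
SAMPLE_ENTRIES = [
    {"timestamp": datetime(2017, 2, 21, 9, 30, tzinfo=timezone.utc), "type": "PW",
     "user": "JSMITH", "job": "QZDASOINIT", "message": "Invalid password for user JSMITH"},
    {"timestamp": datetime(2017, 2, 21, 9, 31, tzinfo=timezone.utc), "type": "CP",
     "user": "QSECOFR", "job": "QPADEV0001", "message": "User profile JSMITH changed"},
]

if __name__ == "__main__":
    for e in SAMPLE_ENTRIES:
        print(audit_entry_to_syslog(e))  # swap in send_udp(...) to forward to the collector
```

In a real deployment the parsing step in front of this script is the hard part: each QAUDJRN entry type has its own record layout, which is exactly why the article notes that native support covers only part of the data.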

If you’re interested in discovering more about IBM i SIEM Integration, feel free to contact us at SEA Software. SEA specializes in Security, Audit and Compliance Management software and we would be glad to discuss your own syslog and SIEM integration needs.