
IBM Guardium
IBM® Guardium® is a database activity and audit tracking tool that lets system administrators retrieve detailed auditing events across database platforms.

These instructions require that you install the 8.2p45 fix for InfoSphere® Guardium®.

JSA collects informational, error, alert, and warning events from IBM® Guardium® by using syslog. JSA receives IBM® Guardium® Policy Builder events in the Log Event Extended Format (LEEF).

JSA can automatically discover and map only the events of the default policies that ship with IBM® Guardium®. Events from user-configured policies are displayed as unknown in JSA, and you must map those unknown events manually.

Configuration Overview

The following list outlines the process that is required to integrate IBM® Guardium® with JSA.

  1. Create a syslog destination for policy violation events. For more information, see Creating a Syslog Destination for Events.

  2. Configure your existing policies to generate syslog events. For more information, see Configuring Policies to Generate Syslog Events.

  3. Install the policy on IBM® Guardium®. For more information, see Installing an IBM Guardium Policy.

  4. Configure the log source in JSA. For more information, see Configuring a Log Source.

  5. Identify and map unknown policy events in JSA. For more information, see Creating an Event Map for IBM Guardium Events.

Creating a Syslog Destination for Events

To create a syslog destination for these events on IBM® Guardium®, you must log in to the command-line interface (CLI) and define the IP address for JSA.

  1. Using SSH, log in to IBM® Guardium® as the root user.

    Username: <username>

    Password: <password>

  2. Type the following command to configure the syslog destination for informational events:

    store remote add daemon.info <IP address>:<port> <<tcp>|<udp>>

    For example,

    store remote add daemon.info 10.10.1.1:514 tcp

    Where:

    • <IP address> is the IP address of your JSA console or Event Collector.

    • <port> is the syslog port number that is used to communicate to the JSA console or Event Collector.

    • <<tcp>|<udp>> is the protocol that is used to communicate to the JSA console or Event Collector.

  3. Type the following command to configure the syslog destination for warning events:

    store remote add daemon.warning <IP address>:<port> <<tcp>|<udp>>

    Where:

    • <IP address> is the IP address of your JSA console or Event Collector.

    • <port> is the syslog port number that is used to communicate to the JSA console or Event Collector.

    • <<tcp>|<udp>> is the protocol that is used to communicate to the JSA console or Event Collector.

  4. Type the following command to configure the syslog destination for error events:

    store remote add daemon.err <IP address>:<port> <<tcp>|<udp>>

    Where:

    • <IP address> is the IP address of your JSA console or Event Collector.

    • <port> is the syslog port number that is used to communicate to the JSA console or Event Collector.

    • <<tcp>|<udp>> is the protocol that is used to communicate to the JSA console or Event Collector.

  5. Type the following command to configure the syslog destination for alert events:

    store remote add daemon.alert <IP address>:<port> <<tcp>|<udp>>

    Where:

    • <IP address> is the IP address of your JSA console or Event Collector.

    • <port> is the syslog port number that is used to communicate to the JSA console or Event Collector.

    • <<tcp>|<udp>> is the protocol that is used to communicate to the JSA console or Event Collector.

    You are now ready to configure a policy for IBM® InfoSphere® Guardium®.

Configuring Policies to Generate Syslog Events

Policies in IBM® Guardium® are responsible for reacting to events and forwarding the event information to JSA.

  1. Click the Tools tab.
  2. From the left navigation, select Policy Builder.
  3. From the Policy Finder pane, select an existing policy and click Edit Rules.
  4. Click Edit this Rule individually.

    The Access Rule Definition is displayed.

  5. Click Add Action.
  6. From the Action list, select one of the following alert types:
    • Alert Per Match: A notification is provided for every policy violation.

    • Alert Daily: A notification is provided the first time a policy violation occurs that day.

    • Alert Once Per Session: A notification is provided per policy violation for each unique session.

    • Alert Per Time Granularity: A notification is provided per your selected time frame.

  7. From the Message Template list, select JSA.
  8. From Notification Type, select SYSLOG.
  9. Click Add, then click Apply.
  10. Click Save.
  11. Repeat Steps 1 to 10 for all rules within the policy that you want to forward to JSA.

    For more information about configuring a policy, see your IBM® InfoSphere® Guardium® vendor documentation. After you have configured all of your policies, you are ready to install the policy on your IBM® Guardium® system.

    Note

    Because policies are configurable, JSA can automatically discover only the default policy events. If you have customized policies that forward events to JSA, you must manually create a log source to capture those events.

Installing an IBM Guardium Policy

Any new or edited policy in IBM® Guardium® must be installed before the updated alert actions or rule changes take effect.

  1. Click the Administration Console tab.
  2. From the left navigation, select Configuration > Policy Installation.
  3. From the Policy Installer pane, select a policy that you modified in Configuring Policies to Generate Syslog Events.
  4. From the drop-down list, select Install and Override.

    A confirmation is displayed to install the policy to all Inspection Engines.

  5. Click OK.

    For more information about installing a policy, see your IBM® InfoSphere® Guardium® vendor documentation. After you install all of your policies, you are ready to configure the log source in JSA.

Configuring a Log Source

JSA only automatically discovers default policy events from IBM Guardium.

Because of the configurable nature of policies, it is suggested that you configure a log source manually for IBM Guardium.

  1. Log in to JSA.
  2. Click the Admin tab.
  3. Click the Log Sources icon.
  4. Click Add.
  5. In the Log Source Name field, type a name for the log source.
  6. In the Log Source Description field, type a description for the log source.
  7. From the Log Source Type list, select IBM Guardium.
  8. From the Protocol Configuration list, select Syslog.
  9. Configure the following values:

    Table 1: IBM Guardium Syslog Configuration

    Parameter               Description
    Log Source Identifier   Type the IP address or host name for the IBM InfoSphere Guardium appliance.

  10. Click Save.
  11. On the Admin tab, click Deploy Changes.

Creating an Event Map for IBM Guardium Events

Event mapping is required for a number of IBM® Guardium® events. Because policy rules are customizable, most events, except the default policy events, do not have a predefined JSA Identifier (QID) map to categorize security events.

You can individually map each event for your device to an event category in JSA. Mapping events allows JSA to identify, coalesce, and track recurring events from your network devices. Until you map an event, all events that are displayed in the Log Activity tab for IBM® Guardium® are categorized as unknown. Unknown events are easy to identify because the Event Name and Low Level Category columns display Unknown.

As your device forwards events to JSA, it can take time to categorize all of the events for a device, because some events might not be generated immediately by the event source appliance or software. It is therefore helpful to know how to quickly search for unknown events. We suggest that you repeat this search until you are satisfied that most of your events are identified.
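Before an event reaches the Log Activity tab, it arrives at JSA as a syslog line carrying a LEEF payload (the format named in the introduction above), and the EventID field of that payload is what a QID map is keyed on. The following Python script is an added example, not part of the Guardium or JSA documentation, that parses captured LEEF 1.0 and 2.0 lines and counts which IBM Guardium EventIDs are already mapped and which would still show as unknown. The sample lines, EventID names, attribute names and QID numbers in it are constructed placeholders, not real Policy Builder output or real JSA QIDs; only the LEEF container format itself (header fields separated by |, attributes separated by a tab in LEEF 1.0 or by the declared delimiter in LEEF 2.0) is assumed. It is useful when you want a quick offline inventory of what still needs mapping, for example from a packet capture taken on the collector, rather than repeating the Last Hour search by hand.

```python
"""Find IBM Guardium events that still need a QID map, from captured syslog/LEEF lines.

Added example, not from the Guardium or JSA documentation. All sample values are
constructed placeholders; only the LEEF container format is assumed.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass, field

# Optional syslog PRI, then any syslog header text, then the LEEF version marker.
LEEF_START = re.compile(r"^(?:<(?P<pri>\d{1,3})>)?(?P<syslog_hdr>.*?)LEEF:(?P<ver>[12]\.0)\|")


@dataclass
class LeefEvent:
    pri: int | None
    vendor: str
    product: str
    version: str
    event_id: str
    attrs: dict[str, str] = field(default_factory=dict)


def parse_leef(line: str) -> LeefEvent | None:
    """Parse one syslog line carrying a LEEF 1.0 or 2.0 payload; None if it is not LEEF."""
    m = LEEF_START.match(line)
    if m is None:
        return None
    fields = line[m.end():].split("|")
    if len(fields) < 5:
        return None
    vendor, product, version, event_id = fields[:4]
    if m.group("ver") == "2.0":
        # LEEF 2.0 carries a delimiter field before the attributes:
        # empty means tab, "xHH" is a hex character code, otherwise the literal character.
        if len(fields) < 6:
            return None
        spec = fields[4]
        if spec == "":
            delim = "\t"
        elif spec.startswith("x") and len(spec) > 1:
            delim = chr(int(spec[1:], 16))
        else:
            delim = spec
        attr_text = "|".join(fields[5:])
    else:
        delim = "\t"
        attr_text = "|".join(fields[4:])
    attrs: dict[str, str] = {}
    for chunk in attr_text.split(delim):
        if "=" in chunk:
            key, value = chunk.split("=", 1)
            attrs[key.strip()] = value
    pri = int(m.group("pri")) if m.group("pri") else None
    return LeefEvent(pri, vendor, product, version, event_id, attrs)


# Constructed QID map: EventIDs this deployment has already mapped in JSA (placeholder QID).
MAPPED_EVENT_IDS = {"Default Policy Violation": 999999001}


def triage(lines: list[str], mapped: dict[str, int] = MAPPED_EVENT_IDS) -> dict:
    """Count Guardium EventIDs that are mapped, unmapped (still 'unknown' in JSA), or unparsable."""
    known: Counter[str] = Counter()
    unknown: Counter[str] = Counter()
    unparsed = 0
    for line in lines:
        ev = parse_leef(line)
        if ev is None or ev.vendor != "IBM" or ev.product != "Guardium":
            unparsed += 1
            continue
        (known if ev.event_id in mapped else unknown)[ev.event_id] += 1
    return {"known": dict(known), "unknown": dict(unknown), "unparsed": unparsed}


# Constructed sample traffic: placeholder EventIDs and attributes, not real Guardium output.
SAMPLE_LINES = [
    "<30>Jan 10 12:00:01 guardium LEEF:1.0|IBM|Guardium|8.2|Default Policy Violation|"
    "devTime=Jan 10 2024 12:00:01\tsrc=10.10.5.20\tusrName=appuser\tsev=5",
    "<27>Jan 10 12:00:02 guardium LEEF:1.0|IBM|Guardium|8.2|Custom Rule Hit|"
    "devTime=Jan 10 2024 12:00:02\tsrc=10.10.5.21\tusrName=dbadmin\tsev=8",
    "<30>Jan 10 12:00:03 guardium LEEF:2.0|IBM|Guardium|8.2|Default Policy Violation|^|"
    "devTime=Jan 10 2024 12:00:03^src=10.10.5.22^usrName=appuser^sev=5",
    "<30>Jan 10 12:00:04 guardium cron[1234]: nightly report job completed",  # not LEEF
]

if __name__ == "__main__":
    report = triage(SAMPLE_LINES)
    for event_id, count in report["unknown"].items():
        print(f"needs QID map: {event_id!r} ({count} events)")
    print(f"{report['unparsed']} line(s) were not IBM Guardium LEEF events")
```

The script keys its map on the LEEF EventID because that is the field a Policy Builder rule controls; the vendor and product check keeps events from other LEEF sources sharing the collector out of the count. On the sample lines it reports one unmapped EventID, Custom Rule Hit, which is the kind of user-configured event the procedure below tells you to map.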

  1. Log in to JSA.
  2. Click the Log Activity tab.
  3. Click Add Filter.
  4. From the first list, select Log Source.
  5. From the Log Source Group list, select the log source group or Other.

    Log sources that are not assigned to a group are categorized as Other.

  6. From the Log Source list, select your IBM® Guardium® log source.
  7. Click Add Filter.

    The Log Activity tab is displayed with a filter for your log source.

  8. From the View list, select Last Hour.

    Any events that are generated by the IBM® Guardium® DSM in the last hour are displayed. Events that are displayed as unknown in the Event Name column or Low Level Category column require event mapping in JSA.

    Note

    You can save your existing search filter by clicking Save Criteria.

    You are now ready to modify the event map.

Modifying the Event Map

Modifying an event map allows for the manual categorization of events to a JSA Identifier (QID) map. Any event that is categorized to a log source can be remapped to a new JSA Identifier (QID).

IBM® Guardium® events that do not have a defined log source cannot be mapped. Events without a log source display SIM Generic Log in the Log Source column.

  1. On the Event Name column, double-click an unknown event for IBM® Guardium®.

    The detailed event information is displayed.

  2. Click Map Event.
  3. From the Browse for QID pane, select any of the following search options to narrow the event categories for a JSA Identifier (QID):
    • From the High-Level Category list, select a high-level event categorization.

    • For a full list of high-level and low-level event categories or category definitions, see the Event Categories section of the Juniper Secure Analytics Administration Guide.

    • From the Low-Level Category list, select a low-level event categorization.

    • From the Log Source Type list, select a log source type.

    The Log Source Type list gives the option to search for QIDs from other log sources. Searching for QIDs by log source is useful when events are similar to those of another existing network device. For example, because IBM® Guardium® provides policy events, you might select another product that likely captures similar events.

  4. To search for a QID by name, type a name in the QID/Name field.

    The QID/Name field gives the option to filter the full list of QIDs for a specific word, for example, policy.

  5. Click Search.

    A list of QIDs is displayed.

  6. Select the QID you want to associate to your unknown event.
  7. Click OK.

    JSA maps any additional events that are forwarded from your device with the same QID that matches the event payload. The event count increases each time that the event is identified by JSA.

    If you update an event with a new JSA Identifier (QID) map, past events that are stored in JSA are not updated. Only new events are categorized with the new QID.