Configuring Enterprise-IT-Security.com SF-Sherlock to Communicate with JSA
Before you can send SF-Sherlock events and assessment details to JSA, implement the SF-Sherlock 2 JSA connection kit.
The information that is sent to JSA can be defined and selected in detail. Regardless of the selected transfer method, all information reaches JSA as LEEF-formatted records.
- Install the UMODQR01 and UMODQR02 SF-Sherlock SMP/E user modifications by using the corresponding SHERLOCK.SSHKSAMP data set members.
- If you send SF-Sherlock’s LEEF records to a JSA syslog daemon, which is generally the preferred transfer method, you must install the SF-Sherlock universal syslog message router in the USS environment of z/OS. You will find all installation details within the UNIXCMDL member of the SHERLOCK.SSHKSAMP data set.
- Optional: If you transfer the logs by FTP or another technique, you must adapt the UMODQR01 user modification.
- Enter the IP address of the JSA LEEF syslog server, the transfer method (UDP or TCP), and the port number (514) in the JSASE member of SF-Sherlock’s init-deck parameter configuration file.
- Allocate the JSA-related log data set by using the ALLOCQRG job of the SHERLOCK.SSHKSAMP data set. The SHERLOCK started procedure (STC) uses this data set to hold all LEEF records that are being transferred to JSA.
- The JSATST member of the SHERLOCK.SSHKSAMP data set can be used to test the SF-Sherlock 2 JSA message routing connection. If JSA receives the test events, the implementation was successful.
- Enable the SF-Sherlock 2 JSA connection in your SF-Sherlock installation by activating the JSA00 (event monitoring) and, optionally, the JSA01 (assessment details) init-deck members through the already prepared ADD JSAxx statements within the $BUILD00 master control member.
- Refresh or recycle the SHERLOCK started procedure to activate the new master control member that enables the connection of SF-Sherlock to JSA.
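The steps above end with JSATST sending test events and JSA either receiving them or not. When a collector does not show the events, it helps to have an independent way to confirm that what arrives on the syslog port is a well-formed LEEF record. The following Python script is an added example, not part of the SF-Sherlock kit or the JSA documentation: it parses the syslog prefix and the LEEF 1.0/2.0 header and attributes, and sends a record over UDP to a loopback socket to show the round trip. The sample record, its vendor/product/event names and attribute values are constructed for this example; the real SF-Sherlock record layout is defined by the product. The loopback socket uses an ephemeral port so the script runs unprivileged, whereas the real target is the JSA address and port 514 configured in the JSASE member.

```python
"""Parse and round-trip LEEF records as they would arrive on a syslog port.

Example code written for this page; the record below is constructed and
only illustrates the LEEF layout, not SF-Sherlock's actual event content.
"""
import re
import socket
from typing import Dict

# Optional RFC 3164-style syslog prefix (<PRI>, timestamp, host) before "LEEF:".
_SYSLOG_PREFIX = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?:(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) )?"
    r"(?:(?P<host>\S+) )?"
    r"(?=LEEF:)"
)

# Constructed sample: vendor, product, version, event ID and attributes are
# assumptions for this example, not values taken from SF-Sherlock.
SAMPLE_RECORD = (
    "<13>Jan 15 10:23:45 MVSA "
    "LEEF:2.0|Enterprise-IT-Security.com|SF-Sherlock|1.0|LOGON_FAILURE|x09|"
    "devTime=Jan 15 2024 10:23:45\tusrName=TESTUSER\tsrc=10.0.0.5\tcat=Security"
)


def _delimiter(spec: str) -> str:
    """Resolve the LEEF 2.0 delimiter field: empty means tab, 'x09'/'0x09'
    style hex is decoded, and any single character is taken literally."""
    if spec == "":
        return "\t"
    hexmatch = re.fullmatch(r"0?x([0-9A-Fa-f]{2})", spec)
    if hexmatch:
        return chr(int(hexmatch.group(1), 16))
    if len(spec) == 1 and spec != "|":
        return spec
    raise ValueError(f"unsupported delimiter specification {spec!r}")


def parse_leef(line: str) -> Dict[str, object]:
    """Split a syslog line carrying a LEEF record into header fields and a
    dict of attributes. Raises ValueError on anything that is not LEEF."""
    prefix = _SYSLOG_PREFIX.match(line)
    if prefix is None:
        raise ValueError("line does not carry a LEEF header")
    fields = line[prefix.end():].split("|")
    version = fields[0].split(":", 1)[1]
    if version == "1.0":
        if len(fields) < 6:
            raise ValueError("LEEF 1.0 header needs Vendor|Product|Version|EventID|")
        vendor, product, product_version, event_id = fields[1:5]
        delim, attrs_raw = "\t", "|".join(fields[5:])
    elif version == "2.0":
        if len(fields) < 7:
            raise ValueError("LEEF 2.0 header needs Vendor|Product|Version|EventID|Delim|")
        vendor, product, product_version, event_id, spec = fields[1:6]
        delim, attrs_raw = _delimiter(spec), "|".join(fields[6:])
    else:
        raise ValueError(f"unknown LEEF version {version!r}")

    attributes: Dict[str, str] = {}
    for pair in attrs_raw.split(delim):
        if not pair:
            continue
        key, _, value = pair.partition("=")  # values may themselves contain '='
        attributes[key] = value

    pri = prefix.group("pri")
    return {
        "syslog_pri": int(pri) if pri is not None else None,
        "syslog_host": prefix.group("host"),
        "version": version,
        "vendor": vendor,
        "product": product,
        "product_version": product_version,
        "event_id": event_id,
        "delimiter": delim,
        "attributes": attributes,
    }


def udp_roundtrip(record: str) -> Dict[str, object]:
    """Send the record over UDP to a loopback socket and parse what arrives.
    The ephemeral port keeps this unprivileged; a real check would point a
    listener at the port the JSASE member names (514)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("127.0.0.1", 0))
        sock.settimeout(2)
        sock.sendto(record.encode("utf-8"), sock.getsockname())
        data, _ = sock.recvfrom(65535)
    return parse_leef(data.decode("utf-8"))


if __name__ == "__main__":
    parsed = udp_roundtrip(SAMPLE_RECORD)
    print(parsed["vendor"], parsed["product"], parsed["event_id"])
    for key, value in parsed["attributes"].items():
        print(f"  {key} = {value}")
```

A record that the script rejects with a ValueError is one that JSA's LEEF parser is unlikely to map either, which narrows the fault to the router configuration or the UMODQR01 adaptation rather than to the network path.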