Configuring Raz-Lee iSecurity to Communicate with JSA

 

To collect security, compliance, and audit events, configure your Raz-Lee iSecurity installation to forward Log Event Extended Format (LEEF) syslog events to JSA.

  1. Log in to the IBM System i command-line interface.
  2. From the command line, type STRAUD to access the Audit menu options.
  3. From the Audit menu, select 81. System Configuration.
  4. From the iSecurity/Base System Configuration menu, select 32. SIEM 1.
  5. Configure the 32. SIEM 1 parameter values.

    Learn more about 32. SIEM 1 parameter values:

    Table 1: 32. SIEM 1 Parameter Values

    | Parameter | Value |
    |---|---|
    | SIEM 1 name | Type JSA. |
    | DSM name | Type the port that is used to send syslog messages. The default port is 514, which is the syslog standard. |
    | SYSLOG type | Type 1 for UDP. |
    | Destination address | Type the IP address for JSA. |
    | Severity range to auto send | Type a severity message level in the range of 0 - 7. For example, type 7 to send all syslog messages. |
    | Facility to use | Type a syslog facility level in the range of 0 - 23. |
    | Message structure | Type *LEEF. |
    | Convert data to CCSID | Type 0 in the Convert data to CCSID field. This is the default character conversion. |
    | Maximum length | Type 1024. |

  6. From the iSecurity/Base System Configuration menu, select 31. Main Control.
  7. Configure the 31. Main Control parameter values.

    Learn more about 31. Main Control parameter values:

    Table 2: 31. Main Control Parameter Values

    | Parameter | Value |
    |---|---|
    | Run rules before sending | To process the events that you want to send, type Y. To send all events, type N. |
    | SIEM 1: JSA | Type Y. |
    | Send JSON messages (for DAM) | Type N. |
    | As only operation | Type N. |

  8. To configure the Firewall options, type STRFW from the command line to access the Firewall menu options.
  9. From the Firewall menu, select 81. System Configuration.
  10. From the iSecurity (part 1) Global Parameters: menu, select 72. SIEM 1.
  11. Configure the 72. SIEM 1 parameter values.

    Learn more about 72. SIEM 1 parameter values:

    Table 3: 72. SIEM 1 Parameter Values

    | Parameter | Value |
    |---|---|
    | SIEM 1 name | Type JSA. |
    | Port | Type the port that is used to send syslog messages. The default port is 514, which is the syslog standard. |
    | SYSLOG type | Type 1 for UDP syslog type. |
    | Send in FYI mode | Type N. |
    | Destination address | Type the IP address for the JSA console. |
    | Severity range to auto send | Type a severity level in the range 0 - 7. |
    | Facility to use | Type a facility level. |
    | Message structure | Type *LEEF. |
    | Convert data to CCSID | Type 0. |
    | Maximum length | Type 1024. |

  12. From the iSecurity (part 1) Global Parameters: menu, select 71. Main Control.
  13. Configure the 71. Main Control parameter values.

    Learn more about 71. Main Control parameter values:

    Table 4: 71. Main Control Parameter Values

    | Parameter | Value |
    |---|---|
    | SIEM 1: JSA | Type 2. |
    | Send JSON messages (for DAM) | Type 0. |

Syslog LEEF events that are forwarded by Raz-Lee iSecurity are automatically discovered by the JSA DSM for IBM AS/400 iSeries. In most cases, the log source is automatically created in JSA after a few events are detected.

If the event rate is low, you can manually configure a log source for Raz-Lee iSecurity in JSA. Until the log source is automatically discovered and identified, the event type displays as Unknown on the Log Activity tab. View automatically discovered log sources on the Admin tab by clicking the Log Sources icon.
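
When events stay Unknown or no log source appears, it helps to confirm that the datagrams leaving iSecurity match the settings in the tables above. The following is an added example, not part of the original documentation or of any Raz-Lee or JSA tooling: a Python check for one syslog datagram (for instance, the payload of a packet captured on the configured UDP port) that verifies the 1024-byte limit, the facility and severity encoded in the priority prefix, and the LEEF 1.0 header. The sample datagram, its vendor, product and event values, and the function name are constructed for illustration.

```python
import re

MAX_LEN = 1024  # "Maximum length" from the SIEM 1 tables
PRI_RE = re.compile(r"^<(\d{1,3})>")  # syslog priority = facility * 8 + severity

# Constructed sample datagram (placeholder vendor, product and event values).
SAMPLE = (b"<13>Jan  1 00:00:00 ibmi-host LEEF:1.0|ExampleVendor|ExampleProduct"
          b"|1.0|EVT001|usrName=TESTUSER\tsrc=192.0.2.10")


def check_leef_datagram(data: bytes, max_severity: int = 7) -> dict:
    """Decode one syslog datagram and list deviations from the page's settings."""
    problems = []
    if len(data) > MAX_LEN:
        problems.append(f"length {len(data)} exceeds {MAX_LEN}")
    text = data.decode("utf-8", errors="replace")

    facility = severity = None
    m = PRI_RE.match(text)
    if not m:
        problems.append("missing <PRI> syslog prefix")
    else:
        facility, severity = divmod(int(m.group(1)), 8)
        if facility > 23:
            problems.append(f"facility {facility} outside 0-23")
        # Assumption: the configured severity is an upper bound (7 sends all).
        if severity > max_severity:
            problems.append(f"severity {severity} above configured {max_severity}")

    header, attrs = {}, {}
    start = text.find("LEEF:")
    if start < 0:
        problems.append("no LEEF header; check that Message structure is *LEEF")
    else:
        parts = text[start:].split("|", 5)
        if len(parts) < 6:
            problems.append("incomplete LEEF 1.0 header (5 pipe-delimited fields)")
        else:
            keys = ("leef_version", "vendor", "product", "version", "event_id")
            header = dict(zip(keys, parts[:5]))
            header["leef_version"] = header["leef_version"][len("LEEF:"):]
            # LEEF 1.0 attributes are tab-separated key=value pairs.
            for pair in parts[5].rstrip("\r\n").split("\t"):
                key, sep, value = pair.partition("=")
                if sep:
                    attrs[key] = value
    return {"facility": facility, "severity": severity,
            "header": header, "attrs": attrs, "problems": problems}
```

An empty `problems` list means the datagram is consistent with the configured values; pass the severity you typed in the SIEM 1 screen as `max_severity`.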