To collect security, compliance, and audit events, configure
your Raz-Lee iSecurity installation to forward Log Event Extended
Format (LEEF) syslog events to JSA.
- Log in to the IBM System i command-line interface.
- From the command line, type STRAUD to access the Audit menu options.
- From the Audit menu, select 81. System Configuration.
- From the iSecurity/Base System Configuration menu, select 32. SIEM 1.
- Configure the 32. SIEM 1 parameter values.
Learn more about 32. SIEM 1 parameter values:

Table 1: 32. SIEM 1 Parameter Values

| Parameter | Value |
|---|---|
| SIEM 1 name | Type JSA. |
| DSM name | Type the port that is used to send syslog messages. The default port is 514, which is the syslog standard. |
| SYSLOG type | Type 1 for UDP. |
| Destination address | Type the IP address for JSA. |
| Severity range to auto send | Type a severity message level in the range of 0 - 7. For example, type 7 to send all syslog messages. |
| Facility to use | Type a syslog facility level in the range of 0 - 23. |
| Message structure | Type *LEEF. |
| Convert data to CCSID | Type 0 in the Convert data to CCSID field. This is the default character conversion. |
| Maximum length | Type 1024. |

- From the iSecurity/Base System Configuration menu, select 31. Main Control.
- Configure the 31. Main Control parameter values.
Learn more about 31. Main Control parameter values:

Table 2: 31. Main Control Parameter Values

| Parameter | Value |
|---|---|
| Run rules before sending | To process the events that you want to send, type Y. To send all events, type N. |
| SIEM 1: JSA | Type Y. |
| Send JSON messages (for DAM) | Type N. |
| As only operation | Type N. |

- From the command line, to configure the Firewall options, type STRFW to access the menu options.
- From the Firewall menu, select 81. System Configuration.
- From the iSecurity (part 1) Global Parameters: menu, select 72. SIEM 1.
- Configure the 72. SIEM 1 parameter values.
Learn more about 72. SIEM 1 parameter values:

Table 3: 72. SIEM 1 Parameter Values

| Parameter | Value |
|---|---|
| SIEM 1 name | Type JSA. |
| Port | Type the port that is used to send syslog messages. The default port is 514, which is the syslog standard. |
| SYSLOG type | Type 1 for UDP syslog type. |
| Send in FYI mode | Type N. |
| Destination address | Type the IP address for the JSA console. |
| Severity range to auto send | Type a severity level in the range 0 - 7. |
| Facility to use | Type a facility level. |
| Message structure | Type *LEEF. |
| Convert data to CCSID | Type 0. |
| Maximum length | Type 1024. |

- From the iSecurity (part 1) Global Parameters: menu, select 71. Main Control.
- Configure the 71. Main Control parameter values.
Learn more about 71. Main Control parameter values:

Table 4: 71. Main Control Parameter Values

| Parameter | Value |
|---|---|
| SIEM 1: JSA | Type 2. |
| Send JSON messages (for DAM) | Type 0. |

Syslog LEEF events that are forwarded by Raz-Lee iSecurity are
automatically discovered by the JSA DSM for IBM AS/400
iSeries. In most cases, the log source is automatically created in JSA after a few events are detected.
If the event rate is low, you can manually configure a log source
for Raz-Lee iSecurity in JSA. Until the log source is
automatically discovered and identified, the event type displays as Unknown
on the Log Activity tab.
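
To confirm on the receiving side that forwarded events match the settings in the tables above, the following added example (not part of the original documentation) decodes the syslog priority into facility and severity, checks for a LEEF header, and flags payloads that reached the 1024-byte maximum length. The sample datagram, its vendor and product fields, and the function name are constructed for illustration; attribute parsing assumes LEEF 1.0 tab-separated key=value pairs.

```python
import re

MAX_LEN = 1024  # "Maximum length" value from the SIEM 1 tables

# <PRI>, optional syslog header text, then the LEEF header:
# LEEF:version|vendor|product|product version|event ID|attributes
PATTERN = re.compile(
    rb"^<(\d{1,3})>(.*?)LEEF:([\d.]+)\|([^|]*)\|([^|]*)\|([^|]*)\|([^|]*)\|(.*)$",
    re.DOTALL,
)

# Constructed sample payload (not captured from a real iSecurity system).
SAMPLE = (b"<110>Jan 12 10:15:02 ibmi01 "
          b"LEEF:1.0|ExampleVendor|ExampleProduct|1.0|EVT001|"
          b"usrName=TESTUSER\tsev=6")


def check_datagram(data: bytes, max_severity: int = 7) -> dict:
    """Decode one UDP syslog payload and list configuration problems."""
    m = PATTERN.match(data)
    if m is None:
        return {"ok": False, "problems": ["no <PRI> or LEEF header found"]}
    facility, severity = divmod(int(m.group(1)), 8)  # PRI = facility*8 + severity
    problems = []
    if facility > 23:
        problems.append(f"facility {facility} outside 0 - 23")
    if severity > max_severity:
        problems.append(f"severity {severity} above configured range")
    if len(data) >= MAX_LEN:
        problems.append("payload reached maximum length, may be truncated")
    body = m.group(8).decode("utf-8", errors="replace")
    # Assumption: LEEF 1.0 attributes, tab-separated key=value pairs.
    attrs = dict(p.split("=", 1) for p in body.split("\t") if "=" in p)
    return {
        "ok": not problems,
        "facility": facility,
        "severity": severity,
        "leef_version": m.group(3).decode(),
        "event_id": m.group(7).decode("utf-8", errors="replace"),
        "attrs": attrs,
        "problems": problems,
    }


if __name__ == "__main__":
    print(check_datagram(SAMPLE))
```

Pass the severity value that you typed in "Severity range to auto send" as `max_severity` to spot events that fall outside the configured range.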