integrate as/400...apr 04, 2018 · 1 integrate as/400 abstract this guide provides instructions to...
TRANSCRIPT
Integrate AS/400 EventTracker v8.x and above
Publication Date: April 4, 2018
1
Integrate AS/400
Abstract This guide provides instructions to configure AS/400 to send crucial events to EventTracker Enterprise by means of syslog.
Scope The configurations detailed in this guide are consistent with EventTracker Enterprise version 8.x and later, and AS/400 iSeries 6.1-7.1.
Audience AS/400 users, who wish to forward its events to EventTracker Manager and monitor them using EventTracker Enterprise.
The information contained in this document represents the current view of EventTracker. on the issues discussed as of the date of publication. Because EventTracker must respond to changing market conditions, it should not be interpreted to be a commitment on the part of EventTracker, and EventTracker cannot guarantee the accuracy of any information presented after the date of publication.
This document is for informational purposes only. EventTracker MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, this paper may be freely distributed without permission from EventTracker, if its content is unaltered, nothing is added to the content and credit to EventTracker is provided.
EventTracker may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from EventTracker, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
The example companies, organizations, products, people and events depicted herein are fictitious. No association with any real company, organization, product, person or event is intended or should be inferred.
© 2018 EventTracker Security LLC. All rights reserved. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
2
Integrate AS/400
Table of Contents
Abstract ........................................................................................................................................................................ 1
Scope ............................................................................................................................................................................ 1
Audience....................................................................................................................................................................... 1
Overview ...................................................................................................................................................................... 3
Prerequisites ................................................................................................................................................................ 3
Integrating AS/400 with EventTracker ....................................................................................................................... 3 Enable Audit for IBM iSeries (AS/400) Journal Logs .............................................................................................. 3
Configuring IBM i Security to send events to EventTracker ................................................................................. 3
EventTracker Knowledge Pack .................................................................................................................................... 8 Categories ................................................................................................................................................................ 8
Alerts ........................................................................................................................................................................ 8
Flex Reports ............................................................................................................................................................. 9
Import AS/400 Knowledge Pack into EventTracker ................................................................................................ 13 Import Category..................................................................................................................................................... 14
Import Alerts .......................................................................................................................................................... 16
Import Knowledge Object ..................................................................................................................................... 17
Token Template ..................................................................................................................................................... 18
Import Flex Reports ............................................................................................................................................... 20
Verify AS/400 Knowledge Pack ................................................................................................................................. 22 Verify Categories ................................................................................................................................................... 22
Verify Alerts ........................................................................................................................................................... 22
Verify Knowledge Object ...................................................................................................................................... 23
Token Template ..................................................................................................................................................... 24
Verify Flex Reports ................................................................................................................................................ 25
Create Dashboards in EventTracker ......................................................................................................................... 26 Schedule Reports ................................................................................................................................................... 26
Create Dashlets ...................................................................................................................................................... 29
Sample Dashboards ................................................................................................................................................... 33
3
Integrate AS/400
Overview The IBM System i is IBM's previous generation of midrange computer systems for IBM i users, and was subsequently replaced by the IBM Power Systems in April 2008. The platform was first introduced as the AS/400 (Application System/400) on June 21, 1988 and later renamed to the eServer iSeries in 2000.
AS/400 operating system is object-based. Features include a RDBMS (DB2/400), a menu-driven interface, support for multiple users, block-oriented terminal support (IBM 5250), and printers. It supports security, communications, and web-based applications which can be executed inside the optional IBM WebSphere Application Server or as PHP/MySQL applications inside a native port of the Apache web server.
Prerequisites • EventTracker 8.x or later should be installed.
• AS/400 iSeries application should be installed.
• A Syslog forwarder application needs to be installed as AS/400 do not have any syslog forwarder by default.
• Create a rule in the EventTracker Manager firewall to allow port 514.
Integrating AS/400 with EventTracker AS/400 is integrated to EventTracker via syslog forwarding with the help of any syslog forwarding application.
NOTE: Below given integration steps use IBM i Security as the syslog forwarding application.
Enable Audit for IBM iSeries (AS/400) Journal Logs NOTE: Below given integration is just an example of a syslog forwarder (IBM i Security) that can be used. You can use any other syslog forwarder to forward logs. It is not mandatory to use the same syslog forwarder. Other compatible syslog forwarder that are commonly used are ng-syslog, Townsend Allianz, kiwi etc.
Configuring IBM i Security to send events to EventTracker 1. Log in to iSecurity CLI console. 2. Access the main control screen for SIEM as shown in the below image.
4
Integrate AS/400
Figure 1
3. You will find an option Send SYSLOG Messages to Siem. Enter Y to configure. 4. Another screen comes up asking to set up the Syslog Server details as shown below.
5
Integrate AS/400
Figure 2
5. In the highlighted portion of the above image the given details need to be entered. • SIEM 1 name: Any name to identify the syslog server. • SYSLOG type: 1 (UDP) • Port: 514 • Destination address: EventTracker Manager IP Address • Message structure: CEF format
6. Set the severity of different syslog events as shown in the below image.
6
Integrate AS/400
Figure 3
7. Save the changes and press F3 to Exit from CLI mode. 8. Navigate to the GUI of iSecurity, choose System Configuration option as shown below.
7
Integrate AS/400
Figure 4
9. In the highlighted portion of the above image the given details need to be entered. • SYSLOG type: (UDP) • Port: 514 • Destination address: EventTracker Manager IP Address • Range of severities to send: 0-7
10. Click on Save. 11. Once the journal receiver is created and the logs specified are collected in it, EventTracker will fetch
those logs for monitoring, report generation and alert notification.
8
Integrate AS/400
EventTracker Knowledge Pack Once logs are received into EventTracker, Categories and reports can be configured into EventTracker.
Categories • AS/400- Audit change activities- This category based report provides information related to all the
audit change activities. • AS/400- Authority change activities- This category based report provides information related to all
the changes in authority like grant, replace and revoke that is done. • AS/400- Spooled file activities- This category based report provides information related to all the
spooled file activities. • AS/400- Interprocess communication activities- This category based report provides information
related to all the interprocess communications that are done. • AS/400- Command string audit- This category based report provides information related to all the
command strings that has been executed in the AS/400 CLI. • AS/400- User authentication failures- This category based report provides information related to all
the user authentication failures. • AS/400- Object operations- This category based report provides information related to all the object
operations such as object created, deleted, renamed, modified, ownership changed, and assigning rights.
• AS/400- Generic record activities- This category based report provides information related to all the generic record activities such as exit program added, exit program removed, function registration operations and resource monitoring operations.
Alerts • AS/400: Directory unlink: This alert is generated when any directory is unlinked or removed. • AS/400: Inteprocess communication activities: This alert is generated when any interprocess
communication changes occur such as ownership change, create, delete, authority failure and shared memory removal or attach.
• AS/400: Object operations: This alert is generated when any objects operation has taken place such as object created, deleted, renamed, modified, ownership changed, and assigned rights.
• AS/400: User Authentication failures: This alert is generated when any user authentication failure occurs.
9
Integrate AS/400
Flex Reports • AS/400- Audit change activities- This report provides information related to all the audit change
activities.
Figure 5
Logs Considered:
Figure 6
• AS/400- Authority change activities- This report provides information related to all the changes in authority like grant, replace and revoke that is done.
Figure 7
10
Integrate AS/400
Logs Considered:
Figure 8
• AS/400- Spooled file activities- This report provides information related to all the spooled file activities.
Figure 9
Logs Considered:
Figure 10
• AS/400- Interprocess communication activities- This report provides information related to all the interprocess communications that are done.
Figure 11
11
Integrate AS/400
Logs Considered:
Figure 12
• AS/400- Command string audit- This report provides information related to all the command strings that has been executed in the AS/400 CLI.
Figure 13
Logs Considered:
Figure 14
• AS/400- User authentication failures- This report provides information related to all the user authentication failures.
12
Integrate AS/400
Figure 15
Logs Considered:
Figure 16
• AS/400- Object operations- This report provides information related to all the object operations such as
object created, deleted, renamed, modified, ownership changed, and assigned rights.
Figure 17
13
Integrate AS/400
Logs Considered:
Figure 18
Import AS/400 Knowledge Pack into EventTracker NOTE: Import knowledge pack items in the following sequence:
• Categories • Knowledge Objects • Alerts • Token Templates • Flex Reports
NOTE: Export knowledge pack items in the following sequence:
• Categories • Knowledge Objects • Alerts • Token Templates • Flex Reports
1. Launch EventTracker Control Panel. 2. Double click Export Import Utility, and then click the Import tab.
14
Integrate AS/400
Figure 19
Import Category 1. Click Category option, and then click the browse button.
15
Integrate AS/400
Figure 20
2. Locate Categories_AS/400.iscat file, and then click the Open button. 3. To import categories, click the Import button.
EventTracker displays success message.
Figure 21
4. Click OK, and then click the Close button.
16
Integrate AS/400
Import Alerts 1. Click Alert option, and then click the browse button.
Figure 22
2. Locate AS/400 Alerts.isalt file, and then click the Open button. 3. To import alerts, click the Import button.
EventTracker displays success message.
Figure 23
4. Click the OK button, and then click the Close button.
17
Integrate AS/400
Import Knowledge Object 1. Click the Admin menu, and then click Knowledge Objects.
2. Click on ‘Import’ option.
Figure 24
3. In IMPORT pane click on Browse button.
Figure 25
4. Locate KO_AS/400.etko file, and then click the UPLOAD button.
18
Integrate AS/400
Figure 26
5. Now select the check box and then click on ‘OVERWRITE’ option. EventTracker displays success message.
Figure 27
6. Click on OK button.
Token Template 1. Click the Admin menu, and then click Parsing rule.
19
Integrate AS/400
2. Select Template tab, and then click on ‘Import’ option. 3. Click on Browse button.
Figure 28
4. Locate AS/400 Templates.ettd file, and then click the Open button.
Figure 29
5. Now select the check box and then click on ‘Import’ option. EventTracker displays success message.
20
Integrate AS/400
Figure 30
6. Click on OK button.
Import Flex Reports 1. Click Reports option, and then click the ‘browse’ button. 2. Locate AS/400 Reports.etcrx file, and then click the Open button.
Figure 31
3. To import scheduled reports, click the Import button.
21
Integrate AS/400
Figure 32
EventTracker displays success message.
Figure 33
4. Click OK, and then click the Close button.
22
Integrate AS/400
Verify AS/400 Knowledge Pack
Verify Categories 1. Logon to EventTracker Enterprise. 2. Click the Admin menu, and then click Category. 3. In Category Tree to view imported categories, scroll down and expand ‘AS/400’ group folder to view
the imported categories.
Figure 34
Verify Alerts 1. Logon to EventTracker Enterprise. 2. Click the Admin menu, and then click Alerts. 3. In the Search box, type ‘AS/400’, and then click the Go button.
Alert Management page will display all the imported alerts.
23
Integrate AS/400
Figure 35
4. To activate the imported alerts, select the respective checkbox in the Active column.
EventTracker displays message box.
Figure 36
5. Click OK, and then click the Activate Now button.
NOTE: Please specify appropriate systems in alert configuration for better performance.
Verify Knowledge Object 1. Click the Admin menu, and then click Knowledge Objects. 2. Scroll down and select AS/400 in Objects pane.
Imported AS/400 details are shown.
24
Integrate AS/400
Figure 37
Token Template 1. Logon to EventTracker Enterprise web interface.
2. Click the Admin menu, and then click Parsing Rules and click Template.
3. Click on AS/400 group option.
25
Integrate AS/400
Figure 38
Verify Flex Reports 1. Logon to EventTracker Enterprise.
2. Click the Reports menu, and then Configuration.
3. Select Defined in report type.
4. In Report Groups Tree to view imported Scheduled Reports, scroll down and click AS/400 group
folder.
Scheduled Reports are displayed in the Reports configuration pane.
26
Integrate AS/400
Figure 39
NOTE: Please specify appropriate systems in report wizard for better performance.
Create Dashboards in EventTracker Schedule Reports
1. Open EventTracker in browser and logon.
Figure 40
27
Integrate AS/400
2. Navigate to Reports>Configuration.
Figure 41
3. Select AS/400 in report groups. Check Defined dialog box.
4. Click on ‘schedule’ to plan a report for later execution.
28
Integrate AS/400
Figure 42
5. Choose appropriate time for report execution and in Step 8 check Persist data in Eventvault explorer box.
29
Integrate AS/400
Figure 43
6. Check column names to persist using PERSIST checkboxes beside them. Choose suitable Retention period.
7. Proceed to next step and click Schedule button. 8. Wait for scheduled time or generate report manually.
Create Dashlets 1. EventTracker 8 is required to configure flex dashboard. 2. Open EventTracker in browser and logon.
30
Integrate AS/400
Figure 44
3. Navigate to Dashboard>Flex. Flex Dashboard pane is shown.
Figure 45
4. Click to add a new dashboard. Flex Dashboard configuration pane is shown.
Figure 46
31
Integrate AS/400
5. Fill fitting title and description and click Save button.
6. Click to configure a new flex dashlet. Widget configuration pane is shown.
Figure 47
7. Locate earlier scheduled report in Data Source dropdown. 8. Select Chart Type from dropdown. 9. Select extent of data to be displayed in Duration dropdown. 10. Select computation type in Value Field Setting dropdown. 11. Select evaluation duration in As Of dropdown. 12. Select comparable values in X Axis with suitable label. 13. Select numeric values in Y Axis with suitable label. 14. Select comparable sequence in Legend. 15. Click Test button to evaluate.
Evaluated chart is shown.
32
Integrate AS/400
Figure 48
16. If satisfied, Click Configure button.
17. Click ‘customize’ to locate and choose created dashlet.
18. Click to add dashlet to earlier created dashboard.
33
Integrate AS/400
Sample Dashboards • REPORT: AS/400- User authentication failures
WIDGET TITLE: AS/400- User authentication failures CHART TYPE: Donut AXIS LABELS [X-AXIS]: Status LEGEND [SERIES]: Source IP Address
Figure 49
34
Integrate AS/400
• REPORT: AS/400- Commands executed WIDGET TITLE: AS/400- Commands executed CHART TYPE: Stacked Column AXIS LABELS [X-AXIS]: Command Executed LEGEND [SERIES]: User Name
Figure 50
35
Integrate AS/400
• REPORT: AS/400- Object operations WIDGET TITLE: AS/400- Object operations CHART TYPE: Donut AXIS LABELS [X-AXIS]: Event Type LEGEND [SERIES]: Current User Name
Figure 51