- play_arrow Event Collection from Third-party Devices
- play_arrow Introduction to Log Source Management
- Introduction to Log Source Management
- Adding a Log Source
- Adding a Log Source by using the Log Sources Icon
- Adding Bulk Log Sources
- Adding Bulk Log Source by using the Log Sources Icon
- Editing Bulk Log Sources
- Editing Bulk Log Sources by using the Log Sources icon
- Adding a Log Source Parsing Order
- Testing Log Sources
- Log Source Groups
- play_arrow Gateway Log Source
- play_arrow Log Source Extensions
- play_arrow Manage Log Source Extensions
- play_arrow Threat Use Cases by Log Source Type
- play_arrow Troubleshooting DSMs
- play_arrow Protocols
- play_arrow Universal Cloud REST API Protocol
- play_arrow Protocols that Support Certificate Management
- play_arrow 3Com Switch 8800
- play_arrow AhnLab Policy Center
- play_arrow Akamai KONA
- Akamai Kona
- Configure an Akamai Kona Log Source by using the HTTP Receiver Protocol
- Configure an Akamai Kona Log Source by using the Akamai Kona REST API Protocol
- Configuring Akamai Kona to Communicate with JSA
- Creating an Event Map for Akamai Kona Events
- Modifying the Event Map for Akamai Kona
- Akamai Kona Sample Event Messages
- play_arrow Amazon AWS Application Load Balancer Access Logs
- Amazon AWS Application Load Balancer Access Logs
- Amazon AWS Application Load Balancer Access Logs DSM Specifications
- Publishing Flow Logs to an S3 Bucket
- Create an SQS Queue and Configure S3 ObjectCreated Notifications
- Configuring Security Credentials for your AWS User Account
- Amazon AWS S3 REST API Log Source Parameters for Amazon AWS Application Load Balancer Access Logs
- Amazon AWS Application Load Balancer Access Logs Sample Event Message
- play_arrow Amazon AWS CloudTrail
- play_arrow Amazon AWS Elastic Kubernetes Service
- Amazon AWS Elastic Kubernetes Service
- Amazon AWS Elastic Kubernetes Service DSM Specifications
- Configuring Amazon Elastic Kubernetes Service to Communicate with JSA
- Configuring Security Credentials for your AWS User Account
- Amazon Web Services Log Source Parameters for Amazon AWS Elastic Kubernetes Service
- Amazon AWS Elastic Kubernetes Service Sample Event Messages
- play_arrow Amazon AWS Network Firewall
- Amazon AWS Network Firewall
- Amazon AWS Network Firewall DSM Specifications
- Create an SQS Queue and Configure S3 ObjectCreated Notifications
- Configuring Security Credentials for Your AWS User Account
- Amazon AWS S3 REST API Log Source Parameters for Amazon AWS Network Firewall
- AWS Network Firewall Sample Event Messages
- play_arrow Amazon AWS Route 53
- Amazon AWS Route 53
- Amazon AWS Route 53 DSM Specifications
- Configuring an Amazon AWS Route 53 Log Source by using the Amazon Web Services Protocol and CloudWatch Logs
- Configuring an Amazon AWS Route 53 Log Source by using an S3 Bucket with an SQS Queue
- Configuring an Amazon AWS Route 53 Log Source by using an S3 Bucket with a Directory Prefix
- Amazon AWS Route 53 Sample Event Messages
- play_arrow Amazon AWS Security Hub
- play_arrow Amazon AWS WAF
- play_arrow Amazon GuardDuty
- Amazon GuardDuty
- Configuring an Amazon GuardDuty Log Source by using the Amazon Web Services Protocol
- Creating an EventBridge Rule for Sending Events
- Creating an Identity and Access (IAM) User in the AWS Management Console
- Configuring an Amazon GuardDuty Log Source by using the Amazon AWS S3 REST API Protocol
- Configuring Amazon GuardDuty to Forward Events to an AWS S3 Bucket
- Amazon GuardDuty Sample Event Messages
- play_arrow Ambiron TrustWave IpAngel
- play_arrow Amazon VPC Flow Logs
- play_arrow APC UPS
- play_arrow Apache HTTP Server
- play_arrow Apple Mac OS X
- play_arrow Application Security DbProtect
- play_arrow Arbor Networks
- play_arrow Arpeggio SIFT-IT
- play_arrow Array Networks SSL VPN
- play_arrow Aruba Networks
- play_arrow Avaya VPN Gateway
- play_arrow BalaBit IT Security
- play_arrow Barracuda
- play_arrow BeyondTrust PowerBroker
- play_arrow BlueCat Networks Adonis
- play_arrow Blue Coat SG
- Blue Coat
- Blue Coat SG
- Creating a Custom Event Format for Blue Coat SG
- Creating a Log Facility
- Enabling Access Logging
- Configuring Blue Coat SG for FTP Uploads
- Syslog Log Source Parameters for Blue Coat SG
- Log File Log Source Parameters for Blue Coat SG
- Configuring Blue Coat SG for Syslog
- Creating Extra Custom Format Key-value Pairs
- Blue Coat SG Sample Event Messages
- play_arrow Blue Coat Web Security Service
- play_arrow Box
- play_arrow Bridgewater
- play_arrow Broadcom
- play_arrow Brocade Fabric OS
- play_arrow Carbon Black
- play_arrow Centrify
- Centrify
- Centrify Identity Platform
- Centrify Identity Platform DSM specifications
- Configuring Centrify Identity Platform to communicate with JSA
- Centrify Infrastructure Services
- Configuring WinCollect Agent to Collect Event Logs from Centrify Infrastructure Services
- Configuring Centrify Infrastructure Services on a UNIX or Linux Device to Communicate with JSA
- play_arrow Check Point
- play_arrow Cilasoft QJRN/400
- play_arrow Cisco
- Cisco
- Cisco ACE Firewall
- Configuring Cisco Aironet to Forward Events
- Cisco ACS
- Cisco ASA
- Cisco AMP
- Cisco CallManager
- Cisco CatOS for Catalyst Switches
- Cisco Cloud Web Security
- Cisco CSA
- Cisco Firepower Management Center
- Cisco Firepower Threat Defense
- Cisco FWSM
- Cisco Identity Services Engine
- Cisco IDS/IPS
- Cisco IOS
- Cisco IronPort
- Cisco Meraki
- Cisco NAC
- Cisco Nexus
- Cisco Pix
- Cisco Stealthwatch
- Cisco Umbrella
- Cisco VPN 3000 Concentrator
- Cisco Wireless LAN Controllers
- Cisco Wireless Services Module
- play_arrow Citrix
- play_arrow Cloudera Navigator
- play_arrow Cloudflare Logs
- Cloudflare Logs
- Cloudflare Logs DSM Specifications
- Configure Cloudflare to send Events to JSA when you use the HTTP Receiver Protocol
- Configuring Cloudflare Logs to Send Events to JSA when you use the Amazon S3 REST API Protocol
- Create an SQS Queue and Configure S3 ObjectCreated Notifications
- Configuring Security Credentials for Your AWS User Account
- HTTP Receiver Log Source Parameters for Cloudflare Logs
- Amazon AWS S3 REST API Log Source Parameters for Cloudflare Logs
- Cloudflare Logs Sample Event Messages
- play_arrow CloudPassage Halo
- play_arrow CloudLock Cloud Security Fabric
- play_arrow Correlog Agent for IBM Z/OS
- play_arrow CrowdStrike Falcon
- play_arrow CRYPTOCard CRYPTO-Shield
- play_arrow CyberArk
- play_arrow CyberGuard Firewall/VPN Appliance
- play_arrow Damballa Failsafe
- play_arrow DG Technology MEAS
- play_arrow Digital China Networks (DCN)
- play_arrow Enterprise-IT-Security.com SF-Sherlock
- play_arrow Epic SIEM
- play_arrow ESET Remote Administrator
- play_arrow Exabeam
- play_arrow Extreme
- Extreme
- Extreme 800-Series Switch
- Extreme Dragon
- Extreme HiGuard Wireless IPS
- Extreme HiPath Wireless Controller
- Extreme Matrix Router
- Extreme Matrix K/N/S Series Switch
- Extreme NetSight Automatic Security Manager
- Extreme NAC
- Configuring Extreme Stackable and Stand-alone Switches
- Extreme Networks ExtremeWare
- Extreme XSR Security Router
- play_arrow F5 Networks
- play_arrow Fair Warning
- play_arrow Fasoo Enterprise DRM
- play_arrow Fidelis XPS
- play_arrow FireEye
- play_arrow Forcepoint
- play_arrow ForeScout CounterACT
- play_arrow Fortinet FortiGate
- Fortinet FortiGate Security Gateway
- Configuring a Syslog Destination on Your Fortinet FortiGate Security Gateway Device
- Configuring a Syslog Destination on Your Fortinet FortiAnalyzer Device
- Fortinet FortiGate Security Gateway Sample Event Messages
- Configuring JSA to Categorize App Ctrl Events for Fortinet Fortigate Security Gateway
- play_arrow Foundry FastIron
- play_arrow FreeRADIUS
- play_arrow Generic
- play_arrow Google Cloud Audit Logs
- play_arrow Genua Genugate
- play_arrow Google Cloud Platform Firewall
- play_arrow Google G Suite Activity Reports
- Google G Suite Activity Reports
- Google G Suite Activity Reports DSM Specifications
- Configuring Google G Suite Activity Reports to Communicate with JSA
- Assigning a Role to a User
- Creating a Service Account with Viewer Access
- Granting API Client Access to a Service Account
- Google G Suite Activity Reports Log Source Parameters
- Google G Suite Activity Reports Sample Event Messages
- Troubleshooting Google G Suite Activity Reports
- play_arrow Great Bay Beacon
- play_arrow H3C Technologies
- play_arrow HBGary Active Defense
- play_arrow HCL BigFix (formerly known as IBM BigFix)
- play_arrow Honeycomb Lexicon File Integrity Monitor (FIM)
- play_arrow Hewlett Packard Enterprise
- play_arrow Huawei
- play_arrow HyTrust CloudControl
- play_arrow ISC BIND
- play_arrow Illumio Adaptive Security Platform
- play_arrow Imperva Incapsula
- play_arrow Imperva SecureSphere
- play_arrow Infoblox NIOS
- play_arrow IT-CUBE AgileSI
- play_arrow Itron Smart Meter
- play_arrow Juniper Networks
- Juniper Networks
- Juniper Networks AVT
- Juniper Networks DDoS Secure
- Juniper Networks DX Application Acceleration Platform
- Juniper Networks EX Series Ethernet Switch
- Juniper Networks IDP
- Juniper Networks Infranet Controller
- Juniper Networks Firewall and VPN
- Juniper Networks Junos OS
- Juniper Networks Network and Security Manager
- Juniper Networks Secure Access
- Juniper Networks Security Binary Log Collector
- Juniper Networks Steel-Belted Radius
- Juniper Networks VGW Virtual Gateway
- Juniper Networks Junos OS WebApp Secure
- Juniper Networks WLC Series Wireless LAN Controller
- play_arrow Kaspersky
- play_arrow Kisco Information Systems SafeNet/i
- play_arrow Kubernetes Auditing
- play_arrow Lastline Enterprise
- play_arrow Lieberman Random Password Manager
- play_arrow LightCyber Magna
- play_arrow Linux
- play_arrow LOGbinder
- play_arrow McAfee
- play_arrow MetaInfo MetaIP
- play_arrow Microsoft
- Microsoft
- Microsoft 365 Defender
- Microsoft Azure Active Directory
- Microsoft Azure Platform
- Microsoft Azure Security Center
- Microsoft DHCP Server
- Microsoft DNS Debug
- Microsoft Endpoint Protection
- Microsoft Exchange Server
- Microsoft Hyper-V
- Microsoft IAS Server
- Microsoft IIS Server
- Microsoft ISA
- Microsoft Office 365
- Microsoft Office 365 Message Trace
- JDBC Log Source Parameters for Microsoft Operations Manager
- Microsoft SharePoint
- Microsoft SQL Server
- JDBC Log Source Parameters for Microsoft System Center Operations Manager
- Microsoft Windows Security Event Log
- play_arrow Motorola Symbol AP
- play_arrow Name Value Pair
- play_arrow NCC Group DDoS Secure
- play_arrow NetApp Data ONTAP
- play_arrow Netgate pfSense
- play_arrow Netskope Active
- play_arrow NGINX HTTP Server
- play_arrow Niksun
- play_arrow Nokia Firewall
- play_arrow Nominum Vantio
- play_arrow Nortel Networks
- Nortel Networks
- Nortel Multiprotocol Router
- Nortel Application Switch
- Nortel Contivity
- Nortel Ethernet Routing Switch 2500/4500/5500
- Nortel Ethernet Routing Switch 8300/8600
- Nortel Secure Router
- Nortel Secure Network Access Switch
- Nortel Switched Firewall 5100
- Nortel Switched Firewall 6000
- Nortel Threat Protection System (TPS)
- Nortel VPN Gateway
- play_arrow Novell EDirectory
- play_arrow Observe IT JDBC
- play_arrow Okta
- play_arrow Onapsis Security Platform
- play_arrow OpenBSD
- play_arrow Open LDAP
- play_arrow Open Source SNORT
- play_arrow OpenStack
- play_arrow Oracle
- play_arrow OSSEC
- play_arrow Palo Alto Networks
- play_arrow Pirean Access: One
- play_arrow PostFix Mail Transfer Agent
- play_arrow ProFTPd
- play_arrow Proofpoint Enterprise Protection and Enterprise Privacy
- play_arrow Pulse Secure
- play_arrow Pulse Secure Infranet Controller
- play_arrow Pulse Secure Pulse Connect Secure
- play_arrow Radware
- play_arrow Raz-Lee ISecurity
- play_arrow Redback ASE
- play_arrow Red Hat Advanced Cluster Security for Kubernetes
- Red Hat Advanced Cluster Security for Kubernetes
- Red Hat Advanced Cluster Security for Kubernetes DSM Specifications
- Configuring Red Hat Advanced Cluster Security for Kubernetes to Communicate with JSA
- HTTP Receiver Log Source Parameters for Red Hat Advanced Cluster Security for Kubernetes
- Red Hat Advanced Cluster Security for Kubernetes Sample Event Messages
- play_arrow Resolution1 CyberSecurity
- play_arrow Riverbed
- play_arrow RSA Authentication Manager
- play_arrow SafeNet DataSecure
- play_arrow Salesforce
- play_arrow Samhain Labs
- play_arrow SAP Enterprise Threat Detection
- SAP Enterprise Threat Detection
- SAP Enterprise Threat Detection DSM Specifications
- SAP Enterprise Threat Detection Alert API Log Source Parameters for SAP Enterprise Threat Detection
- Creating a Pattern Filter on the SAP Server
- Troubleshooting the SAP Enterprise Threat Detection Alert API
- SAP Enterprise Threat Detection Sample Event Message
- play_arrow Seculert
- play_arrow Sentrigo Hedgehog
- play_arrow SolarWinds Orion
- play_arrow SonicWALL
- play_arrow Sophos
- play_arrow Sourcefire Intrusion Sensor
- play_arrow Splunk
- play_arrow Squid Web Proxy
- play_arrow SSH CryptoAuditor
- play_arrow Starent Networks
- play_arrow STEALTHbits
- play_arrow Sun
- play_arrow Suricata
- play_arrow Sybase ASE
- play_arrow Symantec
- play_arrow SysFlow
- play_arrow ThreatGRID Malware Threat Intelligence Platform
- play_arrow TippingPoint
- play_arrow Top Layer IPS
- play_arrow Townsend Security LogAgent
- play_arrow Trend Micro
- play_arrow Tripwire
- play_arrow Tropos Control
- play_arrow Universal CEF
- play_arrow Universal LEEF
- play_arrow Vectra Networks Vectra
- play_arrow Venustech Venusense
- play_arrow Verdasys Digital Guardian
- play_arrow Vericept Content 360 DSM
- play_arrow VMware
- play_arrow Vormetric Data Security
- play_arrow WatchGuard Fireware OS
- play_arrow Websense
- play_arrow Zscaler Nanolog Streaming Service
- play_arrow Zscaler Private Access
- play_arrow JSA Supported DSMs
IBM DB2
The IBM DB2 DSM collects events from an IBM DB2 mainframe that uses IBM Security zSecure.
When you use a zSecure process, events from the System Management Facilities (SMF) can be transformed into Log Event Extended Format (LEEF) events. These events can be sent near real-time by using UNIX Syslog protocol or JSA can retrieve the LEEF event log files by using the Log File protocol and then process the events. When you use the Log File protocol, you can schedule JSA to retrieve events on a polling interval, which enables JSA to retrieve the events on the schedule that you define.
To collect IBM DB2 events, complete the following steps:
Verify that your installation meets any prerequisite installation requirements.
Configure your IBM DB2 image to write events in LEEF format.
Create a log source in JSA for IBM DB2.
If you want to create a custom event property for IBM DB2 in JSA, for more information, see the Custom Event Properties for IBM Z/OS Tech note.
Before You Begin
Before you can configure the data collection process, you must complete the basic zSecure installation process and complete the post-installation activities to create and modify the configuration.
The following prerequisites are required:
You must ensure parmlib member IFAPRDxx is enabled for IBM Security zSecure Audit on your z/OS image.
The SCKRLOAD library must be APF-authorized.
If you are using the direct SMF INMEM real-time interface, you must have the necessary software installed (APAR OA49263) and set up the SMFPRMxx member to include the INMEM keyword and parameters. If you decide to use the CDP interface, you must also have CDP installed and running.
You must configure a process to periodically refresh your CKFREEZE and UNLOAD data sets.
If you are using the Log File protocol method, you must configure a SFTP, FTP, or SCP server on your z/OS image for JSA to download your LEEF event files.
If you are using the Log File protocol method, you must allow SFTP, FTP, or SCP traffic on firewalls that are located between JSA and your z/OS image.
Create a Log Source for Near Real-time Event Feed
The Syslog protocol enables JSA to receive System Management Facilities (SMF) events in near real-time from a remote host.
The following DSMs are supported:
IBM z/OS
IBM CICS
IBM RACF
IBM DB2
CA Top Secret
CA ACF2
If JSA does not automatically detect the log source, add a log source for your DSM on the JSA console.
The following table describes the parameters that require specific values for event collection for your DSM:
Parameter | Value |
---|---|
Log Source type | Select your DSM name from the list. |
Protocol Configuration | Syslog |
Log Source Identifier | Type a unique identifier for the log source. |
Creating a Log Source for Log File Protocol
The Log File protocol enables JSA to retrieve archived log files from a remote host for the IBM z/OS, IBMCICS, IBM RACF, IBM DB2, CA Top Secret, and CA ACF2 DSM's.
Log files are transferred, one at a time, to JSA for processing. The Log File protocol can manage plain text event logs, compressed files, or archives. Archives must contain plain-text files that can be processed one line at a time. Multi-line event logs are not supported by the Log File protocol. IBM z/OS with zSecure writes log files to a specified directory as gzip archives. JSA extracts the archive and processes the events, which are written as one event per line in the file.
To retrieve these events, you must create a log source that uses the Log File protocol. JSA requires credentials to log in to the system that hosts your LEEF formatted event files and a polling interval.
Log in to JSA.
Click the Admin tab.
Click the Log Sources icon.
Click Add.
In the Log Source Name field, type a name for the log source.
In the Log Source Description field, type a description for the log source.
From the Log Source Type list, select your DSM name.
From the Protocol Configuration list, select Log File.
Configure the Log File protocol parameters.
The following table describes the parameters that require specific values for the DSM event collection:
Table 2: Log File Protocol Parameters Parameter
Value
Log Source Identifier
Type an IP address, host name, or name to identify the event source. IP addresses or host names are suggested as they allow JSA to identify a log file to a unique event source.
For example, if your network contains multiple devices, such as multiple z/OS images or a file repository that contains all of your event logs, you must specify a name, IP address, or host name for the image or location that uniquely identifies events for the DSM log source. This specification enables events to be identified at the image or location level in your network that your users can identify.
Service Type
From the Service Type list, select the protocol that you want to use when retrieving log files from a remote server. The default is SFTP.
SFTP - SSH File Transfer Protocol
FTP - File Transfer Protocol
SCP - Secure Copy
The underlying protocol that is used to retrieve log files for the SCP and SFTP service type requires that the server that is specified in the Remote IP or Hostname field has the SFTP subsystem enabled.
Remote IP or Hostname
Type the IP address or host name of the device that stores your event log files.
Remote Port
Type the TCP port on the remote host that is running the selected Service Type. The valid range is 1 - 65535.
The options include ports:
FTP - TCP Port 21
SFTP - TCP Port 22
SCP - TCP Port 22
If the host for your event files is using a non-standard port number for FTP, SFTP, or SCP, you must adjust the port value.
Remote User
Type the user name or user ID necessary to log in to the system that contains your event files.
If your log files are on your IBM z/OS image, type the user ID necessary to log in to your IBM z/OS. The user ID can be up to 8 characters in length.
If your log files are on a file repository, type the user name necessary to log in to the file repository. The user name can be up to 255 characters in length.
Remote Password
Type the password necessary to log in to the host.
Confirm Password
Confirm the password necessary to log in to the host.
SSH Key File
If you select SCP or SFTP as the Service Type, this parameter gives you the option to define an SSH private key file. When you provide an SSH Key File, the Remote Password field is ignored.
Remote Directory
Type the directory location on the remote host from which the files are retrieved, relative to the user account you are using to log in.
Recursive
If you want the file pattern to search sub folders in the remote directory, select this check box. By default, the check box is clear.
If you configure SCP as the Service Type, the Recursive option is ignored.
FTP File Pattern
If you select SFTP or FTP as the Service Type, you can configure the regular expression (regex) needed to filter the list of files that are specified in the Remote Directory. All matching files are included in the processing.
The IBM z/OS mainframe that uses IBM Security zSecure Audit writes event files by using the pattern:
<product_name>.<timestamp>.gz
The FTP file pattern that you specify must match the name that you assigned to your event files. For example, to collect files that start with zOS and end with .gz, type the following code:
zOS.*\.gz
Use of this parameter requires knowledge of regular expressions (regex). For more information about regex, see Lesson: Regular Expressions. (http://download.oracle.com/javase/tutorial/essential/regex/)
FTP Transfer Mode
This option displays only if you select FTP as the Service Type. From the list, select Binary.
The binary transfer mode is needed for event files that are stored in a binary or compressed format, such as zip, gzip, tar, or tar+gzip archive files.
SCP Remote File
If you select SCP as the Service Type you must type the file name of the remote file.
Start Time
Type the time of day you want the processing to begin. For example, type 00:00 to schedule the Log File protocol to collect event files at midnight.
This parameter functions with the Recurrence value to establish when and how often the Remote Directory is scanned for files. Type the start time, based on a 24-hour clock, in the following format: HH: MM.
Recurrence
Type the frequency, beginning at the Start Time, that you want the remote directory to be scanned. Type this value in hours (H), minutes (M), or days (D).
For example, type 2H if you want the remote directory to be scanned every 2 hours from the start time. The default is 1H.
Run On Save
If you want the Log File protocol to run immediately after you click Save, select this check box.
After the Run On Save completes, the Log File protocol follows your configured start time and recurrence schedule.
Selecting Run On Save clears the list of previously processed files for the Ignore Previously Processed File parameter.
EPS Throttle
Type the number of Events Per Second (EPS) that you do not want this protocol to exceed. The valid range is 100 - 5000.
Processor
From the list, select gzip.
Processors enable event file archives to be expanded and contents are processed for events. Files are processed after they are downloaded to JSA. JSA can process files in zip, gzip, tar, or tar+gzip archive format.
Ignore Previously Processed File(s)
Select this check box to track and ignore files that are already processed by the Log File protocol.
JSA examines the log files in the remote directory to determine whether a file is previously processed by the Log File protocol. If a previously processed file is detected, the Log File protocol does not download the file for processing. All files that are not previously processed are downloaded.
This option applies only to FTP and SFTP service types.
Change Local Directory?
Select this check box to define a local directory on your JSA for storing downloaded files during processing.
It is suggested that you leave this check box clear. When this check box is selected, the Local Directory field is displayed, which gives you the option to configure the local directory to use for storing files.
Event Generator
From the Event Generator list, select LineByLine.
The Event Generator applies more processing to the retrieved event files. Each line is a single event. For example, if a file has 10 lines of text, 10 separate events are created.
Click Save.
On the Admin tab, click Deploy Changes.
The DSM configuration is complete. If your DSM requires custom event properties, see the Custom Event Properties for IBM Z/OS Tech note.
Integrating IBM DB2 Audit Events
The IBM DB2 DSM allows you to integrate your DB2 audit logs into JSA for analysis.
The db2audit command creates a set of comma-delimited text files with a .del extension that defines the scope of audit data for JSA when auditing is configured and enabled. Comma-delimited files created by the db2audit command include:
audit.del
checking.del
context.del
execute.del
objmaint.del
secmaint.del
sysadmin.del
validate.del
To integrate the IBM DB2 DSM with JSA, you must:
Use the db2audit command to ensure the IBM DB2 records security events. See your IBM DB2 vendor documentation for more information.
Extract the DB2 audit data of events contained in the instance to a log file, depending on your version of IBM DB2.
Use the Log File protocol source to pull the output instance log file and send that information back to JSA on a scheduled basis. JSA then imports and processes this file.
Extracting Audit Data for DB2 V8.x to V9.4
You can extract audit data when you are using IBM DB2 v8.x to v9.4.
Log into a DB2 account with SYSADMIN privilege.
Type the following start command to audit a database instance:
db2audit start
For example, the start command response might resemble the following output:
AUD00001 Operation succeeded.
Move the audit records from the instance to the audit log:
db2audit flush
For example, the flush command response might resemble the following output:
AUD00001 Operation succeeded.
Extract the data from the archived audit log and write the data to .del files:
db2audit extract delasc
For example, an archive command response might resemble the following output:
AUD00001 Operation succeeded.
Note:Double-quotation marks (") are used as the default text delimiter in the ASCII files, do not change the delimiter.
Remove non-active records:
db2audit prune all
Move the .del files to a storage location where JSA can pull the file. The movement of the comma-delimited (.del) files should be synchronized with the file pull interval in JSA.
You are now ready to create a log source in JSA to collect DB2 log files.
Extracting Audit Data for DB2 V9.5
You can extract audit data when you are using IBM DB2 v9.5.
Log in to a DB2 account with SYSADMIN privilege.
Move the audit records from the database instance to the audit log:
db2audit flush
For example, the flush command response might resemble the following output:
AUD00001 Operation succeeded.
Archive and move the active instance to a new location for future extraction:
db2audit archive
For example, an archive command response might resemble the following output:
content_copy zoom_out_mapNode AUD Archived or Interim Log File Message ---- --- ----------------------------- - 0 AUD00001 dbsaudit.instance.log.0.20091217125028 AUD00001 Operation succeeded.
Note:In DB2 v9.5 and later, the archive command replaces the prune command.
The archive command moves the active audit log to a new location, effectively pruning all non-active records from the log. An archive command must be complete before an extract can be executed.
Extract the data from the archived audit log and write the data to .del files:
db2audit extract delasc from files db2audit.instance.log.0.200912171528
For example, an archive command response might resemble the following output:
AUD00001 Operation succeeded.
Note:Double-quotation marks (
"
) are used as the default text delimiter in the ASCII files, do not change the delimiter.Move the .del files to a storage location where JSA can pull the file. The movement of the comma-delimited (.del) files should be synchronized with the file pull interval in JSA.
You are now ready to create a log source in JSA to collect DB2 log files.