- play_arrow Event Collection from Third-party Devices
- play_arrow Introduction to Log Source Management
- Introduction to Log Source Management
- Adding a Log Source
- Adding a Log Source by using the Log Sources Icon
- Adding Bulk Log Sources
- Adding Bulk Log Source by using the Log Sources Icon
- Editing Bulk Log Sources
- Editing Bulk Log Sources by using the Log Sources icon
- Adding a Log Source Parsing Order
- Testing Log Sources
- Log Source Groups
- play_arrow Gateway Log Source
- play_arrow Log Source Extensions
- play_arrow Manage Log Source Extensions
- play_arrow Threat Use Cases by Log Source Type
- play_arrow Troubleshooting DSMs
- play_arrow Protocols
- play_arrow Universal Cloud REST API Protocol
- play_arrow Protocols that Support Certificate Management
- play_arrow 3Com Switch 8800
- play_arrow AhnLab Policy Center
- play_arrow Akamai KONA
- Akamai Kona
- Configure an Akamai Kona Log Source by using the HTTP Receiver Protocol
- Configure an Akamai Kona Log Source by using the Akamai Kona REST API Protocol
- Configuring Akamai Kona to Communicate with JSA
- Creating an Event Map for Akamai Kona Events
- Modifying the Event Map for Akamai Kona
- Akamai Kona Sample Event Messages
- play_arrow Amazon AWS Application Load Balancer Access Logs
- Amazon AWS Application Load Balancer Access Logs
- Amazon AWS Application Load Balancer Access Logs DSM Specifications
- Publishing Flow Logs to an S3 Bucket
- Create an SQS Queue and Configure S3 ObjectCreated Notifications
- Configuring Security Credentials for your AWS User Account
- Amazon AWS S3 REST API Log Source Parameters for Amazon AWS Application Load Balancer Access Logs
- Amazon AWS Application Load Balancer Access Logs Sample Event Message
- play_arrow Amazon AWS CloudTrail
- play_arrow Amazon AWS Elastic Kubernetes Service
- Amazon AWS Elastic Kubernetes Service
- Amazon AWS Elastic Kubernetes Service DSM Specifications
- Configuring Amazon Elastic Kubernetes Service to Communicate with JSA
- Configuring Security Credentials for your AWS User Account
- Amazon Web Services Log Source Parameters for Amazon AWS Elastic Kubernetes Service
- Amazon AWS Elastic Kubernetes Service Sample Event Messages
- play_arrow Amazon AWS Network Firewall
- Amazon AWS Network Firewall
- Amazon AWS Network Firewall DSM Specifications
- Create an SQS Queue and Configure S3 ObjectCreated Notifications
- Configuring Security Credentials for Your AWS User Account
- Amazon AWS S3 REST API Log Source Parameters for Amazon AWS Network Firewall
- AWS Network Firewall Sample Event Messages
- play_arrow Amazon AWS Route 53
- Amazon AWS Route 53
- Amazon AWS Route 53 DSM Specifications
- Configuring an Amazon AWS Route 53 Log Source by using the Amazon Web Services Protocol and CloudWatch Logs
- Configuring an Amazon AWS Route 53 Log Source by using an S3 Bucket with an SQS Queue
- Configuring an Amazon AWS Route 53 Log Source by using an S3 Bucket with a Directory Prefix
- Amazon AWS Route 53 Sample Event Messages
- play_arrow Amazon AWS Security Hub
- play_arrow Amazon AWS WAF
- play_arrow Amazon GuardDuty
- Amazon GuardDuty
- Configuring an Amazon GuardDuty Log Source by using the Amazon Web Services Protocol
- Creating an EventBridge Rule for Sending Events
- Creating an Identity and Access (IAM) User in the AWS Management Console
- Configuring an Amazon GuardDuty Log Source by using the Amazon AWS S3 REST API Protocol
- Configuring Amazon GuardDuty to Forward Events to an AWS S3 Bucket
- Amazon GuardDuty Sample Event Messages
- play_arrow Ambiron TrustWave IpAngel
- play_arrow Amazon VPC Flow Logs
- play_arrow APC UPS
- play_arrow Apache HTTP Server
- play_arrow Apple Mac OS X
- play_arrow Application Security DbProtect
- play_arrow Arbor Networks
- play_arrow Arpeggio SIFT-IT
- play_arrow Array Networks SSL VPN
- play_arrow Aruba Networks
- play_arrow Avaya VPN Gateway
- play_arrow BalaBit IT Security
- play_arrow Barracuda
- play_arrow BeyondTrust PowerBroker
- play_arrow BlueCat Networks Adonis
- play_arrow Blue Coat SG
- Blue Coat
- Blue Coat SG
- Creating a Custom Event Format for Blue Coat SG
- Creating a Log Facility
- Enabling Access Logging
- Configuring Blue Coat SG for FTP Uploads
- Syslog Log Source Parameters for Blue Coat SG
- Log File Log Source Parameters for Blue Coat SG
- Configuring Blue Coat SG for Syslog
- Creating Extra Custom Format Key-value Pairs
- Blue Coat SG Sample Event Messages
- play_arrow Blue Coat Web Security Service
- play_arrow Box
- play_arrow Bridgewater
- play_arrow Broadcom
- play_arrow Brocade Fabric OS
- play_arrow Carbon Black
- play_arrow Centrify
- Centrify
- Centrify Identity Platform
- Centrify Identity Platform DSM specifications
- Configuring Centrify Identity Platform to communicate with JSA
- Centrify Infrastructure Services
- Configuring WinCollect Agent to Collect Event Logs from Centrify Infrastructure Services
- Configuring Centrify Infrastructure Services on a UNIX or Linux Device to Communicate with JSA
- play_arrow Check Point
- play_arrow Cilasoft QJRN/400
- play_arrow Cisco
- Cisco
- Cisco ACE Firewall
- Configuring Cisco Aironet to Forward Events
- Cisco ACS
- Cisco ASA
- Cisco AMP
- Cisco CallManager
- Cisco CatOS for Catalyst Switches
- Cisco Cloud Web Security
- Cisco CSA
- Cisco Firepower Management Center
- Cisco Firepower Threat Defense
- Cisco FWSM
- Cisco Identity Services Engine
- Cisco IDS/IPS
- Cisco IOS
- Cisco IronPort
- Cisco Meraki
- Cisco NAC
- Cisco Nexus
- Cisco Pix
- Cisco Stealthwatch
- Cisco Umbrella
- Cisco VPN 3000 Concentrator
- Cisco Wireless LAN Controllers
- Cisco Wireless Services Module
- play_arrow Citrix
- play_arrow Cloudera Navigator
- play_arrow Cloudflare Logs
- Cloudflare Logs
- Cloudflare Logs DSM Specifications
- Configure Cloudflare to send Events to JSA when you use the HTTP Receiver Protocol
- Configuring Cloudflare Logs to Send Events to JSA when you use the Amazon S3 REST API Protocol
- Create an SQS Queue and Configure S3 ObjectCreated Notifications
- Configuring Security Credentials for Your AWS User Account
- HTTP Receiver Log Source Parameters for Cloudflare Logs
- Amazon AWS S3 REST API Log Source Parameters for Cloudflare Logs
- Cloudflare Logs Sample Event Messages
- play_arrow CloudPassage Halo
- play_arrow CloudLock Cloud Security Fabric
- play_arrow Correlog Agent for IBM Z/OS
- play_arrow CrowdStrike Falcon
- play_arrow CRYPTOCard CRYPTO-Shield
- play_arrow CyberArk
- play_arrow CyberGuard Firewall/VPN Appliance
- play_arrow Damballa Failsafe
- play_arrow DG Technology MEAS
- play_arrow Digital China Networks (DCN)
- play_arrow Enterprise-IT-Security.com SF-Sherlock
- play_arrow Epic SIEM
- play_arrow ESET Remote Administrator
- play_arrow Exabeam
- play_arrow Extreme
- Extreme
- Extreme 800-Series Switch
- Extreme Dragon
- Extreme HiGuard Wireless IPS
- Extreme HiPath Wireless Controller
- Extreme Matrix Router
- Extreme Matrix K/N/S Series Switch
- Extreme NetSight Automatic Security Manager
- Extreme NAC
- Configuring Extreme Stackable and Stand-alone Switches
- Extreme Networks ExtremeWare
- Extreme XSR Security Router
- play_arrow F5 Networks
- play_arrow Fair Warning
- play_arrow Fasoo Enterprise DRM
- play_arrow Fidelis XPS
- play_arrow FireEye
- play_arrow Forcepoint
- play_arrow ForeScout CounterACT
- play_arrow Fortinet FortiGate
- Fortinet FortiGate Security Gateway
- Configuring a Syslog Destination on Your Fortinet FortiGate Security Gateway Device
- Configuring a Syslog Destination on Your Fortinet FortiAnalyzer Device
- Fortinet FortiGate Security Gateway Sample Event Messages
- Configuring JSA to Categorize App Ctrl Events for Fortinet Fortigate Security Gateway
- play_arrow Foundry FastIron
- play_arrow FreeRADIUS
- play_arrow Generic
- play_arrow Google Cloud Audit Logs
- play_arrow Genua Genugate
- play_arrow Google Cloud Platform Firewall
- play_arrow Google G Suite Activity Reports
- Google G Suite Activity Reports
- Google G Suite Activity Reports DSM Specifications
- Configuring Google G Suite Activity Reports to Communicate with JSA
- Assigning a Role to a User
- Creating a Service Account with Viewer Access
- Granting API Client Access to a Service Account
- Google G Suite Activity Reports Log Source Parameters
- Google G Suite Activity Reports Sample Event Messages
- Troubleshooting Google G Suite Activity Reports
- play_arrow Great Bay Beacon
- play_arrow H3C Technologies
- play_arrow HBGary Active Defense
- play_arrow HCL BigFix (formerly known as IBM BigFix)
- play_arrow Honeycomb Lexicon File Integrity Monitor (FIM)
- play_arrow Hewlett Packard Enterprise
- play_arrow Huawei
- play_arrow HyTrust CloudControl
- play_arrow ISC BIND
- play_arrow Illumio Adaptive Security Platform
- play_arrow Imperva Incapsula
- play_arrow Imperva SecureSphere
- play_arrow Infoblox NIOS
- play_arrow IT-CUBE AgileSI
- play_arrow Itron Smart Meter
- play_arrow Juniper Networks
- Juniper Networks
- Juniper Networks AVT
- Juniper Networks DDoS Secure
- Juniper Networks DX Application Acceleration Platform
- Juniper Networks EX Series Ethernet Switch
- Juniper Networks IDP
- Juniper Networks Infranet Controller
- Juniper Networks Firewall and VPN
- Juniper Networks Junos OS
- Juniper Networks Network and Security Manager
- Juniper Networks Secure Access
- Juniper Networks Security Binary Log Collector
- Juniper Networks Steel-Belted Radius
- Juniper Networks VGW Virtual Gateway
- Juniper Networks Junos OS WebApp Secure
- Juniper Networks WLC Series Wireless LAN Controller
- play_arrow Kaspersky
- play_arrow Kisco Information Systems SafeNet/i
- play_arrow Kubernetes Auditing
- play_arrow Lastline Enterprise
- play_arrow Lieberman Random Password Manager
- play_arrow LightCyber Magna
- play_arrow Linux
- play_arrow LOGbinder
- play_arrow McAfee
- play_arrow MetaInfo MetaIP
- play_arrow Microsoft
- Microsoft
- Microsoft 365 Defender
- Microsoft Azure Active Directory
- Microsoft Azure Platform
- Microsoft Azure Security Center
- Microsoft DHCP Server
- Microsoft DNS Debug
- Microsoft Endpoint Protection
- Microsoft Exchange Server
- Microsoft Hyper-V
- Microsoft IAS Server
- Microsoft IIS Server
- Microsoft ISA
- Microsoft Office 365
- Microsoft Office 365 Message Trace
- JDBC Log Source Parameters for Microsoft Operations Manager
- Microsoft SharePoint
- Microsoft SQL Server
- JDBC Log Source Parameters for Microsoft System Center Operations Manager
- Microsoft Windows Security Event Log
- play_arrow Motorola Symbol AP
- play_arrow Name Value Pair
- play_arrow NCC Group DDoS Secure
- play_arrow NetApp Data ONTAP
- play_arrow Netgate pfSense
- play_arrow Netskope Active
- play_arrow NGINX HTTP Server
- play_arrow Niksun
- play_arrow Nokia Firewall
- play_arrow Nominum Vantio
- play_arrow Nortel Networks
- Nortel Networks
- Nortel Multiprotocol Router
- Nortel Application Switch
- Nortel Contivity
- Nortel Ethernet Routing Switch 2500/4500/5500
- Nortel Ethernet Routing Switch 8300/8600
- Nortel Secure Router
- Nortel Secure Network Access Switch
- Nortel Switched Firewall 5100
- Nortel Switched Firewall 6000
- Nortel Threat Protection System (TPS)
- Nortel VPN Gateway
- play_arrow Novell EDirectory
- play_arrow Observe IT JDBC
- play_arrow Okta
- play_arrow Onapsis Security Platform
- play_arrow OpenBSD
- play_arrow Open LDAP
- play_arrow Open Source SNORT
- play_arrow OpenStack
- play_arrow Oracle
- play_arrow OSSEC
- play_arrow Palo Alto Networks
- play_arrow Pirean Access: One
- play_arrow PostFix Mail Transfer Agent
- play_arrow ProFTPd
- play_arrow Proofpoint Enterprise Protection and Enterprise Privacy
- play_arrow Pulse Secure
- play_arrow Pulse Secure Infranet Controller
- play_arrow Pulse Secure Pulse Connect Secure
- play_arrow Radware
- play_arrow Raz-Lee ISecurity
- play_arrow Redback ASE
- play_arrow Red Hat Advanced Cluster Security for Kubernetes
- Red Hat Advanced Cluster Security for Kubernetes
- Red Hat Advanced Cluster Security for Kubernetes DSM Specifications
- Configuring Red Hat Advanced Cluster Security for Kubernetes to Communicate with JSA
- HTTP Receiver Log Source Parameters for Red Hat Advanced Cluster Security for Kubernetes
- Red Hat Advanced Cluster Security for Kubernetes Sample Event Messages
- play_arrow Resolution1 CyberSecurity
- play_arrow Riverbed
- play_arrow RSA Authentication Manager
- play_arrow SafeNet DataSecure
- play_arrow Salesforce
- play_arrow Samhain Labs
- play_arrow SAP Enterprise Threat Detection
- SAP Enterprise Threat Detection
- SAP Enterprise Threat Detection DSM Specifications
- SAP Enterprise Threat Detection Alert API Log Source Parameters for SAP Enterprise Threat Detection
- Creating a Pattern Filter on the SAP Server
- Troubleshooting the SAP Enterprise Threat Detection Alert API
- SAP Enterprise Threat Detection Sample Event Message
- play_arrow Seculert
- play_arrow Sentrigo Hedgehog
- play_arrow SolarWinds Orion
- play_arrow SonicWALL
- play_arrow Sophos
- play_arrow Sourcefire Intrusion Sensor
- play_arrow Splunk
- play_arrow Squid Web Proxy
- play_arrow SSH CryptoAuditor
- play_arrow Starent Networks
- play_arrow STEALTHbits
- play_arrow Sun
- play_arrow Suricata
- play_arrow Sybase ASE
- play_arrow Symantec
- play_arrow SysFlow
- play_arrow ThreatGRID Malware Threat Intelligence Platform
- play_arrow TippingPoint
- play_arrow Top Layer IPS
- play_arrow Townsend Security LogAgent
- play_arrow Trend Micro
- play_arrow Tripwire
- play_arrow Tropos Control
- play_arrow Universal CEF
- play_arrow Universal LEEF
- play_arrow Vectra Networks Vectra
- play_arrow Venustech Venusense
- play_arrow Verdasys Digital Guardian
- play_arrow Vericept Content 360 DSM
- play_arrow VMware
- play_arrow Vormetric Data Security
- play_arrow WatchGuard Fireware OS
- play_arrow Websense
- play_arrow Zscaler Nanolog Streaming Service
- play_arrow Zscaler Private Access
- play_arrow JSA Supported DSMs
IBMi
The JSA DSM for IBM i, formerly known as AS/400 iSeries, collects audit records and event information from IBM i systems.
The following table identifies the specifications for the IBM i DSM:
Specification | Value |
---|---|
Manufacturer | IBM |
DSM name | IBM i |
Supported versions | 5R4 |
RPM file name | DSM-IBMi-JSA_version-build_number.noarch.rpm |
Protocol | Log File Protocol Syslog |
Event Format | Common Event Format (CEF). CEF:0 is supported. |
Recorded event types | Audit records and events |
Automatically discovered? | No |
Includes identity? | Yes |
Includes custom properties? | No |
More information |
To collect events from IBM i systems, complete the following steps:
If automatic updates are not enabled, download and install the most recent version of the IBM i DSM RPM from the Juniper Downloads onto your JSA console.
Configure your IBM i system to communicate with JSA.
Add an IBM i log source on the JSA Console by using the following table to configure the parameters that are required to collect IBM i events:
Table 2: IBM i Log Source Parameters Parameter
Value
Log Source Type
IBM i
Protocol Configuration
Log File
If you are using the PowerTech Interact or LogAgent for System i software to collect CEF formatted syslog messages, you must select the Syslog option
Service Type
Secure File Transfer Protocol (SFTP)
Configuring IBM i to Integrate with JSA
You can integrate IBM i with JSA.
From https://support.juniper.net/support/downloads/, download the following file:
AJLIB.SAVF
Copy the AJLIB.SAVF file to a computer or terminal that has FTP access to IBM i.
Create a generic online SAVF file on the IBM i by typing the following command:
CRTSAVF QGPL/SAVF
Use FTP on the computer or terminal to replace the IBM i generic SAVF file with the AJLIB.SAVF file that you downloaded.
Type the following commands:
bin
cd qgpl
lcd c:\
put ajlib.savf AJLIB
quit
If you are transferring your SAVF file from another IBM i system, send the file by placing the FTP sub-command mode BINARY before the GET or PUT statement.
Restore the AJLIB file on IBM i by typing the following command:
RSTLIB SAVLIB(AJLIB) DEV(*SAVF) SAVF(QGPL/AJLIB)
AJLIB provides the mapping and data transfer support that is needed to send IBM i audit journal entries to JSA.
Run AJLIB/SETUP
The setup screen is used to configure AJLIB for FTP, SFTP, or a local path to receive the processed entries.
The server user ID is required for FTP or SFTP, and a password is required for FTP. While FTP handles line delimiter conversions, you set the line feed to the expected value for the type of system that receives the SFTP transfers.
If you want to use SFTP, run AJLIB/GENKEY.
This command generates the SSH key pair that is required for SFTP authentication. If the key pair exists, it is not replaced. If you want to generate a new key pair, before you run this command, remove the existing key files from the /ajlib/.ssh directory.
After you generate a key pair, use the following steps to enable the use of the key pair on the server:
Copy the id_rsa.pub file from the /ajlib directory to the SSH server, and then install it in the appropriate folder.
Ensure that the SSH server is added to the known_hosts file of the user profile that runs the AJLIB/AUDITJRN command.
Use the appropriate user profile to do the following steps:
Start a PASE (Portable Application Solutions Environment) shell by typing the following command:
call qp2term
Start a session with the SSH server by typing the following command:
ssh -T <user>@<serveraddress>
If prompted, accept the system key, and enter a password.
Type exit, to close the SSH session.
If you want to run these steps under a different IBM i profile than the one that runs the AJLIB/AUDITRN command, copy the .ssh directory and known_hosts file to the home directory of the profile that is used to run this command.
To configure the filtering of specific entry types, use the AJLIB/SETENTTYP command.
Set up the data collection start date and time for the audit journal library (AJLIB) by typing the following command:
AJLIB/DATETIME
If you start the audit journal collector, a failure message is sent to QSYSOPR.
The setup function sets a default start date and time for data collection from the audit journal to 08:00:00 of the current day.
To preserve your previous start date and time information from a previous installation, you must run AJLIB/DATETIME. Record the previous start date and time and type those values when you run AJLIB/SETUP. The start date and time must contain a valid date and time in the six character system date and system time format. The end date and time must be a valid date and time or left blank.
Run AJLIB/AUDITJRN.
The audit journal collection program starts and sends the records to your remote FTP server: If the transfer to the FTP server fails, a message is sent to QSYSOPR. The process for starting AJLIB/AUDITJRN is typically automated by an IBM i job Scheduler, which collects records periodically.
If the FTP transfer is successful, the current date and time information is written into the start time for AJLIB/DATETIME to update the gather time, and the end time is set to blank. If the FTP transfer fails, the export file is erased and no updates are made to the gather date or time.
Manually Extracting Journal Entries for IBM i
You can run the DSPJRN command to extract journal entries for IBM i when an audit journal receiver chain is broken.
Run the ALJIB/DATETIME command to set the Start Date to *OUTF. This command forces the processing program to use the pre-built QTEMP/AUDITJRN outfile for parsing, instead of using the date time to extract journal entries. After you run the parsing program command AJLIB/AUDITJRN, the DATETIME is set to the new processing date.
Log in to your IBM i system command-line interface (CLI).
Run DSPJRN.
The only changeable parameters in the following example are RCVRNG and ENTTYP. Do not change any other command parameters. Ensure that ENTTP matches the AJLIB/SETENTTYP command settings.
DSPJRN JRN(QSYS/QAUDJRN) RCVRNG(AUDRCV0001 AUDRCV0003) JRNCDE((T)) ENTTYP(*ALL) OUTPUT(*OUTFILE) OUTFILFMT(*TYPE5) OUTFILE(QTEMP/AUDITJRN) ENTDTALEN(*VARLEN 16000 100)
To set the Date Time to use outfile *OUTF support, run the AJLIB/DATETIME command.
Figure 1: DSPJRN Start and End TimesRun AJLIB/AUDITJRN.
The DATETIME is set to the next start date.
Pulling Data when you use the Log File Protocol
You can configure IBM i as the log source, and to use the log file protocol in JSA:
To configure JSA to receive events from an IBM i system, you must select the IBM i option from the Log Source Type list when you add a log source in JSA.
To configure the log file protocol for the IBM i DSM, you must select the Log File option from the Protocol Configuration list and define the location of your FTP server connection settings.
Note:If you are using the PowerTech Interact or LogAgent for System i software to collect CEF formatted syslog messages, you must select the Syslog option from the Protocol Configuration list.
Use the log file protocol option that you select a secure protocol for transferring files, such as Secure File Transfer Protocol (SFTP).
For a complete list of Log File protocol parameter options, see Log File protocol configuration options in Protocol Configuration Options.
Configuring Townsend Security Alliance LogAgent to Integrate with JSA
You can collect all audit logs and system events from Townsend Security Alliance LogAgent. You must configure Alliance LogAgent for the JSA LEEF and configure a destination that specifies JSA as the syslog server.
Log in to your Townsend Security Alliance LogAgent appliance.
Add the ALLSYL100 to your library list by typing the following command::
content_copy zoom_out_mapaddlible allsy1100
To display the main menu select go symain.
Select the option for Configuration
Select Configure Alliance LogAgent and configure the following parameters.
Parameter
Description
Interface version
4=IBM JSA LEEF
Transmit
1=Yes
Data queue control
1=Yes
Format
4=IBM JSA LEEF
From the configuration menu, select Work With TCP Clients.
Select option 2 to change the SYSLOGD client and configure the following parameters.
Parameter
Description
Status
1=Active
Autostart client
1=Yes
Remote IP address
IP address of JSA
Remote port number
514
From the Configuration menu, select Start LogAgent Subsystem. Events flow to JSA.
After TCP services start, consider automatically starting the Alliance LogAgent subsystem by modifying your IPL QSTRUP program to include the following statements:
/* START ALLIANCE LOGAGENT */ QSYS/STRSBS ALLSYL100/ALLSYL100 MONMSG MSGID(CPF0000)
For more information about installing and configuring for Independent Auxiliary Storage Pool operation, and more filter options for events, see your vendor documentation.
IBM i Sample Event Message
Use this sample event message to verify a successful integration with JSA.
Due to formatting issues, paste the message format into a text editor and then remove any carriage returns or line feed characters.
IBM i sample message when you use the Syslog protocol
The following sample event message shows that DRDA Distributed Relational DB access is allowed.
The logs that you send to JSA must be tab-delimited. If you cut and paste the code from this sample, make sure that you press the tab key where indicated by the <tab> variables, then remove the variables.
<176>Apr 24 15:31:58 ibm.i.test LEEF:1.0|Raz-Lee iSecurity|Firewall|1.0|GRE7860| usrName=USERNAME<tab>devTime=2019-04-24-15.31.58.000<tab>devTimeFormat=yyyy-MM-dd- HH.mm.ss.SSS<tab>source=172.16.1.1<tab>sev=10<tab>jobName=948290/QUSER/ QRWTSRVR<tab>pgmName=*NONE<tab>pgmLib=*NONE<tab>entryType=36/A<tab>entryDesc=DRDA Distributed Relational DB access<tab>Action_allowed=1<tab>Src_user_before_Prechk= USERNAME<tab>Source_system=SYSTEM1<tab>Decision_level=USSRV<tab>Authority_set_to_user=USERNA ME<tab>Server_Id=36
JSA field name | Highlighted values in the event payload |
---|---|
Event ID | GRE7860 |
Username | USERNAME |
Severity | 10 |