
IBM Guardium

IBM Guardium is a database activity and audit tracking tool for system administrators to retrieve detailed auditing events across database platforms.

These instructions require that you install the 8.2p45 fix for InfoSphere Guardium.

JSA collects informational, warning, error, and alert events from IBM Guardium by using syslog. JSA receives IBM Guardium Policy Builder events in the Log Event Extended Format (LEEF).

JSA can only automatically discover and map events of the default policies that ship with IBM Guardium. Any user-configured events that you require are displayed as unknown events in JSA, and you must map those unknown events manually.

Configuration Overview

The following list outlines the process that is required to integrate IBM Guardium with JSA.

  1. Create a syslog destination for policy violation events. For more information, see Creating a Syslog Destination for Events.

  2. Configure your existing policies to generate syslog events. For more information, see Configuring Policies to Generate Syslog Events.

  3. Install the policy on IBM Guardium. For more information, see Installing an IBM Guardium Policy.

  4. Configure the log source in JSA. For more information, see Syslog Log Source Parameters for IBM Guardium.

  5. Identify and map unknown policy events in JSA. For more information, see Creating an Event Map for IBM Guardium Events.

Creating a Syslog Destination for Events

To create a syslog destination for these events on IBM Guardium, you must log in to the command-line interface (CLI) and define the IP address for JSA.

  1. Using SSH, log in to IBM Guardium as the root user.

    Username: <username>

    Password: <password>

  2. Type the following command to configure the syslog destination for informational events:

    store remote add daemon.info <IP address>:<port> <tcp|udp>

    For example,

    store remote add daemon.info 10.10.1.1:514 tcp

    Where:

    • <IP address> is the IP address of your JSA console or Event Collector.

    • <port> is the syslog port number that is used to communicate to the JSA console or Event Collector.

    • <tcp|udp> is the protocol that is used to communicate to the JSA console or Event Collector.

  3. Type the following command to configure the syslog destination for warning events:

    store remote add daemon.warning <IP address>:<port> <tcp|udp>

    Where:

    • <IP address> is the IP address of your JSA console or Event Collector.

    • <port> is the syslog port number that is used to communicate to the JSA console or Event Collector.

    • <tcp|udp> is the protocol that is used to communicate to the JSA console or Event Collector.

  4. Type the following command to configure the syslog destination for error events:

    store remote add daemon.err <IP address>:<port> <tcp|udp>

    Where:

    • <IP address> is the IP address of your JSA console or Event Collector.

    • <port> is the syslog port number that is used to communicate to the JSA console or Event Collector.

    • <tcp|udp> is the protocol that is used to communicate to the JSA console or Event Collector.

  5. Type the following command to configure the syslog destination for alert events:

    store remote add daemon.alert <IP address>:<port> <tcp|udp>

    Where:

    • <IP address> is the IP address of your JSA console or Event Collector.

    • <port> is the syslog port number that is used to communicate to the JSA console or Event Collector.

    • <tcp|udp> is the protocol that is used to communicate to the JSA console or Event Collector.

    You are now ready to configure a policy for IBM InfoSphere Guardium.
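The four destinations above all use the syslog daemon facility with a different severity each, so on the JSA side you can tell at a glance whether an arriving line came from one of the configured selectors by decoding its syslog PRI value (PRI = facility * 8 + severity; daemon is facility 3). The following Python script is an added example, not code from this guide or from IBM or Juniper: it builds the four store remote add commands from a validated collector address and decodes the PRI prefix of some constructed sample lines. The host name, version string and payloads in the samples are made up for the example.

```python
import ipaddress
import re

# Syslog facility and severity codes (RFC 5424, section 6.2.1).
FACILITY_DAEMON = 3
SEVERITY_CODES = {"alert": 1, "err": 3, "warning": 4, "info": 6}

# The four daemon.<severity> selectors that steps 2 to 5 above configure.
GUARDIUM_SELECTORS = ("daemon.info", "daemon.warning", "daemon.err", "daemon.alert")


def build_store_remote_commands(ip, port, proto):
    """Return the four 'store remote add' commands for one JSA collector.

    The arguments are validated first so that a typo is caught before the
    command is typed into the Guardium CLI.
    """
    ipaddress.ip_address(ip)  # raises ValueError on a malformed address
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    if proto not in ("tcp", "udp"):
        raise ValueError(f"protocol must be tcp or udp, got {proto!r}")
    return [f"store remote add {sel} {ip}:{port} {proto}" for sel in GUARDIUM_SELECTORS]


PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(line):
    """Split a syslog <PRI> prefix into (facility, severity) codes."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("line has no <PRI> prefix")
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal PRI value
        raise ValueError(f"PRI {pri} out of range")
    return pri // 8, pri % 8


def covered_by_guardium_destinations(line):
    """True when the line's facility/severity matches one of the selectors above."""
    facility, severity = decode_pri(line)
    return facility == FACILITY_DAEMON and severity in SEVERITY_CODES.values()


# Constructed sample lines (not captured from a Guardium appliance); only the
# <PRI> prefix matters for this check.
SAMPLE_LINES = [
    "<30>Aug 19 12:33:31 guardium LEEF:1.0|IBM|Guardium|8.2|Login failures|...",  # daemon.info
    "<25>Jun 11 13:47:19 guardium LEEF:1.0|IBM|Guardium|8.2|Unauthorized Users on Cardholder Objects - Alert|...",  # daemon.alert
    "<31>Jun 11 13:47:20 guardium debug chatter",  # daemon.debug: no destination configured for it
    "<14>Jun 11 13:47:21 guardium user.info text",  # facility user, not daemon
]


def audit_lines(lines):
    """Return (facility, severity, covered) for each line."""
    return [decode_pri(l) + (covered_by_guardium_destinations(l),) for l in lines]


if __name__ == "__main__":
    for cmd in build_store_remote_commands("10.10.1.1", 514, "tcp"):
        print(cmd)
    for line, result in zip(SAMPLE_LINES, audit_lines(SAMPLE_LINES)):
        print(result, line[:40])
```

Lines that decode to facility 3 with severity 6, 4, 3 or 1 come through one of the four destinations; anything else (for example daemon.debug, severity 7) was never forwarded by the configuration above and should not be expected in JSA.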

Configuring Policies to Generate Syslog Events

Policies in IBM Guardium are responsible for reacting to events and forwarding the event information to JSA.

  1. Click the Tools tab.

  2. From the left navigation, select Policy Builder.

  3. From the Policy Finder pane, select an existing policy and click Edit Rules.

  4. Click Edit this Rule individually.

    The Access Rule Definition is displayed.

  5. Click Add Action.

  6. From the Action list, select one of the following alert types:

    • Alert Per Match: A notification is provided for every policy violation.

    • Alert Daily: A notification is provided the first time a policy violation occurs that day.

    • Alert Once Per Session: One notification is provided per policy violation for each unique session.

    • Alert Per Time Granularity: A notification is provided per the time frame that you select.

  7. From the Message Template list, select JSA.

  8. From Notification Type, select SYSLOG.

  9. Click Add, then click Apply.

  10. Click Save.

  11. Repeat Steps 1 to 10 for all rules within the policy that you want to forward to JSA.

    For more information on configuring a policy, see your IBM InfoSphere Guardium vendor documentation. After you have configured all of your policies, you are now ready to install the policy on your IBM Guardium system.

    Note:

    Due to the configurable policies, JSA can only automatically discover the default policy events. If you have customized policies that forward events to JSA, you must manually create a log source to capture those events.

Installing an IBM Guardium Policy

Any new or edited policy in IBM Guardium must be installed before the updated alert actions or rule changes can occur.

  1. Click the Administration Console tab.

  2. From the left navigation, select Configuration > Policy Installation.

  3. From the Policy Installer pane, select a policy that you modified in Configuring Policies to Generate Syslog Events.

  4. From the drop-down list, select Install and Override.

    A confirmation is displayed to install the policy to all Inspection Engines.

  5. Click OK.

    For more information on installing a policy, see your IBM InfoSphere Guardium vendor documentation. After you install all of your policies, you are ready to configure the log source in JSA.

Syslog Log Source Parameters for IBM Guardium

If JSA does not automatically detect the log source, add an IBM Guardium log source on the JSA Console by using the Syslog protocol.

When using the syslog protocol, there are specific parameters that you must use.

The following table describes the parameters that require specific values to collect Syslog events from IBM Guardium:

Table 1: Syslog Log Source Parameters for the IBM Guardium DSM

  Parameter               Value
  ----------------------  ---------------------------------------------------------------------------
  Log Source type         IBM Guardium
  Protocol Configuration  Syslog
  Log Source Identifier   Type the IP address or host name for the IBM InfoSphere Guardium appliance.

Creating an Event Map for IBM Guardium Events

Event mapping is required for a number of IBM Guardium events. Because policy rules are customizable, most events, except the default policy events, do not have a predefined JSA Identifier (QID) map that categorizes them as security events.

You can individually map each event for your device to an event category in JSA. Mapping events allows JSA to identify, coalesce, and track recurring events from your network devices. Until you map an event, all events that are displayed in the Log Activity tab for IBM Guardium are categorized as unknown. Unknown events are easy to identify because both the Event Name column and the Low Level Category column display Unknown.

As your device forwards events to JSA, it can take time to categorize all of the events for a device, as some events might not be generated immediately by the event source appliance or software. It is helpful to know how to quickly search for unknown events. When you know how to search for unknown events, we suggest that you repeat this search until you are satisfied that most of your events are identified.

  1. Log in to JSA.

  2. Click the Log Activity tab.

  3. Click Add Filter.

  4. From the first list, select Log Source.

  5. From the Log Source Group list, select the log source group or Other.

    Log sources that are not assigned to a group are categorized as Other.

  6. From the Log Source list, select your IBM Guardium log source.

  7. Click Add Filter.

    The Log Activity tab is displayed with a filter for your log source.

  8. From the View list, select Last Hour.

    Any events that are generated by the IBM Guardium DSM in the last hour are displayed. Events that are displayed as unknown in the Event Name column or Low Level Category column require event mapping in JSA.

    Note:

    You can save your existing search filter by clicking Save Criteria.

    You are now ready to modify the event map.

Modifying the Event Map

Modifying an event map allows you to manually categorize events to a JSA Identifier (QID) map. Any event that is categorized to a log source can be remapped to a new JSA Identifier (QID).

IBM Guardium events that do not have a defined log source cannot be mapped. Events without a log source display SIM Generic Log in the Log Source column.

  1. On the Event Name column, double-click an unknown event for IBM Guardium.

    The detailed event information is displayed.

  2. Click Map Event.

  3. From the Browse for QID pane, select any of the following search options to narrow the event categories for a JSA Identifier (QID):

    • From the High-Level Category list, select a high-level event categorization.

    • For a full list of high-level and low-level event categories or category definitions, see the Event Categories section of the Juniper Secure Analytics Administration Guide.

    • From the Low-Level Category list, select a low-level event categorization.

    • From the Log Source Type list, select a log source type.

    The Log Source Type list gives the option to search for QIDs from other log sources. Searching for QIDs by log source is useful when events are similar to those of another existing network device. For example, because IBM Guardium provides policy events, you might select another product that captures similar policy events.

  4. To search for a QID by name, type a name in the QID/Name field.

    The QID/Name field gives the option to filter the full list of QIDs for a specific word, for example, policy.

  5. Click Search.

    A list of QIDs is displayed.

  6. Select the QID you want to associate to your unknown event.

  7. Click OK.

    JSA maps any additional events that are forwarded from your device with the same QID that matches the event payload. The event count increases each time that the event is identified by JSA.

    If you update an event with a new JSA Identifier (QID) map, past events that are stored in JSA are not updated. Only new events are categorized with the new QID.

IBM Guardium Sample Event Messages

Use these sample event messages to verify a successful integration with JSA.

Note:

Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.

IBM Guardium Sample Message when you use the Syslog Protocol

Sample 1: The following sample event message shows that an attempted login to the database is not successful.

Table 2: Highlighted Values in the IBM Guardium Sample Event

  JSA field name    Highlighted values in the event payload
  ----------------  ---------------------------------------
  Event ID          Login failures
  Username          user
  Source IP         10.30.5.152
  Source port       38754
  Destination IP    10.30.2.124
  Destination port  50000
  Device time       Aug 19 12:33:31

Sample 2: The following sample event message shows that unauthorized users on cardholder objects are detected.

Table 3: Highlighted Values in the IBM Guardium Sample Event

  JSA field name    Highlighted values in the event payload
  ----------------  ------------------------------------------------
  Event ID          Unauthorized Users on Cardholder Objects - Alert
  Username          SYSTEM
  Source IP         172.16.107.92
  Source port       60621
  Destination IP    172.16.107.92
  Destination port  1433
  Device time       Jun 11 13:47:19
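JSA fills the fields in Table 2 and Table 3 from the LEEF header and the key=value attributes that follow it. The following Python parser is an added example, not code from this guide or from IBM or Juniper: it strips the carriage return and line feed characters that the note above warns about, parses a LEEF 1.0 or LEEF 2.0 payload (2.0 carries its attribute delimiter in the header), and maps the attributes to the JSA field names used in the two tables. The two sample payloads are constructed from the table values; the LEEF attribute names (usrName, src, srcPort, dst, dstPort, devTime) are standard LEEF keys chosen for the example, and the keys that Guardium actually emits, the product version and the host name are not shown in this guide and are assumptions here.

```python
import re

# LEEF 1.0 header: LEEF:1.0|Vendor|Product|Version|EventID|attr=val<tab>attr=val
# LEEF 2.0 header: LEEF:2.0|Vendor|Product|Version|EventID|delim|attr=val<delim>...
#   An empty delimiter field means tab; a hex form such as x09 is also allowed.
LEEF_HEADER_RE = re.compile(r"^LEEF:(\d\.\d)\|([^|]*)\|([^|]*)\|([^|]*)\|([^|]*)\|")


def _attr_delimiter(version, rest):
    """Return (delimiter, attribute text) for the given LEEF version."""
    if version.startswith("1."):
        return "\t", rest
    delim, _, attrs = rest.partition("|")
    if delim == "":
        return "\t", attrs
    if re.fullmatch(r"(0x|x)[0-9A-Fa-f]{2}", delim):
        return chr(int(delim[-2:], 16)), attrs
    return delim, attrs


def parse_leef(payload):
    """Parse one LEEF payload (with or without a syslog prefix) into a dict."""
    payload = payload.replace("\r", "").replace("\n", "")  # see the note above
    start = payload.find("LEEF:")
    if start < 0:
        raise ValueError("no LEEF header in payload")
    m = LEEF_HEADER_RE.match(payload[start:])
    if not m:
        raise ValueError("malformed LEEF header")
    version, vendor, product, product_version, event_id = m.groups()
    delim, attr_text = _attr_delimiter(version, payload[start + m.end():])
    attrs = {}
    for item in attr_text.split(delim):
        if "=" in item:
            key, value = item.split("=", 1)
            attrs[key.strip()] = value.strip()
    return {"version": version, "vendor": vendor, "product": product,
            "product_version": product_version, "event_id": event_id, "attrs": attrs}


# Assumed LEEF keys for each JSA field name in Tables 2 and 3 (see lead-in).
JSA_FIELD_KEYS = {
    "Username": "usrName", "Source IP": "src", "Source port": "srcPort",
    "Destination IP": "dst", "Destination port": "dstPort", "Device time": "devTime",
}


def jsa_fields(parsed):
    """Project a parsed payload onto the JSA field names used in the tables."""
    fields = {"Event ID": parsed["event_id"]}
    for field, key in JSA_FIELD_KEYS.items():
        fields[field] = parsed["attrs"].get(key)
    return fields


# Constructed samples (not captured from Guardium). Sample 1 is LEEF 1.0 with a
# stray CR/LF inside it; sample 2 is LEEF 2.0 with '^' as the delimiter.
SAMPLE_1 = ("<30>Aug 19 12:33:31 guardium LEEF:1.0|IBM|Guardium|8.2|Login failures|"
            "devTime=Aug 19 12:33:31\tusrName=user\tsrc=10.30.5.152\tsrcPort=38754\t\r\n"
            "dst=10.30.2.124\tdstPort=50000")
SAMPLE_2 = ("<25>Jun 11 13:47:19 guardium LEEF:2.0|IBM|Guardium|8.2|"
            "Unauthorized Users on Cardholder Objects - Alert|^|"
            "devTime=Jun 11 13:47:19^usrName=SYSTEM^src=172.16.107.92^srcPort=60621^"
            "dst=172.16.107.92^dstPort=1433")


if __name__ == "__main__":
    for sample in (SAMPLE_1, SAMPLE_2):
        for name, value in jsa_fields(parse_leef(sample)).items():
            print(f"{name:17} {value}")
        print()
```

Running the script prints the same rows as Table 2 and Table 3; if a field comes out as None for a real Guardium payload, the key name that Guardium uses differs from the assumption in JSA_FIELD_KEYS and the mapping should be adjusted to the keys seen in the payload.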