Integrate AS/400 - Netsurion


Integrate AS/400
EventTracker v8.x and above
Publication Date: April 4, 2018

Abstract

This guide provides instructions to configure AS/400 to send crucial events to EventTracker Enterprise by means of syslog.

Scope

The configurations detailed in this guide are consistent with EventTracker Enterprise version 8.x and later, and AS/400 iSeries 6.1-7.1.

Audience

AS/400 users who wish to forward its events to EventTracker Manager and monitor them using EventTracker Enterprise.

The information contained in this document represents the current view of EventTracker on the issues discussed as of the date of publication. Because EventTracker must respond to changing market conditions, it should not be interpreted to be a commitment on the part of EventTracker, and EventTracker cannot guarantee the accuracy of any information presented after the date of publication.

This document is for informational purposes only. EventTracker MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, this paper may be freely distributed without permission from EventTracker, if its content is unaltered, nothing is added to the content and credit to EventTracker is provided.

EventTracker may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from EventTracker, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The example companies, organizations, products, people and events depicted herein are fictitious. No association with any real company, organization, product, person or event is intended or should be inferred.

© 2018 EventTracker Security LLC. All rights reserved. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Table of Contents

- Abstract
- Scope
- Audience
- Overview
- Prerequisites
- Integrating AS/400 with EventTracker
  - Enable Audit for IBM iSeries (AS/400) Journal Logs
  - Configuring IBM i Security to send events to EventTracker
- EventTracker Knowledge Pack
  - Categories
  - Alerts
  - Flex Reports
- Import AS/400 Knowledge Pack into EventTracker
  - Import Category
  - Import Alerts
  - Import Knowledge Object
  - Token Template
  - Import Flex Reports
- Verify AS/400 Knowledge Pack
  - Verify Categories
  - Verify Alerts
  - Verify Knowledge Object
  - Token Template
  - Verify Flex Reports
- Create Dashboards in EventTracker
  - Schedule Reports
  - Create Dashlets
  - Sample Dashboards

Overview

The IBM System i is IBM's previous generation of midrange computer systems for IBM i users, and was subsequently replaced by the IBM Power Systems in April 2008. The platform was first introduced as the AS/400 (Application System/400) on June 21, 1988 and later renamed to the eServer iSeries in 2000.

The AS/400 operating system is object-based. Features include a RDBMS (DB2/400), a menu-driven interface, support for multiple users, block-oriented terminal support (IBM 5250), and printers. It supports security, communications, and web-based applications which can be executed inside the optional IBM WebSphere Application Server or as PHP/MySQL applications inside a native port of the Apache web server.

Prerequisites

- EventTracker 8.x or later should be installed.
- AS/400 iSeries application should be installed.
- A syslog forwarder application needs to be installed, as AS/400 does not have any syslog forwarder by default.
- Create a rule in the EventTracker Manager firewall to allow port 514.

Integrating AS/400 with EventTracker

AS/400 is integrated with EventTracker via syslog forwarding, with the help of any syslog forwarding application.

NOTE: The integration steps below use IBM i Security as the syslog forwarding application.

Enable Audit for IBM iSeries (AS/400) Journal Logs

NOTE: The integration below is just an example of a syslog forwarder (IBM i Security) that can be used. You can use any other syslog forwarder to forward logs; it is not mandatory to use the same one. Other compatible syslog forwarders that are commonly used are ng-syslog, Townsend Allianz, kiwi etc.

Configuring IBM i Security to send events to EventTracker

1. Log in to the iSecurity CLI console.
2. Access the main control screen for SIEM as shown in the image below.

Figure 1

3. You will find an option Send SYSLOG Messages to Siem. Enter Y to configure.
4. Another screen comes up asking you to set up the Syslog Server details as shown below.

Figure 2

5. In the highlighted portion of the image above, enter the following details:
   - SIEM 1 name: Any name to identify the syslog server.
   - SYSLOG type: 1 (UDP)
   - Port: 514
   - Destination address: EventTracker Manager IP Address
   - Message structure: CEF format
6. Set the severity of the different syslog events as shown in the image below.

Figure 3

7. Save the changes and press F3 to exit CLI mode.
8. Navigate to the GUI of iSecurity and choose the System Configuration option as shown below.

Figure 4

9. In the highlighted portion of the image above, enter the following details:
   - SYSLOG type: (UDP)
   - Port: 514
   - Destination address: EventTracker Manager IP Address
   - Range of severities to send: 0-7
10. Click on Save.
11. Once the journal receiver is created and the specified logs are collected in it, EventTracker will fetch those logs for monitoring, report generation and alert notification.

EventTracker Knowledge Pack

Once logs are received into EventTracker, Categories and reports can be configured in EventTracker.

Categories

- AS/400- Audit change activities: This category based report provides information related to all the audit change activities.
- AS/400- Authority change activities: This category based report provides information related to all the changes in authority, like grant, replace and revoke, that are done.
- AS/400- Spooled file activities: This category based report provides information related to all the spooled file activities.
- AS/400- Interprocess communication activities: This category based report provides information related to all the interprocess communications that are done.
- AS/400- Command string audit: This category based report provides information related to all the command strings that have been executed in the AS/400 CLI.
- AS/400- User authentication failures: This category based report provides information related to all the user authentication failures.
- AS/400- Object operations: This category based report provides information related to all the object operations such as object created, deleted, renamed, modified, ownership changed, and assigning rights.
- AS/400- Generic record activities: This category based report provides information related to all the generic record activities such as exit program added, exit program removed, function registration operations and resource monitoring operations.

Alerts

- AS/400: Directory unlink: This alert is generated when any directory is unlinked or removed.
- AS/400: Interprocess communication activities: This alert is generated when any interprocess communication change occurs, such as ownership change, create, delete, authority failure and shared memory removal or attach.
- AS/400: Object operations: This alert is generated when any object operation has taken place, such as object created, deleted, renamed, modified, ownership changed, and assigned rights.
- AS/400: User Authentication failures: This alert is generated when any user authentication failure occurs.
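The forwarder configured in the steps above emits syslog datagrams over UDP port 514 with a CEF message structure and syslog severities 0-7, and EventTracker then sorts those events into the categories listed above. The following Python example, added here and not code from Netsurion, EventTracker or iSecurity, parses such a syslog+CEF line, validates the PRI header, and buckets events by keywords in the CEF Name field so you can check what actually arrives on the collector before relying on the knowledge pack. The function names, the SAMPLE_LINES, the signature IDs and names inside them, and the CATEGORY_RULES keyword mapping are all constructed assumptions; the guide does not show the real iSecurity field layout or EventTracker's parsing rules.

```python
"""Parse CEF-over-syslog lines as an AS/400 syslog forwarder would send them
to EventTracker (UDP 514, CEF message structure, severities 0-7) and bucket
them into the knowledge-pack categories. Added example; SAMPLE_LINES and
CATEGORY_RULES are constructed assumptions, not real iSecurity output."""
import re
import socket

# RFC 3164-style header "<PRI>Mmm dd hh:mm:ss host " followed by the CEF payload.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<msg>CEF:.*)$"
)

# Keyword in the CEF Name field -> knowledge-pack category (assumed mapping;
# first match wins, so more specific keywords come first).
CATEGORY_RULES = [
    ("authentication", "AS/400- User authentication failures"),
    ("password", "AS/400- User authentication failures"),
    ("authority", "AS/400- Authority change activities"),
    ("command", "AS/400- Command string audit"),
    ("spool", "AS/400- Spooled file activities"),
    ("interprocess", "AS/400- Interprocess communication activities"),
    ("audit", "AS/400- Audit change activities"),
    ("object", "AS/400- Object operations"),
]

# Constructed sample datagrams (signature IDs, names and extensions are made up).
SAMPLE_LINES = [
    "<84>Apr  4 10:15:01 AS400PRD CEF:0|Example|iSecurity|1.0|1001|User authentication failure|7|suser=QUSER src=192.0.2.10 msg=Password not valid",
    "<86>Apr  4 10:15:07 AS400PRD CEF:0|Example|iSecurity|1.0|1002|Authority change|5|suser=QSECOFR fname=PAYROLL act=GRANT",
    "<86>Apr  4 10:16:30 AS400PRD CEF:0|Example|iSecurity|1.0|1003|Command string executed|3|suser=OPER1 msg=WRKACTJOB",
    "<14>Apr  4 10:17:00 AS400PRD CEF:0|Example|iSecurity|1.0|1999|Something else|1|suser=X",
    "not a syslog line",
]


def _unescape(field):  # undo CEF header escaping of '|' and '\'
    return field.replace("\\|", "|").replace("\\\\", "\\")


def split_cef(payload):
    """Split 'CEF:0|Vendor|Product|Version|SigID|Name|Severity|Extension'.
    Only unescaped '|' separate header fields; extension values run until
    the next ' key=' token, so values may contain spaces."""
    parts = re.split(r"(?<!\\)\|", payload, maxsplit=7)
    if len(parts) != 8 or parts[0] != "CEF:0":
        raise ValueError("not a CEF:0 message")
    ext = {k: v.replace("\\=", "=")
           for k, v in re.findall(r"(\w+)=(.*?)(?=\s\w+=|$)", parts[7])}
    keys = ("vendor", "product", "version", "sig_id", "name", "cef_severity")
    return {**dict(zip(keys, map(_unescape, parts[1:7]))), "ext": ext}


def parse_event(line):
    """Return a dict for one syslog+CEF line, or None when the line is not
    syslog+CEF or its PRI is outside facility 0-23 / severity 0-7."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # 23 * 8 + 7 is the largest valid PRI
        return None
    try:
        cef = split_cef(m.group("msg"))
    except ValueError:
        return None
    return {"facility": pri // 8, "severity": pri % 8,
            "timestamp": m.group("ts"), "host": m.group("host"), **cef}


def categorize(event):
    """Map a parsed event to a category by keywords in its CEF Name (assumed)."""
    name = event["name"].lower()
    for keyword, category in CATEGORY_RULES:
        if keyword in name:
            return category
    return None


def summarize(lines):
    """Count events per category plus malformed ('rejected') and unmatched
    ('uncategorized') lines, so forwarding or mapping gaps are visible."""
    counts = {"rejected": 0, "uncategorized": 0}
    for line in lines:
        event = parse_event(line)
        if event is None:
            counts["rejected"] += 1
            continue
        category = categorize(event)
        if category is None:
            counts["uncategorized"] += 1
        else:
            counts[category] = counts.get(category, 0) + 1
    return counts


def listen(port=514, bind_addr="0.0.0.0", handler=print):
    """Receive datagrams on the UDP port set in the forwarder and pass
    (source address, parsed event or None, category) to handler.
    Binding port 514 needs administrative privilege on most systems."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        while True:
            data, (src, _) = sock.recvfrom(65535)
            event = parse_event(data.decode("utf-8", "replace").rstrip("\r\n"))
            handler(src, event, categorize(event) if event else None)


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        event = parse_event(line)
        print(categorize(event) if event else "REJECTED", "<-", line[:50])
    print(summarize(SAMPLE_LINES))
```

Running the file as a script prints the category for each constructed line and the summary; `listen()` turns the same parser into a throwaway UDP receiver for a test collector. Plain UDP syslog carries no authentication or integrity protection and drops silently under load, so scope the port-514 firewall rule on the EventTracker Manager to the AS/400 source address and treat a rising `rejected` count as a sign that the forwarder's message structure is not the CEF format expected here.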

Flex Reports

- AS/400- Audit change activities: This report provides information related to all the audit change activities.

Figure 5

Logs Considered: Figure 6

- AS/400- Authority change activities: This report provides information related to all the changes in authority, like grant, replace and revoke, that are done.

Figure 7

Logs Considered: Figure 8

- AS/400- Spooled file activities: This report provides information related to all the spooled file activities.

Figure 9

Logs Considered: Figure 10

- AS/400- Interprocess communication activities: This report provides information related to all the interprocess communications that are done.

Figure 11

Logs Considered: Figure 12

- AS/400- Command string audit: This report provides information related to all the command strings that have been executed in the AS/400 CLI.

Figure 13

Logs Considered: Figure 14

- AS/400- User authentication failures: This report provides information related to all the user authentication failures.

Figure 15

Logs Considered: Figure 16

- AS/400- Object operations: This report provides information related to all the object operations such as object created, deleted, renamed, modified, ownership changed, and assigned rights.

Figure 17

Logs Considered: Figure 18

Import AS/400 Knowledge Pack into EventTracker

NOTE: Import knowledge pack items in the following sequence:
- Categories
- Knowledge Objects
- Alerts
- Token Templates
- Flex Reports

NOTE: Export knowledge pack items in the following sequence:
- Categories
- Knowledge Objects
- Alerts
- Token Templates
- Flex Reports

1. Launch EventTracker Control Panel.
2. Double click Export Import Utility, and then click the Import tab.

Figure 19

Import Category

1. Click the Category option, and then click the browse button.

Figure 20

2. Locate the Categories AS/400.iscat file, and then click the Open button.
3. To import categories, click the Import button.
   EventTracker displays a success message.

Figure 21

4. Click OK, and then click the Close button.

Import Alerts

1. Click the Alert option, and then click the browse button.

Figure 22

2. Locate the AS/400 Alerts.isalt file, and then click the Open button.
3. To import alerts, click the Import button.
   EventTracker displays a success message.

Figure 23

4. Click the OK button, and then click the Close button.

Import Knowledge Object

1. Click the Admin menu, and then click Knowledge Objects.
2. Click on the ‘Import’ option.

Figure 24

3. In the IMPORT pane, click on the Browse button.

Figure 25

4. Locate the KO AS/400.etko file, and then click the UPLOAD button.

Figure 26

5. Now select the check box and then click on the ‘OVERWRITE’ option.
   EventTracker displays a success message.

Figure 27

6. Click on the OK button.

Token Template

1. Click the Admin menu, and then click Parsing rule.
2. Select the Template tab, and then click on the ‘Import’ option.
3. Click on the Browse button.

Figure 28

4. Locate the AS/400 Templates.ettd file, and then click the Open button.

Figure 29

5. Now select the check box and then click on the ‘Import’ option.
   EventTracker displays a success message.

Figure 30

6. Click on the OK button.

Import Flex Reports

1. Click the Reports option, and then click the ‘browse’ button.
2. Locate the AS/400 Reports.etcrx file, and then click the Open button.

Figure 31

3. To import scheduled reports, click the Import button.

Figure 32

EventTracker displays a success message.

Figure 33

4. Click OK, and then click the Close button.

Verify AS/400 Knowledge Pack

Verify Categories

1. Logon to EventTracker Enterprise.
2. Click the Admin menu, and then click Category.
3. In the Category Tree, scroll down and expand the ‘AS/400’ group folder to view the imported categories.

Figure 34

Verify Alerts

1. Logon to EventTracker Enterprise.
2. Click the Admin menu, and then click Alerts.
3. In the Search box, type ‘AS/400’, and then click the Go button.
   The Alert Management page will display all the imported alerts.

Figure 35

4. To activate the imported alerts, select the respective checkbox in the Active column.
   EventTracker displays a message box.

Figure 36

5. Click OK, and then click the Activate Now button.

NOTE: Please specify appropriate systems in the alert configuration for better performance.

Verify Knowledge Object

1. Click the Admin menu, and then click Knowledge Objects.
2. Scroll down and select AS/400 in the Objects pane.
   The imported AS/400 details are shown.

Figure 37

Token Template

1. Logon to the EventTracker Enterprise web interface.
2. Click the Admin menu, then click Parsing Rules and click Template.
3. Click on the AS/400 group option.

Figure 38

Verify Flex Reports

1. Logon to EventTracker Enterprise.
2. Click the Reports menu, and then Configuration.
3. Select Defined in report type.
4. In the Report Groups Tree, scroll down and click the AS/400 group folder to view the imported Scheduled Reports.
   Scheduled Reports are displayed in the Reports configuration pane.

Figure 39

NOTE: Please specify appropriate systems in the report wizard for better performance.

Create Dashboards in EventTracker

Schedule Reports

1. Open EventTracker in a browser and logon.

Figure 40

2. Navigate to Reports Configuration.

Figure 41

3. Select AS/400 in report groups. Check the Defined dialog box.
4. Click on ‘schedule’ to plan a report for later execution.

Figure 42

5. Choose an appropriate time for report execution and, in Step 8, check the Persist data in Eventvault explorer box.

Figure 43

6. Check the column names to persist using the PERSIST checkboxes beside them. Choose a suitable Retention period.
7. Proceed to the next step and click the Schedule button.
8. Wait for the scheduled time or generate the report manually.

Create Dashlets

1. EventTracker 8 is required to configure the flex dashboard.
2. Open EventTracker in a browser and logon.

Figure 44

3. Navigate to Dashboard, then Flex.
   The Flex Dashboard pane is shown.

Figure 45

4. Click the button to add a new dashboard.
   The Flex Dashboard configuration pane is shown.

Figure 46

5. Fill in a fitting title and description and click the Save button.
6. Click the button to configure a new flex dashlet.
   The Widget configuration pane is shown.

Figure 47

7. Locate the earlier scheduled report in the Data Source dropdown.
8. Select the Chart Type from the dropdown.
9. Select the extent of data to be displayed in the Duration dropdown.
10. Select the computation type in the Value Field Setting dropdown.
11. Select the evaluation duration in the As Of dropdown.
12. Select comparable values in X Axis with a suitable label.
13. Select numeric values in Y Axis with a suitable label.
14. Select a comparable sequence in Legend.
15. Click the Test button to evaluate.
    The evaluated chart is shown.

Figure 48

16. If satisfied, click the Configure button.
17. Click ‘customize’ to locate and choose the created dashlet.
18. Click the button to add the dashlet to the earlier created dashboard.

Sample Dashboards

REPORT: AS/400- User authentication failures
WIDGET TITLE: AS/400- User authentication failures
CHART TYPE: Donut
AXIS LABELS [X-AXIS]: Status
LEGEND [SERIES]: Source IP Address

Figure 49

REPORT: AS/400- Commands executed
WIDGET TITLE: AS/400- Commands executed
CHART TYPE: Stacked Column
AXIS LABELS [X-AXIS]: Command Executed
LEGEND [SERIES]: User Name

Figure 50

REPORT: AS/400- Object operations
WIDGET TITLE: AS/400- Object operations
CHART TYPE: Donut
AXIS LABELS [X-AXIS]: Event Type
LEGEND [SERIES]: Current User Name

Figure 51
