Absent Member.
Absent Member.
849 views

Arcsight Logger processing zSecure Alert Messages on a RACF z/OS platform

Hi,

Is anyone aware of, or has anybody ever been able to succesfully integrate zSecure Alert messages from a RACF z/OS platform into ArcSight Logger.  The zSecure application is sending messages in a very well formatted syslog message and I am hoping not to have to write a parser to strip out the details that I want and that it has been done before.

Has anyone had any experiences with integrating the zSecure Alert system into ArcSight Logger ?

Regards,

Dean

Labels (2)
0 Likes
Reply
3 Replies
Highlighted
Regular Contributor.
Regular Contributor.

Re: Arcsight Logger processing zSecure Alert Messages on a RACF z/OS platform

Hi Dean,

are there any new informations on the zSecure integration? Did you have to write a parser for this?

Thanks and Regards

Suzana

0 Likes
Reply
Highlighted
Senior Member.

Re: Arcsight Logger processing zSecure Alert Messages on a RACF z/OS platform

In zSecure Alert you must enable the rule that captures the event and then send it to the archsight with snmp protocol (I did so) or by rsyslogd.
In the
)SEL &C2PERCTP = SNMP section, you have to indicate the fields that you want to send to the ArcSight, I have attached an extract of the manual,also see the table that follow the appendix.


From the ArcSight side you must install and configure the snmp daemon that captures the data as you want.


By


Mauro


Appendix A. SNMP output

It is possible to define your own SNMP traps. In order to do this, the

LIST/SORTLIST-output must have a special form and it must be processed using

NEWLIST SNMP. The latter is automatically done for you by Tivoli zSecure Alert.

The special form of the output must be:

specific-trap [’-c community’] [’-g global-trap’.] [’-e enterprise’] /,

variable_1 <contents to be assigned to variable_1> /,

variable_2 <contents to be assigned to variable_2> /,

...

variable_n <contents to be assigned to variable_n>

The CARLa output conforming to this template is a set of assignment statements.

It is processed by NEWLIST SNMP when generating the SNMP trap. The

assigments may use predefined variables (listed below and in the Management

Information Base SCKRCARL(C2PMIB)) as well as integers representing

user-defined variables. The range 400000 to 699999 is reserved for user-defined

variables; we suggest you use the four digits of the SNMP trap number followed

by two digits of your own choice. It is recommended that your SNMP-generating

code contains:

'eventIntegral' 'short description of the specific trap at hand' /,

'eventWhen' datetime(datetimezone,0) /,

The following is an example of the CARLa that generates the required output:

)CM SNMP sortlist

)SEL &C2PERCTP = SNMP

sortlist,

recno(nd),

'&c2pemem.' /,

'eventIntegral',

'Alert: APF list changed by SETPROG APF command' '-',

'System messages report that SETPROG APF command is issued' /,

'eventWhen' datetime(datetimezone,0) /,

'&c2pemem.00' MsgTxt1(0,hor) /,

'whereSYSTEM' system(0)

)ENDSEL

The variables in this example are 'eventIntegral', 'eventWhen', '&c2pemem.00',

and 'whereSYSTEM'. The variables 'eventIntegral', 'eventWhen', and

'whereSYSTEM' are predefined, while '&c2pemem.00' is an installation defined

variable.

The contents of a variable must not contain line breaks; this may have to be

enforced with a repeat group format modifier firstonly, or hor.

Between '&c2pemem.' (called the specific-trap field) and /, on the line after

recno(nd), you may insert the options -c community, -g global-trap, and -e

enterprise. The default value of community is public while global-trap defaults to 6

(indicating an enterprise specific trap), and enterprise defaults to

1.3.6.1.4.1.9399.1.2 (indicating enterprises.consul.software.zAlert). For

information on the specific-trap, community, global-trap, and enterprise

parameters, you should consult SNMP literature like RFC 1215.


0 Likes
Reply
Highlighted
Regular Contributor.
Regular Contributor.

Re: Arcsight Logger processing zSecure Alert Messages on a RACF z/OS platform

Hi Mauro,

thank you very much for explaining the SNMP Trap solution. I am afraid that our zOS is already configured to send logs via syslog and we probably need to write a syslog subparser if one does not already exist.

Thanks an Regards

Suzana

0 Likes
Reply
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.