In addition to the collection criteria you specify for each data source, administrators can choose whether security events are to be extracted in real time or on a designated schedule. Being able to control the frequency and schedule of when events are collected allows you to better manage system performance on both the collection and the consolidation systems.
Tailored for SIEM and Other Log Monitoring Tools
Administrators can send extracted security events from each data source to many kinds of syslog servers for analysis, including popular log monitoring tools and SIEM consoles. Just specify the IP address and port, and Data Provider sends the events in the format of your choosing. For example, event processing is available for RSA enVision and Netforensics formats, as well as Common Event Format (CEF). Events can also be sent to the Enforcive Cross-Platform Audit solution, which is purpose-built to consolidate and correlate events from multiple IBM i servers.
Data Provider gives you three destination options: Cross-Platform Audit (CPA) Remote Collection Service, SYSLOG Server, and IFS Files. If the destination is set as CPA, the CPA itself handles the collection of the data via its remote collection service. For SYSLOG, you specify the IP address, port, connection type (TCP, UDP, TCP/SSL), and message format. When producing IFS Files, you have an option to automatically FTP or SFTP the files by specifying IP address, port, and the destination Output Directory.
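Added example (not Data Provider's own code or output): a defender-side Python parser for the CEF records a syslog or SIEM receiver would get from the SYSLOG destination described above. It applies the CEF escaping rules (backslash before '|' in the header and before '=' in extension values), rejects malformed records, tolerates a syslog prefix, and filters a batch by severity; the sample feed, vendor/product names and signature IDs are constructed placeholders, not real Data Provider values.

```python
import re
from typing import Dict, List

HEADER_FIELDS = ("cef_version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity")
_HEADER_RE = re.compile(r"((?:[^|\\]|\\.)*)\|" * 7)  # seven fields, each ended by an unescaped '|'
# CEF backslash escapes: '|' (header), '=' (extension values), literal '\', and line breaks
_ESCAPES = {"\\": "\\", "|": "|", "=": "=", "n": "\n", "r": "\r"}


def _unescape(text: str) -> str:
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(0)), text)


def parse_cef(line: str) -> Dict[str, object]:
    """Return the seven header fields plus extension pairs; raise ValueError if malformed."""
    start = line.find("CEF:")  # tolerate a syslog PRI/timestamp prefix before the record
    if start < 0:
        raise ValueError("not a CEF record")
    m = _HEADER_RE.match(line, start + 4)
    if not m:
        raise ValueError("CEF header needs seven '|'-terminated fields")
    event: Dict[str, object] = {k: _unescape(v) for k, v in zip(HEADER_FIELDS, m.groups())}
    sev = str(event["severity"])
    if not (sev.isdigit() and int(sev) <= 10):  # numeric CEF severity is 0..10
        raise ValueError(f"bad severity {sev!r}")
    event["severity"] = int(sev)
    extension = line[m.end():].strip()
    # Extension keys contain no spaces, so each new pair starts at whitespace + 'key='.
    for pair in (re.split(r"\s+(?=[\w.]+=)", extension) if extension else []):
        key, _, value = pair.partition("=")
        event[key] = _unescape(value)
    return event


def events_at_or_above(lines: List[str], threshold: int) -> List[Dict[str, object]]:
    """Parse a batch, skipping malformed lines, and keep events with severity >= threshold."""
    parsed = []
    for line in lines:
        try:
            parsed.append(parse_cef(line))
        except ValueError:
            pass  # a real receiver would count these as feed errors
    return [e for e in parsed if int(e["severity"]) >= threshold]


SAMPLE_FEED = [  # constructed sample feed; vendor/product names and signature IDs are placeholders
    "<134>Oct 11 10:15:02 ibmi01 CEF:0|ExampleVendor|ExampleAuditFeed|1.0|PW|Password failure|7|src=10.1.2.3 suser=QSECOFR msg=Sign-on rejected for user\\=QSECOFR",
    "CEF:0|ExampleVendor|ExampleAuditFeed|1.0|CD|Command \\| audited|3|suser=OPER1 cmd=WRKACTJOB",
    "not a CEF line at all",
]
```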
Breadth of Data Sources
Because it’s integrated with the Enforcive Enterprise Security Suite, Data Provider makes it easy to collect a wide spectrum of security and system events:
- Application Audit: Connections between the IBM i and other platforms through IBM exit points as well as through the monitoring of any system or custom command
- Encryption: Starting and ending of field encryption by type
- File Audit: Information about file accesses, including before and after images of critical files
- History Log: Selected security-related events from the QHST files
- Message Queue: Specific message queues can be monitored for relevant messages
- SQL Statement Audit: Internal SQL events on the systems, including interactive SQL processes, QSHELL database functions, and SQL that’s embedded in high-level languages and queries
- System Audit: The IBM Audit Journal for critical events
- View Data: Events can be generated from actual views and reads at the database field level, monitoring the most sensitive files
As a fully GUI-based tool, Data Provider makes it easier for security officers who are not familiar with "green-screens" to manage the consolidation and monitoring of sensitive data in their organization.