Enforcive Data Provider


Send Important Security Events from IBM i to External, Consolidated Log Monitoring Systems

The Enforcive Data Provider add-on provides a highly efficient and flexible “filter-based” tool for automatically collecting any important subset of security events from the IBM i and delivering these to an external, consolidated log monitoring system.

Data Collection on Your Terms

Any data source on your IBM i can be analyzed through unique collection criteria. For example, the collection of events from the IBM Audit Journal can be set to select or omit specific groups of users, to define specific IBM audit journal entry types, and to include groups of objects that belong to related events. Data Provider also fully integrates with the Enforcive Enterprise Security Suite for added functionality; for instance, using the Application Audit module, administrators can choose criteria such as which user departments to include, which exit-point events to collect, and whether only rejections should be extracted. For further subsetting of data, a Query Wizard is available to define the data extraction, such as events relating to libraries beginning with Q* or generated by a specific group of jobs.

In addition to the collection criteria you specify for each data source, administrators can choose whether security events are to be extracted in real time or on a designated schedule. Being able to control the frequency and schedule of when events are collected allows you to better manage system performance on both the collection and the consolidation systems.


Tailored for SIEM and Other Log Monitoring Tools

Administrators can send extracted security events from each data source to many kinds of syslog servers for analysis, including popular log monitoring tools and SIEM consoles. Just specify the IP and port, and Data Provider sends the events in the format of your choosing. For example, event processing is available for RSA enVision and Netforensics formats, as well as Common Event Format (CEF). Events can also be sent to the Enforcive Cross-Platform Audit solution, which is purpose-built to consolidate and correlate events from multiple IBM i servers.

Data Provider gives you three destination options: Cross-Platform Audit (CPA) Remote Collection Service, SYSLOG Server, and IFS Files. If the destination is set as CPA, the CPA itself handles the collection of the data via its remote collection service. For SYSLOG, you specify the IP address, port, connection type (TCP, UDP, TCP/SSL), and message format. When producing IFS Files, you have an option to automatically FTP or SFTP the files by specifying IP address, port, and the destination Output Directory.
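The two passages above describe select/omit collection criteria on audit-journal entries and delivery of the selected events as CEF over syslog (UDP, TCP or TCP/SSL). The following is an added example written for this page, not Enforcive's code: it filters a few constructed QAUDJRN-style entries the way the criteria section describes, renders the survivors as CEF syslog lines with the CEF escaping rules applied, and parses them back the way a receiving SIEM would. The vendor/product strings, the severity mapping and the `send_syslog` transport helper are assumptions for the example; the pipe, backslash, equals and newline escaping is the CEF rule set itself.

```python
import re
import socket
import ssl
from dataclasses import dataclass
from fnmatch import fnmatch


@dataclass(frozen=True)
class AuditEntry:
    """One IBM i audit-journal (QAUDJRN) entry, reduced to the fields used here."""
    entry_type: str  # journal entry type, e.g. PW (password failure), DO (object delete)
    user: str
    job: str
    library: str
    obj: str
    detail: str


# Constructed sample entries for this example; not real journal data.
SAMPLE_ENTRIES = [
    AuditEntry("PW", "JSMITH", "QPADEV0001", "QSYS", "*SIGNON", "password not valid"),
    AuditEntry("CO", "APPUSR", "BATCH01", "PAYLIB", "PAYFILE", "object created"),
    AuditEntry("DO", "QSECOFR", "QPADEV0002", "QGPL", "OLDPGM", "object deleted"),
    AuditEntry("PW", "SVCACCT", "QZDASOINIT", "QSYS", "*SIGNON", "password not valid"),
]


def select_entries(entries, entry_types=None, select_users=None, omit_users=(),
                   library_pattern="*"):
    """Select/omit filtering in the spirit of the page's collection criteria:
    keep only the listed entry types, keep or drop named users, and match the
    library against a wildcard such as "Q*"."""
    kept = []
    for e in entries:
        if entry_types is not None and e.entry_type not in entry_types:
            continue
        if select_users is not None and e.user not in select_users:
            continue
        if e.user in omit_users or not fnmatch(e.library, library_pattern):
            continue
        kept.append(e)
    return kept


def _esc_header(s):
    # CEF header fields: backslash and pipe are escaped
    return s.replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(s):
    # CEF extension values: backslash, equals sign and newline are escaped
    return s.replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n")


SEVERITY = {"PW": 7, "DO": 5, "CO": 3}  # assumed mapping for the example, not Enforcive's


def to_cef(e, host="IBMI01", pri=165):
    """Render one entry as a syslog line carrying a CEF payload.
    pri=165 is facility local4 (20 * 8) plus severity notice (5)."""
    header = "|".join(_esc_header(x) for x in [
        "CEF:0", "ExampleVendor", "ExampleProduct", "1.0",
        e.entry_type, f"QAUDJRN {e.entry_type}", str(SEVERITY.get(e.entry_type, 1))])
    ext = " ".join(f"{k}={_esc_ext(v)}" for k, v in [
        ("suser", e.user), ("cs1Label", "job"), ("cs1", e.job),
        ("cs2Label", "library"), ("cs2", e.library), ("fname", e.obj), ("msg", e.detail)])
    return f"<{pri}>{host} {header}|{ext}"


def _split_unescaped(s, sep, limit):
    """Split s on sep at most `limit` times, leaving backslash-escaped characters intact."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur.append(s[i:i + 2]); i += 2; continue
        if s[i] == sep and len(parts) < limit:
            parts.append("".join(cur)); cur = []
        else:
            cur.append(s[i])
        i += 1
    parts.append("".join(cur))
    return parts


def parse_cef(line):
    """The receiving side: parse a CEF syslog line back into header fields and
    an extension dict, undoing the escaping applied by to_cef."""
    parts = _split_unescaped(line[line.index("CEF:"):], "|", 7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    names = ["version", "vendor", "product", "device_version", "signature_id", "name", "severity"]
    header = {n: re.sub(r"\\([\\|])", r"\1", p) for n, p in zip(names, parts[:7])}
    ext = {}
    for tok in re.split(r" (?=[\w.]+=)", parts[7]):  # values may contain spaces
        key, val = tok.split("=", 1)  # keys never contain "=", so the first one separates
        ext[key] = re.sub(r"\\(.)", lambda m: "\n" if m.group(1) == "n" else m.group(1), val)
    return {"header": header, "ext": ext}


def send_syslog(lines, host, port, transport="udp"):
    """Ship rendered lines over UDP, TCP or TCP/SSL, the three connection types the
    page lists. Network side only; not called anywhere in this example."""
    if transport == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            for line in lines:
                s.sendto(line.encode(), (host, port))
        return
    sock = socket.create_connection((host, port))
    if transport == "tcp/ssl":
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    with sock:
        for line in lines:
            sock.sendall((line + "\n").encode())  # newline-framed TCP syslog
```

A typical run selects only password failures from non-service users in Q* libraries, `select_entries(SAMPLE_ENTRIES, entry_types={"PW"}, omit_users={"SVCACCT"}, library_pattern="Q*")`, renders each with `to_cef` and hands the list to `send_syslog`. The round trip through `parse_cef` is the check worth keeping on the SIEM side: a field value containing a pipe, an equals sign or a newline must survive unchanged, otherwise correlation rules keyed on user or object names will silently miss events.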


Breadth of Data Sources

Because it’s integrated with the Enforcive Enterprise Security Suite, Data Provider makes it easy to collect a wide spectrum of security and system events:

  • Application Audit: Connections between the IBM i and other platforms through IBM exit points as well as through the monitoring of any system or custom command
  • Encryption: Starting and ending of field encryption by type
  • File Audit: Information about file accesses, including before and after images of critical files
  • History Log: Selected security-related events from the QHST files
  • Message Queue: Specific message queues can be monitored for relevant messages
  • SQL Statement Audit: Internal SQL events on the systems, including interactive SQL processes, QSHELL database functions, and SQL that’s embedded in high-level languages and queries
  • System Audit: The IBM Audit Journal for critical events
  • View Data: Events can be generated from actual views and reads at the database field level, monitoring the most sensitive files

GUI-Based

As a fully GUI-based tool, Data Provider makes it easier for security officers who are not familiar with "green-screens" to manage the consolidation and monitoring of sensitive data in their organization.