Collecting and Monitoring Real-time IBM i Security Events with Alliance LogAgent for IBM QRadar
Because the IBM i (AS/400, iSeries) typically runs many applications side by side, it does not log the way other systems do: security events from all of those sources land in the same place at the same time, and the volumes are large, up to 3,500 events per second, or around 250 million events per day. The essence of good log security is externalizing the system logs and collecting them in a central repository. Forwarding events off the host as they occur removes much of the risk of tampering, because an attacker who compromises the IBM i can no longer quietly alter or delete the only copy of the record. Close monitoring of system logs helps you detect a breach early and is often a requirement for compliance with security regulations, but without the right tooling it is a difficult, inefficient, and cumbersome process.
For years, our Alliance LogAgent solution has been helping businesses using the IBM i to collect logs from the QAUDJRN security journal, convert them to common syslog formats, and then transmit them to a central log server or SIEM product for collection, analysis, and alert management. Now, with Alliance LogAgent for IBM QRadar, deeper threat intelligence and security insights can be gained in real time.
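To make the conversion step concrete, here is an added example (written for this page, not Alliance LogAgent's or QRadar's own code) that takes constructed QAUDJRN-style records, renders each one as a LEEF 2.0 message inside an RFC 3164 syslog frame, and then parses the frames back the way a SIEM collector would, finishing with a small correlation over the decoded events. The AF and PW entry type codes are real QAUDJRN journal entry types; the flattened field layout, the vendor and product strings, the custom attribute names (jobName, objectName) and the sample records are assumptions made for illustration.

```python
import re
from datetime import datetime, timezone

# Syslog PRI for facility "user" (1) and severity "notice" (5): 1 * 8 + 5.
SYSLOG_PRI = 13
LEEF_DELIM = "^"  # LEEF 2.0 lets the sender declare the attribute delimiter

# Constructed sample records (hypothetical flattened layout, not an agent's
# real output). AF = authority failure, PW = invalid password or sign-on.
_T = timezone.utc
SAMPLE_EVENTS = [
    {"type": "AF", "user": "JSMITH", "job": "QPADEV0001", "src": "192.0.2.10",
     "object": "PAYROLL/SALARY", "when": datetime(2024, 3, 4, 9, 15, 2, tzinfo=_T)},
    {"type": "PW", "user": "QSECOFR", "job": "QTFTP00412", "src": "198.51.100.7",
     "object": "", "when": datetime(2024, 3, 4, 9, 15, 5, tzinfo=_T)},
    {"type": "AF", "user": "JSMITH", "job": "QPADEV0001", "src": "192.0.2.10",
     "object": "PAYROLL/SALARY", "when": datetime(2024, 3, 4, 9, 15, 9, tzinfo=_T)},
    # A value containing the delimiter, to show why sanitizing matters.
    {"type": "AF", "user": "JSMITH", "job": "QPADEV0001", "src": "192.0.2.10",
     "object": "PAYROLL/BONUS^Q2", "when": datetime(2024, 3, 4, 9, 15, 12, tzinfo=_T)},
]


def _clean(value, delim=LEEF_DELIM):
    """LEEF defines no escape for the attribute delimiter, so a value that
    contains it would be split apart by the collector. Replace it, and any
    newline that would end the syslog record early, with a space."""
    return str(value).replace(delim, " ").replace("\r", " ").replace("\n", " ")


def to_leef(ev, delim=LEEF_DELIM):
    """Render one record as a LEEF 2.0 payload. Header fields are pipe
    separated; the sixth field announces the delimiter used for attributes."""
    sev = {"AF": 6, "PW": 7}.get(ev["type"], 3)  # LEEF 'sev' is a 1-10 scale
    attrs = {
        "devTime": ev["when"].strftime("%b %d %Y %H:%M:%S"),
        "devTimeFormat": "MMM dd yyyy HH:mm:ss",  # Java date-format syntax
        "sev": sev,
        "cat": "authentication" if ev["type"] == "PW" else "authorization",
        "usrName": ev["user"],
        "src": ev["src"],
        "jobName": ev["job"],        # custom keys (assumed), not LEEF predefined
        "objectName": ev["object"],
    }
    body = delim.join(f"{k}={_clean(v, delim)}" for k, v in attrs.items())
    return f"LEEF:2.0|ExampleVendor|ExampleAgent|1.0|{ev['type']}|{delim}|{body}"


def syslog_frame(msg, host, when):
    """Wrap a payload in an RFC 3164 style header: <PRI>Mmm dd HH:MM:SS HOST MSG."""
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{SYSLOG_PRI}>{stamp} {host} {msg}"


_SYSLOG_RE = re.compile(
    r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$")


def parse_frame(line):
    """Collector side: strip the syslog header and decode the LEEF payload."""
    m = _SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a syslog line")
    pri, host, payload = int(m.group(1)), m.group(3), m.group(4)
    head = payload.split("|", 6)  # attribute values may legitimately hold '|'
    if len(head) != 7 or not head[0].startswith("LEEF:"):
        raise ValueError("not a LEEF payload")
    delim = head[5]
    if delim.startswith("x") and len(delim) > 1:  # hex form, e.g. x09 for tab
        delim = chr(int(delim[1:], 16))
    attrs = dict(kv.split("=", 1) for kv in head[6].split(delim) if "=" in kv)
    return {"facility": pri // 8, "severity": pri % 8, "host": host,
            "vendor": head[1], "product": head[2], "event_id": head[4],
            "attrs": attrs}


def build_frames(events=SAMPLE_EVENTS, host="IBMI01"):
    """Agent side: one syslog frame per journal record, ready to send."""
    return [syslog_frame(to_leef(ev), host, ev["when"]) for ev in events]


def flag_repeated_failures(frames, threshold=3):
    """Toy correlation a SIEM rule would do: users with >= threshold AF events."""
    counts = {}
    for line in frames:
        rec = parse_frame(line)
        if rec["event_id"] == "AF":
            user = rec["attrs"].get("usrName")
            counts[user] = counts.get(user, 0) + 1
    return sorted(u for u, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for frame in build_frames():
        print(frame)
    print("repeated authority failures:", flag_repeated_failures(build_frames()))
```

The sanitizing step is the part worth copying: because LEEF has no escape sequence for its attribute delimiter, an object name or job name that happens to contain the chosen delimiter would otherwise be split into bogus key/value pairs on the QRadar side, and a stray newline would truncate the record in transit. Choosing a delimiter that cannot appear in IBM i object names, or replacing it before sending, keeps the event intact.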
For example, the security team at Boyd Gaming had chosen IBM Security's QRadar SIEM and needed a way to bring IBM i security and application logs into a coherent strategy for log collection, analysis, and alert management. Before they started using Alliance LogAgent for IBM QRadar, Boyd Gaming relied on a Device Support Module (DSM) that made copies of their security journal and sent them out over FTP to a server, where QRadar would go and fetch them. That process was cumbersome and inefficient, and, because it moved events in batches over plain FTP, the data arrived late and crossed the network in the clear. By implementing Alliance LogAgent for IBM QRadar, they brought their IBM i platform into a common strategy for log consolidation and analysis alongside the security events from their other servers.
“Alliance LogAgent for IBM QRadar does exactly what it needs to do. It was built for the IBM i and gives you the data you need,” said Anthony Johnson, IT Security Engineer, Boyd Gaming. “Knowing that Townsend Security worked with IBM made Alliance LogAgent for IBM QRadar an easy choice. Being able to collect all security events and convert them to the IBM Log Event Extended Format (LEEF) made for a seamless deployment.”
For Boyd Gaming, getting started was very simple. With 15 installations of Alliance LogAgent for IBM QRadar, it took only one hour to get them all set up, configured, and collecting logs from their IBM i platform.
“Alliance LogAgent for IBM QRadar fits the bill for everything. It is very simple to set up, minimal maintenance, and once you set it, you never have to make any adjustments – set it and forget it,” Johnson concluded.
IBM Security QRadar not only performs real-time monitoring of events across the enterprise; it also learns from those events over time to recognize normal patterns, detect anomalies, and better identify attacks and breaches. In addition, QRadar ships with a broad set of ready-to-use compliance reports. Townsend Security's Alliance LogAgent for IBM QRadar helps IBM i customers realize the full benefits of the IBM QRadar Security Intelligence solution.
For more detail, please read the whole case study on Boyd Gaming: