cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

AS400 CEF Sentinel

%3CLINGO-SUB%20id%3D%22lingo-sub-1919784%22%20slang%3D%22en-US%22%3EAS400%20CEF%20Sentinel%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1919784%22%20slang%3D%22en-US%22%3E%3CP%3EHello%20Community%20experts%2C%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWe%20have%20started%20working%20on%20PoCs%20with%20partners%20for%20two%20different%20customers%20in%20the%20finance%20industry%20that%20are%20in%20need%20to%20monitor%20AS400%20systems.%20They%20will%20be%20collecting%20the%20journal%20data%2C%20then%20will%20load%20it%20into%20Log%20Analytics%20for%20Azure%20Sentinel%20and%20then%20generate%20views%20from%20there.%20Any%20recommendation%20or%20advice%20on%20best%20practices%2C%20even%20feedback%20from%20related%20scenarios%20extracting%20logs%20in%20the%20CEF%20format%20to%20Azure%20Sentinel%20from%20this%20great%20and%20large%20community%20would%20be%20highly%20appreciated.%20Thanks!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1924295%22%20slang%3D%22en-US%22%3ERe%3A%20AS400%20CEF%20Sentinel%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1924295%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F64517%22%20target%3D%22_blank%22%3E%40Daniel%20Piedra%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20last%20time%20I%20did%20anything%20like%20this%20was%20with%20ArcSight%3B%20it%20required%20a%20batch%20job%20where%20we'd%20fetch%20the%20journal%20logs%20from%20OS%2F400%20over%20FTP%20(later%20ssh)%20and%20then%20an%20ArcSight%20connector%20to%20read%20the%20journal%20log%2C%20convert%20it%20into%20CEF%2C%20and%20then%20forward%20it%20over%20to%20an%20ArcSight%20Connector%20(either%20file%20or%20syslog.)%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EYou%20*may*%20want%20to%20look%20at%20addressing%20the%20journal%20log%20file%20as%20a%20flat%20file%20and%20custom%20log%20that%20is%20imported%20by%20an%20agent%2C%20and%20then%20use%20a%20Function%20within%20Sentinel%20to%20extract()%20the%20common%20fields.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Daniel Piedra
Microsoft

‎Nov 20 2020 04:01 PM - edited ‎Nov 20 2020 04:03 PM

‎Nov 20 2020 04:01 PM - edited ‎Nov 20 2020 04:03 PM

AS400 CEF Sentinel

Hello Community experts, 

 

We have started working on PoCs with partners for two different customers in the finance industry that are in need to monitor AS400 systems. They will be collecting the journal data, then will load it into Log Analytics for Azure Sentinel and then generate views from there. Any recommendation or advice on best practices, even feedback from related scenarios extracting logs in the CEF format to Azure Sentinel from this great and large community would be highly appreciated. Thanks!

360 Views
0 Likes
1 Reply
Reply
1 Reply
JKatzmandu

‎Nov 23 2020 08:06 AM

‎Nov 23 2020 08:06 AM

Re: AS400 CEF Sentinel

@Daniel Piedra 

 

The last time I did anything like this was with ArcSight; it required a batch job where we'd fetch the journal logs from OS/400 over FTP (later ssh) and then an ArcSight connector to read the journal log, convert it into CEF, and then forward it over to an ArcSight Connector (either file or syslog.) 

 

You *may* want to look at addressing the journal log file as a flat file and custom log that is imported by an agent, and then use a Function within Sentinel to extract() the common fields.

0 Likes
Reply