We have started working on PoCs with partners for two different customers in the finance industry that need to monitor AS400 systems. They will be collecting the journal data, then loading it into Log Analytics for Azure Sentinel, and then generating views from there. Any recommendation or advice on best practices, even feedback from related scenarios extracting logs in the CEF format to Azure Sentinel, from this great and large community would be highly appreciated. Thanks!
The last time I did anything like this was with ArcSight; it required a batch job where we'd fetch the journal logs from OS/400 over FTP (later ssh) and then an ArcSight connector to read the journal log, convert it into CEF, and then forward it over to an ArcSight Connector (either file or syslog).
You *may* want to look at addressing the journal log file as a flat file and custom log that is imported by an agent, and then use a Function within Sentinel to extract() the common fields.
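As an added example (not code from this thread, from ArcSight or from Sentinel), the following Python builds a CEF line from a constructed AS400 journal-style event, parses it back while honouring the standard CEF escaping rules (`\|` and `\\` in the header, `\=` and `\\` in the extension), and flattens the result into the common fields a dashboard would want. The vendor, product and extension values are placeholders, and `common_fields()` is a hypothetical Python analogue of the Sentinel Function with `extract()` suggested above, useful for checking connector output before anything reaches Log Analytics.

```python
import re
from typing import Dict, List, Optional, Tuple

# CEF header fields, in order, after the "CEF:" prefix; the eighth
# pipe-separated slot is the free-form key=value extension.
HEADER_FIELDS = ["version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity"]

# Constructed sample extension for an AS400 journal-style event; the values
# are placeholders, not output from any real connector.
SAMPLE_EXTENSION = {
    "suser": "QSECOFR",
    "shost": "AS400PROD",
    "act": "authority failure",
    "msg": "object=PAYROLL lib=FINLIB",   # contains '=' so it must be escaped
    "cs1Label": "journalCode",
    "cs1": "T",
}


def _escape_header(value: str) -> str:
    # Header fields escape backslash and pipe (backslash first, so the pipe
    # escape is not itself doubled).
    return value.replace("\\", "\\\\").replace("|", "\\|")


def _escape_extension(value: str) -> str:
    # Extension values escape backslash and '='; CR/LF become \r and \n.
    return (value.replace("\\", "\\\\").replace("=", "\\=")
                 .replace("\r", "\\r").replace("\n", "\\n"))


def to_cef(vendor: str, product: str, device_version: str, signature_id: str,
           name: str, severity: int, extension: Dict[str, str]) -> str:
    """Build a CEF:0 line from header values and an extension dictionary."""
    header = "|".join(_escape_header(str(v)) for v in
                      (vendor, product, device_version, signature_id, name, severity))
    ext = " ".join(f"{k}={_escape_extension(str(v))}" for k, v in extension.items())
    return f"CEF:0|{header}|{ext}"


def _split_header(text: str, n_fields: int) -> Tuple[List[str], str]:
    # Walk the header character by character so an escaped pipe does not
    # split a field; the unconsumed tail is the raw extension.
    fields: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(text) and len(fields) < n_fields:
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            cur.append(text[i + 1]); i += 2
        elif ch == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(ch); i += 1
    return fields, text[i:]


_EXT_UNESCAPE = {"n": "\n", "r": "\r"}


def _unescape_extension(value: str) -> str:
    return re.sub(r"\\(.)", lambda m: _EXT_UNESCAPE.get(m.group(1), m.group(1)),
                  value, flags=re.DOTALL)


# key=value; the value runs (lazily) until the next " key=" or end of line,
# and may contain spaces and escaped "\=" sequences.
_PAIR_RE = re.compile(r"(\w+)=((?:\\.|[^\\=])*?)(?=\s+\w+=|$)", re.DOTALL)


def parse_extension(raw: str) -> Dict[str, str]:
    return {m.group(1): _unescape_extension(m.group(2)) for m in _PAIR_RE.finditer(raw.strip())}


def parse_cef(line: str) -> Dict[str, object]:
    """Parse one CEF line into its header fields plus an 'extension' dict."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    fields, ext_raw = _split_header(line[len("CEF:"):], len(HEADER_FIELDS))
    if len(fields) != len(HEADER_FIELDS):
        raise ValueError("malformed CEF header: expected 7 pipe-separated fields")
    record: Dict[str, object] = dict(zip(HEADER_FIELDS, fields))
    record["extension"] = parse_extension(ext_raw)
    return record


def common_fields(record: Dict[str, object]) -> Dict[str, Optional[object]]:
    """Hypothetical flattening of a parsed record into the fields a view needs
    (the Python counterpart of a Sentinel Function built on extract())."""
    ext = record["extension"]
    try:
        severity: Optional[int] = int(record["severity"])
    except (TypeError, ValueError):
        severity = None
    return {"vendor": record["device_vendor"], "product": record["device_product"],
            "event_name": record["name"], "severity": severity,
            "user": ext.get("suser"), "host": ext.get("shost"),
            "action": ext.get("act"), "message": ext.get("msg")}


if __name__ == "__main__":
    line = to_cef("IBM", "AS400 Journal", "7.4", "AF", "Authority failure", 5, SAMPLE_EXTENSION)
    print(line)
    print(common_fields(parse_cef(line)))
```

The round trip is the useful part: feed the parser lines your connector actually emits, and any field that does not come back unchanged (typically a message containing `=` or a pipe in a device name) points at an escaping bug that would otherwise surface as garbled columns in Log Analytics.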