11-20-2020 04:01 PM - edited 11-20-2020 04:03 PM
Hello Community experts,
We have started working on PoCs with partners for two different customers in the finance industry that need to monitor AS400 systems. They will be collecting the journal data, then load it into Log Analytics for Azure Sentinel and generate views from there. Any recommendation or advice on best practices, or even feedback from related scenarios extracting logs in the CEF format to Azure Sentinel, from this great and large community would be highly appreciated. Thanks!
11-23-2020 08:06 AM
The last time I did anything like this was with ArcSight; it required a batch job where we'd fetch the journal logs from OS/400 over FTP (later ssh), and then an ArcSight connector to read the journal log, convert it into CEF, and forward it over to an ArcSight Connector (either file or syslog).
You *may* want to look at addressing the journal log file as a flat file and custom log that is imported by an agent, and then use a Function within Sentinel to extract() the common fields.
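As an added illustration of the CEF route raised in the question (not code from this thread or from Microsoft): a small Python converter that turns exported AS400 journal records into CEF events with the escaping CEF requires, plus a parser used to check the round trip. The journal column layout, the IBM/AS400 vendor and product strings, and the entry-type-to-severity mapping are all assumptions made for the example.

```python
import re
from datetime import datetime, timezone

# Constructed sample: AS400 (IBM i) audit-journal entries already exported to a
# '|'-separated flat file. The column layout is an assumption made for this
# example, not the real DSPJRN / QAUDJRN outfile layout.
SAMPLE_JOURNAL = """\
2020-11-20 15:58:02|PW|QSECOFR|JOHN|DEV1|10.0.0.15|Invalid password
2020-11-20 15:59:10|CP|QSECOFR|SYSOPR|QPADEV0001|10.0.0.15|Profile changed: SPECIAL=*ALLOBJ
2020-11-20 16:00:44|AF|ALICE|-|QPADEV0007|10.0.0.22|Authority failure on FILE=PAYROLL\\DATA
"""

# Journal entry type -> (CEF signature id, name, severity 0-10); assumed mapping.
ENTRY_TYPES = {"PW": ("PW", "Password failure", 5), "CP": ("CP", "User profile changed", 7),
               "AF": ("AF", "Authority failure", 6)}

def _esc_header(v):  # CEF header fields: escape '\' first, then '|'
    return v.replace("\\", "\\\\").replace("|", "\\|")
def _esc_ext(v):  # CEF extension values: escape '\' first, then '=' and newlines
    return v.replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n")

def journal_to_cef(line):
    """Convert one journal line into a CEF:0 event string (without the syslog header)."""
    ts, etype, actor, target, job, ip, msg = line.rstrip("\n").split("|", 6)
    sig, name, sev = ENTRY_TYPES.get(etype, (etype, "Journal entry " + etype, 3))
    rt = int(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
             .replace(tzinfo=timezone.utc).timestamp() * 1000)  # ms since epoch, UTC assumed
    header = "|".join(_esc_header(f) for f in
                      ("CEF:0", "IBM", "AS400 Journal", "1.0", sig, name, str(sev)))
    # Standard keys land in Sentinel's CommonSecurityLog columns (suser -> SourceUserName,
    # duser -> DestinationUserName, src -> SourceIP, cs1 -> DeviceCustomString1, msg -> Message).
    ext = {"rt": str(rt), "suser": actor, "duser": target, "src": ip,
           "cs1Label": "JobName", "cs1": job, "msg": msg}
    return header + "|" + " ".join(f"{k}={_esc_ext(v)}" for k, v in ext.items())

_HEADER_RE = re.compile(r"^" + r"((?:\\.|[^|\\])*)\|" * 7 + r"(.*)$", re.S)
_EXT_RE = re.compile(r"([A-Za-z0-9_]+)=(.*?)(?=\s[A-Za-z0-9_]+=|$)", re.S)

def _unescape(v):
    return re.sub(r"\\(.)", lambda m: "\n" if m.group(1) == "n" else m.group(1), v)

def parse_cef(event):
    """Parse a CEF event back into a dict; used to verify the converter round-trips."""
    m = _HEADER_RE.match(event)
    if not m:
        raise ValueError("not a CEF event")
    keys = ("version", "vendor", "product", "device_version", "signature", "name", "severity")
    out = {k: _unescape(v) for k, v in zip(keys, m.groups()[:7])}
    out.update((k, _unescape(v)) for k, v in _EXT_RE.findall(m.group(8)))
    return out

def convert_journal(text):
    return [journal_to_cef(l) for l in text.splitlines() if l.strip()]
```

The converter output still needs a syslog header added by whatever forwards it to the Sentinel CEF collector; the escaping of `=` and `\` in the message field is what keeps the agent's extension parsing from splitting values such as `FILE=PAYROLL\DATA` into bogus keys.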