SOLVED

AS400 CEF Sentinel


Hello Community experts, 

 

We have started working on PoCs with partners for two different customers in the finance industry that need to monitor AS400 systems. They will be collecting the journal data, then loading it into Log Analytics for Azure Sentinel and then generating views from there. Any recommendation or advice on best practices, even feedback from related scenarios extracting logs in the CEF format to Azure Sentinel from this great and large community, would be highly appreciated. Thanks!


@Daniel Piedra 

 

The last time I did anything like this was with ArcSight; it required a batch job where we'd fetch the journal logs from OS/400 over FTP (later ssh) and then an ArcSight connector to read the journal log, convert it into CEF, and then forward it over to an ArcSight Connector (either file or syslog).

 

You *may* want to look at addressing the journal log file as a flat file and custom log that is imported by an agent, and then use a Function within Sentinel to extract() the common fields.

Solution

Hi @JKatzmandu, thanks for your response. We were able to configure it by using a 3rd-party tool to convert the CEF format to Syslog format and then forward the logs to a relay VM installed on-prem with a Syslog agent and the Log Analytics Agent for Linux; from there we successfully ingested the logs into the Log Analytics Workspace for Sentinel use.
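The accepted answer describes the pipeline (journal records, CEF, syslog, on-prem relay, Log Analytics) but not the part that usually breaks in practice: CEF escaping. The header fields must escape `|` and `\`, extension values must escape `=` and `\`, and a multi-line journal text has to be folded into `\n`, or the relay agent either drops the line or splits one event into several. The block below is an added example written for this thread; it is not code from the original post, from the 3rd-party tool mentioned, or from Microsoft. The journal field names (`job_user`, `job_name`, `object`, `journal_code`, `entry_type`), the vendor/product/version header values, the severity mapping, the sample records and the relay hostname are all assumptions made for the illustration. It formats records as CEF, wraps them in an RFC 3164 syslog frame of the kind the Sentinel CEF relay expects, and includes a parser so the escaping can be checked round-trip before anything is sent.

```python
"""Added example: AS400/IBM i journal records -> CEF -> syslog relay.

Field names, header values, severities and sample data are assumptions for
illustration, not a vendor mapping. CEF escaping follows the ArcSight CEF
rules: header fields escape '|' and '\\'; extension values escape '=' and
'\\' and encode line breaks as \\n / \\r. Pipes in extensions are left alone.
"""
import re
import socket
from datetime import datetime, timezone

# Constructed sample journal records (not real customer data). The keys are
# assumed names for what a collector might pull from the QAUDJRN journal.
SAMPLE_RECORDS = [
    {"ts": "2020-11-18T09:15:02Z", "journal_code": "T", "entry_type": "PW",
     "job_user": "QSECOFR", "job_name": "QPADEV0001", "object": "*SIGNON",
     "text": "Password failure|invalid user=ops\\admin"},
    {"ts": "2020-11-18T09:16:40Z", "journal_code": "T", "entry_type": "CA",
     "job_user": "BATCHUSR", "job_name": "PAYROLL", "object": "PAYLIB/PAYFILE",
     "text": "Authority change\nnew authority *ALL"},
]

# Assumed CEF severity (0-10) per journal code + entry type; unknown -> 3.
SEVERITY = {"TPW": 7, "TCA": 5, "TDO": 4}


def esc_header(value: str) -> str:
    """Header fields: escape backslash first, then the pipe delimiter."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def esc_ext(value: str) -> str:
    """Extension values: escape backslash and '=', fold line breaks."""
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def _parse_ts(iso_z: str) -> datetime:
    return datetime.strptime(iso_z, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def journal_to_cef(rec: dict) -> str:
    """Map one (assumed) journal record to a single CEF line."""
    sig = rec["journal_code"] + rec["entry_type"]
    header = "|".join([
        "CEF:0",
        esc_header("IBM"),             # vendor   (assumed)
        esc_header("IBM i Journal"),   # product  (assumed)
        esc_header("7.4"),             # version  (assumed)
        esc_header(sig),               # signature id, e.g. TPW
        esc_header(rec["text"].splitlines()[0]),  # name: first line only
        str(SEVERITY.get(sig, 3)),
    ])
    ext = {
        "rt": str(int(_parse_ts(rec["ts"]).timestamp() * 1000)),  # epoch ms
        "suser": rec["job_user"],
        "sproc": rec["job_name"],
        "fname": rec["object"],
        "cs1Label": "journalCode", "cs1": rec["journal_code"],
        "cs2Label": "entryType", "cs2": rec["entry_type"],
        "msg": rec["text"],            # full text, escaped
    }
    return header + "|" + " ".join(f"{k}={esc_ext(v)}" for k, v in ext.items())


def cef_to_syslog(cef_line: str, host: str = "as400relay", when_iso: str = None,
                  facility: int = 20, severity: int = 6) -> str:
    """Wrap a CEF line in an RFC 3164 frame (PRI = facility*8 + severity).

    The Sentinel CEF relay identifies events by the 'CEF:' marker in the body.
    """
    when = _parse_ts(when_iso) if when_iso else datetime.now(timezone.utc)
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"   # 'Nov 18 09:15:02'
    return f"<{facility * 8 + severity}>{stamp} {host} {cef_line}"


def _unesc_ext(raw: str) -> str:
    out, i = [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            out.append({"n": "\n", "r": "\r"}.get(raw[i + 1], raw[i + 1])); i += 2
        else:
            out.append(raw[i]); i += 1
    return "".join(out)


def parse_cef(line: str) -> dict:
    """Split a CEF line into header fields and an extension dict, honouring escapes."""
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        c = line[i]
        if c == "\\" and i + 1 < len(line):      # escaped char in header
            cur.append(line[i + 1]); i += 2; continue
        if c == "|":                              # unescaped delimiter
            fields.append("".join(cur)); cur = []; i += 1; continue
        cur.append(c); i += 1
    if len(fields) != 7:
        raise ValueError("malformed CEF header")
    extension, ext = line[i:], {}
    # A key is a bare token followed by an unescaped '='; escaped '\=' never matches.
    keys = list(re.finditer(r"(?:^| )([A-Za-z0-9_]+)=", extension))
    for j, m in enumerate(keys):
        end = keys[j + 1].start() if j + 1 < len(keys) else len(extension)
        ext[m.group(1)] = _unesc_ext(extension[m.end():end])
    return {"version": fields[0], "vendor": fields[1], "product": fields[2],
            "device_version": fields[3], "signature": fields[4],
            "name": fields[5], "severity": int(fields[6]), "ext": ext}


def send_to_relay(records, relay_host: str, port: int = 514) -> int:
    """Ship records to the on-prem relay over TCP syslog (newline framed)."""
    with socket.create_connection((relay_host, port), timeout=5) as s:
        for rec in records:
            s.sendall((cef_to_syslog(journal_to_cef(rec), when_iso=rec["ts"]) + "\n").encode())
    return len(records)


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        line = journal_to_cef(rec)
        assert parse_cef(line)["ext"]["msg"] == rec["text"]   # round-trip check
        print(cef_to_syslog(line, when_iso=rec["ts"]))
```

Run it once without a relay to see the framed lines and confirm the round-trip assertions pass; then point `send_to_relay` at the relay VM. TCP is used rather than UDP so that bursts from a batch export are not silently dropped before they reach the Log Analytics agent.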