This quick start guide will help Accenture MDR customers configure IBM System i Audit to allow log collection from the Log Collection Platform (LCP).

The document includes the following topics: Supported Versions, Port Requirements, Configuring IBM System i Audit, and LCP Configuration Parameters.

Supported Versions

A list of supported versions is available in the Accenture MDR Supported Products List document (Accenture_MDR_Supported_Products_List.xlsx), which can be found in the Accenture MDR Portal.

Port Requirements

Table 1-1: Port requirements for LCP communication.

  Source             | Destination | Port     | Description
  -------------------|-------------|----------|-----------------
  IBM System i Audit | LCP         | 21 (TCP) | Default FTP port

Configuring IBM System i Audit

To configure System i Audit, follow the steps below.

  1. Export audit events to an ASCII file.

  2. Transfer the event data in the ASCII file.

Note: IBM System i Audit should record the auditing events and export the events to an ASCII file.

  • You can enter the commands at a command prompt, or create a CL script.

  • If you create a CL script, you have to schedule it to run at a set time.

To export audit events to an ASCII file

  1. On the IBM System i Audit computer, type the following command to get to a command prompt:

CALL QCMD

  2. At the command prompt, enter the following CL program source. This is the CL script referred to above: it exports the audit journal entries recorded since the last run to an ASCII file, starts the FTP transfer, and then repeats every 15 minutes.
 IAUDITPJE:  PGM
/* Define the variables */
             DCL        VAR(&FDATE) TYPE(*CHAR) LEN(6)
             DCL        VAR(&FTIME) TYPE(*CHAR) LEN(6)
             DCL        VAR(&TDATE) TYPE(*CHAR) LEN(6)
             DCL        VAR(&TTIME) TYPE(*CHAR) LEN(6)
             DCL        VAR(&NAME) TYPE(*CHAR) LEN(10)
             DCL        VAR(&FTPIP) TYPE(*CHAR) LEN(15)
/* Add the working library */
             ADDLIBLE   LIB(IBMTSDTA)
             MONMSG     MSGID(CPF2103)
/* Retrieve the LCP FTP address (positions 13-27 of data area AUDLOG) */
             RTVDTAARA  DTAARA(AUDLOG (13 15)) RTNVAR(&FTPIP)
/* Retrieve the current date & time and the checkpoint of the last run */
 REPEAT:     RTVSYSVAL  SYSVAL(QDATE) RTNVAR(&TDATE)
             RTVSYSVAL  SYSVAL(QTIME) RTNVAR(&TTIME)
             RTVDTAARA  DTAARA(AUDLOG (1 6)) RTNVAR(&FDATE)
             RTVDTAARA  DTAARA(AUDLOG (7 6)) RTNVAR(&FTIME)
/* Clear the temp file */
             CLRPFM     FILE(QTEMP/SOXAUDJRN)
             MONMSG     MSGID(CPF3142)
/* Generate the audit entries from the checkpoint date/time to now */
             DSPJRN     JRN(QSYS/QAUDJRN) RCVRNG(*CURCHAIN) +
                          FROMTIME(&FDATE &FTIME) TOTIME(&TDATE +
                          &TTIME) JRNCDE(*ALL) ENTTYP(*ALL) +
                          OUTPUT(*OUTFILE) OUTFILFMT(*TYPE5) +
                          OUTFILE(QTEMP/SOXAUDJRN) OUTMBR(*FIRST +
                          *REPLACE) ENTDTALEN(*VARLEN *CALC) +
                          NULLINDLEN(*VARLEN *CALC)
             MONMSG     MSGID(CPF7062)
/* Delete the previous JRN_* files in /HOME */
             RMVLNK     OBJLNK('/HOME/JRN_*')
             MONMSG     MSGID(CPFA0A9)
/* Copy the audit file to the home folder as an ASCII text file */
             CPYTOIMPF  FROMFILE(QTEMP/SOXAUDJRN) +
                          TOSTMF('/HOME/JRN_' *CAT &TDATE *CAT +
                          '.LOG') RCDDLM(*CRLF) STRDLM(*NONE)
/* Clear the FTP output log file and redirect FTP input/output to FTPLOG */
             CLRPFM     FILE(IBMTSDTA/FTPLOG) MBR(FTP_OUT)
             OVRDBF     FILE(INPUT) TOFILE(IBMTSDTA/FTPLOG) MBR(FTP_IN)
             OVRDBF     FILE(OUTPUT) TOFILE(IBMTSDTA/FTPLOG) +
                          MBR(FTP_OUT)
/* Start FTP to the LCP address retrieved above; the FTP subcommands */
/* are read from member FTP_IN                                       */
             STRTCPFTP  RMTSYS(&FTPIP)
/* Print the FTP log file */
             RUNQRY     QRYFILE((OUTPUT)) OUTTYPE(*PRINTER) +
                          PRTDFN(*NO) FORMSIZE(*RUNOPT 378)
/* Update the checkpoint to the current date/time */
             CHGDTAARA  DTAARA(AUDLOG (1 6)) VALUE(&TDATE)
             CHGDTAARA  DTAARA(AUDLOG (7 6)) VALUE(&TTIME)
/* Wait 15 mins */
             DLYJOB     DLY(900)
/* Back to beginning */
             GOTO       CMDLBL(REPEAT)

 EXIT:       ENDPGM

  3. To exit from QCMD, press F3.

To transfer the event data in the ASCII file

  1. Enter the following FTP subcommands. When the CL program above is used, they are read from the FTP input member IBMTSDTA/FTPLOG MBR(FTP_IN) that the program overrides as INPUT; otherwise enter them at the FTP prompt after STRTCPFTP:
    FTPUsername FTPpassword

    ASCII NAMEFMT 1

    LCD /home

    CD TargetFTPdirectoryname

    MPUT JRN_*

    QUIT

Note: FTPUsername should be ibmsysiftp, and FTPpassword should be left blank (empty).
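One-time creation of the objects the IAUDITPJE program above relies on, followed by a batch start of the program, as an added example that is not part of the original guide. The library, data area, file and member names are the ones the program uses; the record length, the initial checkpoint value, the source file QCLSRC and the 198.51.100.10 LCP address are assumptions.

```cl
/* Added example: set up the objects assumed by IAUDITPJE, then start it.    */
/* Object names come from the program; 240, 240101000000 and 198.51.100.10   */
/* are assumed values and must be replaced with the real checkpoint and LCP. */

/* Library that holds the audit-export objects */
             CRTLIB     LIB(IBMTSDTA) TEXT('MDR audit export objects')
/* Data area AUDLOG: pos 1-6 from-date (system date format QDATFMT), */
/* pos 7-12 from-time (HHMMSS), pos 13-27 LCP FTP address            */
             CRTDTAARA  DTAARA(IBMTSDTA/AUDLOG) TYPE(*CHAR) LEN(27) +
                          VALUE('240101000000198.51.100.10') +
                          TEXT('Audit export checkpoint and LCP address')
/* Physical file FTPLOG: FTP_IN holds the FTP subcommands from the */
/* transfer section, FTP_OUT receives the FTP session log          */
             CRTPF      FILE(IBMTSDTA/FTPLOG) RCDLEN(240) MBR(FTP_IN) +
                          MAXMBRS(2) TEXT('FTP input/output for audit export')
             ADDPFM     FILE(IBMTSDTA/FTPLOG) MBR(FTP_OUT)
/* Source file and member for the CL program; copy the IAUDITPJE  */
/* source into member IAUDITPJE before compiling                  */
             CRTSRCPF   FILE(IBMTSDTA/QCLSRC)
             ADDPFM     FILE(IBMTSDTA/QCLSRC) MBR(IAUDITPJE) SRCTYPE(CLP)
             CRTCLPGM   PGM(IBMTSDTA/IAUDITPJE) SRCFILE(IBMTSDTA/QCLSRC) +
                          SRCMBR(IAUDITPJE)
/* The program loops with DLYJOB/GOTO, so submit it to batch once */
/* instead of calling it from the interactive session             */
             SBMJOB     CMD(CALL PGM(IBMTSDTA/IAUDITPJE)) JOB(IAUDITPJE)
```

Check the first run by displaying member FTP_OUT of IBMTSDTA/FTPLOG (DSPPFM): it shows whether the LCP accepted the ibmsysiftp login and the MPUT of the JRN_* file.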

LCP Configuration Parameters

Table 1-2: The IBM System i Audit event collector (FTP - 3946) properties to be configured by MDR are shown in the table.

  Property                | Default Value             | Description
  ------------------------|---------------------------|-----------------------------------------------------------------------------
  Port Number             | 21                        | The default port number for FTP.
  Host Names/IP Addresses | System i Audit IP Address | Logging device IP address mentioned in the Pre-Installation Questionnaire (PIQ).

Note: If the device sends logs using multiple interfaces, contact the Accenture Security MDR onboarding team.