Overview

Syslog integration with SIEM products

iSecurity helps companies protect valuable information assets against insider threats, unauthorized external access and malicious or inadvertent changes to field-level data in business-critical applications by sending real-time alerts to specific recipients as Syslog messages, SNMP, SMS, e-mail, MSGQ, Twitter, etc. See Figure 1 below.

Figure 1

New iSecurity Syslog Features - March 2016

Following are some of the highlights of the extended support:

  • Up to 3 SIEM products/servers can be used simultaneously. For example iSecurity can send network and system related alerts to one SIEM product/server and application-related alerts to a second SIEM server.
  • Field-mode formats for IBM QRadar (LEEF) and HP ArcSight (CEF) are supported; each event value is stored in a separate field together with its descriptive name. Previous support for LEEF/CEF and other standards, in which field values are embedded within a descriptive message, was preserved. Raz-Lee is certified by IBM as “Ready for Security Intelligence” and partnered with Q1 Labs prior to their acquisition by IBM.
  • Each of the supported SIEM products/servers is defined by its unique destination IP, Port, CCSID, message filtering, etc.
  • LEEF/CEF field mode sends only the fields that are meaningful for the event. For example, since Move and Rename objects share the same Audit Type but have different sub-types, the fields sent are those relevant to the activity performed on the object.
  • UDP, TCP and encrypted TLS protocols are all supported.
  • Self-Test facility enables sending messages to a local server prior to actually sending the messages to a remote SIEM server.
  • Advanced communications recovery features have been implemented where feasible, in the event of network problems or SIEM unavailability.
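To show what "field mode" means on the receiving side, here is an added example (not Raz-Lee code; the vendor, product, event IDs and field names are constructed placeholders) that parses LEEF 1.0 and CEF payloads out of syslog lines into named fields, returns None for a message-mode line whose values are embedded in free text, and lists which fields each event sub-type actually carries.

```python
import re

# Constructed sample lines: an RFC 3164 style syslog header followed by a
# LEEF 1.0 payload, a CEF payload, and a message-mode (free text) payload.
# Vendor, product, event IDs and field names are illustrative placeholders.
SAMPLE_EVENTS = [
    "<14>Mar 10 12:00:01 ibmi01 LEEF:1.0|ExampleVendor|ExampleAudit|1.0|OBJ_RENAME|"
    "usrName=QSECOFR\tsrc=10.0.0.5\tobjName=CUSTMAST\tnewObjName=CUSTOLD",
    "<14>Mar 10 12:00:02 ibmi01 CEF:0|ExampleVendor|ExampleAudit|1.0|OBJ_MOVE|"
    "Object moved|5|suser=QSECOFR src=10.0.0.5 fname=CUSTMAST cs1=NEWLIB "
    "cs1Label=Target library",
    "<14>Mar 10 12:00:03 ibmi01 Object CUSTMAST renamed by QSECOFR from 10.0.0.5",
]

# "<PRI>Mon DD HH:MM:SS host " prefix that precedes the LEEF/CEF payload
_SYSLOG_HDR = re.compile(r"^<\d{1,3}>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\S+\s+")
# CEF extension: space-separated key=value pairs; values may contain spaces,
# so a value ends where the next "key=" token begins (or at end of line).
_CEF_EXT = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_field_mode(line):
    """Return {'format', 'header', 'fields'} for a LEEF/CEF line, or None
    when the payload is free text and carries no separately named fields."""
    payload = _SYSLOG_HDR.sub("", line, count=1)
    if payload.startswith("LEEF:"):
        # LEEF:1.0|Vendor|Product|Version|EventID|<tab-separated key=value>
        parts = payload.split("|", 5)
        if len(parts) < 6:
            return None
        kvs = (kv.split("=", 1) for kv in parts[5].split("\t") if "=" in kv)
        return {"format": "LEEF", "header": parts[:5], "fields": dict(kvs)}
    if payload.startswith("CEF:"):
        # CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|<extension>
        parts = payload.split("|", 7)
        if len(parts) < 8:
            return None
        return {"format": "CEF", "header": parts[:7],
                "fields": dict(_CEF_EXT.findall(parts[7]))}
    return None


def field_names(lines):
    """Map each event ID to the sorted field names it actually carries, so
    the per-sub-type field sets (e.g. rename vs. move) can be compared."""
    out = {}
    for line in lines:
        ev = parse_field_mode(line)
        if ev is not None:
            out[ev["header"][4]] = sorted(ev["fields"])
    return out
```

Running `field_names(SAMPLE_EVENTS)` shows the rename event carrying `newObjName` while the move event carries the target-library fields instead, and the free-text line contributing nothing that a SIEM could filter on by field.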

Following are some of the major features of Syslog as implemented in iSecurity products:

  • Syslog support includes Transport Layer Security (TLS) encryption
  • iSecurity sends Syslog security event information originating from:
    • the system's infrastructure (QAUDJRN system journal, network access events, IFS virus detection product, user profile changes including requests for stronger authorities and much more)
    • business-critical applications, both field level writes & updates as well as unauthorized READ accesses to sensitive data
  • iSecurity includes advanced filtering capabilities for selecting which events are sent to SIEM for analysis; as such iSecurity assists in controlling the traffic sent to Syslog
  • iSecurity supports a "super fast" iSecurity Syslog implementation which can send extremely high volumes of information, for example system journal records, with virtually no performance impact
  • The Syslog message structure is easily definable by each site and can include event-specific substitution variables for user profile name, IP address, field-level before & after values, etc.

Background

Since multi-platform environments are the reality at nearly all companies worldwide, these companies have often implemented SIEM solutions to analyze, and establish forensic procedures for, the security-related events originating in these different environments. An additional goal is to consolidate security-related information from multiple environments into a single console for easier administration and operator response. Finally, companies often expect to be able to integrate security event information from both the system's infrastructure and business-critical applications. See Figure 2 below.

Figure 2

Syslog is the most widely used protocol for sending alert messages in real time to SIEM solutions, and iSecurity supports Syslog in nearly all products; see Figure 3 below.

Figure 3

Indeed, real-time Syslog alerts sent from iSecurity products integrate with all the leading SIEM products: IBM's QRadar and Tivoli, HP ArcSight and OpenView, CA UniCenter, RSA enVision, GFI Solutions, Splunk, Juniper, NNT, etc. Case studies can be supplied upon request.

For a PowerPoint overview of how the iSecurity products interface with the leading SIEM solutions, including success stories and actual screenshots, see the SIEM Presentation under Downloads below, as well as the Raz-Lee video about SIEM using iSecurity.

Downloads

  • SIEM Presentation
  • iSecurity Data Sheet
  • Syslog TLS Encryption Press Release
  • Raz-Lee Security Extends SIEM Support to LEEF, CEF & Multiple Concurrent SIEMs