
The CorreLog Mainframe Agent (CMA Agent) expands the role of the CorreLog Server within your enterprise to include monitoring of SMF mainframe messages, empowering you with new important capabilities and visibility into your mainframe and enterprise security. Complete your SIEM strategy using this powerful and unique management component.

 

SIEM Agent for IBM z/OS Mainframes
State of the Art Syslog Agent for Your IBM Mainframes

For many large organizations, one or more IBM z/OS mainframes are a strategic platform for their most mission-critical applications and processes. The CorreLog Agent for z/OS enables organizations to monitor their enterprise IT security, including mainframes, from a unified viewpoint. The z/OS Agent, in conjunction with any SIEM monitoring application that accepts Syslog messages, allows the user to view mainframe SMF security, database and TCP/IP events, along with security and other events from Windows, UNIX, Linux, routers, firewalls, etc. When combined with CorreLog's Security Correlation Server, appropriate personnel are notified of security threats instantly using CorreLog's unique correlation engine and notification components.

The CorreLog z/OS agent is quickly installed, uses a minimum of resources, and does not require extensive training to use or ongoing maintenance or administration. It is fully user configurable, allowing you to select from TSO Logons, Production Job ABENDs, TCP/IP Connections, FTP File Transfers, and DB2 Accesses. Within these you may select the sub-categories and data you want to see.

The z/OS Agent provides the information you need to meet today's increasing compliance regulations such as FISMA, PCI DSS, HIPAA, NERC and Sarbanes-Oxley. The following are some sample error messages from z/OS that are indicative of potential threats:

  • Sample RACF Violation as reported by CZAGENT to your Syslog Console
    SYSB RACF: RESOURCE ACCESS: Insufficient Auth, SID=SYSB, User=RU018B, Group=RESTRICT, Reas=AUDIT option, Job=RU018BTR, Res=SYS1.PROD.PROCLIBT, Req=READ, Allow=NONE, Vol=SYS001, Type=DATASET, Prof=SYS1.PROD.PROCLIBT, Owner=DATASET, Name=ROBERT SMITH, POE=INTRDRs
  • Sample FTP Client Data
    One of your mainframe users accessing an outside host:
    mvssysb TCP/IP: Subtype=FTP client complete, Stack=TCPIP, AS=RX239JB, UserID= RX239JB, SubCmd=RETR, FileType=SEQ, RemtDataIP=::ffff:23.36.0.209, RemtCtlIP=::ffff: 23.36.0.209, RemtID= rx239jb, LocID= RX239JB, DStype=Seq, Start=11037 22:34:33.87, Dur=0.00, Bytes=6123, LReply=250, Host=mvssysb, DSN= RX239JB.FOO.DELETEME, Security={Mech=None, CtlProt=None, DataProt=None, Login=Undefined}, UserID= rx239jb
  • Sample FTP Server Data
    An outside user successfully copying a file from your mainframe:
    mvssysb TCP/IP: Subtype=FTP server complete, Stack=TCPIP, AS=FTPD1, Op=Retrieve, FileType=SEQ, RemtDataIP=::ffff:10.31.0.209, RemtCtlIP=::ffff:10.31.0.209, UserID= RX239JB, DStype=HFS, Start=11037 22:32:45.21, Dur=0.78, Bytes=56324, LReply=250, SessID=FTPD100335, DSN=/u/ rx239jb /Source/Fields.C, Security={Mech=None, CtlProt=None, DataProt=None, Login=Password}
  • Sample FTP Server Logon Failure
    An unauthorized user attempting to access your mainframe:
    mvssysb TCP/IP: Subtype=FTP server logon fail, Stack=TCPIP, AS=FTPD1, UserID=IBMUSER, RemtIP=::ffff:208.3.0.2, UserID=IBMUSER, Reas=Password invalid, SessID=FTPD100345, Security={Mech=None, CtlProt=None, DataProt=Undefined, Login=Password}
  • Sample DB2 Audit Data
    SYSA DB2: Subsys=D91B, AuthID=DV233B, CorrID=JDBC4DB2, Plan=DISTSERV, OpID=DV233B, Loc=RS91D91B, NetID=GA0A0707, LU=C68B, Conn=SERVER, SQL={Insert=1, Prepare=2, Open=1, Create Table=7, Create Index=9, Create Tablespace=7, Fetch=1}
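
An added example, not CorreLog code: a collector-side parser for the Key=Value layout of the sample messages above, including the nested {...} groups, values that contain spaces, and repeated keys, followed by three checks run over the parsed fields. The rule names are hypothetical, and reading Mech=None as "no security mechanism negotiated" is an assumption based on the field label.

```python
SAMPLES = [  # constructed input: message text copied from three of the samples above
    "mvssysb TCP/IP: Subtype=FTP server complete, Stack=TCPIP, AS=FTPD1, Op=Retrieve, FileType=SEQ, RemtDataIP=::ffff:10.31.0.209, RemtCtlIP=::ffff:10.31.0.209, UserID= RX239JB, DStype=HFS, Start=11037 22:32:45.21, Dur=0.78, Bytes=56324, LReply=250, SessID=FTPD100335, DSN=/u/ rx239jb /Source/Fields.C, Security={Mech=None, CtlProt=None, DataProt=None, Login=Password}",
    "mvssysb TCP/IP: Subtype=FTP server logon fail, Stack=TCPIP, AS=FTPD1, UserID=IBMUSER, RemtIP=::ffff:208.3.0.2, UserID=IBMUSER, Reas=Password invalid, SessID=FTPD100345, Security={Mech=None, CtlProt=None, DataProt=Undefined, Login=Password}",
    "SYSA DB2: Subsys=D91B, AuthID=DV233B, CorrID=JDBC4DB2, Plan=DISTSERV, OpID=DV233B, Loc=RS91D91B, NetID=GA0A0707, LU=C68B, Conn=SERVER, SQL={Insert=1, Prepare=2, Open=1, Create Table=7, Create Index=9, Create Tablespace=7, Fetch=1}",
]

def split_top_level(body):
    """Split on commas that are outside {...} groups."""
    parts, depth, cur = [], 0, []
    for ch in body:
        depth += (ch == "{") - (ch == "}")
        if ch == "," and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    return parts + ["".join(cur)]

def parse_fields(body):
    """Key=Value pairs to a dict; {...} values become nested dicts."""
    fields = {}
    for part in split_top_level(body):
        key, sep, value = part.partition("=")
        if not sep:
            continue  # free text such as an event title, not a field
        key, value = key.strip(), value.strip()
        if value.startswith("{") and value.endswith("}"):
            value = parse_fields(value[1:-1])
        fields.setdefault(key, value)  # a repeated key keeps its first value
    return fields

def parse_message(line):
    header, _, body = line.partition(": ")       # "<system> <subsystem>: <fields>"
    host, _, subsystem = header.partition(" ")
    return {"host": host, "subsystem": subsystem, **parse_fields(body)}

def findings(msg):
    """Hypothetical rule names; field meanings are assumed from their labels."""
    out, sub, sec = [], msg.get("Subtype", ""), msg.get("Security", {})
    if sub == "FTP server logon fail":
        out.append("ftp-logon-failure")
    if sub.endswith("complete") and sec.get("Mech") == "None":
        out.append("ftp-no-security-mechanism")
    if any(k.startswith("Create") for k in msg.get("SQL", {})):
        out.append("db2-ddl-activity")
    return out

for line in SAMPLES:
    print(parse_message(line)["subsystem"], findings(parse_message(line)))
```
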
    Features

    • Standards compliant. Creates RFC 3164-compliant Syslog messages that work with any standards-based SIEM or Syslog collection software
    • Collects events from mainframe security subsystems including RACF®
    • Extensive yet straightforward user customization. Decide which events and fields you want to see.
    • Works with CorreLog's unique correlation engine or any industry-standard Syslog console
    • Collects TSO logons and logoffs
    • Collects z/OS job and started task terminations including ABENDs
    • Collects audit events from DB2
    • Audits the use of FTP
    • Collects login, telnet and other events from TCP/IP
    • Uses only a few seconds of CPU time per day
    • Installs in less than half a day
    • Capacity of hundreds of thousands of Syslog messages per day
    • Compatible with CorreLog's powerful correlation engine
    • No impact on existing operations.

    Benefits

    • Investment protection. Compatible with all of your existing software. Freedom of choice: select CorreLog or any other Syslog console
    • Complements your existing mainframe security software
    • Get the data you need without unnecessary clutter
    • Flexibility and investment protection
    • Know who is accessing your system and when. Required for FISMA, PCI DSS, HIPAA, NERC and Sarbanes-Oxley compliance
    • Know what's working and what's not working in real time in your z/OS production
    • Know who accessed what data and when. Necessary for FISMA, PCI DSS, HIPAA, NERC and Sarbanes-Oxley compliance
    • FTP is considered by many to be the number one mainframe security exposure. Be alerted to suspicious FTP events in real time
    • In the event of an unauthorized access, pinpoint the exact source of the threat in real time
    • Thrifty use of mainframe resources. Does not contribute to escalating software costs
    • You are up & running and protected in no time
    • No matter what your data volume, CZAGENT will keep up
    • Correlate related security events from mainframe and Windows®, Linux and UNIX® sources
    • No training time, no down time

    Copyright © 2010, CorreLog, Inc. All rights reserved.
    All trademarks and registered trademarks used herein are the properties of their respective owners.
