This guide provides information for configuring CorreLog SIEM Agent for z/OS for syslog event collection with ArcSight. CorreLog SIEM Agent is supported on z/OS (“mainframe,” formerly known as MVS and/or OS/390) platforms. z/OS releases V1R11 and above are supported.
SIEM Agent for z/OS integrates z/OS mainframe security events into an enterprise ArcSight ESM strategy. SIEM Agent allows users to view Mainframe security, database, and TCP/IP events in real-time, alongside events from Windows, UNIX, Linux, routers, ﬁrewalls, and other IT assets in an enterprise SIEM system. SIEM Agent converts a myriad of events including TSO Logons, Production Job ABENDs, TCP/IP Connections, FTP, logs from RACF, ACF2, CA Top Secret, and DB2 accesses. SIEM Agent facilitates compliance requirements from PCI DSS, HIPAA, SOX, IRS Pub. 1075, GLBA, FISMA, NERC and many others.
SIEM Agent is configured for CEF simply by configuring it to use the supplied parameter file "CZAPCEF", as described in the "CZAGENT" reference manual section ArcSight CEF. Alternatively, you may specify SIEM(CEF) in any CZAGENT parameter file.
NOTE: This document is provided for informational purposes only, and the information herein is subject to change without notice. Please report any errors herein to HP. HP does not provide any warranties covering this information and specifically disclaims any liability in connection with this document.
CorreLog SIEM Agent for z/OS is Certified CEF: The event format complies with the requirements of the HP ArcSight Common Event Format. The HP ArcSight CEF connector will be able to process the events correctly and the events will be available for use within HP’s ArcSight product. In addition, the event content has been deemed to be in accordance with standard SmartConnector requirements. The events will be sufficiently categorized to be used in correlation rules, reports and dashboards as a proof-of-concept (POC) of the joint solution.