Collect IBM AS/400 logs

This document explains how to ingest IBM AS/400 logs into Google Security Operations using the Bindplane agent.

IBM AS/400 is an enterprise operating system that provides integrated database, security, and application services. The system generates security audit logs through QAUDJRN (audit journal), system operation logs through QHST (history log), database journals for application data changes, and exit point logs for network access monitoring.

Before you begin

Make sure you have the following prerequisites:

  • A Google SecOps instance
  • Windows Server 2016 or later, or a Linux host with systemd
  • Network connectivity between the Bindplane agent and IBM AS/400 system
  • If running behind a proxy, ensure that firewall ports are open per the Bindplane agent requirements
  • IBM AS/400 7.2 with PTF Group 19 or later, or IBM AS/400 7.3 with PTF Group 7 or later (for native syslog generation)
  • IBM AS/400 user profile with *USE authority to QAUDJRN journal and journal receivers
  • PASE for i (5770SS1 Option 33) installed on the IBM AS/400 system
  • Access to IBM AS/400 command line (5250 session or SSH)

Get Google SecOps ingestion authentication file

  1. Sign in to the Google SecOps console.
  2. Go to SIEM Settings > Collection Agents.
  3. Download the Ingestion Authentication File. Save the file securely on the system where Bindplane will be installed.

Get Google SecOps customer ID

  1. Sign in to the Google SecOps console.
  2. Go to SIEM Settings > Profile.
  3. Copy and save the Customer ID from the Organization Details section.

Install the Bindplane agent

Install the Bindplane agent on your Windows or Linux operating system according to the following instructions.

Windows installation

  1. Open Command Prompt or PowerShell as an administrator.
  2. Run the following command:

    msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet
    
  3. Wait for the installation to complete.

  4. Verify the installation by running:

    sc query observiq-otel-collector
    

    The service should show as RUNNING.

Linux installation

  1. Open a terminal with root or sudo privileges.
  2. Run the following command:

    sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh
    
  3. Wait for the installation to complete.

  4. Verify the installation by running:

    sudo systemctl status observiq-otel-collector
    

    The service should show as active (running).

Additional installation resources

For additional installation options and troubleshooting, see Bindplane agent installation guide.

Configure Bindplane agent to ingest syslog and send to Google SecOps

Locate the configuration file

  • Linux:

    sudo nano /etc/bindplane-agent/config.yaml
    
  • Windows:

    notepad "C:\Program Files\observIQ OpenTelemetry Collector\config.yaml"
    

Edit the configuration file

  1. Replace the entire contents of config.yaml with the following configuration:

    receivers:
        udplog:
            listen_address: "0.0.0.0:514"
    
    exporters:
        chronicle/ibm_i:
            compression: gzip
            creds_file_path: '/etc/bindplane-agent/ingestion-auth.json'
            customer_id: 'YOUR_CUSTOMER_ID'
            endpoint: malachiteingestion-pa.googleapis.com
            log_type: IBM_AS400
            raw_log_field: body
            ingestion_labels:
                env: production
                source: ibm_i
    
    service:
        pipelines:
            logs/ibm_i_to_chronicle:
                receivers:
                    - udplog
                exporters:
                    - chronicle/ibm_i
    
  2. Replace the following placeholders:

    • Receiver configuration:

      • listen_address: Set to 0.0.0.0:514 to listen on all interfaces on UDP port 514. On Linux, binding a port below 1024 requires root, so if the agent runs as a non-root user, use port 1514 or higher and use that same port in the IBM AS/400 syslog.conf forwarding line.
    • Exporter configuration:

      • creds_file_path: Full path to the ingestion authentication file. Make sure that you save the downloaded Ingestion Authentication File as ingestion-auth.json in one of the following locations:

        • Linux: /etc/bindplane-agent/ingestion-auth.json
        • Windows: C:\Program Files\observIQ OpenTelemetry Collector\ingestion-auth.json
      • customer_id: Your Google SecOps customer ID from the previous step

      • endpoint: Regional endpoint URL:

        • US: malachiteingestion-pa.googleapis.com
        • Europe: europe-malachiteingestion-pa.googleapis.com
        • Asia: asia-southeast1-malachiteingestion-pa.googleapis.com
      • log_type: Set to IBM_AS400

      • ingestion_labels: Optional labels for filtering and organization

Save the configuration file

After editing, save the file:

  • Linux: Press Ctrl+O, then Enter, then Ctrl+X
  • Windows: Click File > Save

Restart the Bindplane agent to apply the changes

  • To restart the Bindplane agent in Linux:

    1. Run the following command:

      sudo systemctl restart observiq-otel-collector
      
    2. Verify the service is running:

      sudo systemctl status observiq-otel-collector
      
    3. Check logs for errors:

      sudo journalctl -u observiq-otel-collector -f
      
  • To restart the Bindplane agent in Windows:

    1. Choose one of the following options:

      • Command Prompt or PowerShell as administrator:

        net stop observiq-otel-collector && net start observiq-otel-collector
        
      • Services console:

        1. Press Win+R, type services.msc, and press Enter.
        2. Locate observIQ OpenTelemetry Collector.
        3. Right-click and select Restart.
    2. Verify the service is running:

      sc query observiq-otel-collector
      
    3. Check logs for errors:

      type "C:\Program Files\observIQ OpenTelemetry Collector\log\collector.log"
      

Configure IBM AS/400 syslog forwarding

Enable IBM AS/400 auditing

  1. Sign in to IBM AS/400 using a 5250 terminal session or SSH.
  2. Run the following command to enable auditing:

    CHGSECAUD QAUDCTL(*AUDLVL) QAUDLVL(*AUTFAIL *SECURITY *CREATE *DELETE)
    

Create the syslog configuration file

  1. Start a QShell session:

    STRQSH
    
  2. Create the syslog configuration directory if it does not exist:

    mkdir -p /QOpenSys/etc
    
  3. Create the syslog configuration file:

    touch /QOpenSys/etc/syslog.conf
    
  4. Edit the syslog configuration file using the edtf editor:

    edtf /QOpenSys/etc/syslog.conf
    
  5. Add the following line to forward all syslog messages to the Bindplane agent:

    *.* @BINDPLANE_AGENT_IP:514
    

    Replace BINDPLANE_AGENT_IP with the IP address of the host running the Bindplane agent.

  6. Save and exit the editor:

    • Press F3 to exit.
    • Press F10 to save when prompted.
  7. Exit QShell:

    exit
    

Start the syslog daemon

  1. Submit a batch job to start the syslog daemon:

    SBMJOB CMD(STRQSH CMD('/QOpenSys/usr/sbin/syslogd')) JOB(SYSLOGD) JOBQ(QSYSNOMAX)
    
  2. Verify the syslog daemon is running:

    STRQSH
    
    ps -ef | grep syslogd
    

    You should see a process entry for /QOpenSys/usr/sbin/syslogd.

  3. Exit QShell:

    exit
    

Create a script to forward audit journal entries to syslog

  1. Start a QShell session to create a shell script that extracts audit journal entries and sends them to syslog:

    STRQSH
    
  2. Create the script file:

    touch /home/syslog_audit.sh
    chmod 755 /home/syslog_audit.sh
    
  3. Edit the script:

    edtf /home/syslog_audit.sh
    
  4. Add the following content to the script:

    #!/QOpenSys/pkgs/bin/bash
    
    # IBM i Audit Journal to Syslog Forwarder
    # Extracts QAUDJRN entries in syslog format and sends them to the local syslog daemon
    
    # Get the timestamp from 5 minutes ago (the -d option requires GNU date from coreutils-gnu)
    START_TIME=$(date -u -d '5 minutes ago' '+%Y-%m-%d %H:%M:%S')
    
    # Query the audit journal for recent entries in RFC 5424 syslog format and
    # forward every non-empty line with facility local0
    system "RUNSQL SQL('SELECT syslog_event FROM TABLE(QSYS2.DISPLAY_JOURNAL(''QSYS'',''QAUDJRN'',STARTING_TIMESTAMP => ''$START_TIME'', GENERATE_SYSLOG => ''RFC5424'')) AS X WHERE syslog_event IS NOT NULL') OUTPUT(*PRINT)" | while IFS= read -r line
    do
      if [ -n "$line" ]; then
        logger -p local0.info "$line"
      fi
    done
    
  5. Save and exit the editor.

  6. Exit QShell:

    exit
    

Schedule the script to run periodically

  1. Create a CL program to call the shell script:

    CRTSRCPF FILE(QGPL/QCLSRC) RCDLEN(112)
    
  2. Add a member for the CL program:

    ADDPFM FILE(QGPL/QCLSRC) MBR(SYSLOGAUD)
    
  3. Edit the member:

    STRSEU SRCFILE(QGPL/QCLSRC) SRCMBR(SYSLOGAUD)
    
  4. Add the following CL code:

    PGM
      STRQSH CMD('/home/syslog_audit.sh')
    ENDPGM
    
  5. Save and exit by pressing F3.

  6. Create the CL program:

    CRTCLPGM PGM(QGPL/SYSLOGAUD) SRCFILE(QGPL/QCLSRC)
    
  7. Create a job schedule entry to run the program. ADDJOBSCDE runs an entry at most once per day, so this example runs the program daily at midnight (FRQ(*WEEKLY) with SCDDAY(*ALL)). Because the script only queries the last 5 minutes of entries, either schedule the program to run at that interval (for example, with IBM Advanced Job Scheduler) or widen the lookback in the script; otherwise entries outside the window are not forwarded:

    ADDJOBSCDE JOB(SYSLOGAUD) CMD(CALL PGM(QGPL/SYSLOGAUD)) FRQ(*WEEKLY) SCDDATE(*NONE) SCDDAY(*ALL) SCDTIME('00:00:00')
    

Forward history log entries to syslog

  1. Start a QShell session to create a similar script for history log entries:

    STRQSH
    
  2. Create the script file:

    touch /home/syslog_history.sh
    chmod 755 /home/syslog_history.sh
    
  3. Edit the script:

    edtf /home/syslog_history.sh
    
  4. Add the following content:

    #!/QOpenSys/pkgs/bin/bash
    
    # IBM i History Log to Syslog Forwarder
    # Extracts QHST entries in syslog format and sends them to the local syslog daemon
    
    # Get the timestamp from 5 minutes ago (the -d option requires GNU date from coreutils-gnu)
    START_TIME=$(date -u -d '5 minutes ago' '+%Y-%m-%d %H:%M:%S')
    
    # Query the history log for recent entries in RFC 3164 syslog format and
    # forward every non-empty line with facility local1
    system "RUNSQL SQL('SELECT syslog_event FROM TABLE(QSYS2.HISTORY_LOG_INFO(START_TIME => ''$START_TIME'', GENERATE_SYSLOG => ''RFC3164'')) AS X WHERE syslog_event IS NOT NULL') OUTPUT(*PRINT)" | while IFS= read -r line
    do
      if [ -n "$line" ]; then
        logger -p local1.info "$line"
      fi
    done
    
  5. Save and exit the editor.

  6. Exit QShell:

    exit
    
  7. Create a similar CL program and job schedule for the history log script following the same steps as for the audit journal.
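Both scripts above query a fixed 5-minute window on every run, so a schedule slower than 5 minutes leaves gaps and an overlapping schedule forwards duplicates. The following added example (not code from the page, IBM or Google) replaces the fixed window with a checkpoint file per source while keeping the page's RUNSQL queries and logger call; CHECKPOINT_DIR, the RUN_FORWARDER variable and the sender function name are assumptions.

```shell
# Checkpointed forwarder for the audit journal and history log queries (added example).
# Intended to run under /QOpenSys/pkgs/bin/bash on IBM i with coreutils-gnu (GNU date),
# the PASE "system" command and logger(1), as the page's scripts already assume.
# CHECKPOINT_DIR is an assumed location; one checkpoint file is kept per source.

CHECKPOINT_DIR="${CHECKPOINT_DIR:-/home/syslog_state}"
LOOKBACK_MINUTES="${LOOKBACK_MINUTES:-5}"

# Window start for this run: the previous run's checkpoint if present, otherwise
# LOOKBACK_MINUTES ago. The checkpoint makes consecutive runs contiguous instead
# of depending on the job schedule matching the lookback exactly.
next_start_time() {
    ckpt="$1"; lookback="$2"
    if [ -s "$ckpt" ]; then
        head -n 1 "$ckpt"
    else
        date -u -d "$lookback minutes ago" '+%Y-%m-%d %H:%M:%S'
    fi
}

# The SQL from the page for either source, parameterized by start timestamp.
# Single quotes are doubled because RUNSQL receives the statement inside SQL('...').
build_sql() {
    case "$1" in
        audit)   printf "SELECT syslog_event FROM TABLE(QSYS2.DISPLAY_JOURNAL(''QSYS'',''QAUDJRN'',STARTING_TIMESTAMP => ''%s'', GENERATE_SYSLOG => ''RFC5424'')) AS X WHERE syslog_event IS NOT NULL" "$2" ;;
        history) printf "SELECT syslog_event FROM TABLE(QSYS2.HISTORY_LOG_INFO(START_TIME => ''%s'', GENERATE_SYSLOG => ''RFC3164'')) AS X WHERE syslog_event IS NOT NULL" "$2" ;;
        *)       echo "unknown source: $1" >&2; return 1 ;;
    esac
}

# Read query output from stdin, skip blank lines, pass each event to the sender
# command named in $2 with facility.severity $1, and print the number forwarded.
forward_batch() {
    facility="$1"; send="$2"; n=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        "$send" "$facility" "$line"
        n=$((n + 1))
    done
    echo "$n"
}

# Default sender: the same logger(1) call the page's scripts use.
send_syslog() { logger -p "$1" "$2"; }

# One scheduled run for a source ("audit" or "history"). The window end is taken
# before the query runs, so events written during the query fall into the next run.
run_forwarder() {
    source_name="$1"; facility="$2"
    ckpt="$CHECKPOINT_DIR/$source_name.chk"
    mkdir -p "$CHECKPOINT_DIR"
    start="$(next_start_time "$ckpt" "$LOOKBACK_MINUTES")"
    end="$(date -u '+%Y-%m-%d %H:%M:%S')"
    sql="$(build_sql "$source_name" "$start")" || return 1
    count="$(system "RUNSQL SQL('$sql') OUTPUT(*PRINT)" | forward_batch "$facility" send_syslog)"
    printf '%s\n' "$end" > "$ckpt"
    echo "$source_name: forwarded $count events from $start to $end"
}

# From the scheduled CL program: STRQSH CMD('RUN_FORWARDER=1 /home/syslog_forward.sh')
if [ "${RUN_FORWARDER:-0}" = "1" ]; then
    run_forwarder audit local0.info
    run_forwarder history local1.info
fi
```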

Verify syslog forwarding

  1. Test the logger command to verify syslog forwarding:

    STRQSH
    
    logger -p local0.notice "Test message from IBM i"
    
  2. Check the Bindplane agent logs to verify the message was received:

    Linux:

    sudo journalctl -u observiq-otel-collector -f
    

    Windows:

    type "C:\Program Files\observIQ OpenTelemetry Collector\log\collector.log"
    
  3. Verify logs are appearing in Google SecOps:

    1. Sign in to the Google SecOps console.
    2. Go to Search > UDM Search.
    3. Search for metadata.vendor_name = "IBM" AND metadata.product_name = "AS400".

UDM mapping table

Log Field | UDM Mapping | Logic
device_vendor | about.asset.asset_id | Concatenated
device_product | about.asset.asset_id | Concatenated
deviceExternalId | about.asset.asset_id | Concatenated
filePath | about.file.full_path | if not empty
fileHash | about.file.full_path | if not hash
about_file_path | about.file.full_path | fallback
_hash | about.file.sha256 | if not empty
fileHash | about.file.sha256 | if hash
fsize | about.file.size | Converted to uinteger
dvchost | about.hostname |
ips | about.ip | Merged array, IP validation
dvcmac | about.mac | if valid MAC
deviceTranslatedAddress | about.nat_ip |
permissions | about.resource.attribute.permissions |
additional_* | additional.fields | Merged labels
about | about | Merged
additional | additional | Renamed
metadata | metadata | Renamed
Received | metadata.collected_timestamp | Converted using yyyy-MM-ddTHH:mm:ss
job_msg | metadata.description | if not empty
metadata.description | metadata.description | fallback
metadata_event_type | metadata.event_type | if not empty, else GENERIC_EVENT
file_full_path | metadata.event_type | Set to PROCESS_UNCATEGORIZED if present
event_name | metadata.event_type | Set to SCAN_UNCATEGORIZED if in (LogSpyware, LogPredictiveMachineLearning)
principal machine ID + target machine ID | metadata.event_type | Set to NETWORK_HTTP if both present
target machine ID | metadata.event_type | Set to USER_UNCATEGORIZED if present without principal
principal machine ID | metadata.event_type | Set to STATUS_UPDATE if present
device_event_class_id | metadata.product_event_type | Concatenated with " - " separator if both present, else alone
event_name | metadata.product_event_type | Concatenated with " - " separator if both present, else alone
externalId | metadata.product_log_id |
device_product | metadata.product_name |
device_version | metadata.product_version |
device_vendor | metadata.vendor_name | if not empty, else "IBM - device_vendor", else "IBM"
app_protocol_output | network.application_protocol | if not empty
deviceDirection | network.direction | INBOUND if == 0, OUTBOUND if == 1
requestMethod | network.http.method |
requestClientApplication | network.http.user_agent |
ip_protocol_out | network.ip_protocol | if not empty
in | network.received_bytes | Converted to uinteger
out | network.sent_bytes | Converted to uinteger
observer | observer | Renamed
principal | principal | Renamed
sntdom | principal.administrative_domain |
sourceServiceName | principal.application | if not empty
name | principal.application | fallback
hardware | principal.asset.hardware | Merged
hostname | principal.asset.hostname | if not empty
hostinfo.name | principal.asset.hostname | fallback
hostinfo.hostname | principal.asset.hostname | fallback
host | principal.asset.ip | Merged
src | principal.asset.ip | Merged
principal_ip | principal.asset.ip | Merged
hostinfo.ip | principal.asset.ip | Merged array
log.file.path | principal.file.full_path |
Group_name | principal.group.group_display_name | if not empty
Gruppenavn | principal.group.group_display_name | fallback
Device_name | principal.hostname | if not empty
Enhetsnavn | principal.hostname | fallback
principal_ip | principal.ip | Merged
src | principal.ip | Merged
host | principal.ip | Merged
hostinfo.ip | principal.ip | Merged array
smac | principal.mac | Merged
hostinfo.mac | principal.mac | Merged array
sourceTranslatedAddress | principal.nat_ip |
hostinfo.os.platform | principal.platform | if not empty
hostinfo.os.name | principal.platform | WINDOWS if matches (?i)Window, LINUX if matches (?i)Linux
hostinfo.os.kernel | principal.platform_patch_level |
hostinfo.os.version | principal.platform_version |
spt | principal.port | Converted to integer
deviceProcessName | principal.process.command_line | if not empty
sproc | principal.process.command_line | fallback
Subject | principal.process.command_line | fallback
Emne | principal.process.command_line | fallback
Path | principal.process.command_line | fallback
File_name | principal.process.file.full_path | if not empty
Object | principal.process.file.full_path | fallback
Objekt | principal.process.file.full_path | fallback
Infected_Resource | principal.process.file.full_path | fallback
spid | principal.process.pid |
codename_label | principal.resource.attribute.labels | Merged
family_label | principal.resource.attribute.labels | Merged
log_offset_label | principal.resource.attribute.labels | Merged
version_label | principal.resource.attribute.labels | Merged
hostinfo.id | principal.resource.product_object_id |
principal_role | principal.user.attribute.roles |
temp_duser | principal.user.user_display_name | if not empty
suser | principal.user.user_display_name | fallback
CustomerName | principal.user.user_display_name | fallback
temp_duid | principal.user.userid | if not empty
suid | principal.user.userid | fallback
user_name | principal.user.userid | fallback
User | principal.user.userid | fallback
Bruker | principal.user.userid | fallback
security_result | security_result | Merged
act | security_result.action | ALLOW if in (accept, notified); BLOCK if in (deny, blocked)
outcome | security_result.action | ALLOW if REDIRECTED_USER_MAY_PROCEED; BLOCK if BLOCKED; FAIL if Failure
categoryOutcome | security_result.action | ALLOW if Success; BLOCK if Failure
cs2 | security_result.action | ALLOW if Allow; BLOCK if Denied
act | security_result.action_details | if not empty
Action_Taken | security_result.action_details | fallback
cat | security_result.category_details |
msg_data_2 | security_result.description | if not empty
security_result.description | security_result.description | fallback
Type | security_result.description | fallback
Scan_Type | security_result.description | fallback
operation_label | security_result.detection_fields | Merged
operasjon_label | security_result.detection_fields | Merged
permission_label | security_result.detection_fields | Merged
tillatelse_label | security_result.detection_fields | Merged
infection_channel_label | security_result.detection_fields | Merged
spyware_Grayware_Type_label | security_result.detection_fields | Merged
threat_probability_label | security_result.detection_fields | Merged
mwProfile | security_result.rule_name |
severity | security_result.severity | LOW if 0-3 or LOW; MEDIUM if 4-6 or MEDIUM/INFO/SUBSTANTIAL; HIGH if 7-8 or HIGH/SEVERE; CRITICAL if 9-10 or VERY-HIGH/CRITICAL
appcategory | security_result.summary | if not empty
Result | security_result.summary | fallback
reason | security_result.summary | fallback
Spyware | security_result.threat_name | if not empty
Virus_Malware_Name | security_result.threat_name | fallback
Unknown_Threat | security_result.threat_name | fallback
oldFilePath | src.file.full_path |
oldFileSize | src.file.size | Converted to uinteger
old_permissions | src.resource.attribute.permissions |
target | target | Renamed
dntdom | target.administrative_domain |
destinationServiceName | target.application |
logcollector_hostname | target.asset.hostname |
dst | target.asset.ip | Merged
dst_ip | target.asset.ip | Merged
temp_dhost | target.hostname | if not empty
shost | target.hostname | if not IP
dst_ip | target.ip | Merged
dst | target.ip | Merged
IPv6_Address | target.ip | Merged
dmac | target.mac |
destination_translated_address | target.nat_ip |
destinationTranslatedPort | target.nat_port | Converted to integer
dpt | target.port | Converted to integer
dproc | target.process.command_line |
file_full_path | target.process.file.full_path |
dpid | target.process.pid |
resource_Type_label | target.resource.attribute.labels | Merged
request | target.url |
target_role | target.user.attribute.roles |
temp_duser | target.user.user_display_name | if not empty
CustomerName | target.user.user_display_name | fallback
temp_duid | target.user.userid | if not empty
User | target.user.userid | fallback
Bruker | target.user.userid | fallback
logcollector_timestamp | metadata.collected_timestamp | Converted using ISO8601 or MMM d HH:mm:ss
metadata_event_type | metadata.event_type | if not empty, else GENERIC_EVENT
event_type | metadata.product_event_type | if not empty
product_event_type | metadata.product_event_type | fallback
device_vendor | metadata.vendor_name | if not empty, else "IBM"
device_product | metadata.product_name |
agent.hostname | observer.asset.hostname |
agent.type | observer.asset_id | Concatenated
agent.id | observer.asset_id | Concatenated
agent.version | observer.platform_version |
sntdom | principal.administrative_domain |
sourceServiceName | principal.application |
hostname | principal.asset.hostname |
host | principal.asset.ip | Merged
src | principal.asset.ip | Merged
hostinfo.ip | principal.asset.ip | Merged array
log.file.path | principal.file.full_path |
hostname | principal.hostname |
principal_ip | principal.ip | Merged
src | principal.ip | Merged
host | principal.ip | Merged
hostinfo.ip | principal.ip | Merged array
smac | principal.mac | Merged
hostinfo.mac | principal.mac | Merged array
hostinfo.os.platform | principal.platform |
hostinfo.os.kernel | principal.platform_patch_level |
hostinfo.os.version | principal.platform_version |
spt | principal.port | Converted to integer
sproc | principal.process.command_line |
spid | principal.process.pid |
codename_label | principal.resource.attribute.labels | Merged
family_label | principal.resource.attribute.labels | Merged
log_offset_label | principal.resource.attribute.labels | Merged
version_label | principal.resource.attribute.labels | Merged
hostinfo.id | principal.resource.product_object_id |
suser | principal.user.user_display_name |
suid | principal.user.userid |
act | security_result.action | ALLOW if in (accept, notified); BLOCK if in (deny, blocked)
outcome | security_result.action | ALLOW if REDIRECTED_USER_MAY_PROCEED; BLOCK if BLOCKED; FAIL if Failure
categoryOutcome | security_result.action | ALLOW if Success; BLOCK if Failure
cs2 | security_result.action | ALLOW if Allow; BLOCK if Denied
act | security_result.action_details |
cat | security_result.category_details |
msg_data_2 | security_result.description |
mwProfile | security_result.rule_name |
severity | security_result.severity | LOW if 0-3; MEDIUM if 4-6; HIGH if 7-8; CRITICAL if 9-10
reason | security_result.summary |
logcollector_hostname | target.asset.hostname |
dst | target.asset.ip | Merged
temp_dhost | target.hostname |
dst_ip | target.ip | Merged
mac_address | target.mac |
dpt | target.port | Converted to integer
dproc | target.process.command_line |
dpid | target.process.pid |
temp_duser | target.user.user_display_name |
temp_duid | target.user.userid |