Pat Townsend Normalizes i5/OS Log Data for Security Analyses
October 9, 2007 Alex Woodie
There are many advantages to using a System i server to run business applications, including high degrees of security, scalability, and reliability. But there are also disadvantages to the proprietary platform, such as the fact that its security log data is incompatible with industry standard formats used by Windows, Unix, and Linux machines, which poses a challenge to security event correlation. Last week, i5/OS software vendor Patrick Townsend & Associates launched a new product, called the Alliance LogAgent, that transforms i5/OS log data into the industry standard “syslog” format.
It used to be that nobody paid much attention to the various computer logs and audit journals that document the day-to-day processes of a business machine. They existed mostly in the background, storing tons of raw data only the most die-hard geeks could understand, let alone derive benefit from.
But now, we’re in the midst of a security log renaissance. Regulations such as PCI, SOX, and HIPAA are leading companies to delve into their server logs like never before, determined to find evidence of a hacking ring, confirmation of organized crime, or traces of unauthorized internal access–or just to get the auditors off their backs. Equipped with advanced security information and event management (SIEM) systems, forensic investigators and chief security officers rely on the raw data provided by logs to bring down the bad guys. There’s almost something sexy about security logs.
And while a System i server is less likely to be hacked than your average Linux or Windows box, the platform hasn’t been participating in the security log revolution to the same extent as its “open systems” brethren. The reason for this is that, while the rest of the computing world has largely agreed to use the syslog protocol, IBM has steadfastly maintained its own proprietary log data format for the i5/OS server.
With Alliance LogAgent, Pat Townsend aims to end the System i’s isolation from the SIEM marketplace and let SIEM products correlate the security data from all IT assets–including servers, databases, and network devices–thereby boosting overall security. The product does this by translating data collected from the i5/OS logs, such as the QAUDJRN and QSYSOPR journals, as well as application messages and SNMP traps, into the RFC 3164 syslog format, which is the standard format accepted by major SIEM products, according to Pat Townsend.
The software also digs up and translates critical System i security data that may be missed if the QAUDJRN journal is the only place you look. Because several popular open-source applications for the System i–such as the Apache Web server, the MySQL database, and applications written in PHP–store their log data on the IFS, it can be easily overlooked. Integration with other Pat Townsend network products, including Alliance FTP Manager, Alliance XML/400, and Alliance AS2 Integrator, provides more grist for the SIEM security data mill.
Once translated to RFC 3164 format, i5/OS security event information can be shared with many cross-platform SIEM systems that use the syslog standard, including the open source Syslogd application that’s available for Unix and Linux, and several commercial offerings, including ArcSight’s ESM, Symantec SIM, LogLogic’s LX, Novell’s Sentinel, Q1Labs’ QRadar, TriGeo’s SIM, and CrossTec’s Activeworx, Pat Townsend says. These products provide benefits in the area of real-time alerting, as well as after-the-fact reporting.
The product also comes with tools that allow users to define their own System i security events, and interfaces for integrating Alliance LogAgent routines into ILE applications. With this latter capability, Pat Townsend expects the product to be a good seller among ISVs.
Alliance LogAgent is largely based on the open source Syslogd application sold and supported by BalaBit. Pat Townsend ported it to run on the System i, and provided the i5/OS know-how to make the product really fit into this peculiar platform.
In addition to gaining a more complete picture of one’s security posture, Alliance LogAgent can also help free up gigabytes of valuable disk space on the System i, providing a cost savings. Users can cut down on their bandwidth requirements by filtering the events sent to the SIEM, while offloading archive log data onto cheaper Windows and Linux servers can bring additional savings.
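To make the translation concrete, here is an added Python example (not Alliance LogAgent code, and not the real QAUDJRN record layout) that turns a few constructed i5/OS-style audit records into RFC 3164 syslog lines, parses them back the way a receiving SIEM or syslogd would, and applies the kind of severity filter mentioned above to cut what is forwarded. The record fields, the hostname SYSTEMI1, the QAUDJRN tag, and the mapping of audit entry types to syslog severities are all assumptions chosen for illustration; the PRI arithmetic, timestamp layout, and length limit follow RFC 3164 itself.

```python
"""Translate constructed i5/OS-style audit records into RFC 3164 syslog lines.

Added example; not Alliance LogAgent code. The dicts below are a simplified,
constructed stand-in for QAUDJRN entries, not the journal's real layout.
"""
import re
from datetime import datetime

# RFC 3164 section 4.1.1: PRI = facility * 8 + severity, encoded as "<PRI>".
FACILITY_AUTH = 4                    # facility 4: security/authorization messages
SEV_WARNING, SEV_NOTICE, SEV_INFO = 4, 5, 6
MAX_MSG_LEN = 1024                   # RFC 3164 section 4.1: maximum packet length

# Assumed mapping from audit entry type to syslog severity. AF, PW, CP and JS
# are real i5/OS audit entry types; the severities chosen for them are ours.
SEVERITY_BY_TYPE = {
    "AF": SEV_WARNING,   # authority failure
    "PW": SEV_WARNING,   # invalid password or user ID
    "CP": SEV_NOTICE,    # user profile created or changed
    "JS": SEV_INFO,      # job start
}

# Constructed sample records (not real journal data).
AUDIT_RECORDS = [
    {"ts": "2007-10-09 14:03:21", "type": "PW", "user": "JSMITH",
     "job": "QPADEV0001", "detail": "invalid password"},
    {"ts": "2007-10-09 14:03:40", "type": "AF", "user": "JSMITH",
     "job": "QZDASOINIT", "detail": "object authority failure on QSYS/PAYROLL"},
    {"ts": "2007-10-09 14:05:02", "type": "CP", "user": "QSECOFR",
     "job": "QPADEV0002", "detail": "user profile JSMITH changed"},
    {"ts": "2007-10-09 14:06:15", "type": "JS", "user": "BATCHUSR",
     "job": "NIGHTLY", "detail": "job start"},
]


def rfc3164_timestamp(dt):
    """'Mmm dd hh:mm:ss' with a space-padded day, e.g. 'Oct  9 14:03:21'."""
    return "%s %2d %s" % (dt.strftime("%b"), dt.day, dt.strftime("%H:%M:%S"))


def format_rfc3164(record, hostname="SYSTEMI1", facility=FACILITY_AUTH, tag="QAUDJRN"):
    """Build one RFC 3164 line: <PRI>TIMESTAMP HOSTNAME TAG: MSG."""
    severity = SEVERITY_BY_TYPE.get(record["type"], SEV_INFO)
    pri = facility * 8 + severity
    ts = rfc3164_timestamp(datetime.strptime(record["ts"], "%Y-%m-%d %H:%M:%S"))
    msg = "type=%s user=%s job=%s detail=%s" % (
        record["type"], record["user"], record["job"], record["detail"])
    line = "<%d>%s %s %s: %s" % (pri, ts, hostname, tag, msg)
    return line[:MAX_MSG_LEN]           # a compliant relay truncates, never rejects


_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[A-Za-z0-9_]+): ?"
    r"(?P<msg>.*)$"
)


def parse_rfc3164(line):
    """Decode a line as a receiving SIEM would, splitting PRI into facility/severity."""
    m = _RFC3164.match(line)
    if not m:
        raise ValueError("not an RFC 3164 message: %r" % line)
    pri = int(m.group("pri"))
    if pri > 191:                        # facilities 0-23, severities 0-7
        raise ValueError("PRI out of range: %d" % pri)
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "tag": m.group("tag"),
        "msg": m.group("msg"),
    }


def select_for_siem(records, max_severity=SEV_WARNING):
    """Forward only events at least as severe as max_severity (lower number =
    more severe); this is the bandwidth-saving filter the article mentions."""
    return [format_rfc3164(r) for r in records
            if SEVERITY_BY_TYPE.get(r["type"], SEV_INFO) <= max_severity]


if __name__ == "__main__":
    for line in select_for_siem(AUDIT_RECORDS):
        print(line)
        print("   ->", parse_rfc3164(line))
```

Run as a script it prints the two warning-level lines (the PW and AF events) and their decoded fields; raising `max_severity` to `SEV_INFO` forwards all four. The parser deliberately rejects a PRI above 191, which is the check a collector should apply before trusting the facility and severity it derives.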
Pat Townsend, president of the Olympia, Washington, company, says the effectiveness of log analysis and management software depends on the capability to consolidate all security and event data into one place. “Only then can patterns be analyzed for potential security breaches,” he says. “By providing a System i log agent and integrating all of our encryption and data security solutions into the logging architecture, our customers get unmatched support for security monitoring.”
Alliance LogAgent is available now. The product requires OS/400 V5R1 or higher. For more information, visit www.patownsend.com.