IDMS

Hi folks,
Have any of you created an automated process of capturing events that occur within IDMS, that sends the information to a Security Information and Event Management (SIEM) tool? I am thinking in terms of production schema changes, user login/logout, IDMS internal security administration (alter, drop, grant, revoke, etc.), and application data changes.
Does your process work directly from the IDMS journal and/or log archives, SMF, or from re-constituted extracts of the journal archives, or from exit routines? I know there are Journal analyzer tools that build an extract from the journal archive, allowing for customization of reports and further extraction of data.
Thanks for your responses, Alan Slezewick

Alan,
The new release of CICS (4.1) will have a triggering capability called "event processing" built into the base product. I opened a DAR with CA to request a similar functionality for IDMS. The issue number is 19305164. It would be good to let CA know that your site has the same need.
Kay Rozeboom

Gary_Cherlet wrote:

[color=#0D06FF]for Alan Slezewick[color]
Hi folks, Have any of you created an automated process of capturing events that occur within IDMS, that sends the information to a Security Information and Event Management (SIEM) tool? I am thinking in terms of production schema changes, user login/logout, IDMS internal security administration (alter, drop, grant, revoke, etc.), and application data changes. Does your process work directly from the IDMS journal and/or log archives, SMF, or from re-constituted extracts of the journal archives, or from exit routines? I know there are Journal analyzer tools that build an extract from the journal archive, allowing for customization of reports and further extraction of data. Thanks for your responses, Alan Slezewick

[color=#0D06FF]just a thought - if this was a immediate need - if you can find a DC MESSAGE associated with each of these events - and route the message to the console, and have OPS/MVS pick up the message there and route it to where ever you want it to go - i think USER LOGONS/LOGOFFS by default do this (and i have always modified the messages to NOT display)[color]
Chris Hoelscher

Everything we do with regard to IDMS Security is "posted" in real time to RACF from our IDMS/ADS Security Management system. When I say "everything" I include the following:
[] Ability to signon to system
[] Access to Applications and Functions
[] System Signon
[] Access exceptions (max attempts exceeded, no access to apps/functions, etc) logged to SMF
[] All Security System changes logged to SMF - as they are replicated to RACF
[] Signon security is External using RACF - however the User must also have a Profile in IDMS Catalog
[] Multiple Signon Security enabled by User
[] Applications and Functions created in the Security System become RACF Resources in real-time
[]Etc
We have been using this successfully with IDMS since 1991, and the system still meets our needs 20 years later. This is a Justice department environment supporting Police, Corrections and Family Services.
We do not monitor changes in the Dictionary which use Schema, DDDL or other compilers - however we do have a Change Management system that logs to SMF.
HTH - cheers - Gary

We monitor changes in the Dictionary which use Schema, DDDL or other compilers with a series of in house written COBOL programs. The output files are transmitted to our compliance/security group.
The journal analyzer product is used to monitor for DMLO changes, SYSGEN changes, and a few other things. The output files are also transmitted to our compliance/security group.
Regards, John H. Collins