Syslog integration with IBM PureApplication System

Originally posted on IBM Developer blog “Exploring PureApplication System, Software Service and more”  by Hendrik van Run on 22 July 2016 (5148 visits)

Since its inception, IBM PureApplication System has provided the ability to send audit events to an external system. This was done through scp, so the external system had to be running an ssh daemon. One of the drawbacks of this solution was that audit logs were not immediately sent to the remote server. Events were sent in batches, which means that some information could be “in transit” for some period of time. A number of clients preferred an approach whereby audit information would be sent synchronously to an external system, typically a Security Information and Event Management (SIEM) solution such as IBM QRadar.

IBM PureApplication System 2.1.2.0 and higher now support this through syslog integration. This allows audit logs as well as other logs to be sent to an external system running a syslog daemon. Syslog can process logs in a synchronous fashion, and at the same time it is a widely accepted standard for doing so.

The above has been documented in the IBM Knowledge Center here, although confusingly the topic is referred to as Configuring logging settings for IBM QRadar. Keep in mind that IBM PureApplication System uses syslog and therefore supports a wide variety of SIEM solutions including (but not limited to) IBM QRadar. The diagram below shows what the configuration looks like. While logged on to the IBM PureApplication System console, go to System > System settings and expand Log Management. There you can specify the FQDN or the IP address of your external syslog server and optionally apply a configurable maximum retention policy for all log files on IBM PureApplication System. You can select one or more sets of log files, as shown below.
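Once the syslog server address is configured, the receiving side should confirm that audit events actually arrive promptly rather than sitting “in transit” as they did with the batched scp approach. The following added example (not IBM code, and not from the original post) parses RFC 5424 syslog lines on the receiver, decodes facility and severity from the PRI field, and flags events whose delivery lag exceeds a threshold. The message format, hostname and sample lines are constructed assumptions; the post does not specify the exact format PureApplication System emits.

```python
import re
from datetime import datetime, timezone

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID [SD] MSG
_RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|\[.*?\]) ?(?P<msg>.*)$"
)

# Constructed sample lines, as a syslog daemon might receive them from the
# appliance (hostname and contents are made up). PRI 109 = facility 13
# ("log audit") * 8 + severity 5 (notice); PRI 110 = facility 13, severity 6.
SAMPLE_LINES = [
    "<109>1 2016-07-22T10:15:00Z pureapp.example.com audit - - - "
    "user admin logged in from 192.0.2.5",
    "<110>1 2016-07-22T10:05:00Z pureapp.example.com audit - - - "
    "pattern deployed by admin",
]

# Constructed receive time: the moment the syslog server saw the batch above.
RECEIVED_AT = datetime(2016, 7, 22, 10, 15, 30, tzinfo=timezone.utc)


def parse_syslog(line):
    """Split an RFC 5424 line into its header fields; PRI encodes facility*8 + severity."""
    m = _RFC5424.match(line)
    if not m:
        raise ValueError(f"not an RFC 5424 message: {line!r}")
    pri = int(m.group("pri"))
    # fromisoformat on older Pythons does not accept a trailing "Z"
    ts = datetime.fromisoformat(m.group("ts").replace("Z", "+00:00"))
    return {
        "facility": pri >> 3,
        "severity": pri & 7,
        "timestamp": ts,
        "host": m.group("host"),
        "app": m.group("app"),
        "msg": m.group("msg"),
    }


def delivery_lag(event, received_at):
    """Seconds between the event's own timestamp and the receiver's clock."""
    return (received_at - event["timestamp"]).total_seconds()


def stale_events(lines, received_at, max_lag_s=60):
    """Return parsed events that took longer than max_lag_s to arrive."""
    events = [parse_syslog(line) for line in lines]
    return [e for e in events if delivery_lag(e, received_at) > max_lag_s]
```

Run against a real receiver, received_at would be stamped per message at ingestion; a persistent lag or a gap in audit events is the signal that the forwarding path needs attention.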
