CorreLog, my employer, has just started shipping the IND$defender feature for our SIEM Agent for z/OS. The Agent is described here https://correlog.com/solutions-and-services/sas-correlog-mainframe.html but there is AFAIK no information yet on the Web about this particular new feature. It transparently captures the user ID, direction of transfer, dataset and member name, the TSO user's logon time, the user's name and Group, the remote IP address if available, the LU name, and the duration of the transfer.
We can send this information either through our Agent real-time to the SIEM of your choice (ArcSight, QRadar, LogRhythm, Splunk, etc.) and/or write it as a user SMF record, which Dr. Merrill has graciously offered to support in MXG. IND$defender is currently offered only as an Agent feature but the SMF record output is technologically a stand-alone product and I am sure our sales team would be happy to talk about whatever licensing interested you.

BTW, we do this *without* violating IBM's system integrity guidelines. We do *not* run IND$FILE APF-authorized, as it was not designed by IBM to be run authorized.

Charles

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Carlos Cordero
Sent: Thursday, June 11, 2015 10:21 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: IND$FILE Resource Log & Monitoring

Colleagues,

Has somebody implemented a process to monitor/log IND$FILE command activity, focused on file transmission through 3270 emulators? Maybe with beta88 software? Or must it be a home-made ad-hoc customization outside of beta88 software?

What I am specifically searching for is to detect the file transfer activity executed from commands given on emulators.