CorreLog, Inc. announces IND$FILE auditing for SIEM, closing major security hole for mainframes from PC file transfers via ‘3270 Emulation’

Share Article

SIEM Agent for IBM z/OS with IND$defender™ audits IND$FILE file transfer activity on IBM z/OS that is undetectable by RACF, the security system that provides access control and auditing functionality for the z/OS operating system.

The increased visibility to user activity and improved compliance from this solution is significant, not just for our customers but for the industry as a whole.

CorreLog, the leader in multi-platform IT security event log management, today announced auditing support for IND$FILE, a z/OS file transfer program for Time Sharing Option (TSO) that provides users the capability to transfer mainframe datasets via a PC. The CorreLog product IND$defender™ closes a major security gap in mainframes left open from the inability to audit PC users who have permission to upload or download mainframe datasets. IND$defender™ provides a systematized approach for monitoring mainframe dataset activity through a 3270 Emulator program, a PC application that delivers a mainframe user interface on Windows/UNIX devices. With IND$defender™, compliance managers now have an audit trail and real-time SIEM notifications for IND$FILE, which does not natively create an SMF record from the mainframe operating system. SMF (System Management Facility) records are used by the mainframe access control and security program called RACF (CA ACF2 and CA Top Secret as well). Since no SMF record is generated from IND$FILE when a user uploads or downloads files/programs, RACF has no audit trail for compliance.

CorreLog’s IND$defender™ operates as a “wrapper” that transparently audits the usage of IND$FILE and writes an SMF record (unique to CorreLog and approved for use by IBM) that can be formatted for any SIEM system for every IND$FILE transfer. IND$defender™ then generates a real-time alert from the SMF record for the organization’s SIEM system. The product has a very small footprint that requires minimal system resources. The audit data that can be sent to the distributed SIEM system includes:

  • Invoking user ID, name and Group
  • Terminal name and IP address
  • Mainframe dataset name
  • Upload or download
  • Time of day and duration of transfer
  • Other IND$FILE parameters

“CorreLog SIEM Agent with IND$defender™ fills another gap by bringing 3270 Emulator user auditing into predominantly distributed SIEM systems in real time,” said George Faucher, CorreLog president and CEO. “The increased visibility to user activity and improved compliance from this solution is significant, not just for our customers but for the industry as a whole.”

CorreLog has worked with leading SIEM vendors to achieve certified integration status with HP ArcSight, IBM® QRadar Security®, RSA Security Analytics/EnVision, NetIQ, McAfee, and Solutionary. In addition to sending SMF data to the CorreLog SIEM Correlation Server or CorreLog Visualizer™, IND$defender™ can send data to any brand-name SIEM system including Splunk, LogRhythm®, Dell SecureWorks and others.

About CorreLog:

CorreLog, Inc. is the leading ISV for cross-platform IT security log management and event log correlation. Our solutions provide best-in-class, real-time event log collection across both distributed and mainframe systems. Event logs generated from CorreLog Agents are ready-formatted for the Windows-/UNIX-based CorreLog SIEM (Security Information & Event Management) Correlation Server or any SIEM correlation engine. The core products in the CorreLog solution suite are:

CorreLog SIEM Agent for IBM z/OS™
CorreLog Visualizer for IBM z/OS™
CorreLog DAM Agent for z/OS (Database Activity Monitor)
CorreLog SIEM Correlation Server™
CorreLog SIEM Agent for Windows, Linux, Linux on z, SAP

SIEM Agent for IBM z/OS resides in a mainframe LPAR, or multiple LPARs, and in real time, converts mainframe security events such as RACF, ACF2, Top Secret and DB2 accesses to distributed syslog format for enterprise SIEM systems. In addition to mainframe SIEM functions, SIEM Agent includes functionality for File Integrity Monitoring (FIM) and Data Loss Prevention (DLP). For enterprises that need extended mainframe visibility for users that don’t have access to their SIEM, CorreLog offers Visualizer for z/OS which delivers live mainframe security dashboards through any standard web browser.

The CorreLog SIEM Correlation Server delivers enterprise log management with a best-in-class event correlation engine. CorreLog SIEM Server operates across Windows, UNIX, and Linux platforms and helps identify anomalous behavior and security policy violations by collecting and correlating user activity logs and various system event data. Each of these CorreLog solutions has been designed to adhere to standards set forth by PCI DSS, HIPAA, IRS Pub. 1075, SOX, GLBA, FISMA, NERC and many other regulatory standards. For more information on CorreLog products, please visit

Copyright © 2015, CorreLog, Inc. All rights reserved.
All trademarks and registered trademarks used herein are the properties of their respective owners.

Share article on social media or email:

View article via:

Pdf Print

Contact Author

Tony Perri
CorreLog, Inc.
+1 (877) 267-7356 Ext: 422
Email >
Visit website