Space banner This space provides the same content as before, but the organization of the home page has changed. The content is now organized based on logical branches instead of legacy book titles. We hope that the new structure will help you quickly find the content that you need.

Configuring Splunk to receive Session Monitor for WebSphere MQ SIEM data

Enable Splunk to receive SIEM data from Session Monitor for WebSphere MQ as follows:

  1. In a text editor, open /opt/splunk/etc/local/default/props.conf from the environment where Splunk is installed.

  2. Locate splunk.cpy in the /Hiperstation directory on the mainframe, then insert the contents of splunk.cpy into the props.conf file opened in step 1.

    Important

    The content of the props.conf file is defined as sections. Ensure the Session Monitor information is inserted between sections and not in the middle of one.

  3. In Splunk, perform the following:
    1. Under Settings, choose Indexes, then click New.
    2. Specify mq-appaudit for the Index name. The default values should be acceptable, but—depending on the amount of data being collected—a larger value for Max size (MB) of entire index may be specified.
    3. Click Save.
  4. Restart Splunk.
  5. In Splunk, perform the following:
    1. Under Settings, choose Data Inputs and select Add new for TCP.
    2. Under Select Source, enter the port that was specified on the SIEM Tool Data Generation Parameters screen. See Configure-SIEM-Data-Delivery for more information.
    3. Under Input Settings, select Hiperstation > hiperstation_mq for Sourcetype and mq-appaudit for Index.

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*