CorreLog Agent for z/OS & DB2

The CorreLog Mainframe Agent (CMA Agent) expands the role of the CorreLog Server within your enterprise to include monitoring of SMF mainframe messages, empowering you with new important capabilities and visibility into your mainframe and enterprise security. Complete your SIEM strategy using this powerful and unique management component.


CorreLog Agent for IBM z/OS with dbDefender™ for DB2

CorreLog delivers the industry's only real-time SMF message converter, sending Syslog messages straight from your IBM z/OS mainframe into your SIEM.


For many large organizations, one or more IBM z/OS mainframes constitute a strategic capital investment for their most mission-critical applications and processes. The CorreLog Agent for z/OS with dbDefender enables these organizations to combine z/OS SMF events with SIEM Syslog data, giving IT security personnel a complete system-wide vantage point for cyber-threat and security breach alerts. With security information and event management (SIEM) software platforms existing predominantly in distributed environments, the CorreLog Agent for z/OS allows organizations to include mainframe event log data for a unified, multiplatform view of enterprise security event data in a single console.


The CorreLog z/OS Agent, in conjunction with any SIEM monitoring application that accepts Syslog messages, allows the user to view mainframe SMF security, database and TCP/IP events, along with security and other events from Windows, UNIX, Linux, routers, firewalls, and other IT assets. When included with other log and event data within the CorreLog Server, CorreLog's unique correlation engine and help-desk ticket auto notification functions alert IT security personnel of cyber-threats before they happen.


The CorreLog z/OS agent installs quickly, uses minimum resources, and does not require extensive training, ongoing maintenance or administration. CorreLog z/OS Agent is easily configured, allowing users to select from a myriad of parameters including TSO Logons, Production Job ABENDs, TCP/IP Connections, FTP File Transfers, and DB2 Accesses. Within these parameters, security systems admins may filter further by sub-categories and receive only the data relevant to security threats. This filtering capability streamlines data flow to SIEM system consoles without compromising network bandwidth.


The z/OS Agent also operates within the constraints of increasing compliance regulations such as PCI DSS, FISMA, HIPAA, NERC and Sarbanes-Oxley.


The following are some sample error messages from z/OS that are indicative of potential threats:


  • Sample RACF Violation as reported by z/OS Agent to your Syslog Console:

    MVSSYSB RACF: RESOURCE ACCESS: Insufficient Auth - UserID: TS053A - Group: RESTRICT - Auth: Normal check - Reas: AUDIT option - Job: TS053ATR - Res: SYS1.PROD.PROCLIBT - Req: READ - Allow: NONE - Vol: SYS001 - Type: DATASET - Prof: SYS1.PROD.PROCLIBT - Owner: DATASET - Name: ROBERT SMITH - POE: INTRDR

  • Sample FTP Client Data - One of your mainframe users accessing an outside host:

    MVSSYSB TCP/IP: Subtype: FTP client complete - Stack: TCPIP - AS: RX239JB - UserID: RX239JB - SubCmd: RETR - FileType: SEQ - RemtDataIP: ::ffff: - RemtID: rx239jb - DStype: Seq - Start: 11037 22:34:33.87 - Dur: 0.00 - Bytes: 6123 - LReply: 250 - Host: MVSSYSB - DSN: RX239JB.ACCOUNT.MASTER - Security: {Mech: None - CtlProt: None - DataProt: None - Login: Undefined}

  • Sample FTP Server Data - An outside user successfully copying a file from your mainframe:

    MVSSYSB TCP/IP: Subtype: FTP server complete - Stack: TCPIP - AS: FTPD1 - Op: Retrieve - FileType: SEQ - RemtDataIP: ::ffff: - UserID: RX239JB - DStype: HFS - Start: 11037 22:32:45.21 - Dur: 0.78 - Bytes: 56324 - LReply: 250 - SessID: FTPD100335 - DSN: /u/rx239jb/Source/Fields.C - Security: {Mech: None - CtlProt: None - DataProt: None - Login: Password}

  • Sample FTP Server Logon Failure - An unauthorized user attempting to access your mainframe:

    MVSSYSB TCP/IP: Subtype: FTP server logon fail - Stack: TCPIP - AS: FTPD1 - UserID: IBMUSER - RemtIP: ::ffff: - UserID: IBMUSER - Reas: Password invalid - SessID: FTPD100345 - Security: {Mech: None - CtlProt: None - DataProt: Undefined - Login: Password}

  • Sample DB2 Audit Data:

    MVSSYSA DB2: Subsys: D91B - AuthID: DV233B - CorrID: JDBC4DB2 - Plan: DISTSERV - OpID: DV233B - Loc: RS91D91B - NetID: GA0A0707 - LU: C68B - Conn: SERVER - SQL: {Insert: 1 - Prepare: 2 - Open: 1 - Create Table: 7 - Create Index: 9 - Create Tablespace: 7 - Fetch: 1}
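
The sample messages above share one layout: host, source, then `Key: value` pairs separated by ` - `, with grouped values in braces. The Python below is an added example, not CorreLog code: it parses that layout and applies three triage rules to shortened copies of the page's samples. The rule labels, and reading `Mech: None` as an unprotected FTP session, are assumptions.

```python
import re

# Shortened copies of the sample messages above (some fields dropped, values unchanged).
SAMPLES = [
    "MVSSYSB RACF: RESOURCE ACCESS: Insufficient Auth - UserID: TS053A - Req: READ - Allow: NONE",
    "MVSSYSB TCP/IP: Subtype: FTP client complete - UserID: RX239JB - Security: {Mech: None - CtlProt: None}",
    "MVSSYSB TCP/IP: Subtype: FTP server logon fail - UserID: IBMUSER - Security: {Mech: None - Login: Password}",
    "MVSSYSA DB2: Subsys: D91B - AuthID: DV233B - SQL: {Insert: 1 - Create Table: 7 - Fetch: 1}",
]

def parse_fields(text):
    """Turn 'Key: value - Key: value' into a dict; '{...}' values become nested dicts.
    The split ignores ' - ' separators inside a {...} group (one nesting level)."""
    fields = {}
    for part in re.split(r" - (?![^{}]*\})", text):
        key, sep, value = part.partition(": ")
        if not sep:
            continue  # not a key/value pair, skip it
        value = value.strip()
        if value.startswith("{") and value.endswith("}"):
            value = parse_fields(value[1:-1])
        fields[key.strip()] = value
    return fields

def parse_message(line):
    """Split 'HOST SOURCE: fields...' into host, source and a field dict."""
    m = re.match(r"(\S+) ([^:]+): (.*)", line)
    if not m:
        return None
    return {"host": m.group(1), "source": m.group(2), "fields": parse_fields(m.group(3))}

def findings(msg):
    """Hypothetical triage rules; the labels are assumptions, not CorreLog names."""
    f, out = msg["fields"], []
    if msg["source"] == "RACF" and f.get("RESOURCE ACCESS") == "Insufficient Auth":
        out.append("racf-access-denied")
    subtype = f.get("Subtype", "")
    if subtype == "FTP server logon fail":
        out.append("ftp-logon-failure")
    sec = f.get("Security")
    # Assumption: Mech 'None' on a completed transfer means no session protection.
    if subtype.endswith("complete") and isinstance(sec, dict) and sec.get("Mech") == "None":
        out.append("ftp-transfer-unprotected")
    return out

def triage(lines):
    """Return (host, user, findings) for every line that parses and raises a finding."""
    parsed = [m for m in map(parse_message, lines) if m]
    rows = [(m["host"], m["fields"].get("UserID"), findings(m)) for m in parsed]
    return [r for r in rows if r[2]]
```
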



  • Standards compliant. Creates RFC 3164-compliant Syslog messages that work with any standards-based SIEM or Syslog collection software
  • Collects events from mainframe security subsystems including RACF®
  • Extensive yet straightforward user customization. Decide which events and fields you want to see.
  • Works with CorreLog's unique correlation engine or any industry-standard Syslog console
  • Collects TSO logons and logoffs
  • Collects z/OS job and started task terminations including ABENDs
  • Collects audit events from DB2
  • Audits the use of FTP
  • Collects login, telnet and other events from TCP/IP
  • Uses only a few seconds of CPU time per day
  • Installs in less than half a day
  • Capacity of hundreds of thousands of Syslog messages per day
  • Compatible with CorreLog's powerful correlation engine
  • No impact on existing operations.



  • Investment protection. Compatible with all of your existing software. Freedom of choice: select CorreLog or any other Syslog console
  • Complements your existing mainframe security software
  • Get the data you need without unnecessary clutter
  • Flexibility and investment protection
  • Know who is accessing your system and when. Required for FISMA, PCI DSS, HIPAA, NERC and Sarbanes-Oxley compliance
  • Know what's working and what's not working in real time in your z/OS production
  • Know who accessed what data and when. Necessary for FISMA, PCI DSS, HIPAA, NERC and Sarbanes-Oxley compliance
  • FTP is considered by many to be the number one mainframe security exposure. Be alerted to suspicious FTP events in real time
  • In the event of an unauthorized access, pinpoint the exact source of the threat in real time
  • Thrifty use of mainframe resources. Does not contribute to escalating software costs
  • You are up & running and protected in no time
  • No matter what your data volume, CZAGENT will keep up
  • Correlate related security events from mainframe and Windows®, Linux and UNIX® sources
  • No training time, no down time.
