IBM · zeeIBM · Jan 22, 2025 · Feb 13, 2025 · Feb 18, 2025 · Feb 18, 2025
@@ -0,0 +1 @@
+gradle.properties
@@ -1,21 +1,21 @@
 filter {
-if [type] == "test"{
-ruby {
-code => 'event.set("message", event.to_json)'
-}
-#Check to allow only supported event types.
-	if "ConfigurationChange" not in [message] and "UserChange" not in [message] and "RoleChange" not in [message] and "ResourceChange" not in [message] and "XDBCStatement" not in [message] and "DynamicStatement" not in [message] and "LoginFailure" not in [message]
-	{
-	drop{}
+	if [type] == "test"{
+		ruby {
+		code => 'event.set("message", event.to_json)'
+		}
+		#Check to allow only supported event types.
+			if "ConfigurationChange" not in [message] and "UserChange" not in [message] and "RoleChange" not in [message] and "ResourceChange" not in [message] and "XDBCStatement" not in [message] and "DynamicStatement" not in [message] and "LoginFailure" not in [message]
+			{
+			drop{}
+			}
+		#Drop event by specific keyword or query in message.
+			if "SELECT UTCTimestamp AS mytimestamp" in [message] or "AuditChange" in [message] or "AuditReport" in [message] or "JDBCCatalog_" in [message] or "SELECT TABLE_SCHEMA AS TABLESCHEMA" in [message] or "SELECT json_arrayagg ( colname ) , json_arrayagg ( odbctype ) FROM %SQL_Util . statement_columns" in [message] or "Create section Map" in [message] or "Delete section Map" in [message] or "Clear switch" in [message] or "Set switch" in [message]
+			{
+			drop{}
+			}
+		if ("UserChange" in [event] or "RoleChange" in [event] or "ConfigurationChange" in [event]) and ![cspsessionid] {
+		drop{}
+		}
+		intersystems_iris_guardium_filter {}
 	}
-#Drop event by specific keyword or query in message.
-	if "SELECT UTCTimestamp AS mytimestamp" in [message] or "AuditChange" in [message] or "AuditReport" in [message] or "JDBCCatalog_" in [message] or "SELECT TABLE_SCHEMA AS TABLESCHEMA" in [message] or "SELECT json_arrayagg ( colname ) , json_arrayagg ( odbctype ) FROM %SQL_Util . statement_columns" in [message] or "Create section Map" in [message] or "Delete section Map" in [message] or "Clear switch" in [message] or "Set switch" in [message]
-	{
-	drop{}
-	}
-if ("UserChange" in [event] or "RoleChange" in [event] or "ConfigurationChange" in [event]) and ![cspsessionid] {
-drop{}
-}
-intersystems_iris_guardium_filter {}
-}
 }
@@ -1,11 +1,12 @@
 # logstash-filter-intersystems-iris-guardium
 
 ### Meet IntersystemsIRIS
-* Tested versions: 2023.1
+* Tested versions: IRIS for UNIX 2024.2 (Build 247U)
 * Environment: On-premise
 * Supported inputs: JDBC (pull)
 * Supported Guardium versions:
   * Guardium Data Protection: 11.4 and above
+  * Guardium Data Security Center: 3.7 and above
 
 This is a [Logstash](https://github.com/elastic/logstash) filter plug-in for the universal connector that is featured in IBM Security Guardium. It parses events and messages from the intersystems-iris audit log into a [Guardium record](https://github.com/IBM/universal-connectors/blob/main/common/src/main/java/com/ibm/guardium/universalconnector/commons/structures/Record.java) instance (which is a standard structure made out of several parts). The information is then sent over to Guardium. Guardium records include the accessor (the person who tried to access the data), the session, data, and exceptions. If there are no errors, the 
 data contains details about the query "construct". The construct details the main action (verb) and collections (objects) involved.
@@ -34,7 +35,7 @@ This plug-in was developed and tested against an Ubuntu instance on AWS EC2, but
 5. Select the below options in Download page
     - Choose a Product - InterSystems IRIS Community
     - Choose a Platform - Ubuntu
-    - Choose a Version - 2023.1 
+    - Choose a Version
 6. Select I agree to Accept the policy.
 7. Click on the Download InterSystems IRIS button to download.
 
@@ -164,17 +165,21 @@ Note: If we are not able to access the portal, Edit the inbound rules in EC2 ins
  5. User is expected to give Server Ip address according to the format of Client Ip address in the input configuration.
  6. We have seen the error(Communication link failure: Connection refused) using AWS EC2 instance Ip inside UC input configuration, a restart may be required for UC to bypass a connection refused issue.
 
-## 7. Configuring the intersystems-iris filter in Guardium
+## 7. Configuring the InterSystems-IRIS filter in Guardium
+
 The Guardium universal connector is the Guardium entry point for native audit logs. The Guardium universal connector identifies and parses the received events, and converts them to a standard Guardium format. The output of the Guardium universal connector is forwarded to the Guardium sniffer on the collector, for policy and auditing enforcements. Configure Guardium to read the native audit logs by customizing the intersystems-iris template.
 
 ### Before you begin
-1. Configure the policies you require. See [policies](https://github.com/IBM/universal-connectors/#policies) for more information.
-2. You must have permission for the S-Tap Management role. The admin user includes this role by default.
-3. Download the [guardium_logstash-offline-plugin-intersystemsiris.zip](IntersystemsIrisoverJDBC/guardium_logstash-offline-plugin-intersystemsiris.zip) plug-in.
-4. Download the plugin filter configuration file [intersystems_iris.conf](intersystems_iris.conf).
-5. Download the intersystems-jdbc-3.7.1.jar from [here](IntersystemsIrisoverJDBC/intersystems-jdbc-3.7.1.jar) ([External Link](https://github.com/intersystems-community/iris-driver-distribution/blob/main/JDBC/JDK18/intersystems-jdbc-3.7.1.jar)).
+* Configure the policies you require. See [policies](/docs/#policies) for more information.
+* You must have permission for the S-Tap Management role. The admin user includes this role by default
+* Download the relevant plugin based on the version of the Guardium.
 
-### Procedure
+    1. For Guardium Data Protection, Download [guardium_logstash-offline-plugin-intersystemsiris.zip](IntersystemsIrisoverJDBC/guardium_logstash-offline-plugin-intersystemsiris.zip) plug-in.
+    2. For Guardium Data Protection, Download the plugin filter configuration file [intersystems_iris.conf](intersystems_iris.conf).
+    3. Download the intersystems-jdbc-3.7.1.jar from [here](IntersystemsIrisoverJDBC/intersystems-jdbc-3.7.1.jar) ([External Link](https://github.com/intersystems-community/iris-driver-distribution/blob/main/JDBC/JDK18/intersystems-jdbc-3.7.1.jar)).
+    4. For Guardium Data Security Center, Download [gi-filter-intersystems-iris-package-1.0.zip](gi-filter-intersystems-iris-package-1.0.zip).
+
+### Procedure in Guardium Data Protection
 1. On the collector, go to Setup > Tools and Views > Configure Universal Connector.
 2. Enable the connector if it is already disabled, before proceeding uploading of the UC.
 3. Click Upload File and select the offline [guardium_logstash-offline-plugin-intersystemsiris.zip](IntersystemsIrisoverJDBC/guardium_logstash-offline-plugin-intersystemsiris.zip) plug-in. After it is uploaded, click OK.
@@ -186,6 +191,25 @@ The Guardium universal connector is the Guardium entry point for native audit lo
 9. The "type" field should match in the input and filter configuration section. This field should be unique for every individual connector added.
 10. Click Save. Guardium validates the new connector, and enables the universal connector if it was disabled. After it is validated, it appears in the Configure Universal Connector page.
 
+### Procedure in Guardium Data Security Center
+1. Navigate to **Connections** > **Add connection**.
+2. Search for **InterSystems IRIS** and click **Configure**
+3. Provide Name and Description, click **Next**.
+4. In the **Build pipeline**, **Choose input plugin** > **JDBC** > **Choose filter plugin** > **InterSystems IRIS** click **Next**.
+5. Enter the Additional information,
+
+   **Connection String:** Enter the JDBC connection string. For example: jdbc:IRIS://<InterSystems IRIS instance ip>:1972/%SYS
+   **JDBC User:** Enter the username that you want to connect to the database with access to the audit tables to be queried.
+   **Password:** Enter password for the JDBC user.
+
+   The statement setting determines which audit tables the SELECT query calls for the audit logs. In the Guardium UI, the Statement* is divided into three parts to enhance clarity and ease of use:
+
+   **SELECT:** For choosing columns
+   **FROM:** For specifying tables
+   **WHERE:** For adding filter conditions
+
+6. Click **Configure** and then click **Done**.
+
 ## 8. JDBC Load Balancing Configuration
 In Intersystems IRIS JDBC input plug-in, we distribute load between two machines based on Even and Odd "AuditIndex".
 

@@ -36,6 +36,10 @@ buildscript {
         classpath 'com.github.jengelman.gradle.plugins:shadow:4.0.4'
         classpath group: 'org.yaml', name: 'snakeyaml', version: '2.2'
     }
+
+    ext {
+        snakeYamlVersion = '2.2'
+    }
 }
 
 def universalConnectorsDir=project.projectDir.parentFile?.parentFile.toString();

@@ -0,0 +1,121 @@
+{
+  "plugin_name": "IntersystemsIrisFilterPlugin",
+  "help_link": "https://github.com/IBM/universal-connectors/blob/main/filter-plugin/logstash-filter-intersystems-iris-guardium/README.md",
+  "input_name": "JDBC_input",
+  "input_parameters": [
+    {
+      "jdbc_connection_string": {
+        "type": "text",
+        "label": "Connection string"
+      },
+      "jdbc_driver_class": {
+        "type": "text",
+        "default": "com.intersystems.jdbc.IRISDriver",
+        "hidden": true
+      },
+      "schedule": {
+        "type": "text",
+        "default": "*/1 * * * *",
+        "hidden": true
+      },
+      "use_column_value": {
+        "type": "boolean",
+        "default": true,
+        "hidden": true
+      },
+      "tracking_column": {
+        "type": "text",
+        "default": "mytimestamp",
+        "hidden": true
+      },
+      "tracking_column_type": {
+        "type": "text",
+        "default": "timestamp",
+        "hidden": true
+      },
+      "statement_select": {
+        "type": "text",
+        "default": "UTCTimestamp as mytimestamp,Event,Username,ClientIPAddress,StartupClientIPAddress,SystemID,CSPSessionID,AuditIndex,Namespace,Description,OSUsername,EventData",
+        "label": "SELECT"
+      },
+      "statement_from": {
+        "type": "text",
+        "default": "%SYS.Audit",
+        "label": "FROM"
+      },
+      "statement_where": {
+        "type": "text",
+        "default": "UTCTimestamp > :sql_last_value order by UTCTimestamp asc",
+        "label": "WHERE"
+      },
+      "plugin_timezone": {
+        "type": "text",
+        "default": "utc",
+        "hidden": true
+      },
+      "jdbc_driver_library": {
+        "type": "text",
+        "default": "${LOGSTASH_DIR}/logstash-core/lib/jars/IRIS-jdbc.jar",
+        "hidden": true
+      },
+      "server_name": {
+        "type": "text",
+        "default": "NA",
+        "hidden": true
+      },
+      "account_id": {
+        "type": "text",
+        "default": "NA",
+        "hidden": true
+      },
+      "jdbc_validate_connection": {
+        "type": "boolean",
+        "default": false,
+        "hidden": true
+      },
+      "type": {
+        "type": "text",
+        "default": "InterSystems IRIS",
+        "hidden": true
+      },
+	  "Server_ip": {
+		  "type": "text",
+		  "label" : "Server IP"
+	  },
+	  "enrollmentId": {
+        "type": "text",
+        "default": "NA",
+        "hidden": true
+      },
+	  "server_host_name": {
+        "type": "text",
+        "default": "NA",
+        "hidden": true
+      },
+	  "event_type": {
+        "type": "text",
+        "default": "NA",
+        "hidden": true
+      }
+	}
+  ],
+  "credentials": [
+    {
+      "jdbc_password": {
+        "type": "password",
+        "label": "Password"
+      }
+    }
+  ],
+  "filter_name": "IntersystemsIrisFilterPlugin",
+  "filter_parameters": [],
+  "auth_parameters": [
+    {
+      "guc_input_param_jdbc_user": {
+        "type": "text",
+        "label": "JDBC User"
+      }
+    }
+  ],
+  "supported_platforms": ["on-premise", "Cloud"]
+}
@@ -0,0 +1,21 @@
+filter {
+	if [type] == "InterSystems IRIS"{
+		ruby {
+			code => 'event.set("message", event.to_json)'
+		}
+		#Check to allow only supported event types.
+		if "ConfigurationChange" not in [message] and "UserChange" not in [message] and "RoleChange" not in [message] and "ResourceChange" not in [message] and "XDBCStatement" not in [message] and "DynamicStatement" not in [message] and "LoginFailure" not in [message]
+		{
+			drop{}
+		}
+		#Drop event by specific keyword or query in message.
+		if "SELECT UTCTimestamp AS mytimestamp" in [message] or "AuditChange" in [message] or "AuditReport" in [message] or "JDBCCatalog_" in [message] or "SELECT TABLE_SCHEMA AS TABLESCHEMA" in [message] or "SELECT json_arrayagg ( colname ) , json_arrayagg ( odbctype ) FROM %SQL_Util . statement_columns" in [message] or "Create section Map" in [message] or "Delete section Map" in [message] or "Clear switch" in [message] or "Set switch" in [message]
+		{
+			drop{}
+		}
+		if ("UserChange" in [event] or "RoleChange" in [event] or "ConfigurationChange" in [event]) and ![cspsessionid] {
+			drop{}
+		}
+		intersystems_iris_guardium_filter {}
+	}
+}
@@ -0,0 +1,15 @@
+{
+  "name": "IntersystemsIrisFilterPlugin",
+  "alias": "InterSystems IRIS",
+  "type": "filter",
+  "pipeline_type":"pull",
+  "plugin_version": "1.0.0",
+  "datasourceTypes": [{"type":"InterSystems IRIS","supportedVersions": [""]}],
+  "supported_input_plugins": ["JDBC_input"],
+  "developer": "IBM",
+  "license": "Apache2.0",
+  "description": "Parses events and messages from the InterSystems IRIS audit log into Guardium.",
+  "configuration_notes": "",
+  "documentation_path": "https://github.com/IBM/universal-connectors/blob/main/filter-plugin/logstash-filter-intersystems-iris-guardium/README.md",
+  "third_parties" : ["IRIS-jdbc.jar"]
+}