Change Event Description panel

The Change Event Description panel allows you to modify the properties of an existing Event Description.

How to Get There

Enter 2=Change for an entry in the Work with Event Descriptions panel.

Field Descriptions

Event Source

An Event Source is a location from which IBM i events are extracted. Currently, journals and message queues are supported as Event Sources. Common event sources are QAUDJRN (journal) and QSYSOPR (message queue). You may define your own journals and message queues as Event Sources.

Name

The name you use to refer to this Event Description within Powertech SIEM Agent. For events that originate in a journal, this name must consist of the Journal Code and Entry Type of the journal entry. For message queue events, this name must be a message ID.

Description

A short description you assign to the Event Description.

Active

Indicates whether the Event Description is available for processing. When an Event Description is not active, the event it identifies will not be processed.

Event Class ID

Event Class ID is simply placed into the syslog output event when using the Legacy Interact 3 Syslog format. Interact 3 formatted this data as a message ID, but you are free to specify whatever data is meaningful to you.

Specify *NAME to display the Event Description's Name in the output. For journals, this is the Journal Code and Entry Type (for example, TCD). For message queues, *NAME displays the Message ID (for example, CPF0907).

You can specify a single asterisk (*) to inherit the value from the parent Event Description at run time.

Severity

Indicates the severity of the event. This severity is used in the output syslog packet.

0=Emergency
System is unusable; a panic condition.

1=Alert
Action must be taken immediately; a condition that should be corrected immediately, such as a corrupted system database.

2=Critical
Critical conditions; hard device errors.

3=Error
Error conditions.

4=Warning
Warning conditions.

5=Notice
Normal but significant conditions; conditions that are not error conditions, but that may require special handling.

6=Informational
Informational messages.

7=Debug
Debug-level messages; messages that contain information normally of use only when debugging a program.

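The Event Class ID rules (*NAME and the inheriting *) and the Severity table above, worked through as an added example; this is illustration code, not Powertech SIEM Agent's own, and the parent link, the facility value and the behaviour of an inherited *NAME are assumptions made for the example.

```python
# Added illustration (not Powertech SIEM Agent code): resolving the Event Class ID
# special values (*NAME, *) and the Severity field of this panel into the values
# that would appear in a syslog packet.
from dataclasses import dataclass
from typing import Optional

# Severity levels exactly as listed on the panel (standard syslog numeric levels).
SEVERITY_NAMES = {
    0: "Emergency", 1: "Alert", 2: "Critical", 3: "Error",
    4: "Warning", 5: "Notice", 6: "Informational", 7: "Debug",
}


@dataclass
class EventDescription:
    name: str                      # "TCD" for a journal entry, "CPF0907" for a message ID
    event_class_id: str            # literal text, "*NAME", or "*" (inherit from parent)
    severity: int                  # 0-7, as on the panel
    parent: Optional["EventDescription"] = None   # assumed link used by "*"


def resolve_event_class_id(desc: EventDescription) -> str:
    """'*' walks up to the parent; '*NAME' yields the Name; anything else is literal."""
    current = desc
    while current.event_class_id == "*":
        if current.parent is None:
            raise ValueError(f"{desc.name}: '*' but no parent Event Description to inherit from")
        current = current.parent
    if current.event_class_id == "*NAME":
        # Assumption: an inherited *NAME still displays this event's own Name.
        return desc.name
    return current.event_class_id


def severity_keyword(severity: int) -> str:
    """Map the panel's numeric Severity to its keyword; reject values outside 0-7."""
    if severity not in SEVERITY_NAMES:
        raise ValueError(f"severity {severity} is not in 0-7")
    return SEVERITY_NAMES[severity]


def syslog_pri(facility: int, severity: int) -> int:
    """Syslog PRI = facility * 8 + severity; the facility is not on the panel (assumed input)."""
    if not 0 <= facility <= 23:
        raise ValueError(f"facility {facility} is not in 0-23")
    severity_keyword(severity)      # validates the severity range
    return facility * 8 + severity
```
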
Class

Class is simply placed into the syslog output event when using the Legacy Interact 3 formats. Typical values implemented by Interact 3 include:

AUD - Audit event
POL - Policy event
VULN - Vulnerability event
FW - Firewall event
IDS - Intrusion detected event
SYS - System event
STG - Storage event

Extension

At the Event Description level, the Extension field defines the default Extensions. Additional Extensions can be added for individual Subtypes and Rules defined within the Event Description, for example through the Add Extension field of the respective Create Event Subtype panel and Create Rule panel.

Event Text

At the Event Description level, this field defines the default Event Text for the Event Description. If you leave this field blank, most Events will have blank Event Text. The Event Text for Subtypes and Rules defined within this Event Description can be overridden using the Override Event Text field of, for example, the respective Create Event Subtype panel and Create Rule panel.

Command Keys

F3=Exit

Exit the program.

F4=Prompt

Displays a list of items from which one or more may be selected.

F5=Refresh

Discards changes and remains on this panel.

F12=Cancel

Discards changes and returns to the prior panel.