Create Event Source panel

The Create Event Source panel allows you to provide the properties for a new Event Source.

For information on defining Event Sources, see Configuring Event Sources.

How to Get There

Press F6 (Create) on the Work with Event Sources panel.

Field Descriptions

Name

The name you use to refer to this Event Source within Powertech SIEM Agent. It does not need to match the name of any object on the system; it is a name you invent for your reference.

This name is required to be a valid OS name.

Description

A short description you assign to the Event Source.

Type

The type of object from which IBM i events will be extracted. Journals and message queues are supported as Event Sources. Common event sources are QAUDJRN (journal) and QSYSOPR (message queue).

*AUDIT
Defines the IBM Security Audit Journal, QAUDJRN, to be monitored. This type includes some canned definitions of the journal codes and entry types for the security-related journal entries.
*SYSMSG
Defines the IBM System Messages in QSYSOPR or QSYSMSG to be monitored. This type includes some canned definitions of some interesting system management messages.
*EPM
Defines the Powertech Exit Point Manager Journal to be monitored. This type includes canned definitions of the journal codes and entry types for Exit Point Manager entries.
*AB
Defines the Powertech Authority Broker Journal to be monitored. This type includes canned definitions of the journal codes and entry types for Authority Broker.
*CMDSEC
Defines the Powertech Command Security Journal to be monitored. This type includes canned definitions of the journal codes and entry types for Command Security.
*MSGQ
Defines a user-defined message queue to be monitored. You define the messages you would like monitored.
*JRN
Defines a user-defined journal to be monitored. You define the journal codes and entry types you would like monitored.

Facility

Indicates the syslog "facility", as defined by the syslog protocol (RFC 5424, section 6.2.1). The facility is combined with the event severity into the PRI value (facility * 8 + severity) that begins each syslog output event. Because collectors commonly route and filter on the facility, choose the value your SIEM expects for this source. The allowed values are:

Value   Meaning
0       Kernel messages
1       User-level messages
2       Mail system
3       System daemons
4       Security/authentication messages
5       Messages generated internally by syslogd
6       Line printer subsystem
7       Network news subsystem
8       UUCP subsystem
9       Clock daemon
10      Security/authentication messages (private; "authpriv" on BSD/Linux)
11      FTP daemon
12      NTP subsystem
13      Log audit
14      Log alert
15      Scheduling daemon (cron)
16-23   Locally used facilities (16 = local0 through 23 = local7)
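The following is an added example, not part of the Powertech SIEM Agent documentation or product code. It shows what the Facility value does in the output: it is packed with the severity into the PRI field that leads every syslog event, and a collector recovers both by dividing by 8. The encoder, decoder and the check that flags events whose facility does not match what was configured are all assumptions for illustration; the RFC 5424 message layout, the host name IBMI01 and the application name PTSIEMAGT are constructed and not taken from this page.

```python
import re

# Facility numbers from RFC 5424 section 6.2.1 (the table on this panel).
FACILITIES = {
    0: "kernel", 1: "user-level", 2: "mail", 3: "daemon", 4: "security/auth",
    5: "syslogd internal", 6: "line printer", 7: "network news", 8: "uucp",
    9: "clock", 10: "security/auth (private)", 11: "ftp", 12: "ntp",
    13: "log audit", 14: "log alert", 15: "scheduling daemon",
    **{16 + n: f"local{n}" for n in range(8)},   # 16 = local0 ... 23 = local7
}
SEVERITIES = {0: "emergency", 1: "alert", 2: "critical", 3: "error",
              4: "warning", 5: "notice", 6: "informational", 7: "debug"}


def pri(facility: int, severity: int) -> int:
    """Compute the PRI value written as <PRI> at the front of a syslog event."""
    if facility not in FACILITIES:
        raise ValueError(f"facility {facility} is outside 0-23")
    if severity not in SEVERITIES:
        raise ValueError(f"severity {severity} is outside 0-7")
    return facility * 8 + severity


# RFC 5424 forbids leading zeros in PRI, so "<0>" is legal but "<07>" is not.
_PRI_RE = re.compile(r"^<(0|[1-9]\d{0,2})>")


def decode_pri(line: str) -> dict:
    """Recover facility and severity from a received syslog line."""
    m = _PRI_RE.match(line)
    if m is None:
        raise ValueError("line has no <PRI> header")
    value = int(m.group(1))
    if value > 191:                      # 23 * 8 + 7 is the largest legal PRI
        raise ValueError(f"PRI {value} exceeds 191")
    facility, severity = divmod(value, 8)
    return {"pri": value,
            "facility": facility, "facility_name": FACILITIES[facility],
            "severity": severity, "severity_name": SEVERITIES[severity]}


def format_event(facility: int, severity: int, host: str, app: str, msg: str) -> str:
    """Build an RFC 5424 line; the timestamp and IDs are left as '-' (NILVALUE).
    The layout is an assumption: this page does not describe the agent's exact output."""
    return f"<{pri(facility, severity)}>1 - {host} {app} - - - {msg}"


def facility_mismatches(lines, expected_facility: int) -> list:
    """Return received lines whose facility differs from the one set on this panel."""
    return [ln for ln in lines if decode_pri(ln)["facility"] != expected_facility]


# Constructed sample lines, as a collector might receive them (not real agent output).
SAMPLE_LINES = [
    format_event(13, 5, "IBMI01", "PTSIEMAGT", "QAUDJRN AF entry (constructed sample)"),
    "<38>1 - IBMI01 PTSIEMAGT - - - QSYSOPR message (constructed sample)",
    "<134>1 - IBMI01 PTSIEMAGT - - - user journal entry (constructed sample)",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(decode_pri(line))
    # An Event Source configured with Facility 13 should not produce the last two lines.
    print("not facility 13:", facility_mismatches(SAMPLE_LINES, 13))
```

Run against a capture from the collector to confirm the facility that arrives is the one set on this panel; a mismatch usually means an intermediate relay rewrote the PRI or the Event Source was saved with a different value than intended.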

Active

Indicates whether the Event Source is available for processing. When an Event Source is not active, it will not be monitored.

Object

The name of the object from which IBM i events will be extracted.

This name is required to be a valid OS name.

Library

The library in which the Event Source object is located.

This name is required to be a valid OS name.

ASP Group

The name of the ASP Group in which the library containing the object resides.

This name is required to be a valid OS name.

Default Output

Indicates whether a set of Outputs is attached to this Event Source as its Default Outputs.

The Default Outputs are the Output(s) to which syslog events for this Event Source are sent when a Rule specifies *SOURCE as its target Output.

Command Keys

F3=Exit

Exit the program.

F5=Refresh

Discards changes and remains on this panel.

F12=Cancel

Discards changes and returns to the prior panel.