Create Event Subtype panel

The Change Event Subtype panel allows you to modify the properties of an existing Event Subtype.

How to Get There

Press F6 in the Work with Event Subtypes panel.

Field Descriptions

Event Source

An Event Source is a location from which IBM i events are extracted. Currently, journals and message queues are supported as Event Sources. Common event sources are QAUDJRN (journal) and QSYSOPR (message queue). You may define your own journals and message queues as Event Sources.

Name

An Event Description is a specification that defines how to identify the IBM i events in which you are interested.

Event Field

Event Field names the definition of the field whose content determines the Event Subtype at the time an event is intercepted.

An Event Field is a specification that defines how to interpret different sections of the IBM i event's data.

Name

The name you use to refer to this Event Subtype within Powertech SIEM Agent. The name must exactly match the data that the "subtype field" contains in the actual event data at execution time.

Description

A short description you assign to the Event Subtype.

Active

Indicates whether the Event Subtype is available for processing. When an Event Subtype is not active, the event it identifies will not be processed.

Event Class ID

Event Class ID is simply placed into the syslog output event when using the Legacy Interact 3 Syslog format. Interact 3 formatted this data as a message ID, but you are free to specify whatever data is meaningful to you.

Specify *NAME to display the Event Description's Name followed by the Subtype, separated by a colon. For example, TCD:A.

You can specify a single asterisk (*) to inherit the value from the parent Event Description at run time.

Severity

Indicates the severity of the event. This severity is used in the output syslog packet.

0=Emergency
System is unusable; a panic condition.

1=Alert
Action must be taken immediately; a condition that should be corrected immediately, such as a corrupted system database.

2=Critical
Critical conditions; hard device errors.

3=Error
Error conditions.

4=Warning
Warning conditions.

5=Notice
Normal but significant conditions; conditions that are not error conditions, but that may require special handling.

6=Informational
Informational messages.

7=Debug
Debug-level messages; messages that contain information normally of use only when debugging a program.

Class

Class is simply placed into the syslog output event when using the Legacy Interact 3 formats. Typical values implemented by Interact 3 include:

AUD - Audit event
POL - Policy event
VULN - Vulnerability event
FW - Firewall event
IDS - Intrusion detected event
SYS - System event
STG - Storage event

Add Extension

This field indicates whether additional Extensions should be attached beyond those specified for the Event Description (see Change Event Description panel).

An extension is simply a user-specified "name=value" string appended to a syslog event.
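The following is an added example, not code from Powertech SIEM Agent, showing how the fields on this panel (subtype name matching, Active, Event Class ID with its *NAME and * rules, Severity, Class, and Add Extension) combine into one syslog output event. Everything about the data layout is assumed: an Event Field is modelled as a fixed offset/length slice of the event record, the output line layout is a generic syslog-style format rather than the Legacy Interact 3 format, the PRI value uses the standard syslog formula facility * 8 + severity with facility 13 (log audit) as an assumed default, and the event record and definitions are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class EventField:
    """Hypothetical model of an Event Field: a fixed slice of the raw record."""
    name: str
    offset: int
    length: int

    def extract(self, record: str) -> str:
        return record[self.offset:self.offset + self.length].strip()


@dataclass
class EventDescription:
    name: str
    event_source: str
    subtype_field: EventField
    class_id: str                       # inherited when a subtype specifies "*"
    extensions: dict = field(default_factory=dict)


@dataclass
class EventSubtype:
    name: str                           # must equal the subtype field content exactly
    description: str
    active: bool
    class_id: str                       # literal value, "*NAME", or "*"
    severity: int                       # 0..7 as listed on the panel
    event_class: str                    # AUD, POL, VULN, FW, IDS, SYS, STG
    add_extension: bool = False
    extensions: dict = field(default_factory=dict)


SEVERITY_NAMES = ["Emergency", "Alert", "Critical", "Error",
                  "Warning", "Notice", "Informational", "Debug"]


def resolve_class_id(desc: EventDescription, sub: EventSubtype) -> str:
    """Apply the *NAME and * rules of the Event Class ID field."""
    if sub.class_id == "*NAME":
        return f"{desc.name}:{sub.name}"          # e.g. TCD:A
    if sub.class_id == "*":
        return desc.class_id                      # inherit from the parent at run time
    return sub.class_id


def syslog_pri(severity: int, facility: int = 13) -> int:
    """Standard syslog PRI = facility * 8 + severity (facility 13 is an assumed default)."""
    if not 0 <= severity <= 7:
        raise ValueError(f"severity must be 0..7, got {severity}")
    return facility * 8 + severity


def select_subtype(desc, subtypes, record) -> Optional[EventSubtype]:
    """Exact match of the subtype field content against subtype names; inactive -> None."""
    value = desc.subtype_field.extract(record)
    for sub in subtypes:
        if sub.name == value:
            return sub if sub.active else None   # inactive subtypes are not processed
    return None


def format_event(desc, sub, record, host="IBMIHOST") -> str:
    """Assemble one syslog-style line (generic layout, not the Interact 3 format)."""
    ext = dict(desc.extensions)                   # Event Description extensions first
    if sub.add_extension:
        ext.update(sub.extensions)                # then the subtype's own extensions
    parts = [
        f"<{syslog_pri(sub.severity)}>{host}",
        desc.event_source,
        resolve_class_id(desc, sub),
        sub.event_class,
        SEVERITY_NAMES[sub.severity],
        record,
    ] + [f"{k}={v}" for k, v in ext.items()]      # "name=value" strings appended
    return " ".join(parts)


# Constructed definitions and a constructed event record (not real QAUDJRN data).
SUBTYPE_FIELD = EventField("ENTTYPE", offset=0, length=1)
DESC = EventDescription("TCD", "QAUDJRN", SUBTYPE_FIELD, "TCD-DEFAULT",
                        extensions={"agent": "siem"})
SUBTYPES = [
    EventSubtype("A", "Command call", True, "*NAME", 5, "AUD", True,
                 extensions={"cmdtype": "CALL"}),
    EventSubtype("D", "Inherits class ID", True, "*", 6, "SYS"),
    EventSubtype("X", "Disabled subtype", False, "*NAME", 3, "SYS"),
]
RECORD_A = "A|QUSER|CALL PGM(QSYS/QCMD)"


def demo() -> str:
    """Select the subtype for the sample record and format the output event."""
    sub = select_subtype(DESC, SUBTYPES, RECORD_A)
    return format_event(DESC, sub, RECORD_A)


if __name__ == "__main__":
    print(demo())
```

Running the script prints one line whose PRI is <109> (facility 13, severity 5=Notice), whose class ID is TCD:A from the *NAME rule, and which ends with the two appended extensions. Subtype D demonstrates the single-asterisk rule by picking up the parent's class ID, and subtype X shows that an inactive subtype yields no event even though its name matches.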

Override Event Text

Allows access to the Event Text override for the Event Subtype. Event Text dictates how to format the event data into a human-readable format. Fields defined for the Event Description can be used to provide data for the text at run time. If this field is left undefined, the default Event Text (from the Event Description) will be shown. See Change Event Description panel.

Command Keys

F3=Exit

Exit the program.

F5=Refresh

Discards changes and remains on this panel.

F12=Cancel

Discards changes and returns to the prior panel.

F13=Extensions

Work with any Extensions that may be attached. This option appears after you type data and press Enter.

F14=Event Text

Work with the Event Text that may be attached. This option appears after you type data and press Enter.