Create Format panel
The Create Format panel allows you to create a Format.
See also Configuring Formats.
How to Get There
Press F6 on the Work with Formats panel.
Field Descriptions
Name
The name you use to refer to this Format within Powertech SIEM Agent.
The name must be a valid OS name.
Description
A short description you assign to the Format.
Message Style
Message style determines the order and format of the event data in the message section of the output syslog event. Some styles mimic the Powertech Interact 3 output formats; others follow an open format such as LEEF or JSON. The following styles are provided:
*CEF
This legacy style mimics the output produced by Powertech Interact 3 when using Host role *CEF. EXAMPLE:
Mar 15 14:47:02 DWSIEM73 CEF:0|Powertech|SIEM Agent|4.4|TOW0001|Changes to object ownership|6|src=10.60.33.177 dst=10.60.135.40 cat=AuditJournal cs1Label=eventType cs1=JRN cs2Label=eventClass cs2=AUD cnt=1 fname=QUSRSYS/PSATSTUSR fileType=*MSGQ suser=PSATSTUSR dproc=537013/QSECOFR/QPADEV0002 cs3Label=programName cs3=PSATESTPAS duser=QSECOFR cs6Label=Sequence cs6=1579233 msg=The message queue QUSRSYS/PSATSTUSR ownership was changed from user profile QSECOFR to user profile PSATSTUSR.
*MODERN
This style constructs the message section of the output syslog event entirely from the Extensions you provide for Event Descriptions, Event Subtypes and Rules. EXAMPLE:
1 2021-03-15T14:59:06.100-6:00 DWSIEM73.HELPSYSTEMS.COM - - TOW0001 src=10.60.33.177 dst=10.60.135.40 reason=Changes to object ownership msg=The message queue QUSRSYS/PSATSTUSR ownership was changed from user profile QSECOFR to user profile PSATSTUSR.
*LEEF
The LEEF (Log Event Extended Format) style conforms to the LEEF 2.0 header format for IBM QRadar. SIEM Agent adds IBM i-specific name=value pairs, which provide additional value for messages related to IBM i events. EXAMPLE:
LEEF:2.0|HelpSystems|SIEM Agent|4.4|TOW0001| |cat=AUDIT devTime=2021-03-15T14:32:18.987-6:00 devTimeFormat=yyyy-MM-dd hh:mm:ss.SSS Z sev=4 src=10.60.33.177 dst=10.60.135.40 usrName=QSECOFR jobNumber=537013 jobUser=QSECOFR jobName=QPADEV0002 resource=DWSIEM73 domain=DWSIEM73.HELPSYSTEMS.COM pgmName=PSATESTPAS pgmLib=PSATEST journalReceiverLib=QSYS journalReceiverName=AUDRCV0057 journalID=AUDRCV0057 journalSeqNumber=1576885 reason=Changes to object ownership msg=The message queue QUSRSYS/PSATSTUSR ownership was changed from user profile QSECOFR to user profile PSATSTUSR.
*JSON
This style emits the event as a JSON (JavaScript Object Notation) object, an open standard data format. EXAMPLE:
{"FullyQualifiedJob":{"JobName":"QPADEV0002","JobNumber":"537013","JobUser":"QSECOFR"},"CurrentUser":"QSECOFR","EventID":"TOW0001","EventText":"User profile &CPONAM& was created."}
*SYSLOG
This legacy style mimics the output produced by Powertech Interact 3 when using Host role *SYSLOG. EXAMPLE:
1 2021-03-15T14:53:10.175-6:00 DWSIEM73.HELPSYSTEMS.COM - - Changes to object ownership src=10.60.135.40 dst=10.60.33.177 msg=TYPE:JRN CLS:AUD JJOB:QPADEV0002 JUSER:QSECOFR JNBR:537013 PGM:PSATESTPAS DETAIL:A PSATSTUSR QUSRSYS *MSGQ QSECOFR PSATSTUSR 0 0 * * MSG: The message queue QUSRSYS/PSATSTUSR ownership was changed from user profile QSECOFR to user profile PSATSTUSR.
Header specification
The specification compliance level of the syslog header.
For more details, see Syslog Header Specifications.
Header specification: RFC3164 (Legacy)
<38>Mar 15 15:28:06 DWSIEM73 TOW0001 src=10.60.33.177 dst=10.60.135.40 reason=Changes to object ownership msg=The message queue QUSRSYS/PSATSTUSR ownership was changed from user profile QSECOFR to user profile PSATSTUSR.
Header specification: RFC5424 (Modern)
<38>1 2021-03-15T15:28:06-6:00 DWSIEM73.HELPSYSTEMS.COM - - TOW0001 src=10.60.33.177 dst=10.60.135.40 reason=Changes to object ownership msg=The message queue QUSRSYS/PSATSTUSR ownership was changed from user profile QSECOFR to user profile PSATSTUSR.
User Header Format Compatibility
When set to Y, the User Header Format Compatibility flag outputs the header in the format used by SIEM Agent and Interact before SIEM Agent version 4.2. Use Y when the receiving syslog configuration depends on the legacy format; a setting of N gives a more faithful representation of the syslog standard. In the examples below, Y places a CEF-style header inside the RFC 5424 message section, whereas N places the event text there.
User Header Format Compatibility: N
<38>1 2021-03-15T14:32:18.987-6:00 DWSIEM73.HELPSYSTEMS.COM - - The message queue QUSRSYS/PSATSTUSR ownership was changed from user profile QSECOFR to user profile PSATSTUSR. src=10.60.135.40 dst=10.60.33.177 msg=TYPE:JRN CLS:AUD JJOB:QPADEV0002 JUSER:QSECOFR JNBR:537013 PGM:PSATESTPAS DETAIL:A PSATSTUSR QUSRSYS *MSGQ QSECOFR PSATSTUSR 0 0 * *
User Header Format Compatibility: Y
<38>1 2021-03-15T14:32:18.987-6:00 DWSIEM73.HELPSYSTEMS.COM - - CEF:0|Powertech|SIEM Agent|4.4|TOW0001|The message queue QUSRSYS/PSATSTUSR ownership was changed from user profile QSECOFR to user profile PSATSTUSR.|6| src=10.60.135.40 dst=10.60.33.177 msg=TYPE:JRN CLS:AUD JJOB:QPADEV0002 JUSER:QSECOFR JNBR:537013 PGM:PSATESTPAS DETAIL:A PSATSTUSR QUSRSYS *MSGQ QSECOFR PSATSTUSR 0 0 * *
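The message styles and header specifications above all have to be consumed by whatever sits at the other end of the syslog feed. The following added example (not SIEM Agent code) parses the page's own sample lines into one normalized record: it decodes the optional PRI into facility and severity, recognizes both the RFC 3164 and RFC 5424 headers (consuming the samples' "- -" nil fields leniently), splits CEF and LEEF 2.0 headers on unescaped pipes, and scans key=value bodies in a way that honours the CEF escapes for "|" and "=". The sample lines are copied from this page; the parsing rules, the Event record and the event_id helper are this example's own.

```python
"""Parse the syslog lines SIEM Agent emits in the styles shown above.
Added example, not SIEM Agent code: the sample lines are copied from this page, the
parsing rules are this example's own (from the samples, RFC 3164/5424, CEF, LEEF 2.0).
"""
import json
import re
from dataclasses import dataclass, field
from typing import Optional

_PRI = r"(?:<(?P<pri>\d{1,3})>)?"   # optional: the *CEF sample on this page has no PRI
# RFC 5424: VERSION TIMESTAMP HOSTNAME then APP-NAME PROCID MSGID SD. The samples write
# two nil ("-") fields and then the message, so leading "-" tokens are dropped leniently.
_RFC5424 = re.compile(_PRI + r"1 (?P<ts>\S+) (?P<host>\S+) (?P<rest>.*)$", re.S)
# RFC 3164: "Mmm dd hh:mm:ss HOSTNAME MSG"; the day may be space padded.
_RFC3164 = re.compile(
    _PRI + r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$", re.S)
# A key=value boundary: a key at the start of the text or after whitespace. The character
# before "=" must belong to the key, so an escaped "\=" inside a CEF or LEEF value does
# not open a new pair; an unescaped "=" in free text would, which is why CEF escapes it.
_KEY = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.]+)=")


@dataclass
class Event:
    spec: str                   # "RFC5424", "RFC3164" or "NONE"
    facility: Optional[int]     # from <PRI>: pri >> 3
    severity: Optional[int]     # from <PRI>: pri & 7
    timestamp: Optional[str]
    host: Optional[str]
    style: str = ""             # "CEF", "LEEF", "JSON" or "KV" (*MODERN and *SYSLOG)
    prefix: str = ""            # text before the first key=value pair
    header: list = field(default_factory=list)   # CEF/LEEF pipe-separated fields
    fields: dict = field(default_factory=dict)


def parse_kv(text):
    """Split 'prefix k1=v1 k2=v2 ...' where values may contain spaces."""
    keys = list(_KEY.finditer(text))
    if not keys:
        return text.strip(), {}
    fields = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(text)
        value = text[m.end():end].strip()
        fields[m.group(1)] = value.replace("\\=", "=").replace("\\\\", "\\")
    return text[:keys[0].start()].strip(), fields


def _split_pipes(text, maxsplit):
    """Split on unescaped '|' and drop the CEF/LEEF backslash escapes."""
    parts = re.split(r"(?<!\\)\|", text, maxsplit=maxsplit)
    return [p.replace("\\|", "|").replace("\\\\", "\\") for p in parts]


def parse_line(line):
    line = line.rstrip("\r\n")
    m = _RFC5424.match(line) or _RFC3164.match(line)
    if m:
        pri = m.group("pri")
        ev = Event("RFC5424" if m.re is _RFC5424 else "RFC3164",
                   int(pri) >> 3 if pri else None, int(pri) & 7 if pri else None,
                   m.group("ts"), m.group("host"))
        rest = m.group("rest")
        while ev.spec == "RFC5424" and rest.startswith("- "):
            rest = rest[2:]
    else:
        ev, rest = Event("NONE", None, None, None, None), line
    if rest.startswith("{"):
        ev.style, ev.fields = "JSON", json.loads(rest)
    elif rest.startswith("CEF:"):    # CEF:0|Vendor|Product|Version|SigID|Name|Severity|ext
        parts = _split_pipes(rest, 7)
        ev.style, ev.header = "CEF", parts[:7]
        ev.prefix, ev.fields = parse_kv(parts[7] if len(parts) > 7 else "")
    elif rest.startswith("LEEF:"):   # LEEF:2.0|Vendor|Product|Version|EventID|Delim|ext
        n = 6 if rest.startswith("LEEF:2.0") else 5   # LEEF 1.0 has no delimiter field
        parts = _split_pipes(rest, n)
        ev.style, ev.header = "LEEF", parts[:n]
        ev.prefix, ev.fields = parse_kv(parts[n] if len(parts) > n else "")
    else:
        ev.style = "KV"
        ev.prefix, ev.fields = parse_kv(rest)
    return ev


def event_id(ev):
    """The SIEM Agent event ID (e.g. TOW0001) from whichever style carried it."""
    if ev.style in ("CEF", "LEEF"):
        return ev.header[4] if len(ev.header) > 4 else None
    if ev.style == "JSON":
        return ev.fields.get("EventID")
    return ev.prefix if re.fullmatch(r"[A-Z]{3}\d{4}", ev.prefix) else None


SAMPLES = {  # copied verbatim from this page
    "modern": "<38>1 2021-03-15T15:28:06-6:00 DWSIEM73.HELPSYSTEMS.COM - - TOW0001 src=10.60.33.177 dst=10.60.135.40 reason=Changes to object ownership msg=The message queue QUSRSYS/PSATSTUSR ownership was changed from user profile QSECOFR to user profile PSATSTUSR.",
    "cef": "Mar 15 14:47:02 DWSIEM73 CEF:0|Powertech|SIEM Agent|4.4|TOW0001|Changes to object ownership|6|src=10.60.33.177 dst=10.60.135.40 cat=AuditJournal cs1Label=eventType cs1=JRN cs2Label=eventClass cs2=AUD cnt=1 fname=QUSRSYS/PSATSTUSR fileType=*MSGQ suser=PSATSTUSR dproc=537013/QSECOFR/QPADEV0002 cs3Label=programName cs3=PSATESTPAS duser=QSECOFR cs6Label=Sequence cs6=1579233 msg=The message queue QUSRSYS/PSATSTUSR ownership was changed from user profile QSECOFR to user profile PSATSTUSR.",
    "leef": "LEEF:2.0|HelpSystems|SIEM Agent|4.4|TOW0001| |cat=AUDIT devTime=2021-03-15T14:32:18.987-6:00 devTimeFormat=yyyy-MM-dd hh:mm:ss.SSS Z sev=4 src=10.60.33.177 dst=10.60.135.40 usrName=QSECOFR jobNumber=537013 jobUser=QSECOFR jobName=QPADEV0002 resource=DWSIEM73 domain=DWSIEM73.HELPSYSTEMS.COM pgmName=PSATESTPAS pgmLib=PSATEST journalReceiverLib=QSYS journalReceiverName=AUDRCV0057 journalID=AUDRCV0057 journalSeqNumber=1576885 reason=Changes to object ownership msg=The message queue QUSRSYS/PSATSTUSR ownership was changed from user profile QSECOFR to user profile PSATSTUSR.",
    "json": '{"FullyQualifiedJob":{"JobName":"QPADEV0002","JobNumber":"537013","JobUser":"QSECOFR"},"CurrentUser":"QSECOFR","EventID":"TOW0001","EventText":"User profile &CPONAM& was created."}',
}
```

The key=value scanner only stays unambiguous because CEF and LEEF require "=" inside a value to be escaped; free text such as an object name or message text that reached the extension unescaped would be read as a new key by any collector using the same rule, so check how your SIEM Agent version escapes those fields before relying on field-level parsing for detection logic.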
Microseconds
Specifies the number of fractional-second digits in the formatted timestamp when using the Modern header specification: *NONE (no fractional digits), 3 (millisecond resolution) or 6 (microsecond resolution). The Legacy header specification (RFC3164) does not support fractional seconds. Within the LEEF Format, Microseconds is fixed to 3.
Microseconds: *NONE
<38>1 2021-03-25T07:16:32-6:00 DWSIEM73.HELPSYSTEMS.COM - - TOW0001 src=10.60.33.177 dst=10.60.135.40 reason=Changes to object ownership msg=The message queue QUSRSYS/PSATSTUSR ownership was changed from user profile QSECOFR to user profile PSATSTUSR.
Microseconds: 3
<38>1 2021-03-25T07:16:32.400-6:00 DWSIEM73.HELPSYSTEMS.COM - - TOW0001 src=10.60.33.177 dst=10.60.135.40 reason=Changes to object ownership msg=The message queue QUSRSYS/PSATSTUSR ownership was changed from user profile QSECOFR to user profile PSATSTUSR.
Microseconds: 6
<38>1 2021-03-15T07:16:32.100080-6:00 DWSIEM73.HELPSYSTEMS.COM - - TOW0001 src=10.60.33.177 dst=10.60.135.40 reason=Changes to object ownership msg=The message queue QUSRSYS/PSATSTUSR ownership was changed from user profile QSECOFR to user profile PSATSTUSR.
Time zone
Specifies the time zone indication to be applied to the syslog event timestamp when using the Modern header specification. As the examples show, *NONE writes the local time with no zone indication, *UTC writes the local time followed by its offset from UTC, and *ZULU converts the time to UTC and appends Z. A *NONE timestamp can only be interpreted correctly if the receiver knows the sending system's time zone, so prefer *UTC or *ZULU when the collector is in a different zone or events are correlated across systems. RFC 5424 timestamps follow RFC 3339, in which the offset hour has two digits (-06:00); the samples here show -6:00, so confirm the form your version emits against what your collector's parser accepts. The Legacy header specification (RFC3164) displays only a simplistic month and day without a year, and offers no formatting options for the timestamp. Within the LEEF Format, Time zone is fixed to *UTC.
Time Zone: *NONE
<38>1 2021-03-25T15:25:41.334 DWSIEM73.HELPSYSTEMS.COM - - TOW0001 src=10.60.33.177 dst=10.60.135.40 reason=Changes to object ownership msg=The message queue QUSRSYS/PSATSTUSR ownership was changed from user profile QSECOFR to user profile PSATSTUSR.
Time Zone: *UTC
<38>1 2021-03-15T15:25:41.334-6:00 DWSIEM73.HELPSYSTEMS.COM - - TOW0001 src=10.60.33.177 dst=10.60.135.40 reason=Changes to object ownership msg=The message queue QUSRSYS/PSATSTUSR ownership was changed from user profile QSECOFR to user profile PSATSTUSR.
Time Zone: *ZULU
<38>1 2021-03-15T15:25:41.334Z DWSIEM73.HELPSYSTEMS.COM - - TOW0001 src=10.60.33.177 dst=10.60.135.40 reason=Changes to object ownership msg=The message queue QUSRSYS/PSATSTUSR ownership was changed from user profile QSECOFR to user profile PSATSTUSR.
Take Elton John's birthday as an example. Elton was born on March 25, 1947 at 2:00:00 am in Pinner, Middlesex, England (treated here as 02:00:00 UTC). In Minneapolis (Central Standard Time, UTC-06:00) the local time was March 24, 1947 at 8:00:00 pm. Without microseconds, the three Time zone settings give the following results.
Time zone | Formatted output |
---|---|
*NONE | 1947-03-24T20:00:00 |
*UTC | 1947-03-24T20:00:00-06:00 |
*ZULU | 1947-03-25T02:00:00Z |
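The Microseconds and Time zone options, and the table above, come down to one rendering rule per option. The following added example (not SIEM Agent code) renders the Modern-header TIMESTAMP for each combination from a UTC event time and a local zone, renders the fixed Legacy form, and parses each variant back to UTC so the round trip can be checked. The UTC-06:00 zone and the 1947 instant are the page's; the function names, the module constants and the decision to accept a one-digit offset hour on input are this example's own.

```python
"""Render and read back the timestamp variants produced by the options above.
Added example, not SIEM Agent code. The UTC-06:00 zone and the 1947 example
instant are the page's; the function names and the lenient offset parsing
(accepting -6:00 as well as the RFC 3339 form -06:00) are this example's.
"""
import re
from datetime import datetime, timedelta, timezone
from typing import Optional

CENTRAL = timezone(timedelta(hours=-6))                        # page's UTC-06:00
BIRTH_UTC = datetime(1947, 3, 25, 2, 0, 0, tzinfo=timezone.utc)  # page's example instant
_TS = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(\.\d{1,6})?(Z|[+-]\d{1,2}:\d\d)?$")


def _offset(local: datetime) -> str:
    """RFC 3339 numeric offset with a two-digit hour, e.g. -06:00."""
    off = local.utcoffset()
    sign = "-" if off < timedelta(0) else "+"
    secs = abs(int(off.total_seconds()))
    return f"{sign}{secs // 3600:02d}:{secs % 3600 // 60:02d}"


def format_rfc5424(event_utc: datetime, local_tz: timezone,
                   time_zone: str = "*UTC", microseconds="*NONE") -> str:
    """Modern-header TIMESTAMP for Time zone *NONE/*UTC/*ZULU and Microseconds *NONE/3/6.

    *NONE: local time, no zone.  *UTC: local time plus its UTC offset.
    *ZULU: the instant converted to UTC with a trailing Z.
    """
    digits = {"*NONE": 0, "0": 0, "3": 3, "6": 6}[str(microseconds)]
    local = event_utc.astimezone(timezone.utc if time_zone == "*ZULU" else local_tz)
    out = local.strftime("%Y-%m-%dT%H:%M:%S")
    if digits:
        out += "." + f"{local.microsecond:06d}"[:digits]
    if time_zone == "*ZULU":
        return out + "Z"
    if time_zone == "*UTC":
        return out + _offset(local)
    if time_zone == "*NONE":
        return out
    raise ValueError(f"unknown Time zone option {time_zone!r}")


def format_rfc3164(event_utc: datetime, local_tz: timezone) -> str:
    """Legacy-header timestamp: 'Mmm dd hh:mm:ss' in local time, no year, no zone."""
    local = event_utc.astimezone(local_tz)
    return f"{local:%b} {local.day:2d} {local:%H:%M:%S}"


def to_utc(ts: str, assumed_tz: Optional[timezone] = None) -> datetime:
    """Parse a Modern-header timestamp back to UTC.

    A *NONE timestamp carries no zone, so the caller must assume one; that guess
    is where *NONE data go wrong when agent host and collector disagree.
    """
    m = _TS.match(ts)
    if not m:
        raise ValueError(f"not an RFC 5424 timestamp: {ts!r}")
    dt = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    if m.group(2):
        dt = dt.replace(microsecond=int((m.group(2)[1:] + "000000")[:6]))
    zone = m.group(3)
    if zone is None:
        if assumed_tz is None:
            raise ValueError("*NONE timestamp has no zone; an assumed zone is required")
        tz = assumed_tz
    elif zone == "Z":
        tz = timezone.utc
    else:
        hours, minutes = (int(p) for p in zone[1:].split(":"))
        delta = timedelta(hours=hours, minutes=minutes)
        tz = timezone(-delta if zone[0] == "-" else delta)
    return dt.replace(tzinfo=tz).astimezone(timezone.utc)


def render_table(event_utc: datetime, local_tz: timezone) -> dict:
    """The page's Time zone table: option -> formatted output, without microseconds."""
    return {opt: format_rfc5424(event_utc, local_tz, opt) for opt in ("*NONE", "*UTC", "*ZULU")}


if __name__ == "__main__":
    for opt, text in render_table(BIRTH_UTC, CENTRAL).items():
        print(f"{opt:6} {text:28} -> {to_utc(text, CENTRAL).isoformat()}")
    print(format_rfc3164(BIRTH_UTC, CENTRAL))
```

Running the block prints the three rows of the table above, each followed by the UTC instant it parses back to, and shows that all three rows denote the same moment only because the *NONE row was given the correct assumed zone.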
Command Keys
F3=Exit
Exit the program.
F5=Refresh
Discards changes and remains on this panel.
F12=Cancel
Discards changes and returns to the prior panel.