Create Format panel

The Create Format panel allows you to create a Format.

See also Configuring Formats.

How to Get There

Press F6 on the Work with Formats panel.

Field Descriptions

Name

The name you use to refer to this Format within Powertech SIEM Agent.

This name is required to be a valid OS name.

Description

A short description you assign to the Format.

Message Style

Message style determines the order and format of the event data in the message section of the output syslog event. Styles are provided that mimic the Powertech Interact 3 output formats. The following styles are provided:

Style and description:
*CEF

This legacy style mimics the output produced by Powertech Interact 3 when using Host role *CEF.

EXAMPLE:
Mar 15 14:47:02 DWSIEM73 CEF:0|Powertech|SIEM Agent|4.4|TOW0001|Changes to object ownership|6|src=10.60.33.177 dst=10.60.135.40 cat=AuditJournal cs1Label=eventType cs1=JRN cs2Label=eventClass cs2=AUD cnt=1 fname=QUSRSYS/PSATSTUSR fileType=*MSGQ suser=PSATSTUSR dproc=537013/QSECOFR/QPADEV0002 cs3Label=programName cs3=PSATESTPAS duser=QSECOFR cs6Label=Sequence cs6=1579233 msg=The message queue QUSRSYS/PSATSTUSR ownership was changed from user profile QSECOFR to user profile PSATSTUSR.
*MODERN

This style constructs the output syslog event message section entirely from Extensions you provide for Event Descriptions, Event Subtypes and Rules.

EXAMPLE:
1 2021-03-15T14:59:06.100-6:00 DWSIEM73.HELPSYSTEMS.COM - - TOW0001 src=10.60.33.177 dst=10.60.135.40 reason=Changes to object ownership msg=The message queue QUSRSYS/PSATSTUSR ownership was changed from user profile QSECOFR to user profile PSATSTUSR.
*LEEF

The LEEF (Log Event Extended Format) style conforms to the LEEF 2.0 header format standards for IBM QRadar. SIEM Agent adds IBM i-specific name-value pairs, which provide additional value for messages related to IBM i events.

EXAMPLE:
LEEF:2.0|HelpSystems|SIEM Agent|4.4|TOW0001| |cat=AUDIT devTime=2021-03-15T14:32:18.987-6:00 devTimeFormat=yyyy-MM-dd hh:mm:ss.SSS Z sev=4 src=10.60.33.177 dst=10.60.135.40 usrName=QSECOFR jobNumber=537013 jobUser=QSECOFR jobName=QPADEV0002 resource=DWSIEM73 domain=DWSIEM73.HELPSYSTEMS.COM pgmName=PSATESTPAS pgmLib=PSATEST journalReceiverLib=QSYS journalReceiverName=AUDRCV0057 journalID=AUDRCV0057 journalSeqNumber=1576885 reason=Changes to object ownership msg=The message queue QUSRSYS/PSATSTUSR ownership was changed from user profile QSECOFR to user profile PSATSTUSR.
*JSON

This style emits the event as JSON (JavaScript Object Notation), an open standard data interchange format.

EXAMPLE:
{"FullyQualifiedJob":{"JobName":"QPADEV0002","JobNumber":"537013","JobUser":"QSECOFR"},"CurrentUser":"QSECOFR","EventID":"TOW0001","EventText":"User profile &CPONAM& was created."}
*SYSLOG

This legacy style mimics the output produced by Powertech Interact 3 when using Host role *SYSLOG.

EXAMPLE:
1 2021-03-15T14:53:10.175-6:00 DWSIEM73.HELPSYSTEMS.COM - - Changes to object ownership src=10.60.135.40 dst=10.60.33.177 msg=TYPE:JRN CLS:AUD JJOB:QPADEV0002 JUSER:QSECOFR JNBR:537013 PGM:PSATESTPAS DETAIL:A PSATSTUSR QUSRSYS *MSGQ QSECOFR PSATSTUSR 0 0 * * MSG: The message queue QUSRSYS/PSATSTUSR ownership was changed from user profile QSECOFR to user profile PSATSTUSR.
Header specification

The specification compliance level of the syslog header.

RFC3164
The syslog event will conform to the legacy RFC 3164 specification.
RFC5424
The syslog event will conform to the modern RFC 5424 specification.
LEEF
The LEEF (Log Event Extended Format) format conforms to the LEEF 2.0 header format standards for IBM QRadar. SIEM Agent adds IBM i-specific name-value pairs, which provide additional value for messages related to IBM i events.
*NONE
No header included in the event output. This is the default value for *JSON Formats.

For more details, see Syslog Header Specifications.

EXAMPLE:
Header specification: RFC3164 (Legacy)
<38>Mar 15 15:28:06 DWSIEM73 TOW0001 src=10.60.33.177 dst=10.60.135.40 reason=Changes to object ownership msg=The message queue QUSRSYS/PSATSTUSR ownership was changed from user profile QSECOFR to user profile PSATSTUSR.
Header specification: RFC5424 (Modern)
<38>1 2021-03-15T15:28:06-6:00 DWSIEM73.HELPSYSTEMS.COM - - TOW0001 src=10.60.33.177 dst=10.60.135.40 reason=Changes to object ownership msg=The message queue QUSRSYS/PSATSTUSR ownership was changed from user profile QSECOFR to user profile PSATSTUSR.
User Header Format Compatibility

The User Header Format Compatibility flag, if set to Y, outputs the header in the format that was used by SIEM Agent/Interact prior to version 4.2 of SIEM Agent. This setting may be preferred when the SYSLOG configuration is dependent on the format from the legacy product versions. A setting of N provides a more accurate representation of the syslog standard.

EXAMPLE:
User Header Format Compatibility: N
<38>1 2021-03-15T14:32:18.987-6:00 DWSIEM73.HELPSYSTEMS.COM - - The message queue QUSRSYS/PSATSTUSR ownership was changed from user profile QSECOFR to user profile PSATSTUSR. src=10.60.135.40 dst=10.60.33.177 msg=TYPE:JRN CLS:AUD JJOB:QPADEV0002 JUSER:QSECOFR JNBR:537013 PGM:PSATESTPAS DETAIL:A PSATSTUSR QUSRSYS *MSGQ QSECOFR PSATSTUSR 0 0 * *

User Header Format Compatibility: Y
<38>1 2021-03-15T14:32:18.987-6:00 DWSIEM73.HELPSYSTEMS.COM - - CEF:0|Powertech|SIEM Agent|4.4|TOW0001|The message queue QUSRSYS/PSATSTUSR ownership was changed from user profile QSECOFR to user profile PSATSTUSR.|6| src=10.60.135.40 dst=10.60.33.177 msg=TYPE:JRN CLS:AUD JJOB:QPADEV0002 JUSER:QSECOFR JNBR:537013 PGM:PSATESTPAS DETAIL:A PSATSTUSR QUSRSYS *MSGQ QSECOFR PSATSTUSR 0 0 * *
Microseconds

Specifies the number of microsecond digits to be used in the formatted timestamp when using the Modern header specification. The Legacy header specification (RFC3164) does not support microseconds. You can specify *NONE (zero digits), or 3 or 6 microsecond digits. Within the LEEF Format, Microseconds are fixed to a value of 3.

EXAMPLE:
Microseconds: *NONE:
<38>1 2021-03-25T07:16:32-6:00 DWSIEM73.HELPSYSTEMS.COM - - TOW0001 src=10.60.33.177 dst=10.60.135.40 reason=Changes to object ownership msg=The message queue QUSRSYS/PSATSTUSR ownership was changed from user profile QSECOFR to user profile PSATSTUSR.
Microseconds: 3:
<38>1 2021-03-25T07:16:32.400-6:00 DWSIEM73.HELPSYSTEMS.COM - - TOW0001 src=10.60.33.177 dst=10.60.135.40 reason=Changes to object ownership msg=The message queue QUSRSYS/PSATSTUSR ownership was changed from user profile QSECOFR to user profile PSATSTUSR.
Microseconds: 6:
<38>1 2021-03-15T07:16:32.100080-6:00 DWSIEM73.HELPSYSTEMS.COM - - TOW0001 src=10.60.33.177 dst=10.60.135.40 reason=Changes to object ownership msg=The message queue QUSRSYS/PSATSTUSR ownership was changed from user profile QSECOFR to user profile PSATSTUSR.
Time zone

Specifies the time zone indication to be applied to the syslog event timestamp when using the Modern header specification. The Legacy header specification (RFC3164) displays only a simplistic month and day without a year, and offers no formatting options for the timestamp. Within the LEEF Format, Time zone is fixed to *UTC.

*NONE
The timestamp is formatted as local time; no time zone indication is provided.
*UTC
The timestamp is formatted as local time with the Coordinated Universal Time (UTC) offset appended.
*ZULU
The timestamp is formatted as Coordinated Universal Time with a "Z" appended.
EXAMPLE:
Time Zone: *NONE:
<38>1 2021-03-25T15:25:41.334 DWSIEM73.HELPSYSTEMS.COM - - TOW0001 src=10.60.33.177 dst=10.60.135.40 reason=Changes to object ownership msg=The message queue QUSRSYS/PSATSTUSR ownership was changed from user profile QSECOFR to user profile PSATSTUSR.
Time Zone: *UTC:
<38>1 2021-03-15T15:25:41.334-6:00 DWSIEM73.HELPSYSTEMS.COM - - TOW0001 src=10.60.33.177 dst=10.60.135.40 reason=Changes to object ownership msg=The message queue QUSRSYS/PSATSTUSR ownership was changed from user profile QSECOFR to user profile PSATSTUSR.
Time Zone: *ZULU:
<38>1 2021-03-15T15:25:41.334Z DWSIEM73.HELPSYSTEMS.COM - - TOW0001 src=10.60.33.177 dst=10.60.135.40 reason=Changes to object ownership msg=The message queue QUSRSYS/PSATSTUSR ownership was changed from user profile QSECOFR to user profile PSATSTUSR.

Let's use Elton John's birthday as an example. Elton was born March 25, 1947 at 2:00:00am in Pinner, Middlesex, England. In Minneapolis (Central Standard Time), the local time would be March 24, 1947 at 8:00:00pm (UTC-06:00). Depending on the Time zone setting, the timestamp is formatted as follows (without microseconds):

Time zone   Formatted output
*NONE       1947-03-24T20:00:00
*UTC        1947-03-24T20:00:00-06:00
*ZULU       1947-03-25T02:00:00Z
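The following parser is an added example written for this page, not code from SIEM Agent: it splits an event in either Header specification (RFC3164 or RFC5424) into PRI, header fields and the key=value extension, and normalizes the Modern timestamp in all three Time zone styles and any Microseconds setting, including the 1947 conversion above. The sample lines are constructed after this page's examples; function and constant names are the author's own. One caveat for anyone writing their own receiver: the sample outputs above carry a single-digit hour offset such as -6:00, whereas RFC 5424 requires a two-digit hour (-06:00), so the parser zero-pads it before parsing.

```python
import re
from datetime import datetime, timezone

# Constructed sample events modelled on this page's examples (not captured from a live system).
RFC5424_SAMPLE = (
    "<38>1 2021-03-15T15:25:41.334-6:00 DWSIEM73.HELPSYSTEMS.COM - - TOW0001 "
    "src=10.60.33.177 dst=10.60.135.40 reason=Changes to object ownership "
    "msg=The message queue QUSRSYS/PSATSTUSR ownership was changed from user profile QSECOFR to user profile PSATSTUSR."
)
RFC3164_SAMPLE = ("<38>Mar 15 15:28:06 DWSIEM73 TOW0001 src=10.60.33.177 dst=10.60.135.40 "
                  "reason=Changes to object ownership msg=The message queue QUSRSYS/PSATSTUSR ownership was changed.")

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)
RFC5424_RE = re.compile(r"^1 (\S+) (\S+) (\S+) (\S+) (\S+) ?(.*)$", re.S)  # version ts host app procid msgid ext
RFC3164_RE = re.compile(r"^([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (\S+) ?(.*)$", re.S)  # ts host msgid ext
KV_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)", re.S)  # values may contain spaces; a value ends before " key="
SHORT_OFFSET_RE = re.compile(r"([+-])(\d):(\d\d)$")  # e.g. -6:00 as in the samples; RFC 5424 spells it -06:00

def parse_timestamp(ts: str) -> datetime:
    """Parse the Modern timestamp in any Time zone style (*NONE, *UTC, *ZULU) and Microseconds setting."""
    ts = ts[:-1] + "+00:00" if ts.endswith("Z") else ts  # *ZULU: fromisoformat accepts 'Z' only from Python 3.11
    ts = SHORT_OFFSET_RE.sub(r"\g<1>0\2:\3", ts)        # zero-pad a single-digit hour offset
    return datetime.fromisoformat(ts)                    # *NONE input yields a naive (local) datetime

def parse_event(line: str, rfc3164_year: int = 2021) -> dict:
    """Split an event into PRI, header fields and key=value extension. The Legacy header has no year: supply one."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("missing <PRI>")
    pri, rest = int(m.group(1)), m.group(2)
    event = {"facility": pri // 8, "severity": pri % 8}  # <38> = facility 4 (auth), severity 6 (informational)
    if m5 := RFC5424_RE.match(rest):
        ts, host, app, procid, event_id, ext = m5.groups()
        event.update(spec="RFC5424", timestamp=parse_timestamp(ts), host=host, app=app, procid=procid)
    elif m3 := RFC3164_RE.match(rest):
        ts, host, event_id, ext = m3.groups()
        stamp = datetime.strptime(ts, "%b %d %H:%M:%S").replace(year=rfc3164_year)
        event.update(spec="RFC3164", timestamp=stamp, host=host)
    else:
        raise ValueError("unrecognised header")
    event["event_id"] = event_id
    event["fields"] = dict(KV_RE.findall(ext))
    return event

def to_zulu(ts: str) -> str:
    """Re-express a *UTC-style timestamp in *ZULU form, as in the 1947-03-24T20:00:00-06:00 example."""
    stamp = parse_timestamp(ts)
    if stamp.tzinfo is None:
        raise ValueError("*NONE timestamps carry no offset and cannot be converted")
    return stamp.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
```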

Command Keys

F3=Exit

Exit the program.

F5=Refresh

Discards changes and remains on this panel.

F12=Cancel

Discards changes and returns to the prior panel.