Create Output panel
The Create Output Target panel allows you to create an Output Target.
For information on configuring an output, see Configuring Outputs.
How to Get There
On the Select Output Target panel or Work with Outputs panel, press F6.
Field Descriptions
System
System indicates the target of any operations you perform. When you add items, for example, those items will be sent to, and will affect processing on, the System named.
Name
The name you use to refer to this Output Target within Powertech SIEM Agent. It does not need to match the name of any object on the system; it is a name you invent for your reference.
This name is required to be a valid OS name.
Description
A short description you assign to the Output Target.
Active
Indicates whether the Output Target is available for processing. When the Output Target is not active, it will not have syslog events transmitted to it.
Format
Names the Format that controls how the output event is constructed. See Create Format for more details.
Type
The type of output location defined by the Output Target. The allowed values are:
Value | Meaning |
---|---|
*NETWORK | The output syslog events are sent to a network location, typically an IP address or registered DNS name. Several protocols are available for network locations. |
*MSGQ | The output syslog events are sent to a message queue on the local system. You must create the message queue. NOTE: When creating the message queue, set the MSGQFULL attribute to *WRAP in order for the system to accommodate wrapping the message queue when it becomes full. If MSGQFULL is not set to *WRAP, errors and job logs may result within SIEM Agent during message processing, due to the message queue becoming full. Also, consider the size of the message queue. Be sure it is able to store an adequate number of messages before wrapping and overwriting the oldest messages. |
*STREAM | The output syslog events are sent to a stream file in the Integrated File System. The file will be created if it does not exist. |
*KAFKA | The selected output events are sent to a Kafka server location, typically an IP address or registered DNS name. Generally, ports used for Kafka are 9092 or 9093. Several protocols are available for network locations. |
*NETWORK
Location
A network location specification. This could be an IP address, a DNS-defined name, or something completely different, as long as the name can be resolved by your network configuration.
Port
A port at the target location.
Protocol
Indicates the protocol used to communicate with the syslog server.
Specify one of the following values:
Recovery limit
After having failed to communicate, this specifies the number of times to retry the connection to the network location before giving up.
Time interval
After having failed to communicate, this specifies the number of seconds between attempts to re-connect to the network location.
ArcSight compatibility
Indicates whether output syslog events are to be formatted specially for the ArcSight syslog event manager server. Specify 1 to indicate that the Output targets an ArcSight server; specify 0 otherwise. Note the effect of this setting in the following output example: the dst and src attributes are swapped.
ArcSight compatibility: N:
1 2021-03-15T21:28:06.100Z DWSIEM73.HELPSYSTEMS.COM - - TOW0001 src=10.60.33.177 dst=10.60.135.40 reason=Changes to object ownership msg=The message queue QUSRSYS/PSATSTUSR ownership was changed from user profile QSECOFR to user profile PSATSTUSR.
ArcSight compatibility: Y:
1 2021-03-15T21:47:06.684Z DWSIEM73.HELPSYSTEMS.COM - - TOW0001 dst=10.60.33.177 src=10.60.135.40 reason=Changes to object ownership msg=The message queue QUSRSYS/PSATSTUSR ownership was changed from user profile QSECOFR to user profile PSATSTUSR.
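A receiver that collects from Output Targets with different ArcSight compatibility settings sees src and dst in opposite roles for the same kind of event, so any rule keyed on those attributes needs them normalized first. The following parser is an added example, not part of Powertech SIEM Agent; the function name and the per-target `arcsight` flag are assumptions, and only the attribute keys visible in the sample above are handled.

```python
import re

# Header as in the page's sample: version, timestamp, host, app, procid, msgid.
HEADER = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\S+) (\S+) (.*)$")
# Assumption: only the attribute keys visible in the page's sample are parsed.
PAIR = re.compile(r"\b(src|dst|reason)=(.*?)(?=\s+(?:src|dst|reason)=|$)")

TAIL = (" reason=Changes to object ownership msg=The message queue "
        "QUSRSYS/PSATSTUSR ownership was changed from user profile QSECOFR "
        "to user profile PSATSTUSR.")
# The two sample events shown on the page (compatibility N, then Y).
SAMPLE_N = ("1 2021-03-15T21:28:06.100Z DWSIEM73.HELPSYSTEMS.COM - - TOW0001 "
            "src=10.60.33.177 dst=10.60.135.40" + TAIL)
SAMPLE_Y = ("1 2021-03-15T21:47:06.684Z DWSIEM73.HELPSYSTEMS.COM - - TOW0001 "
            "dst=10.60.33.177 src=10.60.135.40" + TAIL)


def parse_event(line, arcsight=False):
    """Parse one output event into a dict.

    arcsight=True means the sending Output Target has ArcSight
    compatibility on, so src/dst arrive swapped; they are swapped back
    to the orientation used when compatibility is off.
    """
    m = HEADER.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not a recognised event line")
    version, ts, host, app, procid, msgid, body = m.groups()
    # msg is free text and comes last in the sample: split it off first
    # so a 'dst=' or 'src=' inside the message is never read as a key.
    head, sep, msg = (" " + body).partition(" msg=")
    fields = {key: value.strip() for key, value in PAIR.findall(head)}
    if arcsight and "src" in fields and "dst" in fields:
        fields["src"], fields["dst"] = fields["dst"], fields["src"]
    fields.update(version=int(version), timestamp=ts, host=host, app=app,
                  procid=procid, msgid=msgid, msg=msg if sep else None)
    return fields


if __name__ == "__main__":
    for line, flag in ((SAMPLE_N, False), (SAMPLE_Y, True)):
        event = parse_event(line, arcsight=flag)
        print(event["msgid"], event["src"], "->", event["dst"])
```

Parsing the second sample without the flag leaves the two addresses in each other's place, which is the failure this normalization prevents.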
*MSGQ
Message queue; Library
Syslog output will be written to this message queue in the form of messages. The syslog event is provided in the message second-level text.
ASP Group
The name of the ASP group on which the message queue can be found.
*STREAM
CCSID for stream file
The CCSID of the text data written to the stream file.
Line ends
The line endings that will terminate each syslog event written to the stream file. The following values are supported:
Value | Meaning |
---|---|
*CR | A carriage return character will terminate each line. |
*LF | A line feed character will terminate each line. |
*CRLF | A carriage return and line feed character will terminate each line. |
Path
Path names the stream file to which each syslog event will be written. Each event will be written as a "line", terminated by the line end specified by the Line ends property.
When creating the path, begin with / and end with the log file name. You must include the log file name or no log will be created. Full access rights must be given to the user profile PTUSER.
In the following example the log file name is SIEM4LOG.
The complete path and log name might look like /home/SIEM4log
*KAFKA
Kafka Location
A Kafka server location specification. This could be an IP address, a DNS name, or other name so long as it can be resolved by your network configuration.
Kafka Port
A port at the target location.
Kafka Protocol
Indicates the protocol used to communicate with the Kafka server.
Specify one of the following values:
Kafka Topic
A Kafka topic must be entered. This should be a topic that has already been configured on the Kafka server.
Kafka Truststore
A Kafka truststore path must be entered that points to the location of the truststore file used in TLS protocol with the Kafka server. A truststore must be created on the Kafka server and the security certificate must be imported into the truststore and then stored on the IFS for successful TLS communication.
Kafka Truststore Password
A Kafka truststore password must be entered for the truststore file used in TLS protocol with the Kafka server.
Encrypt Password
A Kafka truststore password can be encrypted using a Y in this field. N will not encrypt the field. Valid values are Y or N.
Kafka Jar Path
A Kafka jar path must be entered that points to the location of the jar file used to communicate with the Kafka server. During the installation process, kafka-clients-2.5.0.jar and slf4j-api-1.7.30.jar are loaded into the Powertech/SIEMAgent directory. These jar files are needed to communicate with the IBM i systems.
Kafka KeyStore
A Kafka keystore path must be entered that points to the location of the keystore file used in TLS protocol with the Kafka server. A keystore must be created on the Kafka server and the security certificate must be imported into the keystore and then stored on the IFS for successful TLS communication.
Kafka KeyStore Password
A Kafka keystore password must be entered for the keystore file used in TLS protocol with the Kafka server.
Encrypt Password
A Kafka keystore password can be encrypted using a Y in this field. N will not encrypt the field.
Kafka Key Password
A Kafka key password must be entered for the key file used in TLS protocol with the Kafka server.
Encrypt Password
A Kafka key password can be encrypted using a Y in this field. N will not encrypt the field.
Command Keys
F3=Exit
Exit the program.
F4=Prompt
Displays a list of items from which one or more may be selected.
F5=Refresh
Discards changes and remains on this panel.
F12=Cancel
Discards changes and returns to the prior panel.