Display Format panel

The Display Format panel displays Format properties but does not allow them to be changed.

How to Get There

Press 5 for a format in the Work with Formats panel.

Field Descriptions

Name

The name you use to refer to this Format within Powertech SIEM Agent.

This name is required to be a valid OS name.

Description

A short description you assign to the Format.

Message Style

Message style determines the order and format of the event data in the message section of the output syslog event. Styles are provided that mimic the Powertech Interact 3 output formats. The following styles are provided:

*CEF

This legacy style mimics the output produced by Powertech Interact 3 when using Host role *CEF.

EXAMPLE:
Mar 15 14:47:02 DWSIEM73 CEF:0|Powertech|SIEM Agent|4.4|TOW0001|Changes to object ownership|6|src=10.60.33.177 dst=10.60.135.40 cat=AuditJournal cs1Label=eventType cs1=JRN cs2Label=eventClass cs2=AUD cnt=1 fname=QUSRSYS/PSATSTUSR fileType=*MSGQ suser=PSATSTUSR dproc=537013/QSECOFR/QPADEV0002 cs3Label=programName cs3=PSATESTPAS duser=QSECOFR cs6Label=Sequence cs6=1579233 msg=The message queue QUSRSYS/PSATSTUSR ownership was changed from user profile QSECOFR to user profile PSATSTUSR.

*MODERN

This style constructs the message section of the output syslog event entirely from the Extensions you provide for Event Descriptions, Event Subtypes and Rules.

EXAMPLE:
1 2021-03-15T14:59:06.100-6:00 DWSIEM73.HELPSYSTEMS.COM - - TOW0001 src=10.60.33.177 dst=10.60.135.40 reason=Changes to object ownership msg=The message queue QUSRSYS/PSATSTUSR ownership was changed from user profile QSECOFR to user profile PSATSTUSR.

*LEEF

The LEEF (Log Event Extended Format) style conforms to the LEEF 2.0 header format standard for IBM QRadar. SIEM Agent adds IBM i-specific name/value pairs, which provide additional value for messages related to IBM i events.

EXAMPLE:
LEEF:2.0|HelpSystems|SIEM Agent|4.4|TOW0001| |cat=AUDIT devTime=2021-03-15T14:32:18.987-6:00 devTimeFormat=yyyy-MM-dd hh:mm:ss.SSS Z sev=4 src=10.60.33.177 dst=10.60.135.40 usrName=QSECOFR jobNumber=537013 jobUser=QSECOFR jobName=QPADEV0002 resource=DWSIEM73 domain=DWSIEM73.HELPSYSTEMS.COM pgmName=PSATESTPAS pgmLib=PSATEST journalReceiverLib=QSYS journalReceiverName=AUDRCV0057 journalID=AUDRCV0057 journalSeqNumber=1576885 reason=Changes to object ownership msg=The message queue QUSRSYS/PSATSTUSR ownership was changed from user profile QSECOFR to user profile PSATSTUSR.

*JSON

This style formats the event as JSON (JavaScript Object Notation), an open standard data interchange format.

EXAMPLE:
{"FullyQualifiedJob":{"JobName":"QPADEV0002","JobNumber":"537013","JobUser":"QSECOFR"},"CurrentUser":"QSECOFR","EventID":"TOW0001","EventText":"User profile &CPONAM& was created."}

*SYSLOG

This legacy style mimics the output produced by Powertech Interact 3 when using Host role *SYSLOG.

EXAMPLE:
1 2021-03-15T14:53:10.175-6:00 DWSIEM73.HELPSYSTEMS.COM - - Changes to object ownership src=10.60.135.40 dst=10.60.33.177 msg=TYPE:JRN CLS:AUD JJOB:QPADEV0002 JUSER:QSECOFR JNBR:537013 PGM:PSATESTPAS DETAIL:A PSATSTUSR QUSRSYS *MSGQ QSECOFR PSATSTUSR 0 0 * * MSG: The message queue QUSRSYS/PSATSTUSR ownership was changed from user profile QSECOFR to user profile PSATSTUSR.
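As an added example that is not part of this documentation or of the SIEM Agent product, the following Python parser splits *CEF and *LEEF style events like the samples above into header fields and extension key/value pairs. It assumes the LEEF delimiter field is a single space, as in the sample, and splits the extension section at "key=" boundaries rather than on every space, because values such as msg=, reason= and devTimeFormat= contain spaces themselves.

```python
import re
from typing import Dict, Tuple

# Sample events constructed from the *CEF and *LEEF examples above (the LEEF one is abridged).
CEF_SAMPLE = ("Mar 15 14:47:02 DWSIEM73 CEF:0|Powertech|SIEM Agent|4.4|TOW0001|"
              "Changes to object ownership|6|src=10.60.33.177 dst=10.60.135.40 "
              "cat=AuditJournal cs1Label=eventType cs1=JRN cs2Label=eventClass cs2=AUD cnt=1 "
              "fname=QUSRSYS/PSATSTUSR fileType=*MSGQ suser=PSATSTUSR "
              "dproc=537013/QSECOFR/QPADEV0002 cs3Label=programName cs3=PSATESTPAS "
              "duser=QSECOFR cs6Label=Sequence cs6=1579233 msg=The message queue "
              "QUSRSYS/PSATSTUSR ownership was changed from user profile QSECOFR "
              "to user profile PSATSTUSR.")
LEEF_SAMPLE = ("LEEF:2.0|HelpSystems|SIEM Agent|4.4|TOW0001| |cat=AUDIT "
               "devTime=2021-03-15T14:32:18.987-6:00 devTimeFormat=yyyy-MM-dd hh:mm:ss.SSS Z "
               "sev=4 src=10.60.33.177 dst=10.60.135.40 usrName=QSECOFR jobNumber=537013 "
               "jobUser=QSECOFR jobName=QPADEV0002 reason=Changes to object ownership "
               "msg=The message queue QUSRSYS/PSATSTUSR ownership was changed.")

# Extension values (msg=, reason=, devTimeFormat=) contain spaces, so split only where
# whitespace is followed by the next key and "=", never on every space.
_EXT_BOUNDARY = re.compile(r"\s+(?=[A-Za-z0-9_.]+=)")

CEF_HEADER = ("cefVersion", "vendor", "product", "version", "signatureId", "name", "severity")
LEEF_HEADER = ("leefVersion", "vendor", "product", "version", "eventId", "delimiter")


def parse_extensions(ext: str, delimiter: str = " ") -> Dict[str, str]:
    """Split the extension section into key/value pairs."""
    if delimiter.strip():
        # LEEF 2.0 may declare a non-space delimiter in its header; split literally on it.
        pairs = ext.split(delimiter)
    else:
        pairs = _EXT_BOUNDARY.split(ext.strip())
    return dict(p.split("=", 1) for p in pairs if "=" in p)


def parse_event(line: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (header, extensions) for a *CEF or *LEEF style event line."""
    # Escaped pipes (\|) inside CEF header fields are not handled by this simple splitter.
    if "CEF:" in line:
        names, body = CEF_HEADER, line[line.index("CEF:") + 4:]   # skip any syslog prefix
    elif "LEEF:" in line:
        names, body = LEEF_HEADER, line[line.index("LEEF:") + 5:]
    else:
        raise ValueError("not a CEF or LEEF event")
    fields = body.split("|", len(names))          # header fields, then the extension
    if len(fields) != len(names) + 1:
        raise ValueError("truncated header")
    header = dict(zip(names, fields))
    return header, parse_extensions(fields[-1], header.get("delimiter", " "))
```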
Header specification

The specification compliance level of the syslog header.

RFC3164

The syslog event conforms to the legacy RFC 3164 specification.

RFC5424

The syslog event conforms to the modern RFC 5424 specification.

*NONE

No header is included in the event output. This is the default value for *JSON Formats.

For more details, see Syslog Header Specifications.

Microseconds

Specifies the number of microsecond digits to be used in the formatted timestamp when using the Modern (RFC 5424) header specification. The Legacy (RFC 3164) header specification does not display microseconds. You may specify *NONE (zero digits), 3, or 6 microsecond digits. Within the LEEF Format, Microseconds is fixed at 3.

User Header Format Compatibility

The User Header Format Compatibility flag, if set to Y, outputs the header in the format that was used by SIEM Agent/Interact prior to version 4.2 of SIEM Agent. This setting may be preferred when the SYSLOG configuration is dependent on the format from the legacy product versions. A setting of N provides a more accurate representation of the syslog standard.

Time zone

Specifies the time zone indication to be applied to the syslog event timestamp when using the Modern (RFC 5424) header specification. The Legacy (RFC 3164) header specification displays only a simplistic month and day without a year and offers no formatting options for the timestamp. Within the LEEF Format, Time zone is fixed to *UTC.

*NONE

The timestamp is formatted as local time; no time zone indication is provided.

*UTC

The timestamp is formatted as local time with the Universal Coordinated Time (UTC) offset appended.

*ZULU

The timestamp is formatted as Universal Coordinated Time with a "Z" appended.

EXAMPLE: Elton John was born on March 25, 1947 at 2:00:00am UTC (Coordinated Universal Time) in Pinner, Middlesex, England. In Minneapolis, MN, USA (Central Standard Time), the local date and time was March 24, 1947 at 8:00:00pm (UTC-06:00). The following time information is output depending on the Time zone setting:

Time zone   Formatted output
*NONE       1947-03-24T20:00:00
*UTC        1947-03-24T20:00:00-06:00
*ZULU       1947-03-25T02:00:00Z
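As an added example that is not part of this documentation or of the SIEM Agent product, the following Python function reproduces the three renderings in the table above from one UTC instant and also applies the Microseconds setting (*NONE, 3 or 6 digits) to the same timestamp. It assumes a fixed UTC-06:00 offset for the Central Standard Time case rather than a named zone, and uses the two-digit offset form (-06:00) shown in the table.

```python
from datetime import datetime, timedelta, timezone

# Maps the Microseconds setting (*NONE, 3 or 6 digits) to a datetime.isoformat timespec.
_TIMESPEC = {"*NONE": "seconds", 3: "milliseconds", 6: "microseconds"}


def format_timestamp(event_utc: datetime, local_tz: timezone,
                     time_zone: str, microseconds="*NONE") -> str:
    """Render an event time as the *NONE / *UTC / *ZULU Time zone settings describe.

    event_utc must be an aware datetime; local_tz is the system's local zone.
    """
    if event_utc.tzinfo is None:
        raise ValueError("event time must be timezone-aware")
    spec = _TIMESPEC[microseconds]
    local = event_utc.astimezone(local_tz)
    if time_zone == "*NONE":
        # Local wall-clock time with no offset: the receiver cannot tell which zone it is in.
        return local.replace(tzinfo=None).isoformat(timespec=spec)
    if time_zone == "*UTC":
        # Local time plus its UTC offset as +hh:mm / -hh:mm (the RFC 5424 form).
        return local.isoformat(timespec=spec)
    if time_zone == "*ZULU":
        # Convert to UTC and mark it with the "Z" designator instead of +00:00.
        return event_utc.astimezone(timezone.utc).isoformat(timespec=spec).replace("+00:00", "Z")
    raise ValueError(f"unknown Time zone setting {time_zone!r}")


# Worked case from the table: 1947-03-25 02:00:00 UTC seen from Central Standard Time (UTC-06:00).
BIRTH_UTC = datetime(1947, 3, 25, 2, 0, 0, tzinfo=timezone.utc)
CST = timezone(timedelta(hours=-6))  # assumption: fixed offset, no DST rules


def worked_example(microseconds="*NONE") -> dict:
    """Return the formatted output for each Time zone setting."""
    return {tz: format_timestamp(BIRTH_UTC, CST, tz, microseconds)
            for tz in ("*NONE", "*UTC", "*ZULU")}
```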

Command Keys

F3=Exit

Exit the program.

F5=Refresh

Discards changes and remains on this panel.