Display Format panel
The Display Format panel displays Format properties but does not allow them to be changed.
How to Get There
Press 5 for a format in the Work with Formats panel.
Field Descriptions
Name
The name you use to refer to this Format within Powertech SIEM Agent.
This name must be a valid OS name.
Description
A short description you assign to the Format.
Message Style
Message style determines the order and format of the event data in the message section of the output syslog event. Styles are provided that mimic the Powertech Interact 3 output formats. The following styles are provided:
Style | Description |
---|---|
*CEF | This legacy style mimics the output produced by Powertech Interact 3 when using Host role *CEF. EXAMPLE: Mar 15 14:47:02 DWSIEM73 CEF:0\|Powertech\|SIEM Agent\|4.4\|TOW0001\|Changes to object ownership\|6\|src=10.60.33.177 dst=10.60.135.40 cat=AuditJournal cs1Label=eventType cs1=JRN cs2Label=eventClass cs2=AUD cnt=1 fname=QUSRSYS/PSATSTUSR fileType=*MSGQ suser=PSATSTUSR dproc=537013/QSECOFR/QPADEV0002 cs3Label=programName cs3=PSATESTPAS duser=QSECOFR cs6Label=Sequence cs6=1579233 msg=The message queue QUSRSYS/PSATSTUSR ownership was changed from user profile QSECOFR to user profile PSATSTUSR. |
*MODERN | This style constructs the message section of the output syslog event entirely from the Extensions you provide for Event Descriptions, Event Subtypes and Rules. EXAMPLE: 1 2021-03-15T14:59:06.100-6:00 DWSIEM73.HELPSYSTEMS.COM - - TOW0001 src=10.60.33.177 dst=10.60.135.40 reason=Changes to object ownership msg=The message queue QUSRSYS/PSATSTUSR ownership was changed from user profile QSECOFR to user profile PSATSTUSR. |
*LEEF | The LEEF (Log Event Extended Format) style conforms to the LEEF 2.0 header format standard for IBM QRadar. SIEM Agent adds IBM i-specific name/value pairs, which provide additional value for messages related to IBM i events. EXAMPLE: LEEF:2.0\|HelpSystems\|SIEM Agent\|4.4\|TOW0001\| \|cat=AUDIT devTime=2021-03-15T14:32:18.987-6:00 devTimeFormat=yyyy-MM-dd hh:mm:ss.SSS Z sev=4 src=10.60.33.177 dst=10.60.135.40 usrName=QSECOFR jobNumber=537013 jobUser=QSECOFR jobName=QPADEV0002 resource=DWSIEM73 domain=DWSIEM73.HELPSYSTEMS.COM pgmName=PSATESTPAS pgmLib=PSATEST journalReceiverLib=QSYS journalReceiverName=AUDRCV0057 journalID=AUDRCV0057 journalSeqNumber=1576885 reason=Changes to object ownership msg=The message queue QUSRSYS/PSATSTUSR ownership was changed from user profile QSECOFR to user profile PSATSTUSR. |
*JSON | This style outputs the event as JSON (JavaScript Object Notation), an open standard data format. EXAMPLE: {"FullyQualifiedJob":{"JobName":"QPADEV0002","JobNumber":"537013","JobUser":"QSECOFR"},"CurrentUser":"QSECOFR","EventID":"TOW0001","EventText":"User profile &CPONAM& was created."} |
*SYSLOG | This legacy style mimics the output produced by Powertech Interact 3 when using Host role *SYSLOG. EXAMPLE: 1 2021-03-15T14:53:10.175-6:00 DWSIEM73.HELPSYSTEMS.COM - - Changes to object ownership src=10.60.135.40 dst=10.60.33.177 msg=TYPE:JRN CLS:AUD JJOB:QPADEV0002 JUSER:QSECOFR JNBR:537013 PGM:PSATESTPAS DETAIL:A PSATSTUSR QUSRSYS *MSGQ QSECOFR PSATSTUSR 0 0 * * MSG: The message queue QUSRSYS/PSATSTUSR ownership was changed from user profile QSECOFR to user profile PSATSTUSR. |
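The parser below is an added example, not part of SIEM Agent or of this page. It takes the *CEF and *LEEF sample events from the table above (copied here as constructed test strings) and breaks them into header fields and extension key/value pairs, the first step a SIEM ingest pipeline performs before any rule can reference a field. The CEF header is split on unescaped pipes and the csNLabel/csN pairs are resolved to named fields (eventType, eventClass, programName, Sequence); for LEEF the declared delimiter is honoured when it is not whitespace, and otherwise the extension is cut only where a new key= begins, because the sample's own values (devTimeFormat, reason, msg) contain the declared space delimiter. The split_qualified_job helper follows the number/user/name layout that the *JSON example's FullyQualifiedJob object uses. All function and variable names are my own.

```python
import re

# Constructed copies of the *CEF and *LEEF sample events from the style table.
CEF_SAMPLE = (
    "Mar 15 14:47:02 DWSIEM73 CEF:0|Powertech|SIEM Agent|4.4|TOW0001|Changes to object ownership|6|"
    "src=10.60.33.177 dst=10.60.135.40 cat=AuditJournal cs1Label=eventType cs1=JRN "
    "cs2Label=eventClass cs2=AUD cnt=1 fname=QUSRSYS/PSATSTUSR fileType=*MSGQ suser=PSATSTUSR "
    "dproc=537013/QSECOFR/QPADEV0002 cs3Label=programName cs3=PSATESTPAS duser=QSECOFR "
    "cs6Label=Sequence cs6=1579233 msg=The message queue QUSRSYS/PSATSTUSR ownership was "
    "changed from user profile QSECOFR to user profile PSATSTUSR."
)
LEEF_SAMPLE = (
    "LEEF:2.0|HelpSystems|SIEM Agent|4.4|TOW0001| |cat=AUDIT devTime=2021-03-15T14:32:18.987-6:00 "
    "devTimeFormat=yyyy-MM-dd hh:mm:ss.SSS Z sev=4 src=10.60.33.177 dst=10.60.135.40 usrName=QSECOFR "
    "jobNumber=537013 jobUser=QSECOFR jobName=QPADEV0002 resource=DWSIEM73 "
    "domain=DWSIEM73.HELPSYSTEMS.COM pgmName=PSATESTPAS pgmLib=PSATEST journalReceiverLib=QSYS "
    "journalReceiverName=AUDRCV0057 journalID=AUDRCV0057 journalSeqNumber=1576885 "
    "reason=Changes to object ownership msg=The message queue QUSRSYS/PSATSTUSR ownership was "
    "changed from user profile QSECOFR to user profile PSATSTUSR."
)

_UNESCAPED_PIPE = re.compile(r"(?<!\\)\|")
_NEXT_KEY = re.compile(r"\s+(?=\w+=)")  # whitespace that starts a new key=value


def _unescape(value):
    # CEF escapes "\", "=", "|" and newlines with a backslash; undo that in one pass.
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_extension(text, delimiter=None):
    """Split an extension string into a dict of key -> value.

    With a non-whitespace delimiter the string is cut on it; otherwise it is cut
    only where a new ``key=`` begins, so values that contain spaces survive.
    """
    text = text.strip()
    if delimiter and not delimiter.isspace():
        tokens = text.split(delimiter)
    else:
        tokens = _NEXT_KEY.split(text)
    fields = {}
    for token in tokens:
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = _unescape(value)
    return fields


def resolve_cef_labels(ext):
    """Turn cs1Label=eventType / cs1=JRN pairs into eventType=JRN (same for cn*)."""
    named = {}
    for key, value in ext.items():
        if key.endswith("Label"):
            continue
        named[ext.get(key + "Label", key)] = value
    return named


def parse_cef(line):
    """Parse a syslog line carrying a CEF:0 event into prefix, header and extension."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF header found")
    parts = _UNESCAPED_PIPE.split(line[start:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header must have seven pipe-separated fields")
    names = ("version", "vendor", "product", "device_version", "signature_id", "name", "severity")
    header = {n: _unescape(p) for n, p in zip(names, parts[:7])}
    header["version"] = header["version"][len("CEF:"):]
    ext = parse_extension(parts[7])
    return {"prefix": line[:start].rstrip(), "header": header,
            "extension": ext, "fields": resolve_cef_labels(ext)}


def parse_leef(line):
    """Parse a LEEF 2.0 event: LEEF:2.0|Vendor|Product|Version|EventID|Delimiter|Extension."""
    parts = _UNESCAPED_PIPE.split(line.strip(), maxsplit=6)
    if len(parts) != 7 or not parts[0].startswith("LEEF:"):
        raise ValueError("not a LEEF 2.0 header")
    names = ("version", "vendor", "product", "device_version", "event_id", "delimiter")
    header = dict(zip(names, parts[:6]))
    header["version"] = header["version"][len("LEEF:"):]
    delimiter = header["delimiter"]
    if re.fullmatch(r"x[0-9A-Fa-f]{2}", delimiter):  # LEEF 2.0 allows the delimiter as xHH
        delimiter = chr(int(delimiter[1:], 16))
    # The sample declares a space as delimiter, but its devTimeFormat, reason and msg
    # values contain spaces too, so parse_extension falls back to the key= lookahead.
    return {"header": header, "extension": parse_extension(parts[6], delimiter)}


def split_qualified_job(dproc):
    """Split number/user/name (as in dproc=537013/QSECOFR/QPADEV0002) into the
    JobNumber/JobUser/JobName keys the *JSON style uses."""
    number, user, name = dproc.split("/", 2)
    return {"JobNumber": number, "JobUser": user, "JobName": name}


if __name__ == "__main__":
    cef = parse_cef(CEF_SAMPLE)
    print(cef["header"]["signature_id"], cef["fields"]["eventType"],
          split_qualified_job(cef["extension"]["dproc"]))
    leef = parse_leef(LEEF_SAMPLE)
    print(leef["header"]["event_id"], leef["extension"]["journalSeqNumber"])
```

Because the same event is shown in both styles, the msg value recovered from the CEF sample equals the one recovered from the LEEF sample, which is a handy check when validating a parser against this page's examples.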
Header specification
The specification compliance level of the syslog header.
For more details, see Syslog Header Specifications.
Microseconds
Specifies the number of microsecond digits used in the formatted timestamp when using the Modern header specification. The Legacy header specification does not display microseconds. You may specify *NONE (zero digits), 3 digits, or 6 digits. Within the LEEF Format, Microseconds is fixed to a value of 3.
User Header Format Compatibility
When the User Header Format Compatibility flag is set to Y, the header is output in the format used by SIEM Agent/Interact prior to SIEM Agent version 4.2. This setting may be preferred when the SYSLOG configuration depends on the format produced by the legacy product versions. A setting of N provides a more accurate representation of the syslog standard.
Time zone
Specifies the time zone indication to be applied to the syslog event timestamp when using the Modern header specification. The Legacy header specification only displays a very simplistic month and day without a year and offers no formatting options for the timestamp. Within the LEEF Format, Time zone is fixed to *UTC.
Time zone | Formatted output |
---|---|
*NONE | 1947-03-24T20:00:00 |
*UTC | 1947-03-24T20:00:00-06:00 |
*ZULU | 1947-03-25T02:00:00Z |
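As an added example (not from this page or the product), the two functions below show the three Time zone settings in both directions. format_modern_timestamp renders one UTC instant the way the table does for *NONE, *UTC and *ZULU, honouring the 0/3/6 Microseconds setting described above; the sender's local offset of -06:00 is my assumption, read off the *UTC row, and is passed in as a parameter. parse_siem_timestamp turns received header timestamps back into UTC-aware datetimes, accepting both the zero-padded -06:00 form in the table and the unpadded -6:00 form that appears in the style examples. A *NONE stamp carries no zone information at all, so the parser refuses it unless the caller states the offset to assume; that is the practical cost of choosing *NONE when events are correlated across systems.

```python
import re
from datetime import datetime, timedelta, timezone

# Timestamp shapes seen on this page: optional fraction of 1-6 digits, then no
# zone (*NONE), an offset such as -06:00 or -6:00 (*UTC), or a literal Z (*ZULU).
_STAMP_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})T(?P<time>\d{2}:\d{2}:\d{2})"
    r"(?:\.(?P<frac>\d{1,6}))?"
    r"(?P<zone>Z|[+-]\d{1,2}:\d{2})?$"
)

# Assumed sender offset, taken from the -06:00 shown in the Time zone table.
SENDER_OFFSET = timedelta(hours=-6)


def _offset_suffix(offset):
    """Render a timedelta as +HH:MM / -HH:MM."""
    total = int(offset.total_seconds())
    sign = "-" if total < 0 else "+"
    total = abs(total)
    return f"{sign}{total // 3600:02d}:{(total % 3600) // 60:02d}"


def format_modern_timestamp(moment, time_zone="*UTC", micro_digits=3,
                            local_offset=SENDER_OFFSET):
    """Render an aware datetime as the Modern header does for one Time zone setting.

    micro_digits mirrors the Microseconds field: 0 (*NONE), 3 or 6 digits.
    """
    if micro_digits not in (0, 3, 6):
        raise ValueError("Microseconds must be *NONE (0), 3 or 6")
    if time_zone == "*ZULU":
        local, suffix = moment.astimezone(timezone.utc), "Z"
    elif time_zone == "*UTC":
        local, suffix = moment.astimezone(timezone(local_offset)), _offset_suffix(local_offset)
    elif time_zone == "*NONE":
        local, suffix = moment.astimezone(timezone(local_offset)), ""
    else:
        raise ValueError(f"unknown Time zone setting {time_zone!r}")
    text = local.strftime("%Y-%m-%dT%H:%M:%S")
    if micro_digits:
        text += "." + f"{local.microsecond:06d}"[:micro_digits]
    return text + suffix


def parse_siem_timestamp(text, assumed_offset=None):
    """Parse a header timestamp into a UTC-aware datetime.

    A stamp without zone (*NONE) is accepted only when the caller supplies the
    offset to assume; otherwise it cannot be placed on a timeline.
    """
    m = _STAMP_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised timestamp {text!r}")
    frac = m.group("frac") or ""
    naive = datetime.strptime(f"{m['date']}T{m['time']}", "%Y-%m-%dT%H:%M:%S")
    naive = naive.replace(microsecond=int(frac.ljust(6, "0")) if frac else 0)
    zone = m.group("zone")
    if zone is None:
        if assumed_offset is None:
            raise ValueError("timestamp has no zone; pass assumed_offset")
        tz = timezone(assumed_offset)
    elif zone == "Z":
        tz = timezone.utc
    else:
        hours, minutes = zone[1:].split(":")
        delta = timedelta(hours=int(hours), minutes=int(minutes))
        tz = timezone(-delta if zone[0] == "-" else delta)
    return naive.replace(tzinfo=tz).astimezone(timezone.utc)


if __name__ == "__main__":
    instant = datetime(1947, 3, 25, 2, 0, 0, tzinfo=timezone.utc)
    for setting in ("*NONE", "*UTC", "*ZULU"):
        print(setting, format_modern_timestamp(instant, setting, micro_digits=0))
    print(parse_siem_timestamp("2021-03-15T14:59:06.100-6:00"))
```

Run stand-alone, the loop reproduces the three rows of the Time zone table from a single instant, which also makes visible that the *UTC and *ZULU rows denote the same moment written two ways.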
Command Keys
F3=Exit
Exit the program.
F5=Refresh
Discards changes and remains on this panel.