Welcome to Powertech SIEM Agent for IBM i

Powertech SIEM Agent for IBM i (SIEM Agent) allows you to:

  • Monitor journals and message queues for critical system messages, audit entries, and requests logged by Powertech Exit Point Manager, Authority Broker, and Command Security.
  • Filter and extract desired event messages and identify them with custom field substitutions.
  • Reformat the data to a preferred format.
  • Transmit the messages using your choice of protocols including UDP, TCP, TLS, message queue, or stream file (IFS).

SIEM Agent facilitates real-time notification to an enterprise syslog server or messaging solution while ensuring only important events are escalated.

SIEM Agent Overview

SIEM Agent finds informative data, reformats it, and transmits it to another location. The following overview outlines, in general, how SIEM Agent does this.

Events and Event Sources

IBM i journals and message queues are SIEM Agent's Event Sources and the records within are its Events. Events are found by one or more monitor jobs running in the PTWRKMGT subsystem. Each Event has an identifier. For journal Events, the identifier is Journal Code + Entry Type (like T:AF). For message queues, the identifier is the message ID. Each Event includes fields that define how to break up the data by offset, length, and data type. Each of these fields can have a Substitution associated with it, which is a 'this-for-that data replacement' that can be used during viewing of the Event. You can define the fields and Substitutions for an Event, and one field can be labeled as the field that delivers the Event Subtype value (up to 30 bytes).

Events sometimes have different meanings based on data within the event. An Event Subtype divides an Event into different categories (like T-AD with subtype of D (for DLO) or O (for Objects)). The Event Subtype is determined by the content of a specified field.

So that Events can be interpreted by the receiving system, a device-event-class-id is assigned to each Event. The device-event-class-id (user-defined or defined by SIEM Agent) is placed into the output event verbatim. (Previous versions of SIEM Agent, called Interact, surfaced this value as the “Message ID.”) The user-customizable, human-readable message text for the output is called the Event Text. The Event Description, Subtype, and Rule together determine which Event Text (a set of message formatting strings) supplies the human-readable explanation for the device-event-class-id selected by the Event Subtype described above.

See Configuring Events and Event Sources.

Rules

SIEM Agent uses Rules to identify the Events to be transmitted. Rules have the final say in determining whether or not to post a syslog event, to which Output(s) to post the syslog event, and the class and severity for that Event. They are based on Conditions that interrogate Event field data. Special fields are available for general information about the event (when, whom, which day of the week, and so forth). This list of special fields may include data from the journal entry “header” that is not available for use in Rules for message queues. Likewise, message queues may carry valuable data that is not available for journals.

Conditions perform the evaluation. Rules supply the values to use in the output event. Rules can specify the severity and proprietary “class” of the output event.

See Configuring Rules.

Outputs and Formats

Finally, the data is reformatted and written to another location, the Output. An Output Target object defines this location. A Format object attached to an Output specifies output formatting options for that Output. The Format object also specifies the compliance level of the syslog header: RFC3164 or RFC5424. The Output monitor runs in PTWRKMGT. The Output is packaged in a syslog “packet”. The content of the MSG portion of the syslog packet is always formatted in compliance with Micro Focus ArcSight Common Event Format (CEF) v25 dated Sept 2017. The “interesting event details” may be packed into a single msg= extension or laid out as individual extensions, as determined by the Format object.

See Configuring Outputs, Configuring Formats, and Syslog Header Specifications.
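The packaging described above, as an added example (not SIEM Agent's own code): the CEF MSG body is built with either the packed msg= layout or one extension per field, then wrapped in an RFC 5424 or RFC 3164 syslog header. The vendor/product/version strings, the local0 facility and the T:AF field values are assumed or constructed, not taken from the product.

```python
from datetime import datetime, timezone

FACILITY_LOCAL0 = 16  # assumed syslog facility; the product's default is not stated here


def cef_escape_header(value: str) -> str:
    # CEF header fields: escape backslash and the '|' delimiter.
    return value.replace("\\", "\\\\").replace("|", "\\|")


def cef_escape_ext(value: str) -> str:
    # CEF extension values: escape backslash, '=' and line breaks.
    return (value.replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def build_cef_msg(event_class_id, name, cef_severity, details, packed=False,
                  vendor="Fortra", product="Powertech SIEM Agent for IBM i",
                  version="x.y"):
    """CEF:0 MSG body: seven header fields, then extensions. `details` maps
    extension keys to field values. packed=True folds every field into one
    msg= extension; packed=False emits one extension per field.
    vendor/product/version are placeholders, not values from the product."""
    header = "|".join(cef_escape_header(v) for v in (
        "CEF:0", vendor, product, version, event_class_id, name, str(cef_severity)))
    if packed:
        folded = " ".join(f"{k}={v}" for k, v in details.items())
        ext = "msg=" + cef_escape_ext(folded)  # inner '=' signs become '\='
    else:
        ext = " ".join(f"{k}={cef_escape_ext(v)}" for k, v in details.items())
    return header + "|" + ext


def syslog_line(msg, hostname, app, ts, syslog_sev, rfc5424=True):
    """Wrap a MSG in an RFC 5424 (default) or RFC 3164 header; ts must be UTC."""
    pri = FACILITY_LOCAL0 * 8 + syslog_sev  # PRI = facility * 8 + severity
    if rfc5424:
        return f"<{pri}>1 {ts:%Y-%m-%dT%H:%M:%SZ} {hostname} {app} - - - {msg}"
    return f"<{pri}>{ts:%b} {ts.day:2d} {ts:%H:%M:%S} {hostname} {app}: {msg}"


def example_event(packed=False, rfc5424=True):
    # Constructed T:AF (authority failure) audit entry; not captured from a real system.
    details = {"suser": "TESTUSER", "fname": "QSYS/PAYROLL", "act": "A=denied"}
    msg = build_cef_msg("T:AF", "Authority failure", 7, details, packed=packed)
    ts = datetime(2017, 9, 5, 12, 0, 0, tzinfo=timezone.utc)
    return syslog_line(msg, "IBMI01", "SIEMAGENT", ts, syslog_sev=4, rfc5424=rfc5424)


if __name__ == "__main__":
    print(example_event(packed=False))
    print(example_event(packed=True))
```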


These instructions are intended as a guide for quick installation and basic configuration, to be supplemented, where referenced, with the SIEM Agent User Guide. Find all documentation and reference materials on the Fortra Support Portal at https://support.fortra.com.