Work with Event Sources panel

The Work with Event Sources panel allows you to define and work with Event Sources.

An Event Source is a location from which IBM i events are extracted. Currently, journals and message queues are supported as Event Sources. Common event sources are QAUDJRN (journal) and QSYSOPR (message queue). You may define your own journals and message queues as Event Sources.

How to Get There

On the Main Menu, choose option 1, Work with Event Sources.

Options

Opt

Enter a valid option from the list of options provided on the list panel.

2=Change
Opens the Change Event Source panel, which allows you to modify the properties of an existing Event Source.
3=Copy
Opens the Copy Event Source panel, which allows you to create a new Event Source by copying the properties and content of an existing Event Source.
4=Delete
Deletes the Event Source. You are prompted to confirm.
5=Display
Opens the Display Event Source panel, which displays Event Source properties but does not allow them to be changed.
9=Event Description
Opens the Work with Event Descriptions panel, which allows you to define and work with Event Descriptions.
Facility

The name you use to refer to this Event Source within Powertech SIEM Agent. It does not need to match the name of any object on the system; it is a name you invent for your reference.

This name must be a valid OS name.

Type

The type of object from which IBM i events will be extracted. Journals and message queues are supported as Event Sources. Common event sources are QAUDJRN (journal) and QSYSOPR (message queue).

*AUDIT
Defines the IBM Security Audit Journal, QAUDJRN, to be monitored. This type includes some canned definitions of the journal codes and entry types for the security-related journal entries.
*SYSMSG
Defines the IBM System Messages in QSYSOPR or QSYSMSG to be monitored. This type includes some canned definitions of some interesting system management messages.
*EPM
Defines the Powertech Exit Point Manager Journal to be monitored. This type includes canned definitions of the journal codes and entry types for Exit Point Manager entries.
*AB
Defines the Powertech Authority Broker Journal to be monitored. This type includes canned definitions of the journal codes and entry types for Authority Broker.
*CMDSEC
Defines the Powertech Command Security Journal to be monitored. This type includes canned definitions of the journal codes and entry types for Command Security.
*MSGQ
Defines a user-defined message queue to be monitored. You define the messages you would like monitored.
*JRN
Defines a user-defined journal to be monitored. You define the journal codes and entry types you would like monitored.
Default Output

Indicates whether a set of Outputs is attached to the Event Source to act as Default Outputs.

Names the default Output(s) to which syslog events will be sent for this Event Source. These Outputs will be used when a Rule specifies *SOURCE for a target Output.

Command Keys

F3=Exit

Exit the program.

F5=Refresh

Refreshes the panel with the most current data.

F6=Create

Creates a new item.

F12=Retrieve

Discards changes and returns to the prior panel.