Work with Rules panel

The Work with Rules panel allows you to define and work with Rules.

The purpose of Rules is to deliver a set of values to be placed within columns of the notification event sent to a syslog server.

How to Get There

For events, on the Work with Event Descriptions panel, choose option 9 for an event.

For event subtypes, on the Work with Event Subtypes panel, choose option 9 for an event subtype.

Options

Event Source

An Event Source is a location from which IBM i events are extracted. Currently, journals and message queues are supported as Event Sources. Common event sources are QAUDJRN (journal) and QSYSOPR (message queue). You may define your own journals and message queues as Event Sources.

Event Description

Indicates the Event Description to which the listed Event Subtype pertains.

An Event Description is a specification that defines how to identify the IBM i events in which you are interested.

Event Subtype

Indicates the Event Subtype to which the listed Rules pertain.

An Event Subtype is a specification that further defines how to identify the IBM i events in which you are interested. Often an Event Description represents an action that occurred, and the subtype indicates the subject of the action or a particular class of that action.

Opt

Enter a valid option from the list of options provided on the list panel.

Sequence

Sequence is a unique number used to determine the order in which rules are evaluated.

Active

Indicates whether the Rule is available for processing. When a Rule is not active, its values are not used in determining the contents sent to the syslog server.

Severity

Indicates the severity of the event. This severity is used in the output syslog packet.

0=Emergency
System is unusable; a panic condition.

1=Alert
Action must be taken immediately; a condition that should be corrected immediately, such as a corrupted system database.

2=Critical
Critical conditions; hard device errors.

3=Error
Error conditions.

4=Warning
Warning conditions.

5=Notice
Normal but significant conditions; conditions that are not error conditions but that may require special handling.

6=Informational
Informational messages.

7=Debug
Debug-level messages; messages that contain information normally of use only when debugging a program.

Class

Class is simply placed into the syslog output event when using the Legacy Interact 3 formats. Typical values implemented by Interact 3 include:

AUD - Audit event
POL - Policy event
VULN - Vulnerability event
FW - Firewall event
IDS - Intrusion detected event
SYS - System event
STG - Storage event

End

End determines whether rule processing stops after this Rule once all of its conditions are satisfied; later Rules in the Sequence are then not evaluated for that event.
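The following is an added illustration, not code from the product, of how Sequence, Active, Severity and End combine when Rules are evaluated for a single event and the resulting Severity is placed into the syslog PRI. The rule set, the event field names and values, the facility of 13 (log audit), and the choice that the last matching Rule's Severity wins when no Rule has End set are all assumptions made for the example.

```python
# Added example, not product code: a small model of how Sequence, Active,
# Severity and End interact when Rules are evaluated for one IBM i event.
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Event = Dict[str, str]

@dataclass
class Rule:
    sequence: int      # evaluation order (unique per rule)
    active: bool       # inactive rules contribute no values
    severity: int      # 0=Emergency ... 7=Debug, placed into the syslog PRI
    end: bool          # stop processing once this rule's conditions all hold
    description: str
    conditions: List[Callable[[Event], bool]] = field(default_factory=list)

def evaluate(rules: List[Rule], event: Event) -> List[Rule]:
    """Rules whose conditions were all satisfied, in Sequence order."""
    matched: List[Rule] = []
    for rule in sorted(rules, key=lambda r: r.sequence):
        if not rule.active:
            continue                      # Active=N: skipped entirely
        if all(cond(event) for cond in rule.conditions):
            matched.append(rule)
            if rule.end:
                break                     # End=Y: no further rules evaluated
    return matched

def syslog_pri(rules: List[Rule], event: Event, facility: int = 13) -> int:
    """syslog <PRI> = facility * 8 + severity (RFC 3164/5424).
    Assumptions the help page does not state: with several matches and no End,
    the last matching rule's Severity wins; facility 13 (log audit) and a
    fallback Severity of 6 (Informational) when no active rule matches.
    """
    matched = evaluate(rules, event)
    severity = matched[-1].severity if matched else 6
    return facility * 8 + severity

# Constructed sample rule set; field names and values are illustrative only.
RULES = [
    Rule(10, True, 7, False, "Any audit journal entry",
         [lambda e: e["source"] == "QAUDJRN"]),
    Rule(20, False, 0, True, "Inactive: must be skipped",
         [lambda e: e["user"] == "QSECOFR"]),
    Rule(30, True, 1, True, "Failed sign-on by QSECOFR, stop here",
         [lambda e: e["user"] == "QSECOFR", lambda e: e["action"] == "SIGNON_FAIL"]),
    Rule(40, True, 3, False, "Catch-all (no conditions)", []),
]
SAMPLE = {"source": "QAUDJRN", "user": "QSECOFR", "action": "SIGNON_FAIL"}
# evaluate(RULES, SAMPLE) -> rules 10 and 30; syslog_pri(RULES, SAMPLE) -> 105
```

Rule 20 is never consulted because it is inactive, and Rule 40 is never reached for the sample event because Rule 30 has End set.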

Description

A short description you assign to the Rule.

Command Keys

F3=Exit

Exit the program.

F5=Refresh

Discards changes and remains on this panel.

F6=Create

Creates a new Rule. See the Create Rule panel.

F11=View

Toggles the panel between different views.

F12=Cancel

Discards changes and returns to the prior panel.