Powertech SIEM Agent for IBM i

NOTE: In versions 3.10 and earlier, SIEM Agent for IBM i was called Interact.

July 2024

Version 4.8

July 2, 2024

New Features
  • The User Guide now contains a section, "Monitoring SSH Activity with SIEM Agent", describing at a high level how SIEM Agent can monitor SSH (SFTP, SCP) activity. For detailed instructions, the section refers to the Knowledge Article "Setting up and Testing Monitoring of SSH Activity with SIEM Agent".

  • The User Guide now contains a section, "Monitoring File Changes with SIEM Agent", with a short description of how SIEM Agent can be used to monitor changes to database files.

Fixes
  • An issue where the monitoring of a message failed, and messages stopped being sent to output targets has been resolved.

  • An issue where the output contains an exclamation mark (!) instead of the pipe symbol (|) has been resolved.

  • Event descriptions for Command Security journal entries 'MM' and 'MN' have been updated to clearly distinguish the two event types.

  • Additional information will now be included in Command Security Events when the *CEF message style is used.

  • An issue where under specific circumstances, an incorrect journal receiver was being used when the Audit monitor was started has been resolved.

  • Predefined information (such as job name and number, user, and program) will now be included in the Events from *JOURNAL-type Event Sources when the *CEF message style is used.

  • An issue where new IBM i 7.5 journal entries C3 and FT were causing the AUDIT monitor job to fail has been resolved.

  • An issue where data was not removed from SIEM Agent’s internal work data when Outputs were deleted has been resolved.

  • An issue where the JSON information was not displaying correctly has been resolved.

  • The update process will now verify that, in accordance with the installation requirements, the system value QALWUSRDMN is either set to *ALL or includes both libraries PTPLLIB and PTSALIB.

  • An issue when updating from Interact / SIEM Agent 3.x to SIEM Agent 4.x has been resolved.

  • For Fields defined in event descriptions, the CCSID setting was being ignored. This has been fixed.

December 2022

Version 4.7

December 22, 2022

Enhancements
  • Increased the password maximum length to 120 characters for the Apache Kafka keystore. Note: This increase affects only outputs of type *KAFKA. If the password to the keystore is already encrypted, it must be re-entered after upgrading to this release.

  • Added the ability to override the host name and fully qualified host name.

  • New audit journal entry types and changed entry fields in IBM i 7.5, such as the new C3 (Advanced Analysis Configuration) and FT (FTP client operations) entry types, are now supported.

Fixes
  • Fixed an issue that could cause a monitor job to loop.

  • Fixed an issue where the RNX0100 error message was visible in SIEM Agent monitor jobs.

  • Fixed an issue with the Powertech Command Security CMDSEC event text that had omitted the command string of the monitored command that was executed.

  • Fixed an issue with Powertech Command Security CMDSTR event field definitions.

  • Fixed an issue where the Powertech Command Security UAE and UAF event fields had incorrect offsets.

  • Fixed an issue with the Powertech Exit Point Manager EPMLOC event field definition. The EPMLOC field contains the location (IP address) of the transaction requests.

April 2022

Version 4.6

April 6, 2022

Enhancements
  • Added extension functions %extract and %int to now support EPOCH format.

  • JSON data type override provides ability for JSON to treat the outcome of a value as character or numeric versus its original field data type.

  • Updated to Log4j 2.17.

Fixes
  • Fixed issue with CEF listing job user as DUSER instead of *CURUSER.

  • Output now correctly shows HOST name instead of system name.

  • Fixed issue with update failing on error VLD40A4.

  • We now verify that *STREAM output configuration is pointing to an STMF, and notify the user if it points to a directory.

  • Fixed issue with Rule Conditions using Fields *RMTADDR or *RMTADDR(1–14).

  • Fixed issue with rule output field being input capable.

  • In Event output, the value of the application name ("APP-NAME") field changed from "Interact" to "SIEM Agent" in Release 4. To ensure compatibility with SIEMs that do not accept blank application names, users can now change the application name to "SIEM_Agent" with an underscore instead of the blank, by executing the SQL statement INSERT INTO PTSALIB/PSASYP values('ProductBlank', 'N').
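The blank in "SIEM Agent" matters because RFC 5424 header fields are separated by single spaces, so a receiver that parses the header strictly shifts every field after APP-NAME one position to the left. The parser below is an added example, not SIEM Agent's own code; it checks the header layout and shows the shift on two constructed sample lines (the host name MYIBMI, PROCID 123456 and MSGID AUDIT are made up), which is the check to run against an Output's sample events before pointing a SIEM at it. The same reasoning applies to the app-name change noted for Version 4.0 below.

```python
import re
from dataclasses import dataclass
from typing import Optional

# RFC 5424 HEADER (fields separated by a single space):
#   PRI VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP SD [SP MSG]
# HOSTNAME, APP-NAME, PROCID and MSGID are printable US-ASCII (0x21-0x7E), so never contain
# a blank; NILVALUE "-" stands in for an absent field. VERSION is fixed at 1 by the RFC.
_PRI_VER = re.compile(r"^<(\d{1,3})>1$")
_PRINTUSASCII = re.compile(r"^[\x21-\x7e]+$")
# SD is "-" or one or more [..] elements (allowing \] escapes), then an optional MSG.
_SD = re.compile(r"^(-|(?:\[(?:[^\]\\]|\\.)*\])+)(?: (.*))?$", re.S)

@dataclass
class Event:
    facility: int
    severity: int
    timestamp: str
    hostname: str
    app_name: str
    procid: str
    msgid: str
    structured_data: str
    msg: Optional[str]

def parse_rfc5424(line: str) -> Event:
    """Parse one RFC 5424 line; raise ValueError when the header does not line up."""
    parts = line.split(" ", 6)
    if len(parts) != 7:
        raise ValueError("header needs six space-delimited fields before STRUCTURED-DATA")
    pri_ver, ts, host, app, procid, msgid, rest = parts
    m = _PRI_VER.match(pri_ver)
    if not m:
        raise ValueError(f"bad PRI/VERSION: {pri_ver!r}")
    pri = int(m.group(1))
    for name, val in (("HOSTNAME", host), ("APP-NAME", app), ("PROCID", procid), ("MSGID", msgid)):
        if not _PRINTUSASCII.match(val):
            raise ValueError(f"{name} must be printable US-ASCII: {val!r}")
    sd = _SD.match(rest)
    if not sd:
        # This is where "SIEM Agent" fails: the blank shifted every later field left,
        # so the real MSGID now sits where STRUCTURED-DATA is expected.
        raise ValueError(f"STRUCTURED-DATA must be '-' or [..] elements, got {rest[:24]!r}")
    return Event(pri >> 3, pri & 7, ts, host, app, procid, msgid, sd.group(1), sd.group(2))

def app_name_ok(app_name: str) -> bool:
    """True when APP-NAME is 1..48 printable US-ASCII characters (no blank)."""
    return 1 <= len(app_name) <= 48 and _PRINTUSASCII.match(app_name) is not None

def diagnose(line: str) -> str:
    """'ok' or the reason a strict RFC 5424 receiver would reject the line."""
    try:
        parse_rfc5424(line)
        return "ok"
    except ValueError as exc:
        return str(exc)

# Constructed sample events (not real SIEM Agent output): same payload, two APP-NAME spellings.
WITH_UNDERSCORE = "<14>1 2024-07-02T10:15:00Z MYIBMI SIEM_Agent 123456 AUDIT - pgm=QSYS/QLESPI user=QSECOFR"
WITH_BLANK = "<14>1 2024-07-02T10:15:00Z MYIBMI SIEM Agent 123456 AUDIT - pgm=QSYS/QLESPI user=QSECOFR"
```

Running diagnose() over both samples returns "ok" for the underscore spelling and a STRUCTURED-DATA error for the blank one, because "Agent" was consumed as PROCID and "123456" as MSGID.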

August 2021

Version 4.5

August 23, 2021

Enhancements
  • On the Create/Change Rule panel (PSA4711) and the Create/Change Event Subtype panel (PSA4511), the text of the "Extension" field has been changed to "Add Extension" and the text of the "Event Text" field has been changed to "Override Event Text" to more accurately describe the functionality of these fields.

Fixes
  • Events from the SYSMSG Event Source that were output using the *SYSLOG Message Style did not contain Event Text. This has been resolved.

  • Errors in the descriptions of some *FTPCLIENT-related Subtypes in the Exit Point Manager Event Source have been corrected.

  • Corrections have been made to Event examples for *CEF and *SYSLOG Message Styles in the User Guide.

  • Excessive configuration data is no longer removed when a Central Administration endpoint is removed from the managing system.

  • An issue that caused output to be incomplete when long sequences of blanks were contained in Journal data has been resolved.

  • An issue that could cause line-end characters to be sent inconsistently when using TCP or TLS to send Events has been resolved.

  • Events sent in LEEF format no longer contain redundant control characters.

April 2021

Version 4.4

April 28, 2021

Enhancements
  • The "Commit Configuration Changes" option has been added to SIEM Agent's Main Menu for easier access.
  • Subtypes for Event Description TNA are now supported.
  • Event Text has been added for events that indicate commands that have been allowed or rejected by Powertech Command Security.
  • Upon installation, some Event Descriptions are now set to Active in the AUDIT Event Source so that once AUDIT has been connected to an Output useful information is available while monitoring.
Fixes
  • A performance issue related to the message queue monitor for QSYSOPR has been resolved.
  • Inconsistencies in CEF Arcsight event output between Interact 3 and SIEM Agent 4 have been resolved.
  • A blank now separates the Syslog header from the Syslog structured-data for events sent in the *MODERN message style.
  • An issue causing incorrect values in common fields, such as the Remote Address field, has been corrected.
  • Events sent in the *MODERN message style with the RFC 5424 header format no longer contain too many "-" or "NILVALUE" entries.
  • An issue that caused missing request data in Syslog transactions from the Exit Point Manager Event Source has been resolved.
  • The Act column in Select Output Targets now indicates the Outputs that are active.
  • Header Format Compatibility on the MODERN Format is now set to "No" for first-time installations. This setting is required for upgrades only, to provide consistent (but non-standard) Syslog output with previous versions of the software so as not to interfere with existing operations.
  • An issue that caused missing event text in SYSLOG messages for Audit and Custom journals has been corrected.

November 2020

Version 4.3

November 19, 2020

  • An issue that caused excessive job logs for TCP output monitors when the target system was unavailable has been resolved.

Version 4.2

November 2, 2020

New Features
  • SIEM Agent now supports the LEEF format, which allows events from SIEM Agent to be forwarded to QRadar, IBM's SIEM solution. While SIEM Agent previously integrated with QRadar via the SYSLOG protocol, LEEF is QRadar's preferred protocol.
  • SIEM Agent now supports the JSON Format, which allows events to be forwarded to destinations such as Apache Kafka.
  • SIEM Agent now supports integration with Apache Kafka, and includes the Kafka Agent and YAJL JSON parser, offering an event management solution for very large environments.
Enhancements
  • The process used for sending messages to a TCP server is now more resilient.
  • The default start behavior of SIEM Agent has been adjusted to improve performance.
Fixes
  • Events output in SYSLOG and MODERN formats formerly included data intended only for events in CEF format. This data is no longer included in new installations. For backward compatibility, the "Use Header Format Compatibility" flag has been added to the Work with Formats panel. It allows the CEF data to be included with SYSLOG and MODERN Formats.
  • While copying an Event Source, all Subtypes and Rules of the Event Source are now copied.
  • A problem causing extraneous output when an event description has inactive sub-types has been corrected.
  • Missing predefined data for Event Descriptions in the Audit Event Source is now included during installation.
  • Message CPF1393 is now formatted correctly for SYSLOG and CEF.
  • When using option 4 to delete entities (such as Event Sources, or Outputs) in conjunction with other options, entries for all options are no longer shown as deletions on the confirmation panel.
  • During conversion from SIEM Agent 3 (Interact), warning messages regarding custom journals are no longer included in the conversion log when no custom journals were defined.
  • Monitor jobs are no longer started when no active outputs are defined.
  • An issue that could cause the message queue monitor job to fail if more than 25 messages were received within a one-second interval has been corrected.
  • SIEM Agent now displays a warning message when an attempt is made to create an Extension with a name that already exists. (Duplicate Extension names are not allowed.)
  • An error causing incorrect formatting when multiple extensions are defined for an event has been corrected.
  • Encrypted data is no longer erroneously included in the output when capturing event types UNA and UNR from Powertech Exit Point Manager.
  • Error MCH1210 is no longer logged in the job log if a user creates a new rule for an event, and inadvertently presses Enter with all entry fields empty.
  • At install time, a pre-checker now checks to ensure a PTF required for the RNXIE program has been installed.
  • The "Position to Name" function on the Work with Event Descriptions panel now positions the list correctly.
  • Minor text and formatting changes have been made to several panels to improve usability.
  • SIEM Agent users are now protected from incidental removal of Powertech Central Administration on a system. (Powertech Central Administration is required for SIEM Agent to function.)
  • The "Special" field in the Create Output panel has been renamed "ArcSight Compatibility" to more clearly indicate its function.
  • *WSG SIGNON Workstation Gateway Server - Signon has been removed from SIEM Agent's list of servers as it has been discontinued by IBM and is not included in recent IBM i versions.
  • When IBM i 7.4 entry types TM0, TM6, TM7, TM8, and TM9 are configured as Active in SIEM Agent, and SIEM Agent is active on IBM i 7.3 or earlier, SIEM Agent jobs no longer fail.
  • A problem causing SYSLOG events to omit data in the OBJECT, LIBRARY, and MEMBER fields has been resolved.
  • SIEM Agent's event source monitor no longer fails when the journal entry type is not supported on the OS.
  • The T:CP field description is no longer missing values.
  • A problem causing lines to lose their delimiter when a trace file is shared across multiple outputs has been corrected.

April 2020

Version 4.1

April 2, 2020

  • Outputs can no longer be created without specifying a Format.
  • A problem causing incorrect data to be added to T:SV (System Value change) transactions has been resolved.
  • A rules processing improvement removes the requirement to create catch-all rules in certain scenarios, improving the user experience.
  • The inability to resolve the IP address when a fully qualified domain name is set as the Location for an Output has been corrected.
  • A journal monitor performance issue has been resolved.
  • The inability to create Output files in some scenarios has been corrected.
  • A problem causing the field values in Conditions to not be included in copied rules has been resolved.

December 2019

Version 4.0
New Features
  • SIEM Agent 4 has been re-invented to significantly improve the power and flexibility of SIEM Agent's capabilities.
    • Any IBM i journal or message queue can now be monitored for critical system messages, audit entries, and requests logged by Powertech Exit Point Manager, Authority Broker, and Command Security.
    • Outputs define the format and destination of notification events to be sent from SIEM Agent 4, which can be sent to multiple targets. An output target can be a network location, message queue, or IFS stream file.
    • Formats include settings that control the formatting of syslog event data, including the header specification. SIEM Agent 4 now supports variations of the syslog format, including CEF, RFC3164, the original published standard for Syslog, and RFC5424, a more modern version of the RFC3164 standard.
    • Specific, highly relevant information from event fields can be included in your event notifications by configuring Extensions and Event Text.
      • Extensions are name-value pairs that display simple values from the event (such as pgm=QSYS/QLESPI, user=QSECOFR, etc.).
      • Event Text can be used to define the dynamic pattern used to assemble a highly-informative, human-readable message accompanying your notifications.
    • Event Descriptions now allow you to easily accommodate events from custom journals and message queues.
    • Rules now allow you to include additional Extensions, alternative Event Text, or send to alternative Outputs based on a relevant piece of data within an event, such as a user profile name.
Enhancements
  • Entry types and subtypes have been added for IBM i 7.4 compatibility.
  • Journal and message queue data is now stored in a normalized, relational way for improved performance.
  • The monitor jobs have been rewritten for improved integrity and performance.
  • SIEM Agent 3.0 user-defined journals are converted to 4.0 data stores as part of the upgrade process to 4.0 in order to reduce the amount of configuration required after upgrading.
  • Message Queue events support message field insertion in Extensions.
  • Event monitoring can now optionally be restarted from a specific date.
Fixes
  • The current product name, Powertech SIEM Agent for IBM i, is now used throughout the interface. (The product was previously called Powertech Interact.)
  • The app-name value included in syslog messages has been changed from "Interact" to "SIEM Agent", to reflect the product name (updated in 2018). If you have created rules in your SIEM that use the app-name value as a condition, you will need to update those rules to check for app-name = "SIEM Agent" instead of app-name="Interact".

May 2018

Version 3.10
  • The new PLICHGAPP command allows you to separate syslog messages with delimiter characters when using the TCP protocol.
  • The Interact license entry program and license checker now recognize LPAR numbers greater than 255.

April 2017

Version 3.09
  • CEF entries for custom journals are no longer missing the file information (library, file, member).
  • Commands STRPLIAMON and ENDPLIAMON can now be run outside of the product.
  • Help text from the Work with Brokers/Agents screen that incorrectly stated all messages sent to QSYSMSG are also sent to QSYSOPR has been corrected.

November 2016

Version 3.08
  • Event Filters have been added for the new PTF-related journal entries added in OS V7R2 (T/PF & T/PU):

    Msg Id    Function     Desc
    TPF0009   Type: PF/I   PTF IPL operation
    TPF0012   Type: PF/L   PTF product(s) operation
    TPF0016   Type: PF/P   PTF operations
    TPU0004   Type: PU/D   Directory PTF object changed
    TPU0012   Type: PU/L   Library PTF object changed
    TPU0019   Type: PU/S   LIC PTF object changed
  • New fields have been added to T/CD entries in *CEF format:

    cs4Label=commandDetail
    cs4=Entry_Specific_Data_up_to_the_Command_String
    cs5Label=commandString
    cs5=Command_String_from_Entry_Specific_Data

  • Subfile issues when paging up and down on the ‘Work with Event Filters’ screen (e.g. partial screens, odd cursor positioning) have been fixed.

November 2016

Version 3.07
  • Interact is now delivered with new deployment functionality, including the ability to stage the product installation.

August 2016

Version 3.06
  • Prior releases of Interact communicated with syslog and SIEM solutions only via the User Datagram Protocol (UDP), which provides neither encryption nor guaranteed delivery of events. Transmission Control Protocol (TCP) has been added to Interact to address these issues: TCP provides reliable, ordered, and error-checked delivery of Events. To encrypt event data, Interact now also includes Secured TCP communications using TLS certificates, which allows you to encrypt the traffic between Interact and your syslog server or SIEM product. UDP, Interact's former method of event data communication, is still supported. See Work with Interact Broker/Agent Properties for more details on TCP in Interact.
  • The following Hardware Message IDs are no longer missing from Interact:
    • CPPEA01
    • CPPEA03
    • CPPEA06
    • CPPEA10
    • CPPEA11
    • CPPEA14
    • CPPEA23
    • CPPEA25
    • CPPEA30
    • CPPEA31
    • CPPEA40
    • CPPEA42
    • CPPEA45
    • CPPEA46
    • CPPEA47
    • CPPEA5A
    • CPPEA51
    • CPPEA52
    • CPPEA53
    • CPPEA54
    • CPPEA55
    • CPPEA56
    • CPPEA57
    • CPPEA58
    • CPPEA59
    • CPPEA60
  • When outputting in *CEF format, T/CD information is no longer missing.

January 2016

Version 3.05
  • Support for 3rd party journals has been added.
  • Missing sub-types CD/X, DO/I, SV/D, SV/E, and SV/F for Host Role *CEF have been added.
  • The Interact Network Security monitor job will now run on a system with Network Security 7.

December 2014

Version 3.04
  • Subtypes CD/X, DO/I, SV/D, SV/E, and SV/F have been added to accommodate PCI-DSS System Time Change requirements.
  • The space offset error (MCH0601) in the Interact Journal Monitor (PLIRAJE) has been fixed.
  • Duplicate record messages during product update have been eliminated.
  • User checks on T/PW filters have been fixed.

May 2013

Version 3.02
  • Added support for the Interact Local Filter (ILF).
  • Changed the default User Class (USRCLS) *USER and Special Authorities (SPCAUT) *NONE for the PTIAADM user profile.
