Triple Syslog Definitions (#1-#3)
Events from IBM i, covering the different Audit entry types, are sent to a remote SYSLOG server according to a range of severities (Emergency, Alert, Critical, Error, Warning, and so on). When Send SYSLOG messages (for SIEM) is set to Yes in the Main Control for SIEM & DAM definitions, the product automatically sends every event whose severity falls within the Severity range to auto send, using the message structure selected, as described in the table below.
Support for more than one SIEM is implemented as a separate job per SIEM. Each job feeds its SIEM through an intermediate buffer, which lets the product ride out communication problems or SIEM downtime; a message is sent to QSYSOPR when the buffer is full or processing is delayed. The Triple Syslog definitions required for this are described in this section.
To configure SIEM message structure:
- Select the SIEM system from the iSecurity/Base System Configuration menu (STRAUD > 81).
- For SIEM 1, select 31. SIEM 1 (STRAUD > 81 > 31).
- For SIEM 2, select 32. SIEM 2 (STRAUD > 81 > 32).
- For SIEM 3, select 33. SIEM 3 (STRAUD > 81 > 33).
- The Definitions screen for the selected SIEM appears.
```text
                        SIEM 1 Definitions                    23/07/19 11:52:10
SIEM 1 name . . . . . . . . . . Kiwi                          Port: 514
SYSLOG type . . . . . . . . . . 1     1=UDP, 2=TCP, 3=TLS
Destination address . . . . . . 1.1.1.129
"Severity" range to auto send . 0 - 5 Emergency - Notice (significant)
"Facility" to use . . . . . . . 22    Local use 6 (Local6)
Msg structure or *LEEF, *CEF  . *CEF
   *LEEF, *CEF, *CEF-SPLUNK, or mix variables and constants (ex & %):
   &1=First level msg  &3=Msg Id.  &4=System  &5=Module  &6=IP
   &7=Audit type  &E=SubType  &8=Host name  &9=User
   &H=Hour  &M=Minute  &S=Second  &X=Time  &d=Day in month  &m=Month (mm)
   &y=Year (yy)  &x=Date  &a/&A=Weekday (abbr/full)  &b/&B=Month name (abbr/full)
Convert data to CCSID . . . . . 0     0=Default, 65535=No conversion
Maximum length  . . . . . . . . 1024  128-9800
Note: Re-activate subsystem after changes.
F3=Exit   F12=Cancel   F22=Set SYSLOG handling per audit sub-type
```

| Parameter | Description |
|---|---|
| SIEM # name | The name of the Syslog. |
| Port | The port the Syslog is listening on, according to the SYSLOG type. |
| SYSLOG type | 1=UDP, 2=TCP, 3=TLS (SYSLOG over TLS uses port number 6514). |
| Destination address | Enter the destination IP address (without quotes). |
| Severity range to auto send | Enter the severity range at which the SYSLOG message will be sent: 0-7 (Emergency - DEBUG). Where: |
| Facility to use | Enter the facility from which the SYSLOG message will be sent. Where: |
| Message Structure | Two built-in message structures are available which send data in Field Mode as pairs of Field name and Field value: *LEEF = Log Event Extended Format, *CEF = Common Event Format. Or use mixed variables and constants (ex & %). (For more information on LEEF/CEF, see Original Input Formats.) |
| Convert data to CCSID | 0 = Default, 65535 = No conversion. |
| Maximum length | 128 - 9800. |
| Variable | Description |
|---|---|
| &a | Abbreviated name of the day of the week (Sun, Mon, and so on). |
| &A | Full name of the day of the week (Sunday, Monday, and so on). |
| &b | Abbreviated month name (Jan, Feb, and so on). |
| &B | Full month name (January, February, and so on). |
| &c | Date/Time in the format of the locale. |
| &C | Century number [00-99], the year divided by 100 and truncated to an integer. |
| &d | Day of the month [01-31]. |
| &D | Date format, same as &m/&d/&y. |
| &e | Same as &d, except a single digit is preceded by a space [1-31]. |
| &g | 2-digit year portion of the ISO week date [00-99]. |
| &G | 4-digit year portion of the ISO week date. Can be negative. |
| &h | Same as &b. |
| &H | Hour in 24-hour format [00-23]. |
| &I | Hour in 12-hour format [01-12]. |
| &j | Day of the year [001-366]. |
| &L | Three-digit milliseconds part of the event time. |
| &m | Month [01-12]. |
| &M | Minute [00-59]. |
| &n | Newline character. |
| &O | UTC offset. Output is a string with format +HH:MM or -HH:MM, where + indicates east of GMT, - indicates west of GMT, HH indicates the number of hours from GMT, and MM indicates the number of minutes from GMT. |
| &p | AM or PM string. |
| &r | Time in AM/PM format of the locale. If not available in the locale time format, defaults to the POSIX time AM/PM format: &I:&M:&S &p. |
| &R | 24-hour time format without seconds, same as &H:&M. |
| &S | Second [00-61]. The range for seconds allows for a leap second and a double leap second. |
| &t | Tab character. |
| &T | 24-hour time format with seconds, same as &H:&M:&S. |
| &u | Weekday [1-7]. Monday is 1 and Sunday is 7. |
| &U | Week number of the year [00-53]. Sunday is the first day of the week. |
| &V | ISO week number of the year [01-53]. Monday is the first day of the week. If the week containing January 1st has four or more days in the new year, it is considered week 1. Otherwise, it is the last week of the previous year, and the next week is week 1 of the new year. |
| &w | Weekday [0-6]. Sunday is 0. |
| &W | Week number of the year [00-53]. Monday is the first day of the week. |
| &x | Date in the format of the locale. |
| &X | Time in the format of the locale. |
| &y | 2-digit year [00-99]. |
| &Y | 4-digit year. Can be negative. |
| &z | UTC offset. Output is a string with format +HHMM or -HHMM, where + indicates east of GMT, - indicates west of GMT, HH indicates the number of hours from GMT, and MM indicates the number of minutes from GMT. |
| &Z | Time zone name. |
| &1 | The first level message. |
| &3 | The ID of the first level message. |
| &4 | The name of the system where the event took place. |
| &5 | The full name of the RazLee product. |
| &6 | The IP address of the system where the event took place. |
| &7 | The two-character Audit type of the transaction. |
| &8 | The host name of the system where the event took place. |
| &9 | The user ID for the event. |
- Enter the required parameters and press Enter.
- &0 or &2 can be used as the last parameter in the SYSLOG format.
- &0 = bytes 1-9800 of USRDTA (9800 bytes)
- &2 = bytes 1101-9800 of USRDTA (8700 bytes)
Notes:
- These fields are not converted to ASCII.
- The SYSLOG manager must raise its maximum message length from the default (1024) to the expected size (10000).
- The SYSLOG manager must handle the non-printable characters option.
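The &-variable substitution and the severity/facility parameters described above, as an added Python example that is not part of the product or this manual: the event dict keyed by variable name, the sample values, and the "<PRI>" syslog framing (facility * 8 + severity) are assumptions.

```python
"""Render an iSecurity-style &-variable SIEM template into a syslog line.
Added example, not RazLee code: assumes event fields arrive as a dict keyed by
the &-variable name and frames the result as "<PRI>" (facility*8 + severity)."""
import re
from datetime import datetime, timedelta, timezone

# The page's date/time variables use the same letters as C strftime.
_STRFTIME = {c: "%" + c for c in "aAbBcCdDeghGHIjmMnpRStTuUVwWxXyYzZ"}

def expand(template: str, fields: dict, when: datetime) -> str:
    """Substitute &-variables; an unknown variable is left untouched."""
    def sub(m):
        key = m.group(1)
        if key == "L":                     # three-digit milliseconds
            return f"{when.microsecond // 1000:03d}"
        if key == "O":                     # UTC offset as +HH:MM
            off = when.strftime("%z")
            return f"{off[:3]}:{off[3:]}" if off else ""
        if key in _STRFTIME:
            return when.strftime(_STRFTIME[key])
        return fields.get(key, m.group(0))
    return re.sub(r"&([0-9A-Za-z])", sub, template)

def syslog_pri(facility: int, severity: int) -> int:
    """PRI value: facility 0-23 (22 = local6), severity 0-7 (0 = Emergency)."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    return facility * 8 + severity

def build_message(template, fields, when, severity, *, facility=22,
                  sev_range=(0, 5), max_len=1024):
    """Wire string, or None when severity falls outside the auto-send range."""
    lo, hi = sev_range
    if not lo <= severity <= hi:
        return None
    line = f"<{syslog_pri(facility, severity)}>{expand(template, fields, when)}"
    return line[:max_len]                  # mimic the 'Maximum length' cap

# Constructed sample event and template (not real audit data).
SAMPLE = {"1": "User signed on", "3": "AUD0001", "4": "S1234567", "5": "Audit",
          "6": "10.0.0.5", "7": "PW", "E": "A", "8": "ibmi01", "9": "QSECOFR"}
WHEN = datetime(2019, 7, 23, 11, 52, 10, 123000,
                tzinfo=timezone(timedelta(hours=2)))
TEMPLATE = "&Y-&m-&d &H:&M:&S.&L &z host=&8 ip=&6 user=&9 type=&7/&E id=&3 msg=&1"

if __name__ == "__main__":
    print(build_message(TEMPLATE, SAMPLE, WHEN, severity=3))
```

Running it with a severity of 6 (Informational) returns None, which is how the screen's 0-5 auto-send range drops events before they reach the SIEM.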