- SIEM Agent 4 has been re-invented to significantly improve the power and flexibility of SIEM Agent's capabilities.
- Any IBM i journal or message queue can now be monitored for critical system messages, audit entries, and requests logged by Powertech Exit Point Manager, Authority Broker, and Command Security.
- Outputs define the format and destination of notification events to be sent from SIEM Agent 4, which can be sent to multiple targets. An output target can be a network location, message queue, or IFS stream file.
- Formats include settings that control the formatting of syslog event data, including the header specification. SIEM Agent 4 now supports several message formats: RFC 3164 (the original BSD syslog format), RFC 5424 (the current syslog standard, which obsoletes RFC 3164 and adds a structured-data element), and CEF (Common Event Format, carried as the body of the syslog message).
- Specific, highly relevant information from event fields can be included in your event notifications by configuring Extensions and Event Text.
- Extensions are name-value pairs that display simple values from the event (such as pgm=QSYS/QLESPI, user=QSECOFR, etc.).
- Event Text can be used to define the dynamic pattern used to assemble a highly-informative, human-readable message accompanying your notifications.
- Event Descriptions now allow you to easily accommodate events from custom journals and message queues.
- Rules now allow you to include additional Extensions, alternative Event Text, or send to alternative Outputs based on a relevant piece of data within an event, such as a user profile name.
- Entry types and subtypes have been added for IBM i 7.4 compatibility.
- Journal and message queue data is now stored in a normalized, relational way for improved performance.
- The monitor jobs have been rewritten for improved integrity and performance.
- SIEM Agent 3.0 user-defined journals are converted to 4.0 data stores as part of the upgrade process to 4.0 in order to reduce the amount of configuration required after upgrading.
- Message Queue events support message field insertion in Extensions.
- Event monitoring can now optionally be restarted from a specific date.
- The current product name, Powertech SIEM Agent for IBM i, is now used throughout the interface. (The product was previously called Powertech Interact.)
- The app-name value included in syslog messages has been changed from "Interact" to "SIEM Agent", to reflect the product name (updated in 2018). If you have created rules in your SIEM that use the app-name value as a condition, you will need to update those rules to check for app-name = "SIEM Agent" instead of app-name="Interact".
- The new PLICHGAPP command allows you to separate syslog messages with delimiter characters when using the TCP protocol. Because a TCP connection is a byte stream with no record boundaries, the delimiter is what lets the receiver tell where one syslog message ends and the next begins; make sure the delimiter configured here matches the framing your syslog server or SIEM collector expects.
- The Interact license entry program and license checker now recognize LPAR numbers greater than 255.
- CEF entries for custom journals are no longer missing the file information (library, file, member).
- Commands STRPLIAMON and ENDPLIAMON can now be run outside of the product.
- Help text from the Work with Brokers/Agents screen that incorrectly stated all messages sent to QSYSMSG are also sent to QSYSOPR has been corrected.
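The Outputs, Formats, Extensions, Event Text and Rules described above, the app-name change, and the TCP delimiter setting all come together when an event is emitted and later parsed by a SIEM. The following is an added, illustrative example written for this page; it is not Powertech SIEM Agent code. It formats one constructed T/PW audit journal entry as an RFC 3164 syslog line carrying a CEF payload, applies a rule that adds an Extension and selects a different Output for a sensitive user, frames messages for a TCP stream with a delimiter, and then splits and parses the stream on the receiving side so a SIEM rule keyed on app-name can be tested. The event fields, Event Text pattern, Extension names, Output names and the CEF vendor/product strings are all constructed for this example.

```python
# Added illustrative example, not Powertech SIEM Agent code. Event fields,
# Event Text, Extension names, Output names and CEF header strings are constructed.
import re
from datetime import datetime

FACILITY_LOG_AUDIT = 13   # syslog facility 13 = log audit
SEVERITY_WARNING = 4

# Constructed sample: one T/PW subtype P (password not valid) entry from QSYS/QAUDJRN.
SAMPLE_EVENT = {
    "type": "PW", "subtype": "P", "user": "QSECOFR", "pgm": "QSYS/QLESPI",
    "job": "QPADEV0001", "system": "IBMI01",
    "timestamp": datetime(2019, 3, 1, 14, 5, 9),
}
EVENT_TEXT = "Password not valid for user {user} in job {job} (program {pgm})"
BASE_EXTENSIONS = ["user", "pgm"]

def apply_rules(event, extensions):
    """Rule: failures for QSECOFR also carry the job name and go to the SOC output."""
    exts = list(extensions)
    output = "syslog-primary"
    if event["user"] == "QSECOFR":
        exts.append("job")
        output = "syslog-soc"
    return exts, output

def cef_escape(value):
    """CEF extension values escape backslash and '='."""
    return str(value).replace("\\", "\\\\").replace("=", "\\=")

def cef_payload(event, extension_names):
    """CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension."""
    signature = f"T/{event['type']}/{event['subtype']}"
    name = EVENT_TEXT.format(**event)
    ext = " ".join(f"{k}={cef_escape(event[k])}" for k in extension_names)
    return f"CEF:0|Example|Illustrative Agent|4|{signature}|{name}|{SEVERITY_WARNING}|{ext}"

def rfc3164_line(event, app_name, payload):
    """'<PRI>Mmm dd HH:MM:SS HOSTNAME TAG: MSG'; RFC 3164 pads the day with a space."""
    pri = FACILITY_LOG_AUDIT * 8 + SEVERITY_WARNING
    ts = event["timestamp"]
    stamp = f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S}"
    return f"<{pri}>{stamp} {event['system']} {app_name}: {payload}"

def build_message(event, app_name="SIEM Agent"):
    """Return (output name, syslog line) for one journal entry."""
    exts, output = apply_rules(event, BASE_EXTENSIONS)
    return output, rfc3164_line(event, app_name, cef_payload(event, exts))

# Sender side: a TCP connection is a byte stream, so each message gets a delimiter.
def frame_for_tcp(lines, delimiter=b"\n"):
    return b"".join(line.encode() + delimiter for line in lines)

# Receiver side: hand back complete messages; keep the unterminated tail for later.
def split_stream(buf, delimiter=b"\n"):
    parts = buf.split(delimiter)
    return [p.decode() for p in parts[:-1]], parts[-1]

def parse_rfc3164(line):
    """Lax parse of an RFC 3164 line into fields a SIEM rule can test."""
    pri_end = line.index(">")
    pri = int(line[1:pri_end])
    rest = line[pri_end + 1:]
    stamp = rest[:15]                              # 'Mmm dd HH:MM:SS'
    host, tag_and_msg = rest[16:].split(" ", 1)
    app_name, msg = tag_and_msg.split(": ", 1)     # TAG may contain a space ('SIEM Agent')
    return {"facility": pri // 8, "severity": pri % 8, "timestamp": stamp,
            "host": host, "app_name": app_name, "msg": msg}

CEF_EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

def parse_cef(msg):
    """Split the seven CEF header fields and the key=value extensions."""
    fields = msg.split("|", 7)
    ext = dict(CEF_EXT_RE.findall(fields[7])) if len(fields) == 8 else {}
    return {"signature": fields[4], "name": fields[5], "ext": ext}

def rule_matches(parsed, expected_app_name):
    """A SIEM rule keyed on app-name; one still checking 'Interact' no longer fires."""
    return parsed["app_name"] == expected_app_name

if __name__ == "__main__":
    output, line = build_message(SAMPLE_EVENT)
    stream = frame_for_tcp([line, line]) + b"<108>Mar  1 14:05:10 IBMI01 SIEM"  # partial tail
    messages, remainder = split_stream(stream)
    for m in messages:
        parsed = parse_rfc3164(m)
        print(output, parsed["app_name"], parse_cef(parsed["msg"])["ext"],
              "old rule:", rule_matches(parsed, "Interact"),
              "new rule:", rule_matches(parsed, "SIEM Agent"))
    print("buffered bytes awaiting delimiter:", remainder)
```

Two things to check against your own collector before relying on an app-name rule: the parser above deliberately reads everything up to the first ": " as the tag, so a two-word value such as "SIEM Agent" survives, but many collectors tokenize on spaces; and RFC 5424 does not permit a space in its APP-NAME field at all, so if you switch to that format, look at what the collector actually extracts before writing the condition. The `split_stream` function also shows why the delimiter matters on TCP: without it, the receiver has no way to know that the trailing bytes are an incomplete message rather than the end of one.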
Event Filters have been added for the new PTF-related journal entries introduced in OS V7R2 (T/PF and T/PU):

| Msg Id | Function | Desc |
|---|---|---|
| TPF0009 | Type: PF/I | PTF IPL operation |
| TPF0012 | Type: PF/L | PTF product(s) operation |
| TPF0016 | Type: PF/P | PTF operations |
| TPU0004 | Type: PU/D | Directory PTF object changed |
| TPU0012 | Type: PU/L | Library PTF object changed |
| TPU0019 | Type: PU/S | LIC PTF object changed |
New fields have been added to T/CD entries in *CEF format:
- Subfile issues when paging up and down on the ‘Work with Event Filters’ screen (e.g. partial screens, odd cursor positioning) have been fixed.
- Interact is now delivered with new deployment functionality, including the ability to stage the product installation.
- Prior releases of Interact sent events to syslog servers and SIEM solutions only over the User Datagram Protocol (UDP), which neither guarantees delivery nor encrypts the event data. Interact now also supports Transmission Control Protocol (TCP), which provides reliable, ordered, and error-checked delivery of events, and Secured TCP using TLS certificates, which encrypts the traffic between Interact and your syslog server or SIEM product. Note that TCP by itself only addresses delivery; if the events must be protected in transit, choose the TLS option. UDP, Interact's former method of event data communication, is still supported. See Work with Interact Broker/Agent Properties for more details on TCP in Interact.
- The following Hardware Message IDs are no longer missing from Interact:
- When outputting in *CEF format, T/CD information is no longer missing.
- Support for 3rd party journals has been added.
- Missing sub-types CD/X, DO/I, SV/D, SV/E, and SV/F for Host Role *CEF have been added.
- The Interact Network Security monitor job will now run on a system with Network Security 7.
- Subtypes CD/X, DO/I, SV/D, SV/E, and SV/F have been added to accommodate PCI-DSS System Time Change requirements.
- The space offset error (MCH0601) in the Interact Journal Monitor (PLIRAJE) has been fixed.
- Duplicate record messages during product update have been eliminated.
- User checks on T/PW filters have been fixed.
- Added support for the Interact Local Filter (ILF).
- The defaults for the PTIAADM user profile have been changed to User Class (USRCLS) *USER and Special Authorities (SPCAUT) *NONE, so the profile no longer carries special authorities by default.