IBM i Global

  • 1.  What kind of QRadar messages might an IBM i admin want to see?

    Posted 8 days ago

    Let's say you are sending messages to a SIEM like IBM's QRadar from IBM i.  Now you're about to undergo training in getting reports from QRadar.  What are the general messages one might see from QRadar?  These messages get to QRadar from IBM's Syslog Reporting Manager (SRM), etc.

    • Repeated invalid logins?
    • Diskspace messages?
    • Expiring licenses?
    • Hardware errors?



    ------------------------------
    Robert Berendt IBMChampion
    Business Systems Analyst, Lead
    Dekko
    Fort Wayne
    ------------------------------


  • 2.  RE: What kind of QRadar messages might an IBM i admin want to see?

    Posted 7 days ago


    Hi Robert, 

    A few that I might find useful: 

    1. Subsystem information (started or ended).
    2. CPU thresholds perhaps reached in certain time intervals.
    3. System user password expired or disabled (or attempted usage of those privileged profiles as an attack indicator).
    4. Critical job failures (day-end jobs).
    5. Job table details (if your system needs an IPL soon).
    6. When the system was last IPLed and perhaps for what reason (sort of like when you shut down a Windows server: if it was planned, why did the shutdown occur?).
       Preventative security PTFs that need to be installed on the system - send the notification on alert.
    7. When a privileged user like QSECOFR signs on and off (perhaps also the REASON why someone used that as an interactive login in the first place).
    8. Critical messages (those that exist in QSYSMSG, for example).
    9. Job monitoring (some long-running SQL / batch jobs that might be looping and consuming resources?).
    10. Regular checks on how many interactive users are signed in (this is helpful for determining usage thresholds in peak periods, for example).
    11. Web service status - if any failure, and when was the last time it started. (Same with a threshold set on HTTP REQUESTS; if that threshold is reached, send the message to the SIEM, as it could be someone DDoSing the service in peak / off-peak time.)


    ------------------------------
    Marius le Roux theIBMiGuy
    Owner , IBM i Consultant & Technology Strategist
    MLR Consulting
    ------------------------------



  • 3.  RE: What kind of QRadar messages might an IBM i admin want to see?

    Posted 7 days ago

    All excellent ideas.  Thank you.



    ------------------------------
    Robert Berendt IBMChampion
    Business Systems Analyst, Lead
    Dekko
    Fort Wayne
    ------------------------------



  • 4.  RE: What kind of QRadar messages might an IBM i admin want to see?

    Posted 6 days ago

    Hi,

    In addition to Marius, please also include the following items for monitoring:

    • System Value changes
    • Data restored by unauthorized users in Production
    • Creation of user profiles or modifications to existing profile permissions by unauthorized personnel

    Note: An "unauthorized person" refers to anyone other than the System Administrator, who is responsible for managing the system. The System Admin should be aware of every change made to the system to ensure proper oversight and security.

    Regards,

    ------------------------------
    Nadeem Ahmed Farooqui
    Manager Technology Services
    Octans Digital (Pvt) Limited
    Phone: +92 21 34329630
    Mobile: +92 321 2196219
    E-mail: nfarooqui@octans.ai
    Web: www.octans.ai
    Address: 2nd Floor, Nice Trade Orbit Building, Plot 44-A, P.E.C.H.S, Block 6, Shahrah-e-Faisal, Karachi, 75400, Pakistan
    ------------------------------
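The replies above list several events worth forwarding (repeated invalid logins, QSECOFR interactive sign-on, system value and user profile changes, restores by non-admins). The following is an added example, not code from this thread or from SRM/QRadar, of how a SIEM-side correlation rule over such events could look; it runs over constructed sample lines whose layout (ISO timestamp, QAUDJRN entry type, user, job, text) is an assumption for illustration, not the real SRM output format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. The line layout (ISO timestamp, audit entry type,
# user, job, text) is an assumption for this example, not real SRM output.
SAMPLE_EVENTS = """\
2024-05-01T08:00:01 PW user=BOB job=QPADEV0001 msg=Invalid password
2024-05-01T08:00:07 PW user=BOB job=QPADEV0001 msg=Invalid password
2024-05-01T08:00:12 PW user=BOB job=QPADEV0001 msg=Invalid password
2024-05-01T08:01:00 PW user=ALICE job=QPADEV0002 msg=Invalid password
2024-05-01T09:15:00 JS user=QSECOFR job=QPADEV0003 msg=Interactive job started
2024-05-01T10:30:00 SV user=DEVOPS job=QZDASOINIT msg=System value QSECURITY changed
2024-05-01T10:35:00 SV user=SYSADMIN job=QPADEV0005 msg=System value QPWDLVL changed
2024-05-01T11:00:00 CP user=DEVOPS job=QPADEV0006 msg=User profile NEWUSR created
2024-05-01T11:20:00 RJ user=DEVOPS job=QPADEV0006 msg=Object restored to PRODLIB
"""

LINE_RE = re.compile(r"^(\S+) ([A-Z]{2}) user=(\S+) job=(\S+) msg=(.*)$")

PRIVILEGED = {"QSECOFR"}          # interactive use should always be explained
AUTHORIZED_ADMINS = {"SYSADMIN"}  # the only profile expected to change the system
# QAUDJRN entry types: SV system value, CP profile, CA authority, RJ restore
CHANGE_TYPES = {"SV", "CP", "CA", "RJ"}

def evaluate(text, threshold=3, window=timedelta(seconds=60)):
    """Return (rule, user, detail) tuples for events that should raise an offense."""
    alerts, failures = [], defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not fit the assumed layout
        ts, etype, user, job, msg = m.groups()
        ts = datetime.fromisoformat(ts)
        if etype == "PW":                           # password failure
            failures[user].append(ts)
        elif etype == "JS" and user in PRIVILEGED:  # job start by QSECOFR etc.
            alerts.append(("privileged_signon", user, job))
        elif etype in CHANGE_TYPES and user not in AUTHORIZED_ADMINS:
            alerts.append(("unauthorized_" + etype.lower(), user, msg))
    # Repeated invalid logins: `threshold` failures for one user inside `window`
    for user, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                alerts.append(("repeated_invalid_login", user, threshold))
                break
    return alerts
```

A single failure (ALICE) and a system value change by the designated admin (SYSADMIN) produce no alert, which is the noise reduction an admin wants before these reach the QRadar console.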