Zscaler Private Access sample event messages
Use these sample event messages to verify a successful integration with IBM QRadar.
Important: Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.
Zscaler Private Access sample message when you use the Syslog protocol
Sample 1: The following sample event message shows that a user is successfully authenticated in Zscaler Private Access (ZPA).
<166>Tue Apr 20 22:23:25 2021 zscaler.privateaccess.test LEEF:1.0|Zscaler|ZPA|4.1|ZPN_STATUS_AUTHENTICATED|cat=ZPA User Status Customer=Zscaler Test usrName=testuser2@domain.test SessionID=VbPnANNR+Ua/B2OHOMwx SessionStatus=ZPN_STATUS_AUTHENTICATED Version=2.1.2.81.225296 ZEN=BETA-CA-7987 CertificateCN=aaaaabbbbbccccceeeee1111122222=@domain.test srcPreNAT=10.2.3.4 src=10.2.2.2 Latitude=44.972686 Longitude=-65.860879 CountryCode=CA TimestampAuthentication:iso8601=2021-04-20T10:35:15.000Z TimestampUnAuthentication:iso8601= dstBytes=175590 srcBytes=109370 Idp=TestIdp identHostName=ws1client1 Platform=windows ClientType=zpn_client_type_zapp TrustedNetworks= TrustedNetworksNames= SAMLAttributes={"FirstName":["testuser2"],"LastName":["testuser2"],"Email":["testuser2@domain.test"]} PosturesHit= PosturesMiss=72057767984103498,72057767984103503,72057767984103590,72057767984103745 ZENLatitude=0.000000 ZENLongitude=0.000000 ZENCountryCode=
| QRadar field name | Highlighted values in the event payload |
|---|---|
| Event ID | ZPN_STATUS_AUTHENTICATED |
| Event Category | ZPA User Status |
| Source IP | 10.2.2.2 |
| PreNat IP | 10.2.3.4 |
| Username | testuser2@domain.test |
| Device Time | Tue Apr 20 22:23:25 2021 |
Sample 2: The following sample event message shows that App Connector is successfully authenticated in ZPA.
<166>Tue Apr 20 22:23:19 2021 zscaler.privateaccess.test LEEF:1.0|Zscaler|ZPA|4.1|ZPN_STATUS_AUTHENTICATED|cat=Connector Status Customer=Zscaler Test SessionID=0FQhOAfbQ4yWYSAAUrUn SessionType=ZPN_ASSISTANT_BROKER_CONTROL Version=21.88.1 Platform=el7 ZEN=BETA-CA-1234 Connector=AWS Connector account-1 ConnectorGroup=Connector Group1 srcPreNAT=10.3.4.3 src=192.168.2.2 Latitude=44.972686 Longitude=-65.860879 CountryCode=CA TimestampAuthentication:iso8601=2021-04-20T13:19:19.154Z TimestampUnAuthentication:iso8601= CPUUtilization=1 MemUtilization=17 ServiceCount=2 InterfaceDefRoute=ens5 DefRouteGW=10.79.0.1 PrimaryDNSResolver=10.11.11.11 HostUpTime=1587783907 ConnectorUpTime=1618924759 NumOfInterfaces=2 BytesRxInterface=80385754338 PacketsRxInterface=824116164 ErrorsRxInterface=0 DiscardsRxInterface=0 BytesTxInterface=65456179168 PacketsTxInterface=683050042 ErrorsTxInterface=0 DiscardsTxInterface=0 TotalBytesRx=688700 TotalBytesTx=1101224
| QRadar field name | Highlighted values in the event payload |
|---|---|
| Event ID | ZPN_STATUS_AUTHENTICATED |
| Event Category | Connector Status |
| Source IP | 192.168.2.2 |
| PreNat IP | 10.3.4.3 |
| Device Time | Tue Apr 20 22:23:19 2021 |
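As an added example (not IBM or Zscaler code), the following Python parses both sample payloads above into the QRadar fields listed in the tables, handling the ZPA quirk that attribute values such as "cat=ZPA User Status" contain spaces. The splitting rule and the field mapping are assumptions derived from these two samples only.

```python
import re

# Syslog prefix as in the samples: <PRI>Tue Apr 20 22:23:25 2021 host LEEF:1.0|...
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"(?P<host>\S+) (?P<leef>LEEF:.*)$"
)
# ZPA separates attributes with spaces and values may contain spaces themselves
# ("Connector=AWS Connector account-1"), so split only before a "key=" token.
ATTR_SPLIT_RE = re.compile(r"\s+(?=[A-Za-z][\w:.-]*=)")

# QRadar field name -> LEEF attribute key, taken from the tables above (assumption)
QRADAR_FIELDS = {"Event Category": "cat", "Source IP": "src",
                 "PreNat IP": "srcPreNAT", "Username": "usrName"}

def parse_zpa_event(raw):
    """Return (header, attributes) for one ZPA LEEF 1.0 event line."""
    line = raw.replace("\r", "").replace("\n", "").strip()  # drop CR/LF, per the note above
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a ZPA syslog/LEEF line")
    parts = m.group("leef").split("|", 5)  # 5 header fields; attributes keep any '|'
    if len(parts) != 6 or parts[0] != "LEEF:1.0":
        raise ValueError("unexpected LEEF header: %r" % parts[:5])
    header = {"pri": int(m.group("pri")), "device_time": m.group("ts"),
              "host": m.group("host"), "vendor": parts[1], "product": parts[2],
              "version": parts[3], "event_id": parts[4]}
    attrs = {}
    for chunk in ATTR_SPLIT_RE.split(parts[5].strip()):
        key, _, value = chunk.partition("=")  # only the first '=' separates key and value
        attrs[key] = value  # empty string for bare keys such as TrustedNetworks=
    return header, attrs

def to_qradar_fields(raw):
    """Map one event onto the QRadar field names shown in the tables above."""
    header, attrs = parse_zpa_event(raw)
    fields = {"Event ID": header["event_id"], "Device Time": header["device_time"]}
    for name, key in QRADAR_FIELDS.items():
        if key in attrs:  # connector events carry no usrName, so Username is absent
            fields[name] = attrs[key]
    return fields

# Sample 1 (user) and Sample 2 (App Connector) payloads copied from this page
SAMPLE_USER = '<166>Tue Apr 20 22:23:25 2021 zscaler.privateaccess.test LEEF:1.0|Zscaler|ZPA|4.1|ZPN_STATUS_AUTHENTICATED|cat=ZPA User Status Customer=Zscaler Test usrName=testuser2@domain.test SessionID=VbPnANNR+Ua/B2OHOMwx SessionStatus=ZPN_STATUS_AUTHENTICATED Version=2.1.2.81.225296 ZEN=BETA-CA-7987 CertificateCN=aaaaabbbbbccccceeeee1111122222=@domain.test srcPreNAT=10.2.3.4 src=10.2.2.2 Latitude=44.972686 Longitude=-65.860879 CountryCode=CA TimestampAuthentication:iso8601=2021-04-20T10:35:15.000Z TimestampUnAuthentication:iso8601= dstBytes=175590 srcBytes=109370 Idp=TestIdp identHostName=ws1client1 Platform=windows ClientType=zpn_client_type_zapp TrustedNetworks= TrustedNetworksNames= SAMLAttributes={"FirstName":["testuser2"],"LastName":["testuser2"],"Email":["testuser2@domain.test"]} PosturesHit= PosturesMiss=72057767984103498,72057767984103503,72057767984103590,72057767984103745 ZENLatitude=0.000000 ZENLongitude=0.000000 ZENCountryCode='
SAMPLE_CONNECTOR = '<166>Tue Apr 20 22:23:19 2021 zscaler.privateaccess.test LEEF:1.0|Zscaler|ZPA|4.1|ZPN_STATUS_AUTHENTICATED|cat=Connector Status Customer=Zscaler Test SessionID=0FQhOAfbQ4yWYSAAUrUn SessionType=ZPN_ASSISTANT_BROKER_CONTROL Version=21.88.1 Platform=el7 ZEN=BETA-CA-1234 Connector=AWS Connector account-1 ConnectorGroup=Connector Group1 srcPreNAT=10.3.4.3 src=192.168.2.2 Latitude=44.972686 Longitude=-65.860879 CountryCode=CA TimestampAuthentication:iso8601=2021-04-20T13:19:19.154Z TimestampUnAuthentication:iso8601= CPUUtilization=1 MemUtilization=17 ServiceCount=2 InterfaceDefRoute=ens5 DefRouteGW=10.79.0.1 PrimaryDNSResolver=10.11.11.11 HostUpTime=1587783907 ConnectorUpTime=1618924759 NumOfInterfaces=2 BytesRxInterface=80385754338 PacketsRxInterface=824116164 ErrorsRxInterface=0 DiscardsRxInterface=0 BytesTxInterface=65456179168 PacketsTxInterface=683050042 ErrorsTxInterface=0 DiscardsTxInterface=0 TotalBytesRx=688700 TotalBytesTx=1101224'
```

Running `to_qradar_fields(SAMPLE_USER)` yields exactly the six rows of the first table, and the connector sample yields the five rows of the second one.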