Cisco ACS sample event messages
Use these sample event messages to verify a successful integration with IBM QRadar.
Important: Because of formatting issues on this page, paste the sample message into a text editor and
then remove any carriage return or line feed characters before you use it.
Cisco ACS sample message when you use the Syslog protocol
The following sample event is a passed authentication event.
<181>Jul 22 06:43:25 cisco.acs.test CSCOacs_Passed_Authentications 0082331393 3 0 2017-07-22 06:43:25.226 +00:00 1076613766 5203 NOTICE Device-Administration: Session Authorization succeeded, ACSVersion=acs-192.168.0.1-B.462.x86_64, ConfigVersionId=149, Device IP Address=10.129.16.29, DestinationIPAddress=10.20.64.165, DestinationPort=49, UserName=qradar_user1 Protocol=Tacacs, RequestLatency=6, Type=Authorization, Privilege-Level=0, Authen-Type=PAP, Service=PPP, User=qradar_user1 Port=ssh, Authen-Method=TacacsPlus, Service-Argument=ppp, Protocol-Argument=ip, AcsSessionID=qradar/266281348/80642976, AuthenticationIdentityStore=AD1, AuthenticationMethod=Lookup, SelectedAccessService=Default Device Admin, SelectedShellProfile=F5-RW, IdentityGroup=IdentityGroup:All Groups:Network Admin, Step=13005 , Step=15008 , Step=15004 , Step=15012 , Step=15041 , Step=15006 , Step=15013 , Step=24432 , Step=24325 , Step=24313 , Step=24319 , Step=24367 , Step=24367 , Step=24323 , Step=24326 , Step=24327 , Step=24351 , Step=24420 ,
QRadar field name | Highlighted values in the event payload |
---|---|
Event ID | Passed_Authentications |
Source IP | 10.129.16.29 |
Destination IP | 10.20.64.165 |
Destination Port | 49 |
Username | qradar_user1 |
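
The following Python sketch is an added example, not IBM or Cisco code and not how the QRadar DSM is implemented. It removes stray carriage return and line feed characters from a copy of the sample event and extracts the fields listed in the table above, so you can confirm the values before sending the event to QRadar. The names `parse_acs_event`, `HEADER` and `FIELD_MAP` are hypothetical, and the facility and severity values are decoded from the standard syslog PRI number.

```python
import re

# Constructed input: the page's sample event, cut off after Privilege-Level,
# with a CR/LF injected inside the destination address to mimic the
# copy/paste damage the page warns about.
SAMPLE = (
    "<181>Jul 22 06:43:25 cisco.acs.test CSCOacs_Passed_Authentications "
    "0082331393 3 0 2017-07-22 06:43:25.226 +00:00 1076613766 5203 NOTICE "
    "Device-Administration: Session Authorization succeeded, "
    "ACSVersion=acs-192.168.0.1-B.462.x86_64, ConfigVersionId=149, "
    "Device IP Address=10.129.16.29, DestinationIPAddress=10.20.\r\n64.165, "
    "DestinationPort=49, UserName=qradar_user1 Protocol=Tacacs, "
    "RequestLatency=6, Type=Authorization, Privilege-Level=0,"
)

# Syslog PRI, timestamp, host, then the CSCOacs_-prefixed category name.
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>\w{3} +\d+ [\d:]{8} (?P<host>\S+) CSCOacs_(?P<event_id>\w+) "
)

# ACS attribute name -> QRadar field name, taken from the table on this page.
FIELD_MAP = {
    "Device IP Address": "Source IP",
    "DestinationIPAddress": "Destination IP",
    "DestinationPort": "Destination Port",
    "UserName": "Username",
}


def parse_acs_event(raw):
    """Hypothetical helper: return the QRadar-mapped fields of one ACS event."""
    # Delete CR/LF outright; replacing them with spaces would split values.
    line = raw.replace("\r", "").replace("\n", "")
    m = HEADER.match(line)
    if m is None:
        raise ValueError("not a Cisco ACS syslog event")
    pri = int(m.group("pri"))
    event = {"Event ID": m.group("event_id"), "host": m.group("host"),
             "facility": pri >> 3, "severity": pri & 7}
    for attr, field in FIELD_MAP.items():
        # A value ends at a comma or whitespace: in the sample, UserName is
        # followed by a space rather than a comma.
        hit = re.search(r"(?:^|[ ,])" + re.escape(attr) + r"=([^,\s]+)", line)
        event[field] = hit.group(1) if hit else None
    return event


if __name__ == "__main__":
    for name, value in parse_acs_event(SAMPLE).items():
        print(f"{name}: {value}")
```

The value pattern stops at the first comma or space, which suits the four mapped attributes but would truncate attributes whose values contain spaces, such as SelectedAccessService.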