Cisco ACS sample event messages

Use these sample event messages to verify a successful integration with IBM QRadar.

Important: Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.

Cisco ACS sample message when you use the Syslog protocol

The following sample event is a passed authentication event: a TACACS+ device-administration session authorization that succeeded. The event arrives as one syslog line; the line breaks you see here are only from page formatting.

<181>Jul 22 06:43:25 cisco.acs.test CSCOacs_Passed_Authentications 0082331393 3 0 2017-07-22 06:43:25.226 +00:00 1076613766 5203 NOTICE Device-Administration: Session Authorization succeeded, ACSVersion=acs-192.168.0.1-B.462.x86_64, ConfigVersionId=149, Device IP Address=10.129.16.29, DestinationIPAddress=10.20.64.165, DestinationPort=49, UserName=qradar_user1 Protocol=Tacacs, RequestLatency=6, Type=Authorization, Privilege-Level=0, Authen-Type=PAP, Service=PPP, User=qradar_user1 Port=ssh, Authen-Method=TacacsPlus, Service-Argument=ppp, Protocol-Argument=ip, AcsSessionID=qradar/266281348/80642976, AuthenticationIdentityStore=AD1, AuthenticationMethod=Lookup, SelectedAccessService=Default Device Admin, SelectedShellProfile=F5-RW, IdentityGroup=IdentityGroup:All Groups:Network Admin, Step=13005 , Step=15008 , Step=15004 , Step=15012 , Step=15041 , Step=15006 , Step=15013 , Step=24432 , Step=24325 , Step=24313 , Step=24319 , Step=24367 , Step=24367 , Step=24323 , Step=24326 , Step=24327 , Step=24351 , Step=24420 ,
Table 1. Highlighted values in the Cisco ACS event

QRadar field name    Highlighted values in the event payload
Event ID             Passed_Authentications
Source IP            10.129.16.29
Destination IP       10.20.64.165
Destination Port     49
Username             qradar_user1

Note that Source IP is taken from the Device IP Address attribute (the network device that sent the TACACS+ request), not from the syslog sender host (cisco.acs.test), and Destination IP and Destination Port are taken from DestinationIPAddress and DestinationPort (the ACS server, TACACS+ port 49). If the Source IP in QRadar shows the ACS server instead of the network device, the payload is not being parsed as a Cisco ACS event.
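The following script is an added example for this page, not IBM or Cisco code. It takes a copy of the sample event constructed with carriage-return/line-feed breaks inserted (as it might look after pasting from this page), strips them as the note above instructs, parses the ACS 5.x syslog header and the comma-separated attributes, and checks that the five values in Table 1 come out of the payload. The header field names (message ID, segment count, segment index, sequence number, message code) follow the ACS 5.x syslog layout; the function and variable names are this example's own.

```python
"""Parse the Cisco ACS Passed_Authentications sample and verify the Table 1 mapping.
Added example for this page; not IBM QRadar or Cisco ACS code."""
import re
from typing import Dict, List, Tuple

# Constructed copy of the page's sample event with CR/LF breaks inserted after
# a few commas, the way a PDF paste leaves it. The payload text is unchanged.
PASTED_SAMPLE = (
    "<181>Jul 22 06:43:25 cisco.acs.test CSCOacs_Passed_Authentications 0082331393 3 0 "
    "2017-07-22 06:43:25.226 +00:00 1076613766 5203 NOTICE Device-Administration: "
    "Session Authorization succeeded, ACSVersion=acs-192.168.0.1-B.462.x86_64, ConfigVersionId=149, \r\n"
    "Device IP Address=10.129.16.29, DestinationIPAddress=10.20.64.165, DestinationPort=49, "
    "UserName=qradar_user1 Protocol=Tacacs, RequestLatency=6, Type=Authorization, Privilege-Level=0, \r\n"
    "Authen-Type=PAP, Service=PPP, User=qradar_user1 Port=ssh, Authen-Method=TacacsPlus, "
    "Service-Argument=ppp, Protocol-Argument=ip, AcsSessionID=qradar/266281348/80642976, \r\n"
    "AuthenticationIdentityStore=AD1, AuthenticationMethod=Lookup, SelectedAccessService=Default Device Admin, "
    "SelectedShellProfile=F5-RW, IdentityGroup=IdentityGroup:All Groups:Network Admin, "
    "Step=13005 , Step=15008 , Step=15004 , Step=15012 , Step=15041 , Step=15006 , Step=15013 , "
    "Step=24432 , Step=24325 , Step=24313 , Step=24319 , Step=24367 , Step=24367 , Step=24323 , "
    "Step=24326 , Step=24327 , Step=24351 , Step=24420 ,"
)

# What Table 1 says QRadar should show for this event.
EXPECTED_TABLE_1 = {
    "Event ID": "Passed_Authentications",
    "Source IP": "10.129.16.29",
    "Destination IP": "10.20.64.165",
    "Destination Port": 49,
    "Username": "qradar_user1",
}

# ACS 5.x header: PRI, syslog timestamp, host, CSCOacs_<category>, message ID,
# segment count, segment index, ACS timestamp, timezone, sequence number,
# message code, severity, "<class>: <text>, " then the key=value attributes.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<syslog_ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) CSCOacs_(?P<category>\S+) "
    r"(?P<msg_id>\d+) (?P<segments>\d+) (?P<segment>\d+) "
    r"(?P<acs_ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) (?P<tz>[+-]\d{2}:\d{2}) "
    r"(?P<seq>\d+) (?P<code>\d+) (?P<severity>[A-Z]+) "
    r"(?P<msg_class>[^:]+): (?P<text>[^,]*),\s*(?P<attrs>.*)$"
)

# Splits "value Key=value" where the page's rendering dropped the separating
# comma (UserName=... Protocol=..., User=... Port=...). Only applied to the
# part after a key's "=", so keys with spaces ("Device IP Address") survive.
BARE_KEY_RE = re.compile(r"\s+(?=[A-Za-z][\w-]*=)")


def normalize_pasted(text: str) -> str:
    """Remove CR and LF as the note above asks, leaving one syslog line."""
    return text.replace("\r", "").replace("\n", "")


def decode_pri(pri: int) -> Tuple[int, int]:
    """Syslog PRI -> (facility, severity). 181 -> (22, 5): local6.notice,
    which agrees with the NOTICE severity inside the ACS message."""
    return pri // 8, pri % 8


def parse_attributes(attrs: str) -> Tuple[Dict[str, str], List[str]]:
    """Parse ", key=value" pairs; the repeated Step= codes are kept in order."""
    fields: Dict[str, str] = {}
    steps: List[str] = []
    for chunk in attrs.split(","):
        chunk = chunk.strip()
        if "=" not in chunk:          # empty tail after the final comma
            continue
        key, _, rest = chunk.partition("=")
        parts = BARE_KEY_RE.split(rest)
        pairs = [(key, parts[0])]
        for part in parts[1:]:        # pairs that lost their comma
            k, _, v = part.partition("=")
            pairs.append((k, v))
        for k, v in pairs:
            if k.strip() == "Step":
                steps.append(v.strip())
            else:
                fields[k.strip()] = v.strip()
    return fields, steps


def parse_acs_event(line: str) -> Dict[str, object]:
    """Parse one normalized ACS 5.x syslog line into header fields, attrs, steps."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not an ACS 5.x syslog message")
    ev: Dict[str, object] = dict(m.groupdict())
    for k in ("pri", "segments", "segment", "seq", "code"):
        ev[k] = int(str(ev[k]))       # msg_id keeps its leading zeros as a string
    ev["attrs"], ev["steps"] = parse_attributes(str(ev.pop("attrs")))
    return ev


def qradar_fields(ev: Dict[str, object]) -> Dict[str, object]:
    """The Table 1 mapping. Source IP is the TACACS+ client (Device IP Address),
    Destination IP/Port the ACS server, not the syslog sender host."""
    a = ev["attrs"]
    return {
        "Event ID": ev["category"],
        "Source IP": a["Device IP Address"],
        "Destination IP": a["DestinationIPAddress"],
        "Destination Port": int(a["DestinationPort"]),
        "Username": a["UserName"],
    }


def check_sample(pasted: str) -> bool:
    """True when the pasted sample normalizes, parses, and matches Table 1."""
    return qradar_fields(parse_acs_event(normalize_pasted(pasted))) == EXPECTED_TABLE_1


if __name__ == "__main__":
    event = parse_acs_event(normalize_pasted(PASTED_SAMPLE))
    print("facility/severity:", decode_pri(int(str(event["pri"]))),
          "segment %d of %d" % (int(str(event["segment"])) + 1, int(str(event["segments"]))))
    for name, value in qradar_fields(event).items():
        print("%-17s %s" % (name, value))
    print("matches Table 1:", check_sample(PASTED_SAMPLE))
```

Two things the parse makes visible that the table does not: the header reads "3 0", so this sample is the first of three segments of a long ACS message (which is why it ends with a dangling comma after the Step= list), and the duplicated UserName/User and Port=ssh attributes are where QRadar's Username comes from, so a mismatch there usually means a custom property or log source type is overriding the Cisco ACS DSM.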