Novell eDirectory sample event message

Use this sample event message to verify a successful integration with IBM QRadar.

Important: Because of formatting issues, paste the sample message into a text editor and remove any carriage return or line feed characters before you use it.

Novell eDirectory sample message when you use the Syslog protocol

The following sample event message shows that an account security token modification failed.

eDirectory: INFO {"Source" : "eDirectory#DS","Observer" : {"Account" : {"Domain" : "DOMAIN-EXAMPLE-TEST","Name" : "CN=ws,OU=SRV,O=COMPANY"},"Entity" : {"SysAddr" : "172.16.20.1","SysName" : "ws.domain.example.test"}},"Initiator" : {"Account" : {"Domain" : "DOMAIN-EXAMPLE-TEST","Name" : "CN=ws,OU=SRV,O=COMPANY"},"Entity" : {"SysAddr" : "172.16.20.1"}},"Target" : {"Data" : {"ClassName" : "User","Version" : "2"},"Account" : {"Domain" : "DOMAIN-EXAMPLE-TEST","Name" : "CN=TEST,OU=usr,O=ORG","Id" : "11111111"}},"Action" : {"Event" : {"Id" : "0.0.0.6","Name" : "MODIFY_ACCOUNT_SECURITY_TOKEN","CorrelationID" : "eDirectory#0#","SubEvent" : "DSE_CHGPASS"},"Time" : {"Offset" : 1567083869},"Log" : {"Severity" : 7},"Outcome" : "1.10","ExtendedOutcome" : "-215"}}
Table 1. Highlighted values in the Novell eDirectory sample event

QRadar field name    Highlighted values in the event payload
-----------------    --------------------------------------------------------------------
Event ID             MODIFY_ACCOUNT_SECURITY_TOKEN - FAILED, which is extracted from the
                     Event.Name and Outcome fields in the Action object.
                     If Outcome = 0, then eventID = Event.Name.
                     Otherwise, eventID = Event.Name + "-FAILED", as shown in this sample
                     event.
Device Category      eDirectory
Username             TEST
Source IP            172.16.20.1
Device Time          1567083869 (which is Aug 29, 2019, 10:04:29 AM)
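The following Python script is an added example, not part of the IBM documentation or of QRadar's own eDirectory DSM. It parses a constructed copy of the sample syslog message above (with the missing quotation mark before 0.0.0.6 restored so the JSON body loads, and with carriage-return/line-feed characters deliberately inserted to exercise the clean-up step the Important note calls for) and derives the Table 1 fields: the Event ID rule on Outcome, the user name from the CN of the Target account DN, the source IP from the Initiator entity, and the device time from Action.Time.Offset. Deriving Device Category from the Source field, treating an absent or non-numeric Outcome as a failure, and spelling the suffix " - FAILED" (the page writes it both with and without the space) are assumptions of this example.

```python
"""Normalize a Novell eDirectory syslog event into the QRadar fields listed in Table 1."""
import json
import re
from datetime import datetime, timezone
from typing import Optional

# Constructed copy of the page's sample event. The opening quote before "0.0.0.6" is
# added so the JSON parses, and CR/LF pairs are inserted between tokens to simulate a
# message that was copied and pasted with line breaks.
SAMPLE_EVENT = (
    'eDirectory: INFO {"Source" : "eDirectory#DS",'
    '"Observer" : {"Account" : {"Domain" : "DOMAIN-EXAMPLE-TEST","Name" : "CN=ws,OU=SRV,O=COMPANY"},'
    '"Entity" : {"SysAddr" : "172.16.20.1","SysName" : "ws.domain.example.test"}},\r\n'
    '"Initiator" : {"Account" : {"Domain" : "DOMAIN-EXAMPLE-TEST","Name" : "CN=ws,OU=SRV,O=COMPANY"},'
    '"Entity" : {"SysAddr" : "172.16.20.1"}},\r\n'
    '"Target" : {"Data" : {"ClassName" : "User","Version" : "2"},'
    '"Account" : {"Domain" : "DOMAIN-EXAMPLE-TEST","Name" : "CN=TEST,OU=usr,O=ORG","Id" : "11111111"}},\r\n'
    '"Action" : {"Event" : {"Id" : "0.0.0.6","Name" : "MODIFY_ACCOUNT_SECURITY_TOKEN",'
    '"CorrelationID" : "eDirectory#0#","SubEvent" : "DSE_CHGPASS"},'
    '"Time" : {"Offset" : 1567083869},"Log" : {"Severity" : 7},'
    '"Outcome" : "1.10","ExtendedOutcome" : "-215"}}'
)

# "<app>: <LEVEL> {json}" is the shape of the sample; the regex is matched only after
# CR/LF clean-up, so it does not need to cope with multi-line input.
PREFIX_RE = re.compile(r"^(?P<app>\S+):\s+(?P<level>[A-Z]+)\s+(?P<body>\{.*\})\s*$")


def clean_payload(raw: str) -> str:
    """Remove carriage return and line feed characters introduced by copy and paste."""
    return raw.replace("\r", "").replace("\n", "")


def split_syslog_message(raw: str):
    """Return (application, level, parsed JSON body) for one eDirectory syslog line."""
    match = PREFIX_RE.match(clean_payload(raw))
    if not match:
        raise ValueError("not an eDirectory syslog event")
    return match.group("app"), match.group("level"), json.loads(match.group("body"))


def event_id(action: dict) -> str:
    """Apply the Table 1 rule: Event.Name when Outcome is 0, otherwise append ' - FAILED'."""
    name = action["Event"]["Name"]
    try:
        succeeded = float(action["Outcome"]) == 0.0
    except (KeyError, TypeError, ValueError):
        succeeded = False  # assumption: a missing or non-numeric Outcome is not a success
    return name if succeeded else f"{name} - FAILED"


def first_rdn_value(dn: str, attr: str = "CN") -> Optional[str]:
    """Return the value of the first RDN with the given attribute type.

    A plain split on commas is enough for the sample DNs, which contain no escaped commas.
    """
    for rdn in dn.split(","):
        key, _, value = rdn.partition("=")
        if key.strip().upper() == attr.upper():
            return value.strip()
    return None


def normalize(raw: str) -> dict:
    """Map one eDirectory event onto the QRadar fields shown in Table 1."""
    _, _, event = split_syslog_message(raw)
    action = event["Action"]
    return {
        "Event ID": event_id(action),
        # assumption: "eDirectory#DS" -> "eDirectory"
        "Device Category": event["Source"].split("#")[0],
        "Username": first_rdn_value(event["Target"]["Account"]["Name"]),
        "Source IP": event["Initiator"]["Entity"]["SysAddr"],
        # Offset is epoch seconds; shown here in UTC
        "Device Time": datetime.fromtimestamp(action["Time"]["Offset"], tz=timezone.utc),
    }


if __name__ == "__main__":
    for field, value in normalize(SAMPLE_EVENT).items():
        print(f"{field:16} {value}")
```

Running the script prints the five Table 1 fields for the sample; swapping Outcome to "0" in the payload drops the " - FAILED" suffix, which is a quick way to confirm the Event ID rule before building a custom event property on it.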