Novell eDirectory sample event message
Use this sample event message to verify a successful integration with IBM QRadar.
Important: Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.
Novell eDirectory sample message when you use the Syslog protocol
The following sample event message shows that an account security token modification failed.
eDirectory: INFO {"Source" : "eDirectory#DS","Observer" : {"Account" : {"Domain" : "DOMAIN-EXAMPLE-TEST","Name" : "CN=ws,OU=SRV,O=COMPANY"},"Entity" : {"SysAddr" : "172.16.20.1","SysName" : "ws.domain.example.test"}},"Initiator" : {"Account" : {"Domain" : "DOMAIN-EXAMPLE-TEST","Name" : "CN=ws,OU=SRV,O=COMPANY"},"Entity" : {"SysAddr" : "172.16.20.1"}},"Target" : {"Data" : {"ClassName" : "User","Version" : "2"},"Account" : {"Domain" : "DOMAIN-EXAMPLE-TEST","Name" : "CN=TEST,OU=usr,O=ORG","Id" : "11111111"}},"Action" : {"Event" : {"Id" : "0.0.0.6","Name" : "MODIFY_ACCOUNT_SECURITY_TOKEN","CorrelationID" : "eDirectory#0#","SubEvent" : "DSE_CHGPASS"},"Time" : {"Offset" : 1567083869},"Log" : {"Severity" : 7},"Outcome" : "1.10","ExtendedOutcome" : "-215"}}
| QRadar field name | Highlighted values in the event payload |
|---|---|
| Event ID | MODIFY_ACCOUNT_SECURITY_TOKEN - FAILED is extracted from the Event.Name and Outcome fields in the Action object. If Outcome = 0, then eventID = Event.Name. Otherwise, eventID = Event.Name + "-FAILED", as shown in this sample event. |
| Device Category | eDirectory |
| Username | TEST |
| Source IP | 172.16.20.1 |
| Device Time | 1567083869 (which is Aug 29, 2019, 10:04:29 AM) |
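To check the mapping above against a live feed before trusting the QRadar parse, it helps to reproduce it outside the DSM. The following Python script is an added example, not IBM or Novell code: it strips the `eDirectory: <level> ` syslog prefix, parses the JSON body, applies the Event ID rule (Outcome = 0 means success, anything else appends "-FAILED"), pulls the CN from the Target account DN for Username, and renders the epoch in Action.Time.Offset. The sample line is the one from this page, embedded as a constructed test string. Which of the two SysAddr fields QRadar reads for Source IP is not stated on the page; this example takes Initiator.Entity.SysAddr, which is an assumption (both hold 172.16.20.1 in the sample).

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample: the syslog line shown on this page (Action.Event.Id quoted so it is valid JSON).
SAMPLE_LINE = (
    'eDirectory: INFO {"Source" : "eDirectory#DS",'
    '"Observer" : {"Account" : {"Domain" : "DOMAIN-EXAMPLE-TEST","Name" : "CN=ws,OU=SRV,O=COMPANY"},'
    '"Entity" : {"SysAddr" : "172.16.20.1","SysName" : "ws.domain.example.test"}},'
    '"Initiator" : {"Account" : {"Domain" : "DOMAIN-EXAMPLE-TEST","Name" : "CN=ws,OU=SRV,O=COMPANY"},'
    '"Entity" : {"SysAddr" : "172.16.20.1"}},'
    '"Target" : {"Data" : {"ClassName" : "User","Version" : "2"},'
    '"Account" : {"Domain" : "DOMAIN-EXAMPLE-TEST","Name" : "CN=TEST,OU=usr,O=ORG","Id" : "11111111"}},'
    '"Action" : {"Event" : {"Id" : "0.0.0.6","Name" : "MODIFY_ACCOUNT_SECURITY_TOKEN",'
    '"CorrelationID" : "eDirectory#0#","SubEvent" : "DSE_CHGPASS"},'
    '"Time" : {"Offset" : 1567083869},"Log" : {"Severity" : 7},'
    '"Outcome" : "1.10","ExtendedOutcome" : "-215"}}'
)

# "eDirectory: INFO " (or another level word) precedes the JSON object.
PREFIX_RE = re.compile(r"^eDirectory:\s+\w+\s+(?=\{)")


def parse_payload(line):
    """Strip the syslog prefix and return the JSON body as a dict."""
    m = PREFIX_RE.match(line)
    if not m:
        raise ValueError("not an eDirectory JSON event line")
    return json.loads(line[m.end():])


def outcome_is_success(outcome):
    """Page rule: Outcome = 0 is success. Outcome arrives as a string ("1.10"),
    so a numeric comparison is used; non-numeric values are treated as failure (assumption)."""
    try:
        return float(str(outcome).strip()) == 0
    except ValueError:
        return False


def event_id(payload):
    """Event.Name, or Event.Name + "-FAILED" when the Outcome is non-zero."""
    action = payload["Action"]
    name = action["Event"]["Name"]
    return name if outcome_is_success(action.get("Outcome")) else name + "-FAILED"


def rdn_value(dn, attr="CN"):
    """First value of the given attribute in an LDAP DN such as CN=TEST,OU=usr,O=ORG."""
    for part in dn.split(","):
        key, _, value = part.partition("=")
        if key.strip().upper() == attr:
            return value.strip()
    return None


def map_event(line):
    """Derive the QRadar-style normalised fields for one eDirectory syslog line."""
    p = parse_payload(line)
    offset = p["Action"]["Time"]["Offset"]
    return {
        "Event ID": event_id(p),
        "Device Category": "eDirectory",
        "Username": rdn_value(p["Target"]["Account"]["Name"]),
        # Assumption: the initiator's address is the source IP.
        "Source IP": p["Initiator"]["Entity"]["SysAddr"],
        "Device Time": offset,
        "Device Time (UTC)": datetime.fromtimestamp(offset, tz=timezone.utc).isoformat(),
    }


if __name__ == "__main__":
    for field, value in map_event(SAMPLE_LINE).items():
        print(f"{field}: {value}")
```

Run it as-is to see the fields for the page's sample, or pipe real syslog lines through `map_event` to compare against what QRadar shows in the Log Activity tab. The script prints Device Time in UTC (13:04:29Z for this sample); the 10:04:29 AM reading in the table is the same instant displayed three hours behind UTC, so when you verify Device Time, compare against the time zone your QRadar console uses rather than the raw clock reading.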