EMC VMWare sample event messages

Use these sample event messages to verify a successful integration with IBM QRadar.

Important: Because of formatting constraints on this page, paste the sample message into a text editor and remove any carriage return or line feed characters before you use it.

EMC VMWare sample messages when you use the Syslog protocol

Sample 1: The following sample event message shows an event that the hostd process on an ESXi/ESX host generates to report that a user logged out.

<166>2019-05-21T19:27:32.479Z emc.vmware.test Hostd: info hostd[111111] [Originator@1111 sub=Vimsvc.ha-eventmgr opID=1a111a11 user=root] Event 136 : User root@10.21.120.237 logged out (login time: Tuesday, 21 May, 2019 19:11:51, number of API invocations: 0, user agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/10.0.3729.131 Safari/537.36)
Table 1. Highlighted values in the EMC VMWare event

QRadar field name    Highlighted values in the event payload
Event ID             User
Source IP            10.21.120.237
Username             root
Identity IP          10.21.120.237
Identity Username    root

Sample 2: The following sample event message shows that a virtual machine (VM) is powered off.

1111111111111 emc.vmware.test LEEF:1.0|EMC|VMWare|1|VmPoweredOffEvent|usrName=userName    devTime=1369411554256    msg=example on  10.16.210.163 in company is powered off
Table 2. Highlighted values in the EMC VMWare event

QRadar field name    Highlighted values in the event payload
Event ID             VmPoweredOffEvent
Source IP            10.16.210.163
Username             userName

Sample 3: The following sample event message shows a UserLoginSessionEvent, which reports that a user logged in and started a session.

Dec 23 14:43:56 172.16.210.175 LEEF:1.0|EMC|VMWare|1|UserLoginSessionEvent|usrName=root	src=172.16.210.35	msg=User root@172.16.210.35 logged in
Table 3. Highlighted values in the EMC VMWare event

QRadar field name    Highlighted values in the event payload
Event ID             UserLoginSessionEvent
Source IP            172.16.210.35
Destination IP       172.16.210.175
Username             root
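The following Python script is an added example; it is not part of the IBM QRadar DSM or of the original page. It parses the three sample payloads above into the QRadar fields that the tables list, so you can check what a log source is emitting before you look for the events in the QRadar Log Activity tab. The script assumes that LEEF 1.0 attributes are tab-delimited (the LEEF default); when a payload has been pasted with spaces instead of tabs, it falls back to splitting before each key= token. The sample payloads are embedded as constructed copies of the messages on this page, and the hostd parsing rule (user@ip logged in|out) is an assumption based only on Sample 1.

```python
"""Map EMC VMWare sample payloads (syslog hostd text and LEEF 1.0) to QRadar fields.

Added example, not QRadar DSM code. Assumptions: LEEF attributes are
tab-delimited (fallback: split before each "key=" token); hostd events
name the user as "user@ip logged in|out".
"""
import re
from typing import Dict, Optional

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# Constructed copies of the three sample payloads on this page.
# The LEEF copies use the real tab delimiter between attributes.
SAMPLE_HOSTD = (
    "<166>2019-05-21T19:27:32.479Z emc.vmware.test Hostd: info hostd[111111] "
    "[Originator@1111 sub=Vimsvc.ha-eventmgr opID=1a111a11 user=root] Event 136 : "
    "User root@10.21.120.237 logged out (login time: Tuesday, 21 May, 2019 19:11:51, "
    "number of API invocations: 0, user agent: Mozilla/5.0)"
)
SAMPLE_POWEROFF = (
    "1111111111111 emc.vmware.test LEEF:1.0|EMC|VMWare|1|VmPoweredOffEvent|"
    "usrName=userName\tdevTime=1369411554256\t"
    "msg=example on  10.16.210.163 in company is powered off"
)
SAMPLE_LOGIN = (
    "Dec 23 14:43:56 172.16.210.175 LEEF:1.0|EMC|VMWare|1|UserLoginSessionEvent|"
    "usrName=root\tsrc=172.16.210.35\tmsg=User root@172.16.210.35 logged in"
)


def split_attrs(attrs: str) -> Dict[str, str]:
    """Split the LEEF attribute section into a key -> value dict."""
    if "\t" in attrs:
        pairs = [p for p in attrs.split("\t") if p]          # strict LEEF 1.0
    else:
        pairs = re.split(r"\s+(?=\w+=)", attrs.strip())      # pasted-with-spaces fallback
    out: Dict[str, str] = {}
    for pair in pairs:
        key, sep, value = pair.partition("=")
        if sep:
            out[key.strip()] = value.strip()
    return out


def parse_leef(line: str) -> Optional[Dict[str, object]]:
    """Return syslog prefix, LEEF header fields and attributes, or None if not LEEF."""
    start = line.find("LEEF:")
    if start < 0:
        return None
    _version, _, body = line[start:].partition("|")          # drop "LEEF:1.0"
    parts = body.split("|", 4)                               # keep '|' inside attributes
    if len(parts) < 5:
        return None
    vendor, product, version, event_id, attrs = parts
    return {
        "syslog_prefix": line[:start],
        "vendor": vendor, "product": product, "version": version,
        "event_id": event_id, "attrs": split_attrs(attrs),
    }


HOSTD_RE = re.compile(
    r"Event \d+ : (?P<kw>\w+) (?P<user>[^@\s]+)@(?P<ip>" + IPV4 + r") logged (?P<dir>in|out)"
)


def to_qradar_fields(line: str) -> Dict[str, Optional[str]]:
    """Normalise one payload into the QRadar field names used in the tables above."""
    leef = parse_leef(line)
    if leef:
        attrs = leef["attrs"]                                # type: ignore[assignment]
        in_msg = re.search(IPV4, attrs.get("msg", ""))       # type: ignore[union-attr]
        in_hdr = re.search(IPV4, leef["syslog_prefix"])      # type: ignore[arg-type]
        return {
            "event_id": leef["event_id"],                    # type: ignore[dict-item]
            "source_ip": attrs.get("src") or (in_msg.group(0) if in_msg else None),
            "destination_ip": in_hdr.group(0) if in_hdr else None,  # syslog header host
            "username": attrs.get("usrName"),
        }
    m = HOSTD_RE.search(line)
    if m:
        # Table 1 lists the leading keyword ("User") as the Event ID.
        return {
            "event_id": m.group("kw"), "source_ip": m.group("ip"),
            "destination_ip": None, "username": m.group("user"),
            "identity_ip": m.group("ip"), "identity_username": m.group("user"),
        }
    return {}


if __name__ == "__main__":
    for sample in (SAMPLE_HOSTD, SAMPLE_POWEROFF, SAMPLE_LOGIN):
        for field, value in to_qradar_fields(sample).items():
            print(f"{field:<20} {value}")
        print()
```

Run the script with no arguments to print the extracted fields for each sample; to check your own log source, replace the constructed samples with payloads copied from the QRadar event viewer. If a LEEF payload from a real sender parses into a single attribute, the sender is not using tabs and you should fix its delimiter rather than rely on the fallback.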