EMC VMWare sample event messages
Use these sample event messages to verify a successful integration with IBM QRadar.
Important: Because of formatting, long sample messages can wrap onto several lines. Paste the sample message into a text editor and remove any carriage return or line feed characters before you use it.
EMC VMWare sample message when you use the Syslog protocol
Sample 1: The following sample event message shows an event that is generated by the hostd process on an ESXi/ESX host to report that a user logged out.
<166>2019-05-21T19:27:32.479Z emc.vmware.test Hostd: info hostd[111111] [Originator@1111 sub=Vimsvc.ha-eventmgr opID=1a111a11 user=root] Event 136 : User root@10.21.120.237 logged out (login time: Tuesday, 21 May, 2019 19:11:51, number of API invocations: 0, user agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/10.0.3729.131 Safari/537.36)
| QRadar field name | Highlighted values in the event payload |
|---|---|
| Event ID | User |
| Source IP | 10.21.120.237 |
| Username | root |
| Identity IP | 10.21.120.237 |
| Identity Username | root |
Sample 2: The following sample event message shows that a virtual machine (VM) is powered off.
1111111111111 emc.vmware.test LEEF:1.0|EMC|VMWare|1|VmPoweredOffEvent|usrName=userName devTime=1369411554256 msg=example on 10.16.210.163 in company is powered off
| QRadar field name | Highlighted values in the event payload |
|---|---|
| Event ID | VmPoweredOffEvent |
| Source IP | 10.16.210.163 |
| Username | userName |
Sample 3: The following sample event message shows that a user login session is in progress.
Dec 23 14:43:56 172.16.210.175 LEEF:1.0|EMC|VMWare|1|UserLoginSessionEvent|usrName=root src=172.16.210.35 msg=User root@172.16.210.35 logged in
| QRadar field name | Highlighted values in the event payload |
|---|---|
| Event ID | UserLoginSessionEvent |
| Source IP | 172.16.210.35 |
| Destination IP | 172.16.210.175 |
| Username | root |
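The following Python script is an added example and is not part of the IBM documentation or of the QRadar DSM. It applies the carriage return and line feed clean-up described above, parses the three sample messages (the hostd syslog format and the LEEF 1.0 format) into the QRadar field names used in the tables, and compares the result with the values the tables show, so you can confirm the samples are intact before sending them to QRadar. The regular expressions, the rule that the Event ID of a hostd event is the leading word of the message text (as the Sample 1 table shows), and the use of the syslog header host as Destination IP are assumptions made for this example; the sample inputs are copied from this page and deliberately broken across lines to imitate a copy from a wrapped document.

```python
import re
from typing import Optional

# Constructed inputs: the three samples from this page, deliberately broken
# with CR/LF inside tokens to imitate a copy from a hard-wrapped document.
SAMPLE_HOSTD = (
    "<166>2019-05-21T19:27:32.479Z emc.vmware.test Hostd: info hostd[111111] "
    "[Originator@1111 sub=Vimsvc.ha-\neventmgr opID=1a111a11 user=root] Event 136 : "
    "User root@10.21.120.237 logged out (login time: Tuesday, 21 May, 2019 19:11:51, "
    "number of API invocations: 0, user agent: Mozilla/5.0 (Macintosh; Intel Mac OS X "
    "10_13_4) AppleWebKit/537.36 \r\n(KHTML, like Gecko) Chrome/10.0.3729.131 Safari/537.36)"
)
SAMPLE_LEEF_POWEROFF = (
    "1111111111111 emc.vmware.test LEEF:1.0|EMC|VMWare|1|VmPowered\r\nOffEvent|"
    "usrName=userName devTime=1369411554256 msg=example on 10.16.210.163 in company is powered off"
)
SAMPLE_LEEF_LOGIN = (
    "Dec 23 14:43:56 172.16.210.175 LEEF:1.0|EMC|VMWare|1|UserLogin\nSessionEvent|"
    "usrName=root src=172.16.210.35 msg=User root@172.16.210.35 logged in"
)

# Expected values, copied from the tables on this page.
TABLE_SAMPLE_1 = {"Event ID": "User", "Source IP": "10.21.120.237", "Username": "root",
                  "Identity IP": "10.21.120.237", "Identity Username": "root"}
TABLE_SAMPLE_2 = {"Event ID": "VmPoweredOffEvent", "Source IP": "10.16.210.163",
                  "Username": "userName"}
TABLE_SAMPLE_3 = {"Event ID": "UserLoginSessionEvent", "Source IP": "172.16.210.35",
                  "Destination IP": "172.16.210.175", "Username": "root"}

# Assumed patterns for the two formats shown on the page (not QRadar's own parser).
HOSTD_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\S+) (?P<host>\S+) Hostd: (?P<level>\w+) hostd\[\d+\] "
    r"\[Originator@\d+ (?P<kv>[^\]]*)\] Event (?P<num>\d+) : (?P<msg>.*)$"
)
LEEF_RE = re.compile(
    r"^(?P<header>.*?)LEEF:(?P<ver>[^|]+)\|(?P<vendor>[^|]*)\|(?P<product>[^|]*)\|"
    r"(?P<pver>[^|]*)\|(?P<eventid>[^|]*)\|(?P<attrs>.*)$"
)
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
USER_AT_IP_RE = re.compile(r"(?P<user>\S+)@(?P<ip>\d{1,3}(?:\.\d{1,3}){3})")


def normalize(raw: str) -> str:
    """Apply the page's note: drop every CR and LF, then trim outer whitespace."""
    return raw.replace("\r", "").replace("\n", "").strip()


def parse_leef_attrs(attrs: str) -> dict:
    """Split LEEF key=value attributes. LEEF 1.0 separates them with a tab by
    default; the samples here use spaces, and msg= values contain spaces, so
    split only immediately before the next key= token."""
    pairs = re.split(r"[\t ]+(?=\w+=)", attrs.strip())
    return dict(p.split("=", 1) for p in pairs if "=" in p)


def parse_event(line: str) -> Optional[dict]:
    """Map one sample message to the QRadar field names used in the tables.
    Returns None if the line matches neither format (e.g. an unwrapped copy)."""
    m = HOSTD_RE.match(line)
    if m:
        msg = m.group("msg")
        # The Sample 1 table shows the leading word of the message text as the Event ID.
        out = {"Event ID": msg.split()[0]}
        who = USER_AT_IP_RE.search(msg)
        if who:
            # user@ip in the message text populates both the source and the identity fields.
            out.update({"Source IP": who.group("ip"), "Username": who.group("user"),
                        "Identity IP": who.group("ip"), "Identity Username": who.group("user")})
        return out
    m = LEEF_RE.match(line)
    if m:
        attrs = parse_leef_attrs(m.group("attrs"))
        out = {"Event ID": m.group("eventid")}
        if "usrName" in attrs:
            out["Username"] = attrs["usrName"]
        # Prefer an explicit src= attribute; otherwise take the first address in msg=.
        src = attrs.get("src") or next(iter(IP_RE.findall(attrs.get("msg", ""))), None)
        if src:
            out["Source IP"] = src
        # Assumption: the reporting host in the syslog header is the Destination IP when it is an address.
        header_tokens = m.group("header").split()
        if header_tokens and IP_RE.fullmatch(header_tokens[-1]):
            out["Destination IP"] = header_tokens[-1]
        return out
    return None


def check_against_table(parsed: Optional[dict], expected: dict) -> list:
    """Return (field, expected, actual) for every field that does not match;
    an empty list means the sample parsed exactly as the page's table shows."""
    parsed = parsed or {}
    return [(k, v, parsed.get(k)) for k, v in expected.items() if parsed.get(k) != v]


if __name__ == "__main__":
    for raw, table in [(SAMPLE_HOSTD, TABLE_SAMPLE_1), (SAMPLE_LEEF_POWEROFF, TABLE_SAMPLE_2),
                       (SAMPLE_LEEF_LOGIN, TABLE_SAMPLE_3)]:
        print("as copied:", check_against_table(parse_event(raw), table))
        print("cleaned  :", check_against_table(parse_event(normalize(raw)), table))
```

Running the script shows why the note about line breaks matters: the wrapped copies either fail to match at all (the hostd sample) or produce an Event ID with the line break embedded in it (the LEEF samples), while the cleaned copies match every field in the tables.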