IBM Guardium sample event messages
Use these sample event messages to verify a successful integration with IBM QRadar.
Important: Each sample message must be sent as a single line. Because of line wrapping on this page, paste the sample message into a text editor and remove any carriage return or line feed characters before you send it.
IBM Guardium sample message when you use the Syslog protocol
Sample 1: The following sample event message shows an unsuccessful login attempt to a DB2 database (type=LOGIN_FAILED, severity INFO).
<30>Aug 19 12:33:31 ibm.guardium.test guard_sender[4486]: LEEF:1.0|IBM|Guardium|8.0|Login failures|ruleID=20026|ruleDesc=Login failures|severity=INFO|devTime=2013-8-19 6:34:41|serverType=DB2|classification=|category=|dbProtocolVersion=3.0|usrName=|sourceProgram=DB2JCC_APPLICATION|start=1376908481000|dbUser=user|dst=10.30.2.124|dstPort=50000|src=10.30.5.152|srcPort=38754|protocol=TCP|type=LOGIN_FAILED|violationID=15|sql=|error=08001-XXXX:30082-01
QRadar field name | Value in the event payload | Payload field the value comes from |
---|---|---|
Event ID | Login failures | LEEF event ID (fifth header field) |
Username | user | dbUser (usrName is empty in this sample) |
Source IP | 10.30.5.152 | src |
Source port | 38754 | srcPort |
Destination IP | 10.30.2.124 | dst |
Destination port | 50000 | dstPort |
Device time | Aug 19 12:33:31 | syslog header timestamp, not the devTime attribute |
Sample 2: The following sample event message shows a policy violation in which an unauthorized user accessed cardholder data objects on Microsoft SQL Server; Guardium classifies it as a PCI violation (classification=Violation, category=PCI, severity MED) and includes the offending SQL statement.
<25>Jun 11 13:47:19 ibm.guardium.test guard_sender[3432]: LEEF:1.0|IBM|Guardium|8.0|Unauthorized Users on Cardholder Objects - Alert|ruleID=159|ruleDesc=Unauthorized Users on Cardholder Objects - Alert|severity=MED|devTime=2013-6-11 12:46:21|serverType=MS SQL SERVER|classification=Violation|category=PCI|dbProtocolVersion=8.0|usrName=|sourceProgram=ABCDEF.EXE|start=1370965581000|dbUser=SYSTEM|dst=172.16.107.92|dstPort=1433|src=172.16.107.92|srcPort=60621|protocol=TCP|type=SQL_LANG|violationID=0|sql=SELECT * FROM EPOAgentHandlerAssignment INNER JOIN EPOAgentHandlerAssignmentPriority ON (EPOAgentHandlerAssignment.AutoID = EPOAgentHandlerAssignmentPriority.AssignmentID) ORDER BY EPOAgentHandlerAssignmentPriority.Priority ASC|error=TDS_MS-
QRadar field name | Value in the event payload | Payload field the value comes from |
---|---|---|
Event ID | Unauthorized Users on Cardholder Objects - Alert | LEEF event ID (fifth header field) |
Username | SYSTEM | dbUser (usrName is empty in this sample) |
Source IP | 172.16.107.92 | src |
Source port | 60621 | srcPort |
Destination IP | 172.16.107.92 | dst |
Destination port | 1433 | dstPort |
Device time | Jun 11 13:47:19 | syslog header timestamp, not the devTime attribute |
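The following added example (written for this page, not IBM code) parses both sample messages above into their syslog wrapper, LEEF header and attribute list, reproduces the field mapping shown in the two tables, measures the gap between the timezone-less devTime attribute and the epoch-millisecond start attribute, and can replay a sample to an event collector over UDP syslog. The two sample strings are single-line copies of the messages above; the collector host name and the fallback from dbUser to usrName are this example's assumptions.

```python
"""Parse IBM Guardium LEEF:1.0 events as they arrive over syslog and map them
to the QRadar fields listed on this page. Added example, not IBM code."""
import re
import socket
from datetime import datetime, timezone

# Constructed single-line copies of the two sample messages on this page.
SAMPLE_LOGIN_FAILED = (
    "<30>Aug 19 12:33:31 ibm.guardium.test guard_sender[4486]: LEEF:1.0|IBM|Guardium|8.0|"
    "Login failures|ruleID=20026|ruleDesc=Login failures|severity=INFO|devTime=2013-8-19 6:34:41|"
    "serverType=DB2|classification=|category=|dbProtocolVersion=3.0|usrName=|"
    "sourceProgram=DB2JCC_APPLICATION|start=1376908481000|dbUser=user|dst=10.30.2.124|"
    "dstPort=50000|src=10.30.5.152|srcPort=38754|protocol=TCP|type=LOGIN_FAILED|"
    "violationID=15|sql=|error=08001-XXXX:30082-01"
)
SAMPLE_PCI_VIOLATION = (
    "<25>Jun 11 13:47:19 ibm.guardium.test guard_sender[3432]: LEEF:1.0|IBM|Guardium|8.0|"
    "Unauthorized Users on Cardholder Objects - Alert|ruleID=159|"
    "ruleDesc=Unauthorized Users on Cardholder Objects - Alert|severity=MED|"
    "devTime=2013-6-11 12:46:21|serverType=MS SQL SERVER|classification=Violation|"
    "category=PCI|dbProtocolVersion=8.0|usrName=|sourceProgram=ABCDEF.EXE|"
    "start=1370965581000|dbUser=SYSTEM|dst=172.16.107.92|dstPort=1433|src=172.16.107.92|"
    "srcPort=60621|protocol=TCP|type=SQL_LANG|violationID=0|"
    "sql=SELECT * FROM EPOAgentHandlerAssignment INNER JOIN EPOAgentHandlerAssignmentPriority "
    "ON (EPOAgentHandlerAssignment.AutoID = EPOAgentHandlerAssignmentPriority.AssignmentID) "
    "ORDER BY EPOAgentHandlerAssignmentPriority.Priority ASC|error=TDS_MS-"
)

# RFC 3164 style wrapper written by guard_sender: <PRI>Mmm dd hh:mm:ss host tag[pid]: LEEF...
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<leef>LEEF:.*)$"
)

def parse_guardium_leef(raw):
    """Split one message into its syslog wrapper, LEEF header and LEEF attributes."""
    # The message must be one line (see the note at the top of the page), so drop any
    # CR/LF that copy-paste or a log viewer inserted before matching.
    line = raw.replace("\r", "").replace("\n", "").strip()
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a syslog-wrapped LEEF message")
    pri = int(m.group("pri"))
    syslog = {"facility": pri // 8, "severity": pri % 8, "timestamp": m.group("ts"),
              "host": m.group("host"), "tag": m.group("tag"), "pid": int(m.group("pid"))}
    # Guardium delimits the LEEF header *and* the attributes with '|' rather than the tab
    # that LEEF 1.0 uses by default. A '|' inside the sql= text would break this split;
    # neither sample on the page contains one.
    fields = m.group("leef").split("|")
    if len(fields) < 5 or not fields[0].startswith("LEEF:"):
        raise ValueError("malformed LEEF header")
    header = {"leef_version": fields[0][5:], "vendor": fields[1], "product": fields[2],
              "product_version": fields[3], "event_id": fields[4]}
    attrs = {}
    for item in fields[5:]:
        key, sep, value = item.partition("=")  # first '=' only: the sql= value contains '='
        if not sep:
            raise ValueError("LEEF attribute without '=': %r" % item)
        attrs[key] = value
    return {"syslog": syslog, "header": header, "attrs": attrs}

def to_qradar_fields(event):
    """Reproduce the QRadar field mapping shown in the tables on this page.
    Both samples populate dbUser and leave usrName empty; falling back to usrName
    when dbUser is empty is this example's assumption, not documented DSM behaviour."""
    a = event["attrs"]
    return {
        "Event ID": event["header"]["event_id"],
        "Username": a.get("dbUser") or a.get("usrName", ""),
        "Source IP": a.get("src", ""),
        "Source port": int(a["srcPort"]) if a.get("srcPort") else None,
        "Destination IP": a.get("dst", ""),
        "Destination port": int(a["dstPort"]) if a.get("dstPort") else None,
        # The page's tables take Device time from the syslog header, not from devTime.
        "Device time": event["syslog"]["timestamp"],
    }

def devtime_utc_offset_hours(event):
    """Hours between the zero-padding-free, timezone-less devTime attribute and the
    epoch-millisecond start attribute (UTC). Negative means devTime is behind UTC."""
    dev = datetime.strptime(event["attrs"]["devTime"], "%Y-%m-%d %H:%M:%S")
    start = datetime.fromtimestamp(int(event["attrs"]["start"]) / 1000, tz=timezone.utc)
    return (dev - start.replace(tzinfo=None)).total_seconds() / 3600

def send_syslog_udp(message, collector_host, port=514):
    """Replay one sample to a QRadar event collector over UDP syslog. collector_host is a
    placeholder argument; this page names no collector. Returns the number of bytes sent."""
    line = message.replace("\r", "").replace("\n", "").encode("utf-8")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(line, (collector_host, port))

if __name__ == "__main__":
    for sample in (SAMPLE_LOGIN_FAILED, SAMPLE_PCI_VIOLATION):
        event = parse_guardium_leef(sample)
        print(to_qradar_fields(event), "devTime minus start (h):", devtime_utc_offset_hours(event))
```

Running the skew check on the two samples gives -4 hours for the DB2 event and -3 hours for the SQL Server event: devTime is written in the sending system's local time with no zone indicator and no zero padding, so it cannot be compared across collectors without knowing their time zones, whereas start is an unambiguous epoch value. When you verify an integration, compare the Device time QRadar shows (the syslog header) against the collector clock, and use start rather than devTime if you need the event's UTC time.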