IBM Guardium sample event messages

Use these sample event messages to verify a successful integration with IBM QRadar.

Important: Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.

IBM Guardium sample message when you use the Syslog protocol

Sample 1: The following sample event message shows that an attempted login to the database is not successful.

<30>Aug 19 12:33:31 ibm.guardium.test guard_sender[4486]: LEEF:1.0|IBM|Guardium|8.0|Login failures|ruleID=20026|ruleDesc=Login failures|severity=INFO|devTime=2013-8-19 6:34:41|serverType=DB2|classification=|category=|dbProtocolVersion=3.0|usrName=|sourceProgram=DB2JCC_APPLICATION|start=1376908481000|dbUser=user|dst=10.30.2.124|dstPort=50000|src=10.30.5.152|srcPort=38754|protocol=TCP|type=LOGIN_FAILED|violationID=15|sql=|error=08001-XXXX:30082-01
Table 1. Highlighted values in the IBM Guardium sample event
QRadar field name Highlighted values in the event payload
Event ID Login failures
Username user
Source IP 10.30.5.152
Source port 38754
Destination IP 10.30.2.124
Destination port 50000
Device time Aug 19 12:33:31

Sample 2: The following sample event message shows that unauthorized users on cardholder objects are detected.

<25>Jun 11 13:47:19 ibm.guardium.test guard_sender[3432]: LEEF:1.0|IBM|Guardium|8.0|Unauthorized  Users on Cardholder Objects - Alert|ruleID=159|ruleDesc=Unauthorized  Users on Cardholder Objects - Alert|severity=MED|devTime=2013-6-11 12:46:21|serverType=MS SQL SERVER|classification=Violation|category=PCI|dbProtocolVersion=8.0|usrName=|sourceProgram=ABCDEF.EXE|start=1370965581000|dbUser=SYSTEM|dst=172.16.107.92|dstPort=1433|src=172.16.107.92|srcPort=60621|protocol=TCP|type=SQL_LANG|violationID=0|sql=SELECT * FROM EPOAgentHandlerAssignment INNER JOIN EPOAgentHandlerAssignmentPriority ON (EPOAgentHandlerAssignment.AutoID = EPOAgentHandlerAssignmentPriority.AssignmentID) ORDER BY EPOAgentHandlerAssignmentPriority.Priority ASC|error=TDS_MS-
Table 2. Highlighted values in the IBM Guardium sample event
QRadar field name Highlighted values in the event payload
Event ID Unauthorized Users on Cardholder Objects - Alert
Username SYSTEM
Source IP 172.16.107.92
Source port 60621
Destination IP 172.16.107.92
Destination port 1433
Device time Jun 11 13:47:19