IBM Security Guardium Insights sample event messages
Use these sample event messages to verify a successful integration with IBM QRadar.
Important: Due to formatting issues, paste the message format into a text editor and
then remove any carriage return or line feed characters.
IBM Security Guardium Insights sample message when you use the Syslog protocol
Sample 1: The following sample event message shows that an attempted login to the database is not successful.
```text
<6>2023-05-28T03:55:22Z ibm.guardiuminsight.test qradar[14]: LEEF:1.0|IBM|Guardium|3.0|6472d05f7125753b04c11c8d|xa6|5 failed logins within 1 minute for any user on any database|x7c|eventTime=2023-01-07T00:00:00Z|serverType=POSTGRESQL|client=10.0.0.248|clientName=|server=10.0.0.72|serverName=|clientPort=2878|serverPort=432|serviceName=TIDNCSAE7M|databaseName=POSTGRES|netProtocol=TCP|dbProtocol=AURORA POSTGRESQL|dbProtocol Version=12.12.2|dbUser=user2|userName=|sourceProgram=|authCode=0|requestType=LOGIN_FAILED|lastError=28P01|sql=|sqlStatus=EXCEPTION
```

| QRadar field name | Highlighted values in the event payload |
|---|---|
| Event ID | Login_failed |
| Username | user2 |
| Source IP | 10.0.0.248 |
| Source port | 2878 |
| Destination IP | 10.0.0.72 |
| Destination port | 432 |
| Device time | 2023-05-28T03:55:22Z |
Sample 2: The following sample event message shows an event ID that is generated from an out-of-the-box rule violation description.
```text
<6>2023-05-24T06:15:26Z ibm.guardiuminsight.test qradar[14]: LEEF:1.0|IBM|Guardium|3.0|646daaf39ed5984ef46404a7|xa6|sql err|x7c|eventTime=2023-01-01T00:00:00Z|serverType=POSTGRESQL|client=10.0.0.5|clientName=|server=10.0.0.6|serverName=34682495|clientPort=6785|serverPort=200|serviceName=3468249|databaseName=3468|netProtocol=TCP|dbProtocol=UC: POSTGRESQL|dbProtocol Version=|dbUser=user1|userName=user11|sourceProgram=|authCode=0|requestType=UNKNOWN|lastError=syntax error at or near . at character 22|sql=NA|sqlStatus=EXCEPTION
```

| QRadar field name | Highlighted values in the event payload |
|---|---|
| Event ID | sql err |
| Username | user11 |
| Source IP | 10.0.0.5 |
| Source port | 6785 |
| Destination IP | 10.0.0.6 |
| Destination port | 200 |
| Protocol | 6 |
| Device time | 2023-01-01T00:00:00Z |
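To check an integration without waiting on the QRadar parser, the following added example (not IBM's code) parses both samples above as syslog-wrapped LEEF 1.0 and reproduces the field mapping shown in the two tables. The fallback rules it encodes (Username from userName, else dbUser; Event ID from requestType, else the rule-violation description when requestType is UNKNOWN; Device time from eventTime, else the syslog header timestamp) are assumptions inferred from the two samples, not a documented DSM specification; note that the page's Sample 1 table shows the syslog header timestamp as Device time.

```python
import re

# Constructed from Sample 1 on this page, with CR/LF removed as the page instructs.
SAMPLE_1 = (
    "<6>2023-05-28T03:55:22Z ibm.guardiuminsight.test qradar[14]: LEEF:1.0|IBM|Guardium|3.0|"
    "6472d05f7125753b04c11c8d|xa6|5 failed logins within 1 minute for any user on any database|x7c|"
    "eventTime=2023-01-07T00:00:00Z|serverType=POSTGRESQL|client=10.0.0.248|clientName=|server=10.0.0.72|"
    "serverName=|clientPort=2878|serverPort=432|serviceName=TIDNCSAE7M|databaseName=POSTGRES|netProtocol=TCP|"
    "dbProtocol=AURORA POSTGRESQL|dbProtocol Version=12.12.2|dbUser=user2|userName=|sourceProgram=|"
    "authCode=0|requestType=LOGIN_FAILED|lastError=28P01|sql=|sqlStatus=EXCEPTION"
)

SYSLOG_RE = re.compile(r"^<(?P<pri>\d+)>(?P<ts>\S+) (?P<host>\S+) (?P<tag>\S+): (?P<leef>LEEF:.*)$")
IANA_PROTO = {"TCP": 6, "UDP": 17}  # netProtocol name -> numeric QRadar Protocol field

def parse_leef(line):
    """Split a syslog-wrapped LEEF 1.0 line into header fields and key=value attributes."""
    line = line.replace("\r", "").replace("\n", "")  # the page warns about stray CR/LF
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a syslog-wrapped LEEF event")
    tokens = m.group("leef").split("|")
    hdr = dict(zip(("leefVersion", "vendor", "product", "version", "eventId"), tokens[:5]))
    # Tokens after the 5-field header that carry no '=' are extra header text: the literal
    # 'xa6'/'x7c' markers seen in the page's samples and the rule-violation description.
    extras = [t for t in tokens[5:] if "=" not in t]
    attrs = dict(t.split("=", 1) for t in tokens[5:] if "=" in t)
    hdr["description"] = next((t for t in extras if t not in ("xa6", "x7c")), "")
    return m.group("ts"), hdr, attrs

def to_qradar_fields(line):
    """Map a parsed event onto the QRadar field names used in this page's tables.
    Fallback rules (userName -> dbUser, UNKNOWN requestType -> description,
    eventTime -> syslog timestamp) are assumptions inferred from the two samples."""
    ts, hdr, a = parse_leef(line)
    req = a.get("requestType", "")
    return {
        "Event ID": req if req and req != "UNKNOWN" else hdr["description"],
        "Username": a.get("userName") or a.get("dbUser", ""),
        "Source IP": a.get("client", ""),
        "Source port": int(a["clientPort"]) if a.get("clientPort") else None,
        "Destination IP": a.get("server", ""),
        "Destination port": int(a["serverPort"]) if a.get("serverPort") else None,
        "Protocol": IANA_PROTO.get(a.get("netProtocol", "").upper()),
        "Device time": a.get("eventTime") or ts,
    }
```

Feed it the raw line from your log source; if a field comes back empty or None, compare the attribute names in the payload against the ones the DSM expects before suspecting the QRadar side.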