IBM Security Guardium Insights sample event messages

Use these sample event messages to verify a successful integration with IBM QRadar.

Important: Because of formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.

IBM Security Guardium Insights sample message when you use the Syslog protocol

Sample 1: The following sample event message shows that an attempted login to the database is not successful.

<6>2023-05-28T03:55:22Z ibm.guardiuminsight.test qradar[14]: LEEF:1.0|IBM|Guardium|3.0|6472d05f7125753b04c11c8d|xa6|5 failed logins within 1 minute for any user on any database|x7c|eventTime=2023-01-07T00:00:00Z|serverType=POSTGRESQL|client=10.0.0.248|clientName=|server=10.0.0.72|serverName=|clientPort=2878|serverPort=432|serviceName=TIDNCSAE7M|databaseName=POSTGRES|netProtocol=TCP|dbProtocol=AURORA POSTGRESQL|dbProtocol Version=12.12.2|dbUser=user2|userName=|sourceProgram=|authCode=0|requestType=LOGIN_FAILED|lastError=28P01|sql=|sqlStatus=EXCEPTION
Table 1. Highlighted values in the IBM Security Guardium Insights sample event

QRadar field name    Highlighted values in the event payload
-----------------    --------------------------------------
Event ID             Login_failed
Username             user2
Source IP            10.0.0.248
Source port          2878
Destination IP       10.0.0.72
Destination port     432
Device time          2023-05-28T03:55:22Z

Sample 2: The following sample event message shows the event ID that is generated from the violation description of an out-of-the-box rule.

<6>2023-05-24T06:15:26Z ibm.guardiuminsight.test qradar[14]: LEEF:1.0|IBM|Guardium|3.0|646daaf39ed5984ef46404a7|xa6|sql err|x7c|eventTime=2023-01-01T00:00:00Z|serverType=POSTGRESQL|client=10.0.0.5|clientName=|server=10.0.0.6|serverName=34682495|clientPort=6785|serverPort=200|serviceName=3468249|databaseName=3468|netProtocol=TCP|dbProtocol=UC: POSTGRESQL|dbProtocol Version=|dbUser=user1|userName=user11|sourceProgram=|authCode=0|requestType=UNKNOWN|lastError=syntax error at or near . at character 22|sql=NA|sqlStatus=EXCEPTION
Table 2. Highlighted values in the IBM Security Guardium Insights sample event

QRadar field name    Highlighted values in the event payload
-----------------    --------------------------------------
Event ID             sql err
Username             user11
Source IP            10.0.0.5
Source port          6785
Destination IP       10.0.0.6
Destination port     200
Protocol             6
Device time          2023-01-01T00:00:00Z
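The following parser is an added example, not IBM or QRadar code, for checking the two samples above offline: it strips the syslog wrapper, splits the pipe-delimited LEEF header, decodes the attribute list and derives the field values listed in Tables 1 and 2. It assumes that the x7c token is a hex-encoded delimiter declaration (0x7c is the "|" character, the way LEEF 2.0 encodes delimiters), that the rule description sits between the two delimiter tokens, and that Username falls back from userName to dbUser, which is inferred from the two samples rather than stated on the page.

```python
import re
from typing import Any, Dict

# Constructed copy of Sample 1 above, joined onto one line as the page advises.
SAMPLE_1 = (
    "<6>2023-05-28T03:55:22Z ibm.guardiuminsight.test qradar[14]: LEEF:1.0|IBM|Guardium|3.0|"
    "6472d05f7125753b04c11c8d|xa6|5 failed logins within 1 minute for any user on any database|x7c|"
    "eventTime=2023-01-07T00:00:00Z|serverType=POSTGRESQL|client=10.0.0.248|clientName=|server=10.0.0.72|"
    "serverName=|clientPort=2878|serverPort=432|serviceName=TIDNCSAE7M|databaseName=POSTGRES|"
    "netProtocol=TCP|dbProtocol=AURORA POSTGRESQL|dbProtocol Version=12.12.2|dbUser=user2|userName=|"
    "sourceProgram=|authCode=0|requestType=LOGIN_FAILED|lastError=28P01|sql=|sqlStatus=EXCEPTION"
)

SYSLOG_RE = re.compile(r"^<(?P<pri>\d+)>(?P<ts>\S+) (?P<host>\S+) (?P<tag>\S+): (?P<leef>LEEF:.*)$")
HEX_DELIM_RE = re.compile(r"^x[0-9a-fA-F]{2}$")  # hex delimiter token such as x7c (assumption: as in LEEF 2.0)
IANA_PROTOCOL = {"TCP": 6, "UDP": 17}  # netProtocol name -> number shown as "Protocol" in Table 2


def parse_guardium_leef(line: str) -> Dict[str, Any]:
    """Split the syslog wrapper, the pipe-delimited LEEF header and the key=value attributes."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        raise ValueError("not a syslog-wrapped LEEF record")
    parts = m.group("leef").split("|")
    if len(parts) < 9 or not HEX_DELIM_RE.match(parts[7]):
        raise ValueError("unexpected LEEF header layout")
    # Assumed layout: LEEF:1.0|vendor|product|version|event id|xa6|rule description|x7c|attributes...
    attr_delim = chr(int(parts[7][1:], 16))  # "x7c" -> "|"
    attrs: Dict[str, str] = {}
    for pair in "|".join(parts[8:]).split(attr_delim):
        key, _, value = pair.partition("=")
        attrs[key] = value  # empty values (clientName=, sql=) are kept as ""
    return {
        "syslog_time": m.group("ts"), "host": m.group("host"),
        "vendor": parts[1], "product": parts[2], "event_id": parts[4],
        "rule_description": parts[6], "attrs": attrs,
    }


def map_to_qradar_fields(rec: Dict[str, Any]) -> Dict[str, Any]:
    """Derive the Table 1/2 values; the userName-then-dbUser fallback is inferred from the two samples."""
    a = rec["attrs"]
    return {
        "Username": a.get("userName") or a.get("dbUser"),
        "Source IP": a.get("client"), "Source port": int(a["clientPort"]),
        "Destination IP": a.get("server"), "Destination port": int(a["serverPort"]),
        "Protocol": IANA_PROTOCOL.get(a.get("netProtocol", "").upper()),
        "Event time": a.get("eventTime"), "Request type": a.get("requestType"),
    }
```

Run the two functions over a message captured from your own log source and compare the result with the QRadar event details to confirm the mapping before relying on it.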