Cisco IOS sample event messages
Use these sample event messages to verify a successful integration with IBM QRadar.
Important: Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.
Cisco IOS sample message when you use the Syslog protocol
Sample 1: This sample event shows that a TCP session is dropped.
<190>2116989: cisco.ios.test: Aug 1 13:42:04.497: %IOSXE-6-PLATFORM: SIP1: cpp_cp: QFP:0.0 Thread:001 TS:00006808302886264846 %FW-6-DROP_PKT: Dropping tcp pkt from Vlan100 10.1.2.230:12321 => 172.16.3.20:42150(target:class)-(ESP-DMVPN:class-default) due to Policy drop:classify result with ip ident 1203 tcp flag 0x2, seq 1227798955, ack 0
| QRadar field name | Highlighted values in the event payload |
|---|---|
| Event ID | %FW-6-DROP_PKT |
| Event Category | IOS |
| Source IP | 10.1.2.230 |
| Source Port | 12321 |
| Destination IP | 172.16.3.20 |
| Destination Port | 42150 |
| Protocol | 6 |
Sample 2: This sample event shows the opening of an inspection session. The message is issued at the start of each inspected session and records the source and destination addresses and ports.
<190>1321321: cisco.ios.test: Jul 12 15:42:06.035: %IOSXE-6-PLATFORM: SIP1: cpp_cp: QFP:0.0 Thread:001 TS:00005087480388332015 %FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(DMVPN-ESP:CLS_ESP-Out):Start tcp session: initiator (192.168.150.120:49290) -- responder (10.40.0.27:20000) from Tunnel1
| QRadar field name | Highlighted values in the event payload |
|---|---|
| Event ID | SESS_AUDIT_TRAIL_START |
| Event Category | IOS |
| Source IP | 192.168.150.120 |
| Source Port | 49290 |
| Destination IP | 10.40.0.27 |
| Destination Port | 20000 |
| Protocol | 6 |
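The following added example is not part of the IBM documentation and is not QRadar's own DSM parser; it is a small Python check that pulls the same fields the two tables above list (event ID, source and destination IP and port, protocol number) out of the two sample payloads, and compares them with the expected values so you can confirm what the log source should be extracting before you look at it in the QRadar Log Activity tab. The regular expressions, the `parse_ios_fw_event` and `verify_expected_fields` names, and the small protocol-number map are assumptions of this example; the payloads are the two samples from this page. Unlike the tables, which show the event ID once with and once without the `%FW-6-` prefix, the parser always returns both the full `%FACILITY-SEVERITY-MNEMONIC` string and the bare mnemonic.

```python
import re
from typing import Optional

# The two sample payloads from this page (documented test messages, not live traffic).
SAMPLE_DROP = (
    '<190>2116989: cisco.ios.test: Aug 1 13:42:04.497: %IOSXE-6-PLATFORM: SIP1: cpp_cp: '
    'QFP:0.0 Thread:001 TS:00006808302886264846 %FW-6-DROP_PKT: Dropping tcp pkt from Vlan100 '
    '10.1.2.230:12321 => 172.16.3.20:42150(target:class)-(ESP-DMVPN:class-default) due to '
    'Policy drop:classify result with ip ident 1203 tcp flag 0x2, seq 1227798955, ack 0'
)
SAMPLE_START = (
    '<190>1321321: cisco.ios.test: Jul 12 15:42:06.035: %IOSXE-6-PLATFORM: SIP1: cpp_cp: '
    'QFP:0.0 Thread:001 TS:00005087480388332015 %FW-6-SESS_AUDIT_TRAIL_START: '
    '(target:class)-(DMVPN-ESP:CLS_ESP-Out):Start tcp session: initiator (192.168.150.120:49290) '
    '-- responder (10.40.0.27:20000) from Tunnel1'
)

# Assumed IANA protocol numbers for the transport names that appear in these messages.
PROTO_NUMBERS = {"tcp": 6, "udp": 17, "icmp": 1}

# Syslog PRI header: <facility*8 + severity>.
PRI_RE = re.compile(r'^<(?P<pri>\d{1,3})>')
# IOS message mnemonic, %FACILITY-SEVERITY-MNEMONIC:, e.g. %FW-6-DROP_PKT:.
# The wrapper %IOSXE-6-PLATFORM: also matches, so the last match is the real event.
MNEMONIC_RE = re.compile(r'%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+):')
# Free-text body of a DROP_PKT event: "Dropping tcp pkt from <iface> SIP:SPORT => DIP:DPORT".
DROP_RE = re.compile(
    r'Dropping (?P<proto>\w+) pkt from \S+ '
    r'(?P<sip>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) => '
    r'(?P<dip>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)'
)
# Free-text body of a SESS_AUDIT_TRAIL_START event: "Start tcp session: initiator (...) -- responder (...)".
SESSION_RE = re.compile(
    r'Start (?P<proto>\w+) session: initiator '
    r'\((?P<sip>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)\) -- responder '
    r'\((?P<dip>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)\)'
)


def parse_ios_fw_event(payload: str) -> Optional[dict]:
    """Extract QRadar-style fields from a %FW-6-DROP_PKT or %FW-6-SESS_AUDIT_TRAIL_START event.

    Returns None when the payload is not one of the two message shapes handled here,
    so a caller can count unparsed events instead of silently mis-mapping them.
    """
    pri = PRI_RE.match(payload)
    syslog_facility, syslog_severity = divmod(int(pri.group('pri')), 8) if pri else (None, None)

    mnemonics = MNEMONIC_RE.findall(payload)
    if not mnemonics:
        return None
    facility, severity, mnemonic = mnemonics[-1]

    body = DROP_RE.search(payload) or SESSION_RE.search(payload)
    if body is None:
        return None

    return {
        "event_id": f"%{facility}-{severity}-{mnemonic}",
        "mnemonic": mnemonic,
        "event_category": "IOS",
        "source_ip": body.group('sip'),
        "source_port": int(body.group('sport')),
        "destination_ip": body.group('dip'),
        "destination_port": int(body.group('dport')),
        "protocol": PROTO_NUMBERS.get(body.group('proto').lower()),
        "syslog_facility": syslog_facility,
        "syslog_severity": syslog_severity,
    }


def verify_expected_fields(payload: str, expected: dict) -> list:
    """Return the names of expected fields whose parsed value differs (empty list means all matched)."""
    parsed = parse_ios_fw_event(payload)
    if parsed is None:
        return sorted(expected)
    return sorted(k for k, v in expected.items() if parsed.get(k) != v)


if __name__ == "__main__":
    for name, payload in (("Sample 1", SAMPLE_DROP), ("Sample 2", SAMPLE_START)):
        print(name, parse_ios_fw_event(payload))
```

The PRI value `<190>` decodes to facility 23 (local7) and severity 6 (informational), which matches the `-6-` severity digit inside the IOS mnemonic; a mismatch between the two is a quick sign that a relay or forwarder rewrote the header.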