Cisco IOS sample event messages

Use these sample event messages to verify a successful integration with IBM QRadar.

Important: Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.

Cisco IOS sample message when you use the Syslog protocol

Sample 1: This sample event shows that a TCP session is dropped. The firewall policy (%FW-6-DROP_PKT) drops the session's opening packet (tcp flag 0x2, a SYN) and records the source and destination addresses and ports.

<190>2116989: cisco.ios.test: Aug  1 13:42:04.497: %IOSXE-6-PLATFORM:  SIP1: cpp_cp: QFP:0.0 Thread:001 TS:00006808302886264846 %FW-6-DROP_PKT: Dropping tcp pkt from Vlan100 10.1.2.230:12321 => 172.16.3.20:42150(target:class)-(ESP-DMVPN:class-default) due to Policy drop:classify result with ip ident 1203 tcp flag 0x2, seq 1227798955, ack 0
Table 1. Highlighted values in the Cisco IOS event

QRadar field name      Highlighted values in the event payload
Event ID               %FW-6-DROP_PKT
Event Category         IOS
Source IP              10.1.2.230
Source Port            12321
Destination IP         172.16.3.20
Destination Port       42150
Protocol               6 (TCP)

Sample 2: This sample event shows the opening of an inspection session. The message is issued at the start of each inspected session and records the source and destination addresses and ports.

<190>1321321: cisco.ios.test: Jul 12 15:42:06.035: %IOSXE-6-PLATFORM:  SIP1: cpp_cp: QFP:0.0 Thread:001 TS:00005087480388332015 %FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(DMVPN-ESP:CLS_ESP-Out):Start tcp session: initiator (192.168.150.120:49290) -- responder (10.40.0.27:20000) from Tunnel1
Table 2. Highlighted values in the Cisco IOS sample event

QRadar field name      Highlighted values in the event payload
Event ID               SESS_AUDIT_TRAIL_START
Event Category         IOS
Source IP              192.168.150.120
Source Port            49290
Destination IP         10.40.0.27
Destination Port       20000
Protocol               6 (TCP)
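The field mappings in Table 1 and Table 2 can be checked offline before the events are sent to QRadar. The Python parser below is an added example, not part of the IBM documentation or the QRadar DSM; it takes the two sample payloads from this page (copied inline as constructed test input), strips the carriage-return and line-feed characters that the note above warns about, decodes the syslog PRI value, and extracts the same fields the tables highlight. The event ID is returned as the full mnemonic including the %FW-6- prefix for both message types; the regular expressions, the IosFwEvent dataclass and the protocol-number lookup are assumptions of this example, not QRadar parsing rules.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed copies of the two sample payloads shown on this page.
SAMPLE_DROP = (
    "<190>2116989: cisco.ios.test: Aug  1 13:42:04.497: %IOSXE-6-PLATFORM:  SIP1: cpp_cp: "
    "QFP:0.0 Thread:001 TS:00006808302886264846 %FW-6-DROP_PKT: Dropping tcp pkt from Vlan100 "
    "10.1.2.230:12321 => 172.16.3.20:42150(target:class)-(ESP-DMVPN:class-default) due to "
    "Policy drop:classify result with ip ident 1203 tcp flag 0x2, seq 1227798955, ack 0"
)
SAMPLE_SESS = (
    "<190>1321321: cisco.ios.test: Jul 12 15:42:06.035: %IOSXE-6-PLATFORM:  SIP1: cpp_cp: "
    "QFP:0.0 Thread:001 TS:00005087480388332015 %FW-6-SESS_AUDIT_TRAIL_START: "
    "(target:class)-(DMVPN-ESP:CLS_ESP-Out):Start tcp session: initiator "
    "(192.168.150.120:49290) -- responder (10.40.0.27:20000) from Tunnel1"
)

# IANA protocol numbers for the transport names IOS prints in these messages.
IP_PROTO = {"tcp": 6, "udp": 17, "icmp": 1}


@dataclass
class IosFwEvent:
    """Hypothetical record holding the fields the QRadar tables highlight."""
    event_id: str
    event_category: str
    source_ip: str
    source_port: int
    destination_ip: str
    destination_port: int
    protocol: int
    facility: int
    severity: int


PRI_RE = re.compile(r"^<(\d{1,3})>")
# The IOS firewall mnemonic, e.g. %FW-6-DROP_PKT; %IOSXE-6-PLATFORM earlier in the line is skipped.
FW_MNEMONIC = re.compile(r"%(FW-\d-[A-Z_]+):")
DROP_RE = re.compile(
    r"Dropping (?P<proto>\w+) pkt from \S+ (?P<sip>[\d.]+):(?P<sport>\d+) => "
    r"(?P<dip>[\d.]+):(?P<dport>\d+)"
)
SESS_RE = re.compile(
    r"Start (?P<proto>\w+) session: initiator \((?P<sip>[\d.]+):(?P<sport>\d+)\) -- "
    r"responder \((?P<dip>[\d.]+):(?P<dport>\d+)\)"
)


def normalize(raw: str) -> str:
    """Remove CR/LF characters that a copy-paste may have inserted into a single-line event."""
    return raw.replace("\r", "").replace("\n", "")


def parse_ios_fw_event(raw: str) -> Optional[IosFwEvent]:
    """Extract the highlighted QRadar fields from a Cisco IOS firewall syslog line, or None."""
    msg = normalize(raw)
    pri_match = PRI_RE.match(msg)
    if not pri_match:
        return None
    pri = int(pri_match.group(1))
    facility, severity = divmod(pri, 8)  # <190> -> facility 23 (local7), severity 6 (info)

    mnemonic = FW_MNEMONIC.search(msg)
    if not mnemonic:
        return None
    body = msg[mnemonic.end():]
    fields = DROP_RE.search(body) or SESS_RE.search(body)
    if not fields:
        return None
    protocol = IP_PROTO.get(fields.group("proto").lower())
    if protocol is None:
        return None
    return IosFwEvent(
        event_id="%" + mnemonic.group(1),
        event_category="IOS",
        source_ip=fields.group("sip"),
        source_port=int(fields.group("sport")),
        destination_ip=fields.group("dip"),
        destination_port=int(fields.group("dport")),
        protocol=protocol,
        facility=facility,
        severity=severity,
    )


if __name__ == "__main__":
    for sample in (SAMPLE_DROP, SAMPLE_SESS):
        print(parse_ios_fw_event(sample))
```

Running the block prints one IosFwEvent per sample; comparing the printed fields with Table 1 and Table 2 is the same check that the QRadar Log Activity tab provides once the integration is live, and a message whose firewall mnemonic or address pattern is not recognised returns None rather than a partially filled record.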