Citrix NetScaler sample event message
Use this sample event message to verify a successful integration with IBM QRadar.
Important: Due to formatting issues, paste the message format into a text editor and
then remove any carriage return or line feed characters.
Citrix NetScaler sample message when you use the Syslog protocol
The following sample event message shows a successful SSL handshake.
Tip: Citrix NetScaler does not send events with RFC3164 or RFC5424 headers, so the log
source cannot be discovered from a hostname or IP address in the header. Instead, log sources are
automatically discovered by using the event's packet IP as the log source identifier. To use the
value in the header instead of the value in the packet IP, use the Syslog Redirect protocol. For more
information, see QRadar: Syslog Redirect Protocol FAQ
(https://www.ibm.com/support/pages/qradar-syslog-redirect-protocol-faq).
```
<135> 12/04/2017:17:21:00 GMT citrix.netscaler.test 0-PPE-1 : SSLLOG SSL_HANDSHAKE_SUCCESS 5743593 0 : SPCBId 87630 - ClientIP 172.25.184.157 - ClientPort 19849 - VserverServiceIP 10.254.14.94 - VserverServicePort 443 - ClientVersion TLSv1.2 - CipherSuite "RC4-MD5 TLSv1.2 Non-Export 128-bit" - Session Reuse
```
| QRadar field name | Highlighted values in the event payload |
|---|---|
| Event ID | SSL_HANDSHAKE_SUCCESS |
| Source IP | 172.25.184.157 |
| Source Port | 19849 |
| Destination IP | 10.254.14.94 |
| Destination Port | 443 |
| Device Time | 12/04/2017:17:21:00 GMT |
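To check the mapping above outside QRadar, for example before forwarding test traffic, the following added example (not IBM's DSM or Citrix code) parses the sample event and returns the fields from the table. The function name `parse_netscaler` is hypothetical, and the message layout in the regular expressions is an assumption inferred from this one sample.

```python
import ipaddress
import re

# Sample event from this page, joined onto one line.
SAMPLE = (
    '<135> 12/04/2017:17:21:00 GMT citrix.netscaler.test 0-PPE-1 : '
    'SSLLOG SSL_HANDSHAKE_SUCCESS 5743593 0 : SPCBId 87630 - '
    'ClientIP 172.25.184.157 - ClientPort 19849 - '
    'VserverServiceIP 10.254.14.94 - VserverServicePort 443 - '
    'ClientVersion TLSv1.2 - '
    'CipherSuite "RC4-MD5 TLSv1.2 Non-Export 128-bit" - Session Reuse'
)

# Layout inferred from the sample only: <PRI>, device time, host, packet
# engine, feature, event ID, two counters, then " - "-separated pairs.
HEADER = re.compile(
    r'^<(?P<pri>\d{1,3})>\s*(?P<time>\S+ \S+) (?P<host>\S+) \S+ : '
    r'(?P<feature>\S+) (?P<event_id>\S+) \d+ \d+ : (?P<body>.*)$'
)
PAIR = re.compile(r'(\w+) ("[^"]*"|\S+)(?: - |$)')

def parse_netscaler(raw):
    """Return the fields from the mapping table, or None if the layout differs."""
    line = raw.replace('\r', '').replace('\n', '')  # undo wrapping, per the note
    m = HEADER.match(line)
    if m is None:
        return None  # e.g. an RFC3164-style header, which NetScaler does not send
    kv = {k: v.strip('"') for k, v in PAIR.findall(m['body'])}
    try:
        return {
            'Event ID': m['event_id'],
            'Source IP': str(ipaddress.ip_address(kv['ClientIP'])),
            'Source Port': int(kv['ClientPort']),
            'Destination IP': str(ipaddress.ip_address(kv['VserverServiceIP'])),
            'Destination Port': int(kv['VserverServicePort']),
            'Device Time': m['time'],
            # Value carried in the message itself; automatic discovery
            # uses the packet IP instead (see the Tip above).
            'Header host': m['host'],
            'CipherSuite': kv.get('CipherSuite'),
        }
    except (KeyError, ValueError):
        return None  # missing key or malformed address/port

if __name__ == '__main__':
    for name, value in parse_netscaler(SAMPLE).items():
        print(f'{name}: {value}')
```

A `None` result for an event that was copied from this page usually means a stray space was removed along with the line breaks.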