IBM® Red Hat® OpenShift® sample event messages

Use these sample event messages to verify a successful integration with IBM QRadar.

Important: Due to formatting issues, paste the sample message into a text editor and then remove any carriage return or line feed characters before you use it.

IBM Red Hat OpenShift sample message when you use the Syslog protocol

Sample 1: The following sample event message shows an audit-type event received from the cluster.

<15>1 2023-02-06T09:52:42.243795+00:00 ibm.redhatopenshift.test myapp myproc mymsg - {"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"45459782-7777-4444-9e49-ccdc07a66cbd","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/kube-node-lease","verb":"get","user":{"username":"testuser","uid":"420c62cd2bbbb-4444-92f0-f52bfd543e98","groups":["system:masters"]},"sourceIPs":["::1"],"userAgent":"kube-apiserver/v1.23.5+8471591 (linux/amd64) kubernetes/3c28e7a","objectRef":{"resource":"namespaces","namespace":"kube-node-lease","name":"kube-node-lease","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":200},"requestReceivedTimestamp":"2023-02-06T07:00:02.814290Z","stageTimestamp":"2023-02-06T07:00:02.{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":""},"@timestamp":"2023-02-06T07:00:02.814290Z","k8s_audit_level":"Metadata","message":null,"hostname":{"collector":{"ipaddr4":"10.22.40.128","inputname":"fluent-plugin-systemd","name":"fluentd","received_at":"2023-02-06T07:00:02.838164+00:00","version":"1.14.6 1.6.0"}},"openshift":{"labels":{"syslog":"qradartcp"}},"viaq_msg_id":"YYYYYY111111aaaaaa","log_type":"audit"}
Table 1. Highlighted fields in the IBM Red Hat OpenShift event
QRadar field name    Highlighted payload field name
Event ID             get
Event Category       namespaces
Source IP            sourceIPs
Username             username
Device Time          stageTimestamp

Sample 2: The following sample event message shows an infrastructure-type event received from the cluster.

<15>1 2023-02-15T17:07:09.514393+00:00 ibm.redhatopenshift.test myapp myproc mymsg - {"_SOURCE_MONOTONIC_TIMESTAMP":"2311043623145","systemd":{"t":{"BOOT_ID":"444444aaaaaa","MACHINE_ID":"333333aaaaaa","TRANSPORT":"kernel"},"u":{"SYSLOG_FACILITY":"0","SYSLOG_IDENTIFIER":"kernel"}},"level":"info","message":"device veth5db1717a entered promiscuous mode","hostname":"test.host.com","pipeline_metadata":{"collector":{"ipaddr4":"10.22.44.158","inputname":"fluent-plugin-systemd","name":"fluentd","received_at":"2023-02-15T15:36:25.306285+00:00","version":"1.14.6 1.6.0"}},"openshift":{"labels":{"syslog":"qradartcp"}},"@timestamp":"2023-02-15T15:36:25.212659+00:00","viaq_msg_id":"YYYYYY111111aaaaaa","log_type":"infrastructure"}
Table 2. Highlighted fields in the IBM Red Hat OpenShift event
QRadar field name    Highlighted payload field name
Event ID             infrastructure + info
Event Category       The Event Category value is always IBMRedHatOpenShift in QRadar.
Source IP            ipaddr4
Device Time          @timestamp
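As an added example (not part of the IBM documentation or the QRadar DSM code), the following Python strips the CR/LF characters the Important note refers to, separates the RFC 5424 syslog header from the JSON body, and applies the field mappings from Tables 1 and 2 to the two message formats shown in Samples 1 and 2. The two messages it parses are constructed, shortened versions of the samples, and the function names are assumptions.

```python
import json
import re

# RFC 5424 framing seen in both samples: <PRI>VERSION TIMESTAMP HOST APP PROCID MSGID SD, then the JSON body.
SYSLOG_HEADER = re.compile(
    r"^<\d+>\d+ (?P<ts>\S+) (?P<host>\S+) \S+ \S+ \S+ (?:-|\[.*?\]) (?P<body>\{.*\})$"
)

def normalize(raw: str) -> str:
    """Remove carriage-return and line-feed characters, as the Important note requires."""
    return raw.replace("\r", "").replace("\n", "")

def map_fields(raw: str) -> dict:
    """Map one OpenShift syslog event onto the QRadar fields listed in Tables 1 and 2."""
    m = SYSLOG_HEADER.match(normalize(raw))
    if not m:
        raise ValueError("not an RFC 5424 message carrying a JSON body")
    ev = json.loads(m.group("body"))
    if ev.get("log_type") == "audit":  # Table 1: Kubernetes API server audit event
        return {
            "event_id": ev["verb"],
            "event_category": ev["objectRef"]["resource"],
            "source_ip": ev["sourceIPs"][0],
            "username": ev["user"]["username"],
            "device_time": ev["stageTimestamp"],
        }
    # Table 2: infrastructure (journald) event; the DSM assigns a fixed category
    return {
        "event_id": f'{ev["log_type"]} + {ev["level"]}',
        "event_category": "IBMRedHatOpenShift",
        "source_ip": ev["pipeline_metadata"]["collector"]["ipaddr4"],
        "username": None,
        "device_time": ev["@timestamp"],
    }

# Constructed, shortened messages modelled on Samples 1 and 2 (the CRLF on the first stands in for the line breaks to strip).
AUDIT_MSG = (
    '<15>1 2023-02-06T09:52:42.243795+00:00 ibm.redhatopenshift.test myapp myproc mymsg - '
    '{"kind":"Event","verb":"get","user":{"username":"testuser","groups":["system:masters"]},'
    '"sourceIPs":["::1"],"objectRef":{"resource":"namespaces","name":"kube-node-lease"},'
    '"stageTimestamp":"2023-02-06T07:00:02.814290Z","log_type":"audit"}\r\n'
)
INFRA_MSG = (
    '<15>1 2023-02-15T17:07:09.514393+00:00 ibm.redhatopenshift.test myapp myproc mymsg - '
    '{"level":"info","message":"device veth5db1717a entered promiscuous mode",'
    '"pipeline_metadata":{"collector":{"ipaddr4":"10.22.44.158","name":"fluentd"}},'
    '"@timestamp":"2023-02-15T15:36:25.212659+00:00","log_type":"infrastructure"}'
)
```

Comparing the dictionary returned for each message with the values QRadar shows in the Log Activity tab is a quick way to confirm the DSM parsed the same fields.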