IBM® Red Hat® OpenShift® sample event messages
Use these sample event messages to verify a successful integration with IBM QRadar.
Important: Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.
IBM Red Hat OpenShift sample message when you use the Syslog protocol
Sample 1: The following sample event message shows that audit type events are received from the cluster.
<15>1 2023-02-06T09:52:42.243795+00:00 ibm.redhatopenshift.test myapp myproc mymsg - {"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"45459782-7777-4444-9e49-ccdc07a66cbd","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/kube-node-lease","verb":"get","user":{"username":"testuser","uid":"420c62cd2-bbbb-4444-92f0-f52bfd543e98","groups":["system:masters"]},"sourceIPs":["::1"],"userAgent":"kube-apiserver/v1.23.5+8471591 (linux/amd64) kubernetes/3c28e7a","objectRef":{"resource":"namespaces","namespace":"kube-node-lease","name":"kube-node-lease","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":200},"requestReceivedTimestamp":"2023-02-06T07:00:02.814290Z","stageTimestamp":"2023-02-06T07:00:02.{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":""},"@timestamp":"2023-02-06T07:00:02.814290Z","k8s_audit_level":"Metadata","message":null,"hostname":{"collector":{"ipaddr4":"10.22.40.128","inputname":"fluent-plugin-systemd","name":"fluentd","received_at":"2023-02-06T07:00:02.838164+00:00","version":"1.14.6 1.6.0"}},"openshift":{"labels":{"syslog":"qradartcp"}},"viaq_msg_id":"YYYYYY111111aaaaaa","log_type":"audit"}
| QRadar field name | Highlighted payload field name |
|---|---|
| Event ID | get |
| Event Category | namespaces |
| Source IP | sourceIPs |
| Username | username |
| Device Time | stageTimestamp |
Sample 2: The following sample event message shows that infrastructure event types are received from the cluster.
<15>1 2023-02-15T17:07:09.514393+00:00 ibm.redhatopenshift.test myapp myproc mymsg - {"_SOURCE_MONOTONIC_TIMESTAMP":"2311043623145","systemd":{"t":{"BOOT_ID":"444444aaaaaa","MACHINE_ID":"333333aaaaaa","TRANSPORT":"kernel"},"u":{"SYSLOG_FACILITY":"0","SYSLOG_IDENTIFIER":"kernel"}},"level":"info","message":"device veth5db1717a entered promiscuous mode","hostname":"test.host.com","pipeline_metadata":{"collector":{"ipaddr4":"10.22.44.158","inputname":"fluent-plugin-systemd","name":"fluentd","received_at":"2023-02-15T15:36:25.306285+00:00","version":"1.14.6 1.6.0"}},"openshift":{"labels":{"syslog":"qradartcp"}},"@timestamp":"2023-02-15T15:36:25.212659+00:00","viaq_msg_id":"YYYYYY111111aaaaaa","log_type":"infrastructure"}
| QRadar field name | Highlighted payload field name |
|---|---|
| Event ID | infrastructure + info |
| Event Category | The Event Category value is always IBMRedHatOpenShift in QRadar. |
| Source IP | ipaddr4 |
| Device Time | @timestamp |
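To check what each sample should normalize to before the log source is wired into QRadar, here is an added Python script (not IBM's code and not part of the DSM) that strips the RFC 5424 header, decodes the JSON body and applies the field mappings from the two tables above, selected by the log_type field. The two lines it parses are constructed, shortened copies of the samples with valid JSON; the nested keys it reads are exactly those shown in the samples.

```python
import json
import re

# RFC 5424 header as the samples use it (PRI, version 1, timestamp, host, app,
# procid, msgid, "-" for no structured data), followed by the JSON object as MSG.
SYSLOG_RE = re.compile(r"^<\d+>1 \S+ (?P<host>\S+) \S+ \S+ \S+ - (?P<json>\{.*\})$")

# Constructed, shortened copies of the two samples above (valid JSON, same layout).
AUDIT_LINE = (
    "<15>1 2023-02-06T09:52:42.243795+00:00 ibm.redhatopenshift.test myapp myproc mymsg - "
    '{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","verb":"get",'
    '"user":{"username":"testuser","groups":["system:masters"]},"sourceIPs":["::1"],'
    '"objectRef":{"resource":"namespaces","namespace":"kube-node-lease"},'
    '"stageTimestamp":"2023-02-06T07:00:02.838164Z","log_type":"audit"}'
)
INFRA_LINE = (
    "<15>1 2023-02-15T17:07:09.514393+00:00 ibm.redhatopenshift.test myapp myproc mymsg - "
    '{"level":"info","message":"device veth5db1717a entered promiscuous mode",'
    '"pipeline_metadata":{"collector":{"ipaddr4":"10.22.44.158"}},'
    '"@timestamp":"2023-02-15T15:36:25.212659+00:00","log_type":"infrastructure"}'
)

def parse_openshift_syslog(line: str) -> dict:
    """Strip the syslog header and decode the JSON body; reject anything else."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        raise ValueError("not an RFC 5424 line carrying a JSON object")
    return json.loads(m.group("json"))

def map_to_qradar(payload: dict) -> dict:
    """Apply the mapping from the tables above, chosen by the log_type field."""
    log_type = payload.get("log_type")
    if log_type == "audit":
        return {
            "Event ID": payload["verb"],
            "Event Category": payload["objectRef"]["resource"],
            "Source IP": payload["sourceIPs"][0],  # sourceIPs is a list; take the first
            "Username": payload["user"]["username"],
            "Device Time": payload["stageTimestamp"],
        }
    if log_type == "infrastructure":
        return {
            # The page gives Event ID as "infrastructure + info"; the join format is
            # not stated, so both parts are kept as a tuple.
            "Event ID": (log_type, payload["level"]),
            "Event Category": "IBMRedHatOpenShift",  # fixed value per the page
            "Source IP": payload["pipeline_metadata"]["collector"]["ipaddr4"],
            "Device Time": payload["@timestamp"],
        }
    raise ValueError(f"unsupported log_type: {log_type!r}")
```

Run it against a line captured from your own collector to confirm that every key the mapping reads is present before troubleshooting on the QRadar side.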