osquery sample event message

Use this sample event message as a way of verifying a successful integration with QRadar.

The following table provides a sample event message when using the TCP multiline syslog protocol for the osquery DSM:
Table 1. osquery sample message supported by the osquery DSM

Event name: User Added
Low-level category: User Account Added
Sample log message:
<158>Sep 23 08:48:48 osquery.test osqueryd[16768]: {"name":"pack_qradar_users","hostIdentifier":"osquery.test.localdomain","calendarTime":"Mon Sep 23 12:48:48 2019 UTC","unixTime":1569242928,"epoch":0,"counter":21041,"decorations":{"host_uuid":"dd4b2142-1fa2-e1cd-c755-6bfb3cc33b55","last_logged_in_user":"root","username":"root"},"columns":{"Unique_ID":"1030-","description":"","directory":"/home/username6001","gid":"1030","gid_signed":"1030","query_name":"users","shell":"/bin/bash","uid":"1030","uid_signed":"1030","username":"username6001","uuid":""},"action":"added"}
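When you verify the integration, it helps to confirm that the line arriving at QRadar has the shape in the table: an RFC 3164 syslog header (PRI, timestamp, host, osqueryd[pid]) followed by one JSON object. The Python script below is an added example, not code from IBM or the osquery project. It parses the sample line, decodes the PRI (158 is facility 19 local3, severity 6 informational), checks that calendarTime and unixTime name the same instant, and maps the event to the event name and low-level category from Table 1. The mapping rule (query_name "users" with action "added") is this example's reading of the table, not a description of QRadar's parser; the sample line is a constructed copy of the one above. One caveat the sample makes visible: the syslog header timestamp (08:48:48) carries no zone and is the sender's local clock, while calendarTime (12:48:48 UTC) and unixTime are UTC, so any time-based check should use unixTime rather than the header.

```python
"""Parse and sanity-check an osquery event line as delivered over syslog."""
import json
import re
from datetime import datetime, timezone

# Constructed copy of the sample line from Table 1 (not captured from a live host).
SAMPLE_EVENT = (
    '<158>Sep 23 08:48:48 osquery.test osqueryd[16768]: '
    '{"name":"pack_qradar_users","hostIdentifier":"osquery.test.localdomain",'
    '"calendarTime":"Mon Sep 23 12:48:48 2019 UTC","unixTime":1569242928,'
    '"epoch":0,"counter":21041,'
    '"decorations":{"host_uuid":"dd4b2142-1fa2-e1cd-c755-6bfb3cc33b55",'
    '"last_logged_in_user":"root","username":"root"},'
    '"columns":{"Unique_ID":"1030-","description":"","directory":"/home/username6001",'
    '"gid":"1030","gid_signed":"1030","query_name":"users","shell":"/bin/bash",'
    '"uid":"1030","uid_signed":"1030","username":"username6001","uuid":""},'
    '"action":"added"}'
)

# RFC 3164 style header: <PRI>Mmm dd hh:mm:ss host app[pid]: body
HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>'
    r'(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) '
    r'(?P<host>\S+) (?P<app>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?: '
    r'(?P<body>\{.*\})$'
)

# Keys every osquery differential result line carries (assumed minimum set).
REQUIRED_KEYS = ("name", "hostIdentifier", "calendarTime", "unixTime", "columns", "action")


def parse_event(line):
    """Split the syslog header from the JSON body and decode both."""
    m = HEADER_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("line does not look like an osqueryd syslog event")
    pri = int(m.group("pri"))
    return {
        "facility": pri // 8,          # 158 -> 19 (local3)
        "severity": pri % 8,           # 158 -> 6 (informational)
        "syslog_time": m.group("ts"),  # sender's local clock, no zone
        "host": m.group("host"),
        "app": m.group("app"),
        "pid": int(m.group("pid")) if m.group("pid") else None,
        "event": json.loads(m.group("body")),
    }


def calendar_time_matches_unix_time(event):
    """calendarTime is UTC; unixTime must be the same instant."""
    cal = datetime.strptime(event["calendarTime"], "%a %b %d %H:%M:%S %Y UTC")
    return int(cal.replace(tzinfo=timezone.utc).timestamp()) == event["unixTime"]


def classify(event):
    """Map to the event name / low-level category from Table 1.

    Only the 'users' query with action 'added' is documented on this page;
    the query_name/action rule is this example's assumption, not QRadar's.
    """
    if event.get("action") == "added" and event.get("columns", {}).get("query_name") == "users":
        return ("User Added", "User Account Added")
    return None


def verify_line(line):
    """Return a list of problems; an empty list means the line is well-formed."""
    try:
        parsed = parse_event(line)
    except ValueError as exc:
        return [str(exc)]
    ev = parsed["event"]
    problems = [f"missing key {k}" for k in REQUIRED_KEYS if k not in ev]
    if not problems and not calendar_time_matches_unix_time(ev):
        problems.append("calendarTime and unixTime disagree")
    if parsed["app"] != "osqueryd":
        problems.append(f"unexpected app name {parsed['app']}")
    if classify(ev) is None:
        problems.append("no event-name mapping for this query/action")
    return problems


if __name__ == "__main__":
    print(verify_line(SAMPLE_EVENT))
    print(classify(parse_event(SAMPLE_EVENT)["event"]))
```

Run it against lines captured with tcpdump or from the QRadar log source payload view; a non-empty problem list points at the field a DSM mapping would trip over.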