HPE Tandem sample event message
Use this sample event message to verify a successful integration with IBM QRadar.
Important: Due to formatting issues, paste the message format into a text editor and
then remove any carriage return or line feed characters.
HPE Tandem sample message when you use the Syslog protocol
The following sample event message shows that permission to attempt the requested operation is denied.
HPTandemHostname=172.16.90.30 auditFileName=/store/tmp/AAAAAAAA.log recordType=ZSFG_VAL_AUD_REC_PRIMARY recordLength=436 auditNumber.auditNumber=BBBBBBBBBBBBBBBBBBBB timeReported=18 Sep 2012 22:32:28 timeReceived=18 Sep 2012 22:32:28 veracity=ZSFG_VAL_VER_TR groupCount=0 operation=ZSFG_VAL_OPER_UPDATE outcome=ZSFG_VAL_OUTCOME_DENIED masterAuditNumber.auditNumber=BBBBBBBBBBBBBBBBBBBB subject.subjectType=151 subject.subjectUserNumber.userNumberGroup=255 subject.subjectUserNumber.userNumberMember=1 subject.subjectUsername=USERNAME subject.creatorUserNumber.userNumberGroup=255 subject.creatorUserNumber.userNumberMember=1 subject.subjectCreatorName=SUPER.SUPERUSER subject.subjectSystemNumber=1 subject.subjectSystemName=\TEST subject.subjectAuthLocNumber=1 subject.subjectAuthLocName=\TEST subject.subjectProcessName=\TEST.4,578 subject.subjectSsid.ssidOwner= subject.subjectSsid.ssidNumber=8224 subject.subjectSsid.ssidVersion=8224 subject.subjectTerminalName=\TEST.$CCCCCC#DDDDDDD auditCreator.subjectType=151 auditCreator.subjectUserNumber.userNumberGroup=255 auditCreator.subjectUserNumber.userNumberMember=255 auditCreator.subjectUsername=SUPER.SUPER auditCreator.creatorUserNumber.userNumberGroup=255 auditCreator.creatorUserNumber.userNumberMember=255 auditCreator.subjectCreatorName=SUPER.SUPER auditCreator.subjectSystemNumber=1 auditCreator.subjectSystemName=\TEST auditCreator.subjectAuthLocNumber=1 auditCreator.subjectAuthLocName=\TEST auditCreator.subjectProcessName=\TEST.$EEEE ,4,309 auditCreator.subjectSsid.ssidOwner=FFFFFF auditCreator.subjectSsid.ssidNumber=94 auditCreator.subjectSsid.ssidVersion=18182 auditCreator.subjectTerminalName=$ZHOME objectType.objectType=200 objectType.ownerIsRemote=701 objectType.ownerUserNumber.userNumberGroup=111 objectType.ownerUserNumber.userNumberMember=1 objectType.ownerUserName=GGG.HHHHHHH objectType.objectName.type=200 objectType.objectName.objectName=$DATA.FTP.GETAPF3
| QRadar field name | Highlighted values in the event payload |
|---|---|
| Event ID | ZSFG_VAL_OPER_UPDATE |
| Event Category | ZSFG_VAL_OUTCOME_DENIED |
| Username | USERNAME |
| Log Source Time | 18 Sep 2012 22:32:28 |
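
To check the mapping before sending a test event, the following added example (not IBM or HPE code) parses the key=value layout of the sample, including values that contain spaces or are empty, and returns the four mapped fields. The function names, the shortened payload, and the choice of `timeReported` as the source of Log Source Time are assumptions made for this example.

```python
import re
from datetime import datetime

# Constructed, shortened payload in the same key=value layout as the sample
# event above; the CR/LF inside the outcome value imitates a wrapped paste.
SAMPLE = (
    "HPTandemHostname=172.16.90.30 recordType=ZSFG_VAL_AUD_REC_PRIMARY "
    "timeReported=18 Sep 2012 22:32:28 timeReceived=18 Sep 2012 22:32:28 "
    "operation=ZSFG_VAL_OPER_UPDATE outcome=ZSFG_VAL_OUTCOME_\r\nDENIED "
    "subject.subjectUsername=USERNAME subject.subjectSsid.ssidOwner= "
    "subject.subjectSsid.ssidNumber=8224 "
    "auditCreator.subjectProcessName=\\TEST.$EEEE ,4,309 "
    "auditCreator.subjectTerminalName=$ZHOME\r\n"
)

# Dotted key such as subject.subjectUserNumber.userNumberGroup
KEY = r"[A-Za-z][A-Za-z0-9]*(?:\.[A-Za-z][A-Za-z0-9]*)*"
# A value runs until the next " key=" or the end of the message, so it may
# contain spaces (timestamps, process names) or be empty (ssidOwner=).
PAIR = re.compile(rf"(?:^|(?<=\s))({KEY})=(.*?)(?=\s+{KEY}=|$)")

# QRadar field -> payload key. The first three follow from the table values;
# timeReported for Log Source Time is an assumption (timeReceived holds the
# same value in the sample).
FIELD_MAP = {
    "Event ID": "operation",
    "Event Category": "outcome",
    "Username": "subject.subjectUsername",
    "Log Source Time": "timeReported",
}

def parse_event(payload):
    """Strip CR/LF as the page instructs, then split into key/value pairs."""
    flat = re.sub(r"[\r\n]", "", payload).strip()
    return {m.group(1): m.group(2) for m in PAIR.finditer(flat)}

def qradar_fields(payload):
    """Return the values QRadar should show for the mapped fields."""
    event = parse_event(payload)
    out = {name: event[key] for name, key in FIELD_MAP.items()}
    # Fail loudly if the timestamp is not in the layout the sample uses.
    datetime.strptime(out["Log Source Time"], "%d %b %Y %H:%M:%S")
    return out

if __name__ == "__main__":
    for name, value in qradar_fields(SAMPLE).items():
        print(f"{name}: {value}")
```

A value that itself contains text of the form ` word=` cannot be told apart from a new key in this layout, so the parser would split it.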