HPE Tandem sample event message

Use this sample event message to verify a successful integration with IBM QRadar.

Important: Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.

HPE Tandem sample message when you use the Syslog protocol

The following sample event message shows that permission to attempt the requested operation is denied.

HPTandemHostname=172.16.90.30	auditFileName=/store/tmp/AAAAAAAA.log	recordType=ZSFG_VAL_AUD_REC_PRIMARY	recordLength=436	auditNumber.auditNumber=BBBBBBBBBBBBBBBBBBBB	timeReported=18 Sep 2012 22:32:28	timeReceived=18 Sep 2012 22:32:28	veracity=ZSFG_VAL_VER_TR	groupCount=0	operation=ZSFG_VAL_OPER_UPDATE	outcome=ZSFG_VAL_OUTCOME_DENIED	masterAuditNumber.auditNumber=BBBBBBBBBBBBBBBBBBBB	subject.subjectType=151	subject.subjectUserNumber.userNumberGroup=255	subject.subjectUserNumber.userNumberMember=1	subject.subjectUsername=USERNAME	subject.creatorUserNumber.userNumberGroup=255	subject.creatorUserNumber.userNumberMember=1	subject.subjectCreatorName=SUPER.SUPERUSER	subject.subjectSystemNumber=1	subject.subjectSystemName=\TEST	subject.subjectAuthLocNumber=1	subject.subjectAuthLocName=\TEST	subject.subjectProcessName=\TEST.4,578	subject.subjectSsid.ssidOwner=	subject.subjectSsid.ssidNumber=8224	subject.subjectSsid.ssidVersion=8224	subject.subjectTerminalName=\TEST.$CCCCCC#DDDDDDD	auditCreator.subjectType=151	auditCreator.subjectUserNumber.userNumberGroup=255	auditCreator.subjectUserNumber.userNumberMember=255	auditCreator.subjectUsername=SUPER.SUPER	auditCreator.creatorUserNumber.userNumberGroup=255	auditCreator.creatorUserNumber.userNumberMember=255	auditCreator.subjectCreatorName=SUPER.SUPER	auditCreator.subjectSystemNumber=1	auditCreator.subjectSystemName=\TEST	auditCreator.subjectAuthLocNumber=1	auditCreator.subjectAuthLocName=\TEST	auditCreator.subjectProcessName=\TEST.$EEEE  ,4,309	auditCreator.subjectSsid.ssidOwner=FFFFFF	auditCreator.subjectSsid.ssidNumber=94	auditCreator.subjectSsid.ssidVersion=18182	auditCreator.subjectTerminalName=$ZHOME	objectType.objectType=200	objectType.ownerIsRemote=701	objectType.ownerUserNumber.userNumberGroup=111	objectType.ownerUserNumber.userNumberMember=1	objectType.ownerUserName=GGG.HHHHHHH	objectType.objectName.type=200	objectType.objectName.objectName=$DATA.FTP.GETAPF3
Table 1. Highlighted values in the HPE Tandem sample event

QRadar field name    Highlighted values in the event payload
Event ID             ZSFG_VAL_OPER_UPDATE
Event Category       ZSFG_VAL_OUTCOME_DENIED
Username             USERNAME
Log Source Time      18 Sep 2012 22:32:28
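The following parser is an added example, not part of the IBM documentation or the QRadar DSM itself. It reads a payload in the tab-separated key=value format shown above, strips the stray carriage return and line feed characters that the Important note warns about, and pulls out the four Table 1 values by QRadar field name. The shortened sample event is constructed for the example; the function names are assumptions.

```python
from datetime import datetime

# Constructed sample in the page's format (tab-separated key=value pairs),
# deliberately containing a CR/LF pair of the kind a copy-paste introduces.
SAMPLE_EVENT = (
    "HPTandemHostname=172.16.90.30\tauditFileName=/store/tmp/AAAAAAAA.log\t"
    "timeReported=18 Sep 2012 22:32:28\toperation=ZSFG_VAL_OPER_UPDATE\t\r\n"
    "outcome=ZSFG_VAL_OUTCOME_DENIED\tsubject.subjectUsername=USERNAME\t"
    "subject.subjectSsid.ssidOwner=\t"
    "auditCreator.subjectProcessName=\\TEST.$EEEE  ,4,309\t"
    "objectType.objectName.objectName=$DATA.FTP.GETAPF3"
)

# Payload key -> QRadar field name, as highlighted in Table 1.
QRADAR_FIELDS = {
    "operation": "Event ID",
    "outcome": "Event Category",
    "subject.subjectUsername": "Username",
    "timeReported": "Log Source Time",
}

def parse_tandem_event(raw):
    """Split a Tandem audit payload into a dict of key -> value.
    CR/LF characters are removed first, then fields are split on tabs.
    A value may be empty or contain spaces and commas, so each token is
    split on its first '=' only."""
    cleaned = raw.replace("\r", "").replace("\n", "")
    fields = {}
    for token in cleaned.split("\t"):
        if "=" not in token:
            continue  # not a key=value pair, ignore it
        key, _, value = token.partition("=")
        fields[key] = value
    return fields

def map_to_qradar(fields):
    """Return the Table 1 values keyed by QRadar field name, with the
    log source time parsed into a datetime. Missing keys map to None."""
    mapped = {name: fields.get(key) for key, name in QRADAR_FIELDS.items()}
    if mapped["Log Source Time"]:
        mapped["Log Source Time"] = datetime.strptime(
            mapped["Log Source Time"], "%d %b %Y %H:%M:%S")
    return mapped

def is_denied(fields):
    """True when the outcome field records a denied operation."""
    return fields.get("outcome") == "ZSFG_VAL_OUTCOME_DENIED"
```

Running map_to_qradar(parse_tandem_event(SAMPLE_EVENT)) yields the same four values that Table 1 lists for the full sample event.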