IBM zOS sample event message
Use this sample event message to verify a successful integration with IBM® QRadar®.
Important: Due to formatting issues, paste the message format into a text editor and
then remove any carriage return or line feed characters.
IBM zOS sample message when you use the Syslog protocol
The following sample event message shows event summary information.
LEEF:1.0|IBM|z/OS|2.4|119-12|devTimeFormat=yyyy-MM-dd'T'HH:mm:ss.SSSZ devTime=2020-05-17T8:31:30.100+0200 usrName=User01 name=SYSTEM jobname=User01 src=172.16.0.1 srcPort=1000 dst=172.16.0.2 dstPort=3000 srcBytes=0 dstBytes=0 srcPackets=0 dstPackets=0 FIPSlvl=Off FIPS140=No IPproto=TCP jobid=JOB01023 sysname=SYSTEM sysplex=PLEX1 stack=TCPIP tlsalg=AES tlschn=CBC tlskeylen=128 tlsCCertSig=RSA-SHA1 tlsKexAlg=DHE-RSA tlsMsgAuth=HMAC-SHA1 tlsNegCipher=00AB tlsProtVer=TLSv1.1 tlsSCertSig=RSA-SHA1 connsBeg=1 connsEnd=3 partialBeg=1 partialEnd=2 shortBeg=2 shortEnd=1 activeBeg=1 activeEnd=1 saConnId=000004Q2 dn=TLS_server_subject:'CN=COM1,OU=ORG1,O=IBM,C=US' TLS_server_issuer:'CN=COM2,OU=ORG1,O=IBM,C=US' TLS_client_subject:'CN=COM1,OU=ORG1,O=IBM,C=US' TLS_client_issuer:'CN=COM2,OU=ORG1,O=IBM,C=US' action=INIT sum=Connection initiation TLSv1.1 AES-CBC-128 server RSA-1024 client RSA-1024 local port 3000 CN=COM1,OU=ORG1,O=IBM,C=US
QRadar field name | Highlighted values in the event payload |
---|---|
Event Category | z/OS |
Event ID | 119-12 |
Event Summary (custom) | Connection initiation TLSv1.1 AES-CBC-128 server RSA-1024 client RSA-1024 local port 3000 CN=COM1,OU=ORG1,O=IBM,C=US |
Source IP | 172.16.0.1 |
Source Port | 1000 |
Destination IP | 172.16.0.2 |
Destination Port | 3000 |
Username | User01 |
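
To check the field mapping above outside QRadar, the following added example (not IBM's or QRadar's own code) parses a LEEF 1.0 event and returns the values the table highlights. It assumes attributes are tab-separated as LEEF 1.0 defines, and falls back to a heuristic for copies where the tabs appear as spaces, as on this page. The names `parse_leef`, `qradar_fields`, `TABLE` and `FREE_TEXT`, and the choice to treat `sum` as running to the end of the line, are assumptions made for this example.

```python
import re

# Constructed excerpt of the page's sample (fewer attributes, same values).
SAMPLE = (
    "LEEF:1.0|IBM|z/OS|2.4|119-12|devTime=2020-05-17T8:31:30.100+0200 "
    "usrName=User01 src=172.16.0.1 srcPort=1000 dst=172.16.0.2 dstPort=3000 "
    "dn=TLS_server_subject:'CN=COM1,OU=ORG1,O=IBM,C=US' "
    "TLS_server_issuer:'CN=COM2,OU=ORG1,O=IBM,C=US' action=INIT "
    "sum=Connection initiation TLSv1.1 AES-CBC-128 server RSA-1024 "
    "client RSA-1024 local port 3000 CN=COM1,OU=ORG1,O=IBM,C=US"
)
KEY = re.compile(r"(?:^|\s)([A-Za-z][A-Za-z0-9]*)=")
FREE_TEXT = {"sum"}  # assumption: free-text attribute that runs to end of line

def parse_leef(raw):
    """Return (header, attributes) for one LEEF 1.0 event."""
    line = raw.replace("\r", "").replace("\n", "").strip()
    parts = line.split("|", 5)
    if len(parts) != 6 or parts[0] != "LEEF:1.0":
        raise ValueError("not a LEEF 1.0 event")
    header = dict(zip(("leef", "vendor", "product", "version", "event_id"), parts))
    body, attrs = parts[5], {}
    if "\t" in body:  # tab is the attribute delimiter LEEF 1.0 defines
        for pair in body.split("\t"):
            key, sep, value = pair.partition("=")
            if sep:
                attrs[key.strip()] = value.strip()
        return header, attrs
    # Fallback for copies where the tabs were rendered as spaces: a value
    # runs until the next whitespace-preceded "key=" token.
    found = list(KEY.finditer(body))
    for i, m in enumerate(found):
        if m.group(1) in FREE_TEXT:  # keeps "CN=..." inside the summary
            attrs[m.group(1)] = body[m.end():].strip()
            break
        end = found[i + 1].start() if i + 1 < len(found) else len(body)
        attrs[m.group(1)] = body[m.end():end].strip()
    return header, attrs

# QRadar field name -> LEEF attribute key, as highlighted in the table above.
TABLE = {"Event Summary (custom)": "sum", "Source IP": "src", "Source Port": "srcPort",
         "Destination IP": "dst", "Destination Port": "dstPort", "Username": "usrName"}

def qradar_fields(raw):
    """Pick the values the mapping table on this page highlights."""
    header, a = parse_leef(raw)
    out = {"Event Category": header["product"], "Event ID": header["event_id"]}
    out.update({name: a.get(key) for name, key in TABLE.items()})
    return out
```

In the space-separated fallback, the distinguished name at the end of `sum` would otherwise be split off as a separate `CN` attribute, which is why that key is treated as free text.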