IBM i sample event message
Use this sample event message to verify a successful integration with IBM® QRadar®.
Important: Due to formatting issues, paste the message format into a text editor and
then remove any carriage returns or line feed characters.
IBM i sample message when you use the Syslog protocol
The following sample event message shows that DRDA Distributed Relational DB access is allowed.
Important: The logs that you send to QRadar must be tab-delimited. If
you cut and paste the code from this sample, make sure that you press the tab key where indicated by
the <tab> variables, then remove the variables.
<176>Apr 24 15:31:58 ibm.i.test LEEF:1.0|Raz-Lee iSecurity|Firewall|1.0|GRE7860|usrName=USERNAME<tab>devTime=2019-04-24-15.31.58.000<tab>devTimeFormat=yyyy-MM-dd-HH.mm.ss.SSS<tab>source=172.16.1.1<tab>sev=10<tab>jobName=948290/QUSER/QRWTSRVR<tab>pgmName=*NONE<tab>pgmLib=*NONE<tab>entryType=36/A<tab>entryDesc=DRDA Distributed Relational DB access<tab>Action_allowed=1<tab>Src_user_before_Pre-chk=USERNAME<tab>Source_system=SYSTEM1<tab>Decision_level=USSRV<tab>Authority_set_to_user=USERNAME<tab>Server_Id=36| QRadar field name | Highlighted values in the event payload |
|---|---|
| Event ID | GRE7860 |
| Username | USERNAME |
| Severity | 10 |