Forcepoint V-Series Content Gateway sample event messages

Use these sample event messages to verify a successful integration with IBM® QRadar®.

Important: Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.

Forcepoint V-Series Content Gateway sample messages when you use the Syslog protocol

Sample 1: The following sample event message shows that access is blocked by Websense.

<159>Jul 16 16:37:26 forcepoint.vseries.test LEEF:1.0|Forcepoint|Security|8.5.3|transaction:blocked|sev=7	cat=1504	usrName=qradar1	loginID=qradar1	src=10.223.7.33	srcPort=34311	srcBytes=0	dstBytes=0	dst=10.10.10.10	dstPort=443	proxyStatus-code=403	serverStatus-code=0	duration=66	method=POST	disposition=1064	contentType=-	reason=0-17336-Generic.Content.Web.RTSS	policy=Super Administrator**IM Chat and Conferencing Policy	role=8	userAgent=Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36	url=https://www.qradar.example.test/psettings/jobs/profile-shared-with-recruiter logRecordSource=%<logRecordSource> 
Table 1. Highlighted values in the Forcepoint V-Series Content Gateway event payload

| QRadar field name | Highlighted values in the event payload |
|---|---|
| Event ID | disposition |
| Category | cat |
| Source IP | src |
| Source Port | srcPort |
| Destination IP | dst |
| Destination Port | dstPort |
| Username | usrName |

Sample 2: The following sample event message shows that access is permitted by Websense.

<159>Jun 25 10:45:18 forcepoint.vseries.test LEEF:1.0|Forcepoint|Security|8.5.3|transaction:permitted|sev=1	cat=209	usrName=testUser	loginID=testID	src=10.252.88.231	srcPort=7434	srcBytes=636	dstBytes=63385	dst=10.10.10.10	dstPort=443	proxyStatus-code=200	serverStatus-code=200	duration=32	method=GET	disposition=1065	contentType=text/html; charset\=utf-8	reason=0-14057-Generic.Content.Web.RTSS	policy=testPolicy Videos from testCompany	role=8	userAgent=Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36	url=https://www.qradar.example.test/watch?v\=VsxpUZaggcw logRecordSource=%<logRecordSource>
Table 2. Highlighted values in the Forcepoint V-Series Content Gateway event payload

| QRadar field name | Highlighted values in the event payload |
|---|---|
| Event ID | disposition |
| Category | cat |
| Source IP | src |
| Source Port | srcPort |
| Destination IP | dst |
| Destination Port | dstPort |
| Username | usrName |
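
The following Python code is an added example, not part of the IBM documentation or of any QRadar DSM: it parses a LEEF 1.0 line like the samples above and returns the payload keys listed in Table 1 and Table 2 under their QRadar field names, which helps when checking that a forwarded event carries the expected values. The function names and the shortened sample line are constructed for illustration; the code assumes tab-delimited attributes and `\=` escapes inside values, as they appear in the samples.

```python
# Added example: LEEF 1.0 parsing for the sample events on this page.
# QRADAR_FIELDS mirrors Table 1 / Table 2; function names are hypothetical.
QRADAR_FIELDS = {
    "Event ID": "disposition",
    "Category": "cat",
    "Source IP": "src",
    "Source Port": "srcPort",
    "Destination IP": "dst",
    "Destination Port": "dstPort",
    "Username": "usrName",
}

# Constructed input: shortened from Sample 2 (fewer attributes, same values).
SAMPLE = (
    "<159>Jun 25 10:45:18 forcepoint.vseries.test "
    "LEEF:1.0|Forcepoint|Security|8.5.3|transaction:permitted|"
    "sev=1\tcat=209\tusrName=testUser\tsrc=10.252.88.231\tsrcPort=7434\t"
    "dst=10.10.10.10\tdstPort=443\tdisposition=1065\t"
    "contentType=text/html; charset\\=utf-8\t"
    "url=https://www.qradar.example.test/watch?v\\=VsxpUZaggcw"
)


def parse_leef(message):
    """Return (header dict, attribute dict) for one LEEF 1.0 syslog line."""
    # Stray CR/LF from copy-paste would break the payload; drop them first.
    message = message.replace("\r", "").replace("\n", "")
    start = message.find("LEEF:")
    if start < 0:
        raise ValueError("no LEEF header found")
    parts = message[start:].split("|", 5)
    if len(parts) != 6:
        raise ValueError("incomplete LEEF header")
    header = dict(zip(("leef", "vendor", "product", "version", "event"), parts))
    attrs = {}
    for pair in parts[5].split("\t"):
        # Split at the first '=' only; any later '=' belongs to the value.
        key, sep, value = pair.partition("=")
        if sep:
            attrs[key.strip()] = value.replace("\\=", "=")
    return header, attrs


def qradar_view(message):
    """Map the attributes highlighted in the tables to QRadar field names."""
    _, attrs = parse_leef(message)
    return {name: attrs.get(key) for name, key in QRADAR_FIELDS.items()}
```

A field that comes back as `None` from `qradar_view` means the corresponding key was missing from the payload, which usually points to a broken delimiter or a truncated message.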