IBM i sample event message

Use this sample event message to verify a successful integration with IBM® QRadar®.

Important: Due to formatting issues, paste the message format into a text editor and then remove any carriage returns or line feed characters.

IBM i sample message when you use the Syslog protocol

The following sample event message shows that DRDA Distributed Relational DB access is allowed.

Important: The logs that you send to QRadar must be tab-delimited. If you cut and paste the code from this sample, make sure that you press the tab key where indicated by the <tab> variables, then remove the variables.

<176>Apr 24 15:31:58 ibm.i.test LEEF:1.0|Raz-Lee iSecurity|Firewall|1.0|GRE7860|usrName=USERNAME<tab>devTime=2019-04-24-<tab><tab>source=<tab>sev=10<tab>jobName=948290/QUSER/QRWTSRVR<tab>pgmName=*NONE<tab>pgmLib=*NONE<tab>entryType=36/A<tab>entryDesc=DRDA Distributed Relational DB access<tab>Action_allowed=1<tab>Src_user_before_Pre-chk=USERNAME<tab>Source_system=SYSTEM1<tab>Decision_level=USSRV<tab>Authority_set_to_user=USERNAME<tab>Server_Id=36

Table 1. Highlighted values in the IBM i event payload

| QRadar field name | Highlighted values in the event payload |
| --- | --- |
| Event ID | GRE7860 |
| Severity | 10 |
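
The preparation steps described above, as an added Python example that is not part of the IBM documentation: it removes CR/LF characters, replaces the <tab> placeholders with real tabs, then parses the LEEF 1.0 header and attributes so that the Event ID and Severity can be compared with Table 1. The function names are assumptions made for this example.

```python
# Added example: normalise the sample from this page and parse it as LEEF 1.0.
# Function names are illustrative; nothing here is QRadar or iSecurity code.

# Sample event copied from this page, <tab> placeholders still in place.
SAMPLE = (
    "<176>Apr 24 15:31:58 ibm.i.test LEEF:1.0|Raz-Lee iSecurity|Firewall|1.0|GRE7860|"
    "usrName=USERNAME<tab>devTime=2019-04-24-<tab><tab>source=<tab>sev=10<tab>"
    "jobName=948290/QUSER/QRWTSRVR<tab>pgmName=*NONE<tab>pgmLib=*NONE<tab>"
    "entryType=36/A<tab>entryDesc=DRDA Distributed Relational DB access<tab>"
    "Action_allowed=1<tab>Src_user_before_Pre-chk=USERNAME<tab>"
    "Source_system=SYSTEM1<tab>Decision_level=USSRV<tab>"
    "Authority_set_to_user=USERNAME<tab>Server_Id=36"
)


def prepare(text):
    """Drop CR/LF characters and turn each <tab> placeholder into a real tab."""
    return text.replace("\r", "").replace("\n", "").replace("<tab>", "\t")


def parse_leef(line):
    """Split a syslog-wrapped LEEF 1.0 event into header fields and attributes."""
    if "<tab>" in line or "\r" in line or "\n" in line:
        raise ValueError("placeholders or line breaks still present; run prepare() first")
    syslog_header, marker, leef = line.partition("LEEF:")
    if not marker:
        raise ValueError("no LEEF header found")
    parts = leef.split("|", 5)
    if len(parts) != 6:
        raise ValueError("LEEF 1.0 header needs five pipe-delimited fields")
    leef_version, vendor, product, product_version, event_id, body = parts
    attrs = {}
    for pair in body.split("\t"):
        if not pair:          # empty slot between two consecutive tabs
            continue
        key, sep, value = pair.partition("=")
        if not sep:
            raise ValueError(f"attribute without '=': {pair!r}")
        attrs[key] = value
    return {"syslog_header": syslog_header.strip(), "leef_version": leef_version,
            "vendor": vendor, "product": product, "product_version": product_version,
            "event_id": event_id, "attrs": attrs}


if __name__ == "__main__":
    event = parse_leef(prepare(SAMPLE))
    print("Event ID:", event["event_id"])        # compare with Table 1, Event ID
    print("Severity:", event["attrs"]["sev"])    # compare with Table 1, Severity
```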