Citrix NetScaler sample event message

Use this sample event message to verify a successful integration with IBM® QRadar®.

Important: Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.

Citrix NetScaler sample message when you use the Syslog protocol

The following sample event message shows a successful SSL handshake.

Tip: Citrix NetScaler does not send events with RFC3164 or RFC5424 headers, so the log source cannot be discovered from a hostname or IP address in the header. Instead, log sources are automatically discovered by using the event's packet IP as the log source identifier. To use the value in the header instead of the value in the packet IP, use the Syslog Redirect protocol. For more information, see QRadar: Syslog Redirect Protocol FAQ (https://www.ibm.com/support/pages/qradar-syslog-redirect-protocol-faq).

<135> 12/04/2017:17:21:00 GMT citrix.netscaler.test 0-PPE-1 : SSLLOG SSL_HANDSHAKE_SUCCESS 5743593 0 :  SPCBId 87630 - ClientIP 172.25.184.157 - ClientPort 19849 - VserverServiceIP 10.254.14.94 - VserverServicePort 443 - ClientVersion TLSv1.2 - CipherSuite "RC4-MD5 TLSv1.2 Non-Export 128-bit" - Session Reuse

Table 1. QRadar field names and highlighted values in the event payload

QRadar field name    Highlighted values in the event payload
-----------------    ---------------------------------------
Event ID             SSL_HANDSHAKE_SUCCESS
Source IP            172.25.184.157
Source Port          19849
Destination IP       10.254.14.94
Destination Port     443
Device Time          12/04/2017:17:21:00 GMT
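
To check the Table 1 mapping outside QRadar before sending test events, the following added example (not IBM or Citrix code) parses the sample message into the same fields. The function name, regular expressions, the extra keys (facility, severity, host, attributes) and the month-first reading of the date are assumptions made for this example.

```python
import re
from datetime import datetime, timezone

# Sample event from this page, joined onto one line.
SAMPLE = ('<135> 12/04/2017:17:21:00 GMT citrix.netscaler.test 0-PPE-1 : '
          'SSLLOG SSL_HANDSHAKE_SUCCESS 5743593 0 :  SPCBId 87630 - '
          'ClientIP 172.25.184.157 - ClientPort 19849 - '
          'VserverServiceIP 10.254.14.94 - VserverServicePort 443 - '
          'ClientVersion TLSv1.2 - '
          'CipherSuite "RC4-MD5 TLSv1.2 Non-Export 128-bit" - Session Reuse')

# <PRI> date:time TZ name id : FEATURE EVENT_ID <two numeric fields> : body
HEADER = re.compile(
    r'^<(?P<pri>\d{1,3})>\s*(?P<time>\d{2}/\d{2}/\d{4}:\d{2}:\d{2}:\d{2}) '
    r'(?P<tz>\S+) (?P<host>\S+) (?P<pe>\S+) : (?P<feature>\S+) '
    r'(?P<event_id>\S+) \d+ \d+ :\s+(?P<body>.*)$')
# Body holds "Key value" pairs separated by " - "; a value may be quoted.
PAIR = re.compile(r'(\w+) (?:"([^"]*)"|(\S+))')

def parse_netscaler(line, date_format='%m/%d/%Y:%H:%M:%S'):
    """Map one NetScaler syslog event to the QRadar fields in Table 1.

    date_format is an assumption (month first); pass '%d/%m/%Y:%H:%M:%S'
    if the appliance logs the day first.
    """
    line = line.replace('\r', '').replace('\n', '')  # per the Important note
    m = HEADER.match(line)
    if m is None:
        raise ValueError('line does not match the NetScaler event layout')
    kv = {k: q if q else v for k, q, v in PAIR.findall(m['body'])}
    ts = datetime.strptime(m['time'], date_format)
    if m['tz'] == 'GMT':
        ts = ts.replace(tzinfo=timezone.utc)
    port = lambda key: int(kv[key]) if kv.get(key, '').isdigit() else None
    pri = int(m['pri'])  # syslog PRI = facility * 8 + severity
    return {
        'Event ID': m['event_id'],
        'Source IP': kv.get('ClientIP'),
        'Source Port': port('ClientPort'),
        'Destination IP': kv.get('VserverServiceIP'),
        'Destination Port': port('VserverServicePort'),
        'Device Time': ts,
        'facility': pri >> 3, 'severity': pri & 7,
        'host': m['host'], 'attributes': kv,
    }

if __name__ == '__main__':
    for name, value in parse_netscaler(SAMPLE).items():
        print(f'{name}: {value}')
```

Events that lack the client or virtual-server keys return None for those fields rather than failing, and a line with a standard RFC3164 header raises ValueError.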