Broadcom Symantec SiteMinder sample event messages

Use these sample event messages to verify a successful integration with IBM QRadar.

Important: Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.

Symantec SiteMinder sample message when you use the Syslog protocol

Sample 1: The following sample event message shows that authorization is accepted.

<173>Mar 11 15:53:54 ca.siteminder.test ca-siteminder [Auth][AuthAccept][][ca.siteminder.test][11/Mar/2021:15:53:45 -0500][31l-apache-aaaaa111-agent][A1aAaAAAAAaAa11aaaaAaaA1AAA=][CN=Test Useruser,OU=Standard,OU=Domain Users,DC=ad,DC=example,DC=com][01-00001a11-0111-1a1a-1111-11a111a10000][root-realm][01-000011aa-1111-111a-aaa1-111111a1a1aa][10.236.235.223][/aaaa/aaaAaaaAaaaaaAaaaaaaaaaa.jsp][GET][Production AD][plswa245:636 plswa246:636,plswa247:636 plswa245:636,prewa223:636 prewa224:636,prewa225:636 prewa223:636,prewa226:636 prewa227:636,plswa248:636 plswa248:636,plswa246:636 plswa247:636,prewa224:636 prewa225:636,prewa227:636 prewa226:636,plswa245:636 plswa246:636,plswa246:636 plswa247:636,plswa247:636 plswa245:636,prewa223:636 prewa224:636,prewa224:636 prewa225:636,prewa225:636 prewa223:636,prewa226:636 prewa227:636,prewa227:636 prewa226:636,plswa248:636 plswa248:636,plswa245:636 plswa246:636,prewa223:636 prewa224:636,prewa224:636 prewa225:636,prewa225:636 prewa223:636,prewa226:636 prewa227:636,prewa227:636 prewa226:636,plswa248:636 plswa248:636][LDAP:][idletime=3600;maxtime=7200;authlevel=5;][][http://aaaaa111.aaa.example.com-11][][][][][]

Table 1. Highlighted fields in the Symantec SiteMinder event

| QRadar field name  | Highlighted values in the event payload                               |
|--------------------|------------------------------------------------------------------------|
| Event ID           | AuthAccept                                                             |
| Source IP          | 10.236.235.223                                                         |
| Username           | Test Useruser                                                          |
| Log Source Time    | 11/Mar/2021:15:53:45 -0500 (extracted from the date and time fields)   |
| Identity IP        | 10.236.235.223                                                         |
| Identity Username  | Test Useruser                                                          |

Sample 2: The following sample event message shows an authorization logout.

AuthLogout osand001 [24/May/2012:14:14:50 -0500] "10.6.172.171 uid=Testuser01TesTU@example.com,ou=people,ou=AAAA A AA-AAAAA LTD.,ou=dcp,dc=aaaaaa,dc=com" "aaaa01aaa01-aaaa1  " [] [41]  [] []

Table 2. Highlighted fields in the Symantec SiteMinder event

| QRadar field name  | Highlighted values in the event payload                               |
|--------------------|------------------------------------------------------------------------|
| Event ID           | AuthLogout                                                             |
| Source IP          | 10.6.172.171                                                           |
| Username           | Testuser01TesTU@example.com                                            |
| Log Source Time    | 24/May/2012:14:14:50 -0500 (extracted from the date and time fields)   |
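The following parser is an added example, not part of the IBM documentation or a QRadar component: it pulls the four highlighted fields (Event ID, Source IP, Username, Log Source Time) out of both sample layouts shown above, so that the values in Table 1 and Table 2 can be checked before the log source is onboarded. The sample strings are constructed copies of the two payloads (the LDAP server list in Sample 1 is trimmed), and the field positions are taken from those samples, not from a SiteMinder specification.

```python
import re
from datetime import datetime

# Constructed copies of the two sample payloads on this page (server list trimmed).
SAMPLE_ACCEPT = (
    "<173>Mar 11 15:53:54 ca.siteminder.test ca-siteminder [Auth][AuthAccept][][ca.siteminder.test]"
    "[11/Mar/2021:15:53:45 -0500][31l-apache-aaaaa111-agent][A1aAaAAAAAaAa11aaaaAaaA1AAA=]"
    "[CN=Test Useruser,OU=Standard,OU=Domain Users,DC=ad,DC=example,DC=com]"
    "[01-00001a11-0111-1a1a-1111-11a111a10000][root-realm][01-000011aa-1111-111a-aaa1-111111a1a1aa]"
    "[10.236.235.223][/aaaa/aaaAaaaAaaaaaAaaaaaaaaaa.jsp][GET][Production AD][plswa245:636 plswa246:636]"
    "[LDAP:][idletime=3600;maxtime=7200;authlevel=5;][][http://aaaaa111.aaa.example.com-11][][][][][]"
)
SAMPLE_LOGOUT = (
    'AuthLogout osand001 [24/May/2012:14:14:50 -0500] "10.6.172.171 '
    'uid=Testuser01TesTU@example.com,ou=people,ou=AAAA A AA-AAAAA LTD.,ou=dcp,dc=aaaaaa,dc=com" '
    '"aaaa01aaa01-aaaa1  " [] [41]  [] []'
)

TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"           # e.g. 11/Mar/2021:15:53:45 -0500
BRACKET = re.compile(r"\[([^\]]*)\]")        # one [field]; nested brackets do not occur
# Older layout: <EventID> <host> [<time>] "<client ip> <user DN>" ...
LEGACY = re.compile(r'^(\w+)\s+\S+\s+\[([^\]]+)\]\s+"(\S+)\s+([^"]*)"')

def rdn_value(dn):
    """First RDN value of a DN (CN=Test Useruser,OU=... -> 'Test Useruser'); escaped commas not handled."""
    m = re.match(r"\s*[^=,]+=([^,]*)", dn)
    return m.group(1).strip() if m else dn.strip()

def parse_siteminder(line):
    """Extract the fields QRadar highlights for either layout shown on this page; None if no match."""
    fields = BRACKET.findall(line)
    if len(fields) >= 12 and fields[0] == "Auth":
        # Bracketed layout: [Auth][EventID][][host][time][agent][session][DN][oid][realm][oid][ip]...
        event_id, stamp, dn, ip = fields[1], fields[4], fields[7], fields[11]
    else:
        m = LEGACY.match(line)
        if not m:
            return None
        event_id, stamp, ip, dn = m.groups()
    return {
        "event_id": event_id,
        "source_ip": ip,
        "username": rdn_value(dn),
        "log_source_time": datetime.strptime(stamp, TIME_FMT),  # aware datetime, offset kept
    }

if __name__ == "__main__":
    for sample in (SAMPLE_ACCEPT, SAMPLE_LOGOUT):
        print(parse_siteminder(sample))
```

The username is the value of the first RDN in the user DN, which is how the tables above arrive at "Test Useruser" and "Testuser01TesTU@example.com"; the timestamp keeps its -0500 offset so it can be compared with the QRadar Log Source Time.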