Broadcom Symantec SiteMinder sample event messages
Use these sample event messages to verify a successful integration with IBM QRadar.
Important: Because of formatting, the sample messages might wrap when copied. Paste each message into a text editor and remove any carriage return or line feed characters before you use it.
Symantec SiteMinder sample message when you use the Syslog protocol
Sample 1: The following sample event message shows that authorization is accepted.
<173>Mar 11 15:53:54 ca.siteminder.test ca-siteminder [Auth][AuthAccept][][ca.siteminder.test][11/Mar/2021:15:53:45 -0500][31l-apache-aaaaa111-agent][A1aAaAAAAAaAa11aaaaAaaA1AAA=][CN=Test Useruser,OU=Standard,OU=Domain Users,DC=ad,DC=example,DC=com][01-00001a11-0111-1a1a-1111-11a111a10000][root-realm][01-000011aa-1111-111a-aaa1-111111a1a1aa][10.236.235.223][/aaaa/aaaAaaaAaaaaaAaaaaaaaaaa.jsp][GET][Production AD][plswa245:636 plswa246:636,plswa247:636 plswa245:636,prewa223:636 prewa224:636,prewa225:636 prewa223:636,prewa226:636 prewa227:636,plswa248:636 plswa248:636,plswa246:636 plswa247:636,prewa224:636 prewa225:636,prewa227:636 prewa226:636,plswa245:636 plswa246:636,plswa246:636 plswa247:636,plswa247:636 plswa245:636,prewa223:636 prewa224:636,prewa224:636 prewa225:636,prewa225:636 prewa223:636,prewa226:636 prewa227:636,prewa227:636 prewa226:636,plswa248:636 plswa248:636,plswa245:636 plswa246:636,prewa223:636 prewa224:636,prewa224:636 prewa225:636,prewa225:636 prewa223:636,prewa226:636 prewa227:636,prewa227:636 prewa226:636,plswa248:636 plswa248:636][LDAP:][idletime=3600;maxtime=7200;authlevel=5;][][http://aaaaa111.aaa.example.com-11][][][][][]
| QRadar field name | Highlighted values in the event payload |
|---|---|
| Event ID | AuthAccept |
| Source IP | 10.236.235.223 |
| Username | Test Useruser |
| Log Source Time | 11/Mar/2021:15:53:45 -0500 (extracted from the date and time fields) |
| Identity IP | 10.236.235.223 |
| Identity Username | Test Useruser |
Sample 2: The following sample event message shows an authorization logout.
AuthLogout osand001 [24/May/2012:14:14:50 -0500] "10.6.172.171 uid=Testuser01TesTU@example.com,ou=people,ou=AAAA A AA-AAAAA LTD.,ou=dcp,dc=aaaaaa,dc=com" "aaaa01aaa01-aaaa1 " [] [41] [] []
| QRadar field name | Highlighted values in the event payload |
|---|---|
| Event ID | AuthLogout |
| Source IP | 10.6.172.171 |
| Username | Testuser01TesTU@example.com |
| Log Source Time | 24/May/2012:14:14:50 -0500 (extracted from the date and time fields) |