SonicWALL sample event messages
Use these sample event messages to verify a successful integration with IBM QRadar.
Important: Due to formatting issues, paste the message format into a text editor and
then remove any carriage return or line feed characters.
SonicWALL sample messages when you use the Syslog protocol
Sample 1: The following sample event message shows that a probable port scan is detected.
<1> id=firewall sn=01234567ABCD time="2018-11-07 11:16:02" fw=10.0.0.2 pri=1 c=32 m=83 msg="Probable port scan detected" n=2 src=10.0.0.3:443:X1 dst=172.16.194.2:47379:X1 srcMac=00:00:5E:00:53:ff dstMac=00:00:5E:00:53:00 proto=tcp/1 note="TCP scanned port list, 14551, 61968, 53577, 27976, 29050, 25330, 21761, 23903, 7412, 47379" fw_action="NA"
| QRadar field name | Highlighted values in the event payload |
|---|---|
| Event ID | 83 |
| Source IP | 10.0.0.3 |
| Source Port | 443 |
| Source Mac | 00:00:5E:00:53:ff |
| Destination IP | 172.16.194.2 |
| Destination Port | 47379 |
| Destination Mac | 00:00:5E:00:53:00 |
| Device Time | 2018-11-07 11:16:02 |
Sample 2: The following sample event message shows that NTP updated successfully.
<133> id=firewall sn=12345678123 time="2018-11-13 00:26:12" fw=10.0.0.253 pri=5 c=128 m=1231 msg="Time update from NTP server was successful" sess="None" n=1104 src=10.0.2.3:123:X0 dst=10.0.5.6:123:X1 proto=0/ntp note="Received reply from NTP server 10.2.2.5. Update system time from 11/13/2018 00:26:12.624 to 11/13/2018 00:26:12.736"
| QRadar field name | Highlighted values in the event payload |
|---|---|
| Event ID | 1231 |
| Source IP | 10.0.2.3 |
| Source Port | 123 |
| Destination IP | 10.0.5.6 |
| Destination Port | 123 |
| Device Time | 2018-11-13 00:26:12 |
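The two samples above share one layout: an optional syslog `<PRI>` prefix followed by space-separated `key=value` pairs, where values that contain spaces are double-quoted and `src`/`dst` carry `ip:port:interface`. The parser below is an added example (not IBM's or SonicWALL's code) that extracts those pairs from both sample lines and maps them to the QRadar field names listed in the tables. It assumes IPv4 endpoints as shown on the page, strips stray carriage-return and line-feed characters as the Important note advises, and decodes the `<PRI>` value with the standard syslog rule (facility = PRI / 8, severity = PRI mod 8), which is separate from SonicWALL's own `pri=` field.

```python
import re

# Both sample lines are copied from the page (Sample 1 and Sample 2).
SAMPLE_1 = ('<1> id=firewall sn=01234567ABCD time="2018-11-07 11:16:02" fw=10.0.0.2 pri=1 c=32 m=83 '
            'msg="Probable port scan detected" n=2 src=10.0.0.3:443:X1 dst=172.16.194.2:47379:X1 '
            'srcMac=00:00:5E:00:53:ff dstMac=00:00:5E:00:53:00 proto=tcp/1 '
            'note="TCP scanned port list, 14551, 61968, 53577, 27976, 29050, 25330, 21761, 23903, 7412, 47379" '
            'fw_action="NA"')
SAMPLE_2 = ('<133> id=firewall sn=12345678123 time="2018-11-13 00:26:12" fw=10.0.0.253 pri=5 c=128 m=1231 '
            'msg="Time update from NTP server was successful" sess="None" n=1104 src=10.0.2.3:123:X0 '
            'dst=10.0.5.6:123:X1 proto=0/ntp note="Received reply from NTP server 10.2.2.5. '
            'Update system time from 11/13/2018 00:26:12.624 to 11/13/2018 00:26:12.736"')

# One key=value pair: a double-quoted value (may contain spaces) or a bare value (runs to whitespace).
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')
# Leading syslog priority, e.g. "<133> ".
_PRI_RE = re.compile(r'^<(\d+)>\s*')


def syslog_facility_severity(pri):
    """Decode a syslog PRI value into (facility, severity) per the standard PRI = facility*8 + severity."""
    return pri // 8, pri % 8


def parse_sonicwall(line):
    """Split a SonicWALL syslog line into its PRI (or None) and a dict of key=value fields."""
    # Copy/paste can insert CR/LF inside the message; remove them before parsing.
    line = line.replace("\r", "").replace("\n", "").strip()
    pri = None
    m = _PRI_RE.match(line)
    if m:
        pri = int(m.group(1))
        line = line[m.end():]
    fields = {}
    for key, quoted, bare in _KV_RE.findall(line):
        # A quoted value wins; otherwise use the bare token (may be empty, e.g. "key=").
        fields[key] = quoted if quoted else bare
    return {"pri": pri, "fields": fields}


def split_endpoint(value):
    """Split 'ip:port:interface' into parts; port and interface are optional. Assumes IPv4 (no ':' in the IP)."""
    parts = value.split(":") if value else []
    return {
        "ip": parts[0] if parts and parts[0] else None,
        "port": int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None,
        "interface": parts[2] if len(parts) > 2 else None,
    }


def to_qradar_fields(line):
    """Map a parsed SonicWALL line onto the QRadar field names used in the tables above."""
    fields = parse_sonicwall(line)["fields"]
    src = split_endpoint(fields.get("src"))
    dst = split_endpoint(fields.get("dst"))
    return {
        "Event ID": fields.get("m"),
        "Source IP": src["ip"],
        "Source Port": src["port"],
        "Source Mac": fields.get("srcMac"),        # absent in Sample 2 -> None
        "Destination IP": dst["ip"],
        "Destination Port": dst["port"],
        "Destination Mac": fields.get("dstMac"),   # absent in Sample 2 -> None
        "Device Time": fields.get("time"),
    }


if __name__ == "__main__":
    for sample in (SAMPLE_1, SAMPLE_2):
        parsed = parse_sonicwall(sample)
        print("PRI", parsed["pri"], "facility/severity", syslog_facility_severity(parsed["pri"]))
        for name, value in to_qradar_fields(sample).items():
            print(f"  {name}: {value}")
```

Running the block prints the same values as the two tables, with `None` for the MAC fields that Sample 2 does not carry; a mismatch between this output and what QRadar shows for a pasted sample usually means a line break survived the paste or a field name differs from the one the DSM expects.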