PostEvent

The PostEvent action posts an event to the QRadar® product event pipeline, which allows the event to be parsed, correlated, and stored.

The following table shows the parameters for the PostEvent action.

Table 1. PostEvent action parameters
Name Data type Required Notes
path JPath Yes The path of the element to post.
encoding String No

The encoding of the event.

Possible values:

  • UTF-8
  • BASE64
  • HEX

The default is UTF-8.

source String Yes

The source (host) of the event.

The source value is used to route the event within the event pipeline to the correct log source. The event is matched to the log source identifier of an existing log source.

If no log source exists with a matching log source identifier, the event is stored without parsing and a copy of the event is sent to the log source autodetection engine.

If a log source is autodetected from the event, it is created with its log source identifier set to the source value.

XML Example:

This action posts the string that is stored in the State at /event into the QRadar product event pipeline as an event. If a log source has a log source identifier that matches the value that is stored in /host, the event is routed to that log source.

<PostEvent path="/event" source="${/host}" />