Syslog - IBM QRadar: IPS Messages | LogRhythm Documentation

Vendor Documentation

https://www.ibm.com/docs/en/qns/5.5.0?topic=logs-viewing-event-log

Classification

Rule Name	Rule Type	Classification	Common Event
IPS Messages	Base Rule	Information	General IPS Message

Mapping with LogRhythm Schema

Device Key in Log Message	LogRhythm Schema	Data Type	Schema Description
Syslog Header	N/A	N/A	The syslog header is an optional field. The syslog header contains the timestamp and IPv4 address or host name of the system that sends the event.
N/A	N/A	N/A	No current information about this data coming in the header.
N/A	N/A	N/A	No current information about this data coming in the header.
N/A	N/A	N/A	No current information about this data coming in the header.
N/A	N/A	N/A	No current information about this data coming in the header.
N/A	N/A	N/A	No current information about this data coming in the header.
N/A	N/A	N/A	No current information about this data coming in the header.
AdapterID	<vmid>	Number	The XGS adapter ID on which the event was triggered.
AdapterMode	<vendorinfo>	Text/String	The protection mode of the XGS adapter.
IssueID	N/A	N/A	N/A
algorithm-id	N/A	N/A	N/A
appid	N/A	N/A	The Application Identifier.
block	N/A	N/A
count	N/A	N/A
dstip	<dip>	IP Address	The IP address of the event destination (IPv4 or IPv6 Address).
dstport	<dport>	Number	The destination port of the event (Attribute Limits: 0 - 65535).
event-type	<subject>	Text/String	Displays the type of security event: attack, audit, or status (status events gather statistical information).
filterid	N/A	N/A	N/A
iprdststate	N/A	N/A	N/A
iprenabled	N/A	N/A	N/A
iprlicensed	N/A	N/A	N/A
iprsrcstate	N/A	N/A	N/A
ipsid	N/A	N/A	N/A
name	<object>	Text/String	Specifies a meaningful name for the response.
nvpdata	N/A	N/A	N/A
priority	<serverity>	Text/String	Displays the threat level as default, high, medium, and low. Low: Security issues that deny service or provide non-system information that could be used to formulate structured attacks on a target, but not directly gain unauthorized access. Med: Security issues that have the potential of granting access or allowing code execution with complex or lengthy exploit procedures. These issues can be low risk issues applied to major Internet components. High: Security issues that allow immediate remote or local access, or immediate execution of code or commands, with unauthorized privileges.
protocol	<protname>	Text/String	Displays the protocol of the security event.
quarantineendtime	N/A	N/A	N/A
ruleid	N/A	N/A	N/A
rulelabel	<action>	Text/String	N/A
ruleorder	N/A	N/A	The rule order the event was triggered on.
srcip	<sip>	IP Address	The IP address of the event source (IPv4 or IPv6 Address).
srcport	<sport>	Number	The source port of the event (Attribute Limits: 0 - 65535).
sslmethod	N/A	N/A	The SSL method that the XGS policy rule is using.
target-ip-addr-end	N/A	N/A	N/A
target-ip-addr-start	N/A	N/A	N/A
time	N/A	N/A	N/A
timestamp	N/A	N/A	N/A
userid	N/A	N/A	N/A
vulnstatus	<result>	N/A	N/A
SensorAddress	N/A	N/A	N/A
SensorName	N/A	N/A	N/A
SensorGUID	N/A	N/A	N/A
ProductID	N/A	N/A	N/A
IANAProtocolId	<protnum>	N/A	N/A