Fair Warning Sample Event Messages
Use these sample event messages to verify a successful integration with JSA.
Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.
Fair Warning Sample Message when you use the Log File Protocol
Sample 1: The following sample event message shows that an employee is snooping in the Fair Warning DSM.
FairWarning::Alert Time Stamp=2010-08-06 19:25:29.0 Alert ID=71 Alert Name=Epic: Employee Snooping Event Source=Epic HS Category=HIPAA Best Practice Severity=high Timestamp=2010-08-05 00:00:01.0 Event ID=1155646552611 User ID=111 User Name=Test User User First Name=Test User Last Name=User Patient ID=1111 Patient Name=Admin root Patient First Name=Admin Patient Last Name=root Event Type=PATIENT CLINICAL INFO Event Description=MR_REPORTS Workstation ID=11111.11 Workstation IP=10.16.22.21 FileName=/path/ test.txt
|
JSA field name |
Highlighted values in the event payload |
|---|---|
|
Event ID |
Epic: Employee Snooping |
|
Source IP |
10.16.22.21 |
|
Username |
Test User |
|
Device Time |
Aug 6, 2010, 7:25:29 PM (extracted from date and time fields) |
Sample 2: The following sample event message shows excess failed logins.
FairWarning::Alert Time Stamp=2010-08-08 19:35:45.0 Alert ID=86 Alert Name=Epic Failed Logins- Exceeding Thresholds Event Source=Epic Failed Logins Category=Medical Identity Theft Severity=high Timestamp=2010-08-07 08:26:00.0 Event ID=1155644965984 User ID=2222 User Name=TestTest UserUser User First Name=TestTest User Last Name=UserUser Department=AA Application=111111-2222222.2 Event Description=A setup or operations error occured. Please consult a system administrator Details: Epic LDAP User (extended) login failed 49-ELDAP_FAIL_SBIND:failed to sbind (bind+search) using given credentials 49:Invalid credentials Workstation IP=10.251.243.41 FileName=/path/test.txt
|
JSA field name |
Highlighted values in the event payload |
|---|---|
|
Event ID |
Epic Failed Logins- Exceeding Thresholds |
|
Source IP |
10.251.243.41 |
|
Username |
TestTest UserUser |
|
Device Time |
Aug 8, 2010, 7:35:45 PM (extracted from date and time fields) |