ForeScout CounterACT Sample Event Messages
Use these sample event messages to verify a successful integration with JSA.
Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.
ForeScout CounterACT Sample Messages When You Use the Syslog Protocol
Sample 1: The following sample event message shows that an authentication certificate issuer is detected.
LEEF:1.0|ForeScout|CounterACT|8.0.1-99|agent_auth_issuer|cat=Property sev=1 src=10.84.144.14 usrName=testUser srcMAC=00:00:5E:00:53:00 domain=testDomain identHostName=testHostName Folder_Name=Authentication Property_Name=Authentication Certificate Issuer devTime=Mar 7 2019 07:50:32.000 EST devTimeFormat=MMM dd yyyy HH:mm:ss.SSS z Property_Value=\DC=BLAH\DC=testDomain\CN=testDomain2-CA
JSA field name | Highlighted values in the event payload |
---|---|
Event ID | agent_auth_issuer |
Category | Property |
Source IP | 10.84.144.14 |
Username | testUser |
Device Time | Mar 7 2019 07:50:32.000 EST |
Sample 2: The following sample event message shows when the last credentials succeeded on this host.
LEEF:1.0|ForeScout|CounterACT|8.0.1-99|cached_credentials|cat=Property sev=1 src=192.168.74.25 usrName=qradar1 srcMAC=00:00:5E:00:53:C8 domain=testDomain identHostName=D-q1labs1 Folder_Name= Property_Name=Last credentials to succeed on this host devTime=Mar 26 2019 15:56:14.000 PDT devTimeFormat=MMM dd yyyy HH:mm:ss.SSS z Property_Value=admin1@example.test2001:db8:4D1C:A2FA:3EC9:C66D:8522:B7A4
JSA field name | Highlighted values in the event payload |
---|---|
Event ID | cached_credentials |
Category | Property |
Source IP | 192.168.74.25 |
Username | qradar1 |
Device Time | Mar 26 2019 15:56:14.000 PDT |
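To check the field mapping in the two tables above before sending test events, the following added example (not ForeScout or JSA code) parses both sample payloads and extracts the same five fields. The names `parse_leef` and `jsa_fields` are hypothetical. LEEF 1.0 attributes are normally tab-delimited; because the samples appear here with spaces, the parser assumes a fallback that splits on whitespace followed by `key=`.

```python
import re

# Constructed from the two sample payloads on this page, each joined onto one line.
SAMPLE_1 = (
    r"LEEF:1.0|ForeScout|CounterACT|8.0.1-99|agent_auth_issuer|cat=Property sev=1 "
    r"src=10.84.144.14 usrName=testUser srcMAC=00:00:5E:00:53:00 domain=testDomain "
    r"identHostName=testHostName Folder_Name=Authentication "
    r"Property_Name=Authentication Certificate Issuer devTime=Mar 7 2019 07:50:32.000 EST "
    r"devTimeFormat=MMM dd yyyy HH:mm:ss.SSS z "
    r"Property_Value=\DC=BLAH\DC=testDomain\CN=testDomain2-CA"
)
SAMPLE_2 = (
    r"LEEF:1.0|ForeScout|CounterACT|8.0.1-99|cached_credentials|cat=Property sev=1 "
    r"src=192.168.74.25 usrName=qradar1 srcMAC=00:00:5E:00:53:C8 domain=testDomain "
    r"identHostName=D-q1labs1 Folder_Name= "
    r"Property_Name=Last credentials to succeed on this host "
    r"devTime=Mar 26 2019 15:56:14.000 PDT devTimeFormat=MMM dd yyyy HH:mm:ss.SSS z "
    r"Property_Value=admin1@example.test2001:db8:4D1C:A2FA:3EC9:C66D:8522:B7A4"
)

# A key starts the body or follows whitespace, so "\DC=" inside a value is not a key.
KEY_RE = re.compile(r"(?:^|[ \t])([A-Za-z][A-Za-z0-9_]*)=")

def parse_leef(line):
    """Return (header, attributes) for one LEEF 1.0 event line."""
    parts = line.strip().split("|", 5)
    if len(parts) != 6 or parts[0] != "LEEF:1.0":
        raise ValueError("not a LEEF 1.0 event")
    header = dict(zip(("leef", "vendor", "product", "version", "event_id"), parts[:5]))
    body, attrs = parts[5], {}
    if "\t" in body:  # standard LEEF 1.0 delimiter
        for pair in body.split("\t"):
            key, sep, value = pair.partition("=")
            if sep:
                attrs[key.strip()] = value.strip()
    else:  # assumed fallback; a value containing " word=" would be split wrongly
        hits = list(KEY_RE.finditer(body))
        for i, m in enumerate(hits):
            end = hits[i + 1].start() if i + 1 < len(hits) else len(body)
            attrs[m.group(1)] = body[m.end():end].strip()
    return header, attrs

def jsa_fields(line):
    """Map a payload to the JSA field names used in the tables above."""
    header, attrs = parse_leef(line)
    return {"Event ID": header["event_id"], "Category": attrs.get("cat"),
            "Source IP": attrs.get("src"), "Username": attrs.get("usrName"),
            "Device Time": attrs.get("devTime")}
```
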