
SSH Server Events

Vendor Documentation

Classification

| Rule Name | Rule Type | Common Event | Classification |
| --- | --- | --- | --- |
| SSH Server Events | Base Rule | General Information Log Message | Information |

Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
| --- | --- | --- | --- |
| Event ID | `<vmid>` | Number | Event ID 5201, 5202, 5203, 5204, 5205, 5207, 5208, 5209, 5210, 5211, 5212, 5213, 5214, 5215, 5216, 5217, 5218, 5219, 5220, 5221, 5222, 5223 |
| Severity | `<severity>` | Text/String | For 5201, 5202, 5203, 5204, 5205, 5207, 5209, 5211, 5218: Information; for 5208, 5210, 5215, 5216, 5217, 5219, 5220, 5221, 5222: Error; for 5212, 5213, 5214, 5223: Warning |
| Message | `<subject>`, `<object>` | Text/String | Event ID 5201: Logs a message when the SSH host-key is generated |
| Message | `<subject>`, `<object>` | Text/String | Event ID 5202: Logs a message when the SSH server is enabled on a VRF |
| Message | `<subject>`, `<object>` | Text/String | Event ID 5203: Logs a message when the SSH server is disabled on a VRF |
| Message | `<subject>`, `<object>`, `<account>` | Text/String | Event ID 5204: Logs a message when an SSH client-public-key is added to the authorized_keys file |
| Message | `<subject>`, `<object>`, `<account>` | Text/String | Event ID 5205: Logs a message when an SSH client-public-key is deleted from the authorized_keys file |
| Message | `<subject>`, `<object>` | Text/String | Event ID 5207: Logs a message when the SSH host-key is corrupted |
| Message | `<subject>`, `<object>` | Text/String | Event ID 5208: Logs a message when a user tries to enable the SSH server without setting an admin password |
| Message | `<subject>`, `<account>`, `<dip>` | Text/String/IP Address | Event ID 5209: Logs a message when a user login is successful |
| Message | `<subject>`, `<account>`, `<dip>` | Text/String/IP Address | Event ID 5210: Logs a message when a user login fails |
| Message | `<subject>`, `<account>`, `<dip>` | Text/String/IP Address | Event ID 5211: Logs a message when a user logs out of a session |
| Message | `<subject>`, `<dip>` | Text/String/IP Address | Event ID 5212: Logs a message when a user tries to log in while the maximum number of sessions is reached. |
| Message | `<subject>`, `<dip>` | Text/String/IP Address | Event ID 5214: Logs a message when a user session is closed due to host key failure. |
