Classification

| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| SSHD Messages | Base Rule | SSHD Notice | Information |
| Accepted Keyboard-interactive/pam | Sub Rule | General SSHD Audit Message | Other Audit |
| Authentication Failure | Sub Rule | Authentication Failure Activity | Authentication Failure |
| Check Pass | Sub Rule | General Authentication Information | Information |
| Connection Closed | Sub Rule | Session Closed | Information |
| Identification String Not Received | Sub Rule | Connection Information | Information |
| Failed With Invalid Argument | Sub Rule | Authentication Failure Activity | Authentication Failure |
| User Does Not Exist | Sub Rule | User Identity Missing | Warning |
| Postponed Keyboard-interactive | Sub Rule | SSHD Information Message | Information |
| Received Disconnect | Sub Rule | Session Disconnected | Other Audit Success |
| Session Closed For User | Sub Rule | Session Closed For User | Other Audit Success |
| Session Opened | Sub Rule | Session Started | Other Audit Success |
| User Not Known | Sub Rule | Ambiguous User | Warning |
| Sshtest User Not Known | Sub Rule | Ambiguous User | Warning |
Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type |
|---|---|---|
| SAU1 | <severity> | Text/String |
| N/A | <process> | Text/String |
| N/A | <processid> | Number |
| PAM | <subject> | Text/String |
| PAM | <tag1> | Text/String |
| for | <object> | Text/String |
| from | <sip> | Ipaddress/Number |
| N/A | <sport> | Numeric |
| N/A | <protname> | Text/String |
| N/A | <login> | Text/String |
| N/A | <session> | Number |
| N/A | <status> | Text/String |
| N/A | <amount> | Number |