SSHD Messages
Classification
Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| SSHD Messages | Base Rule | SSHD Notice | Information |
| Accepted Keyboard-interactive/pam | Sub Rule | General SSHD Audit Message | Other Audit |
| Authentication Failure | Sub Rule | Authentication Failure Activity | Authentication Failure |
| Check Pass | Sub Rule | General Authentication Information | Information |
| Connection Closed | Sub Rule | Session Closed | Information |
| Identification String Not Received | Sub Rule | Connection Information | Information |
| Failed With Invalid Argument | Sub Rule | Authentication Failure Activity | Authentication Failure |
| User Does Not Exist | Sub Rule | User Identity Missing | Warning |
| Postponed Keyboard-interactive | Sub Rule | SSHD Information Message | Information |
| Received Disconnect | Sub Rule | Session Disconnected | Other Audit Success |
| Session Closed For User | Sub Rule | Session Closed For User | Other Audit Success |
| Session Opened | Sub Rule | Session Started | Other Audit Success |
| User Not Known | Sub Rule | Ambiguous User | Warning |
| Sshtest User Not Known | Sub Rule | Ambiguous User | Warning |
Mapping with LogRhythm Schema
Device Key in Log Message | LogRhythm Schema | Data Type |
|---|---|---|
| SAU1 | <severity> | Text/String |
| N/A | <process> | Text/String |
| N/A | <processid> | Number |
| PAM | <subject> | Text/String |
| PAM | <tag1> | Text/String |
| for | <object> | Text/String |
| from | <sip> | Ipaddress/Number |
| N/A | <sport> | Numeric |
| N/A | <protname> | Text/String |
| N/A | <login> | Text/String |
| N/A | <session> | Number |
| N/A | <status> | Text/String |
| N/A | <amount> | Number |