
Syslog Fortinet FortiGate - V 2.0 : UTM : SSH

Vendor Documentation

Classification

| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| V 2.0 : UTM : SSH | Base Rule | SSH Information-Only Event | Information |
| V 2.0 : LOG_ID_SSH_COMMAND_BLOCK | Sub Rule | Blocked Message | Failed Activity |
| V 2.0 : LOG_ID_SSH_COMMAND_BLOCK_ALERT | Sub Rule | Blocked Message | Failed Activity |
| V 2.0 : LOG_ID_SSH_COMMAND_PASS | Sub Rule | Command String | Information |
| V 2.0 : LOG_ID_SSH_COMMAND_PASS_ALERT | Sub Rule | Command String | Information |
| V 2.0 : LOG_ID_SSH_CHANNEL_BLOCK | Sub Rule | Blocked Message | Failed Activity |
| V 2.0 : LOG_ID_SSH_CHANNEL_PASS | Sub Rule | Channel Status | Information |

Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| date | N/A | N/A | The date of the event. |
| time | N/A | N/A | The time of the event. |
| logid | <vmid> | Number | The log ID. |
| type | <vendorinfo> | Text/String | The type of event. |
| subtype | N/A | N/A | The subtype of the event. |
| eventtype | N/A | N/A | The specific type of SSH event. |
| level | <severity> | Text/String | The level of the event. |
| vd | <sessiontype> | Text/String | The virtual domain. |
| eventtime | N/A | N/A | The event time in epoch format. |
| policyid | <policy> | Number | The ID of the policy associated with the log event. |
| sessionid | <session> | Number | The ID of the session associated with the log event. |
| profile | N/A | N/A | The SSH profile. |
| srcip | <sip> | IP Address | The source IP address. |
| srcport | <sport> | Number | The source port. |
| dstip | <dip> | IP Address | The destination IP address. |
| dstport | <dport> | Number | The destination port. |
| srcintf | <sinterface> | Text/String | The source interface. |
| srcintfrole | N/A | N/A | The role of the source interface. |
| dstintf | <dinterface> | Text/String | The destination interface. |
| dstintfrole | N/A | N/A | The role of the destination interface. |
| proto | <protnum> | Number | The protocol. |
| action | <action> | Text/String | The action taken by the firewall. |
| direction | N/A | N/A | The direction of the communication. |
| login | <login> | Text/String | The source username. |
| channeltype | <object> | Text/String | N/A |
