/
l. Secure Shell (SSH)

l. Secure Shell (SSH)

Owned by Svetlana Sheptiy
Last updated: Jan 13, 2021 by Karein Directo (Unlicensed)
1 min read

Records Secure Socket Shell events.

 

Sample Events

date=2018-12-27 time=14:36:15 logid="1600061002" type="utm" subtype="ssh" eventtype="ssh-command" level="notice" vd="vdom1" eventtime=1545950175 policyid=1 sessionid=12921 user="bob" profile="test-ssh" srcip=10.1.100.11 srcport=56698 dstip=172.16.200.55 dstport=22 srcintf="port12" srcintfrole="lan" dstintf="port11" dstintfrole="wan" proto=6 action="passthrough" direction="outgoing" login="root" command="ls" severity="low"

date=2019-05-15 time=16:18:17 logid="1601061010" type="utm" subtype="ssh" eventtype="ssh-channel" level="warning" vd="vdom1" eventtime=1557962296 policyid=1 sessionid=344 profile="sshdeepscan" srcip=10.1.100.11 srcport=43580 dstip=172.16.200.44 dstport=22 srcintf="port21" srcintfrole="undefined" dstintf="port23" dstintfrole="undefined" proto=6 action="blocked" direction=" outgoing" login="root" channeltype="shell"

Fields

Field

Description

Field

Description

DATE

Event date, in the format YYYY-MM-DD

TIME

Event time, in the format HH:MM:SS

SYSTEM

The source system

TABLE

FortiGateSSH

CRITICALITY

 

LOGID  

Unique 10-digit identifier (log type, subtype/event type and message ID) for that specific log and includes information about the log entry

TYPE  

Represented by the first two digits of the log ID

SUBTYPE  

Represented by the first/second two digits of the log ID

EVENTTYPE  

Represented by the second two digits of the log ID

DEVNAME  

 

DEVID  

Serial number of the device for the traffic's origin

LEVEL  

Security level rating

VD  

Name of the virtual domain in which the log message was recorded

EVENTTIME  

Epoch time the log was triggered by FortiGate

TZ

 

POLICYID

Policy ID

SESSIONID

Session ID

USER

 

PROFILE

 

SRCIP

Source IP

SRCPORT

Source port

SRCINTF

Source interface

SRCINTFROLE

 

DSTIP

Destination IP

DSTPORT

Destination port

DSTINTF

Destination interface

DSTINTFROLE

 

PROTO

 

ACTION

 

DIRECTION

 

LOGIN

 

CHANNELTYPE

 

COMMAND

 

SEVERITY

 

SNAREDATAMAP

All other data in the event will be pushed to this field

Notes

Log Message Reference Documentation: https://docs.fortinet.com/document/fortigate/6.4.2/fortios-log-message-reference

 

Related content

m. Secure Socket Layer (SSL)
m. Secure Socket Layer (SSL)
Snare Central v8 Documentation
More like this
a. System
a. System
Snare Central v8 Documentation
More like this
c. User
c. User
Snare Central v8 Documentation
More like this
f. WAD
f. WAD
Snare Central v8 Documentation
More like this
Log Types: Cisco FTD User Authentication log type
Log Types: Cisco FTD User Authentication log type
Snare Central v8 Documentation
More like this
c. Intrusion Prevention Services (IPS)
c. Intrusion Prevention Services (IPS)
Snare Central v8 Documentation
More like this