23.1.6. SSH inspection log format

Field type

Field name

Description

Example value

CEF header

CEF:Version

CEF version.

CEF:0

Device Vendor

Product vendor.

UserGate

Device Product

Product type.

NGFW

Device Version

Product version.

7

Source

Log name.

ssh

Name

Source type.

log

Threat Level

Application threat level.

Available values: from 1 (if no application) to 10 (the set threat level multiplied by 2).

CEF [extension]

rt

Time when the event was received (in milliseconds since January 1, 1970).

1652344423822

deviceExternalId

A unique name of the device which generated the event.

utmcore@ersthetatica

act

Action taken by the device according to the configured policies.

accept

app

Application layer protocol.

SSH or SFTP

suser

User name.

user_example (Unknown, if the user is unknown)

cs1Label

Indicates that a rule was triggered.

Rule

cs1

Name of the rule triggered to cause the event.

SSH inspection rule

src

Traffic source IPv4 address.

10.10.10.10

spt

Source port.

Values: 0-65535.

smac

Source MAC address.

FA:16:3E:65:1C:B4

cs2Label

Indicates the source zone.

Source Zone

cs2

Source zone name.

Trusted

cs3Label

Indicates the source country.

Source Country

cs3

Source country name.

AE (a two-letter country code is displayed)

dst

IPv4 address of the traffic destination.

194.226.127.130

dpt

Destination port.

Values: 0-65535.

cs4Label

Indicates the destination zone.

Destination Zone

cs4

Destination zone name.

Untrusted

cs5Label

Indicates the destination country.

Destination Country

cs5

Destination country name.

AE (a two-letter country code is displayed)

cs6Label

Refers to the command transmitted via SSH.

Command

cs6

Command transmitted via SSH, in JSON format.

whoami