23.2.6. SSH inspection log description

Nested fields are written as dotted paths (for example, source.zone.guid is the guid inside zone inside source).

| Field | Description | Example value |
|---|---|---|
| timestamp | Time when the event was received, ISO 8601 in UTC: yyyy-mm-ddThh:mm:ss[.ffffff]Z. Fractional seconds are optional; the example carries five digits. | 2022-05-12T08:11:46.15869Z |
| node | Unique name of the device that generated the event. | utmcore@ersthetatica |
| command | Command sent over the SSH session. | whoami |
| app_threat | Application threat level. Values 2 to 10: the configured application threat level multiplied by 2. | Values: 2-10 |
| app_protocol | Application layer protocol. | SSH or SFTP |
| app_id | Application ID. | 195 |
| action | Action taken by the device according to the configured policies. | block |
| source.zone.guid | Unique ID of the traffic source zone. | d0038912-0d8a-4583-a525-e63950b1da47 |
| source.zone.name | Traffic source zone name. | Trusted |
| source.country | Source country, displayed as a two-letter country code. | AE |
| source.ip | IPv4 address of the traffic source. | 10.10.10.10 |
| source.port | Source port. | Values: 0-65535 |
| source.mac | Source MAC address. | FA:16:3E:65:1C:B4 |
| destination.zone.guid | Unique ID of the traffic destination zone. | 3c0b1253-f069-4060-903b-5fec4f465db0 |
| destination.zone.name | Traffic destination zone name. | Untrusted |
| destination.country | Destination country, displayed as a two-letter country code. | AE |
| destination.ip | IPv4 address of the traffic destination. | 104.19.197.151 |
| destination.port | Destination port. | Values: 0-65535 |
| rule.guid | Unique ID of the rule whose match produced the event. | 59e38e06-533a-4771-9664-031c3e8b2e1f |
| rule.name | Name of the rule whose match produced the event. | SSH Rule Example |
| user.guid | Unique ID of the user. If the user type is Unknown, the ID is 00000000-0000-0000-0000-000000000000. | a7a3cd49-8232-4f1a-962a-3659af89e96f |
| user.name | User name. | Admin |
| user.groups.guid | Unique ID of a group the user is a member of. | 919878b2-e882-49ed-3331-8ec72c3c79cb |
| user.groups.name | Name of a group the user is a member of. | Default Group |
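As an added example (not part of the original documentation and not the vendor's own tooling), the following Python parses and triages SSH inspection events laid out as in the table above. It assumes the events are exported as one JSON object per line and that user.groups is a list; the sample lines are constructed, with the example values from the table filled in where the table gives one. The checks (app_threat must be an even value in 2..10, ports in 0..65535, timestamps in UTC with optional fractional seconds, the all-zero user.guid meaning an Unknown user) come from the table; the triage rules that flag blocked commands and unattributed sessions are this example's own, not the device's.

```python
import json
from datetime import datetime, timezone

# user.guid value the log emits when the user type is Unknown (from the table).
UNKNOWN_USER_GUID = "00000000-0000-0000-0000-000000000000"
VALID_PROTOCOLS = {"SSH", "SFTP"}
VALID_APP_THREAT = {2, 4, 6, 8, 10}   # configured level 1..5, multiplied by 2

# Constructed sample events (not captured from a real device). Field names and
# nesting follow the table; one JSON object per line, and user.groups as a
# list, are assumptions of this example.
SAMPLE_LINES = [
    '{"timestamp":"2022-05-12T08:11:46.15869Z","node":"utmcore@ersthetatica",'
    '"command":"whoami","app_threat":8,"app_protocol":"SSH","app_id":195,"action":"block",'
    '"source":{"zone":{"guid":"d0038912-0d8a-4583-a525-e63950b1da47","name":"Trusted"},'
    '"country":"AE","ip":"10.10.10.10","port":51234,"mac":"FA:16:3E:65:1C:B4"},'
    '"destination":{"zone":{"guid":"3c0b1253-f069-4060-903b-5fec4f465db0","name":"Untrusted"},'
    '"country":"AE","ip":"104.19.197.151","port":22},'
    '"rule":{"guid":"59e38e06-533a-4771-9664-031c3e8b2e1f","name":"SSH Rule Example"},'
    '"user":{"guid":"a7a3cd49-8232-4f1a-962a-3659af89e96f","name":"Admin",'
    '"groups":[{"guid":"919878b2-e882-49ed-3331-8ec72c3c79cb","name":"Default Group"}]}}',
    # Second constructed event: SFTP, Unknown user (all-zero guid), no groups.
    '{"timestamp":"2022-05-12T08:12:03Z","node":"utmcore@ersthetatica",'
    '"command":"get /etc/shadow","app_threat":10,"app_protocol":"SFTP","app_id":195,"action":"block",'
    '"source":{"zone":{"guid":"d0038912-0d8a-4583-a525-e63950b1da47","name":"Trusted"},'
    '"country":"AE","ip":"10.10.10.11","port":51300,"mac":"FA:16:3E:65:1C:B5"},'
    '"destination":{"zone":{"guid":"3c0b1253-f069-4060-903b-5fec4f465db0","name":"Untrusted"},'
    '"country":"AE","ip":"104.19.197.151","port":22},'
    '"rule":{"guid":"59e38e06-533a-4771-9664-031c3e8b2e1f","name":"SSH Rule Example"},'
    '"user":{"guid":"00000000-0000-0000-0000-000000000000","name":"","groups":[]}}',
]
# A deliberately malformed line: app_threat 7 is not "level * 2".
_bad = json.loads(SAMPLE_LINES[0])
_bad["app_threat"] = 7
BAD_LINE = json.dumps(_bad)


def parse_timestamp(value):
    """ISO 8601 UTC with a trailing 'Z'; fractional seconds optional and of any
    length (the page's example has five digits, strptime's %f takes six)."""
    if not value.endswith("Z"):
        raise ValueError(f"timestamp is not UTC: {value!r}")
    body, _, frac = value[:-1].partition(".")
    if frac and not frac.isdigit():
        raise ValueError(f"bad fractional seconds: {value!r}")
    micro = int(frac[:6].ljust(6, "0")) if frac else 0
    dt = datetime.strptime(body, "%Y-%m-%dT%H:%M:%S")
    return dt.replace(microsecond=micro, tzinfo=timezone.utc)


def _port(value):
    if isinstance(value, bool) or not isinstance(value, int) or not 0 <= value <= 65535:
        raise ValueError(f"port out of range: {value!r}")
    return value


def parse_event(line):
    """Parse one event line into a flat dict; raise ValueError/KeyError on
    anything that does not match the table (the caller decides what to do)."""
    raw = json.loads(line)
    if raw["app_threat"] not in VALID_APP_THREAT:
        raise ValueError(f"app_threat must be even and in 2..10: {raw['app_threat']!r}")
    if raw["app_protocol"] not in VALID_PROTOCOLS:
        raise ValueError(f"unexpected app_protocol: {raw['app_protocol']!r}")
    src, dst, user = raw["source"], raw["destination"], raw["user"]
    groups = user.get("groups", [])
    if isinstance(groups, dict):      # tolerate a single object as well as a list
        groups = [groups]
    return {
        "timestamp": parse_timestamp(raw["timestamp"]),
        "command": raw["command"],
        "threat_level": raw["app_threat"] // 2,   # table: app_threat = level * 2
        "protocol": raw["app_protocol"],
        "action": raw["action"],
        "rule": raw["rule"]["name"],
        "src_zone": src["zone"]["name"], "src_ip": src["ip"], "src_port": _port(src["port"]),
        "dst_ip": dst["ip"], "dst_port": _port(dst["port"]),
        "user": user["name"],
        "user_known": user["guid"] != UNKNOWN_USER_GUID,
        "groups": [g["name"] for g in groups],
    }


def triage(lines):
    """Parse every line; return (events, findings). Findings: blocked commands,
    activity by an Unknown user, and lines that fail validation."""
    events, findings = [], []
    for n, line in enumerate(lines, 1):
        try:
            ev = parse_event(line)
        except (KeyError, ValueError) as exc:     # JSONDecodeError is a ValueError
            findings.append(f"line {n}: unparseable event ({exc})")
            continue
        events.append(ev)
        who = ev["user"] if ev["user_known"] else "UNKNOWN user"
        ts = ev["timestamp"].isoformat()
        if ev["action"] == "block":
            findings.append(
                f"{ts} {who} {ev['src_ip']}:{ev['src_port']} -> {ev['dst_ip']}:{ev['dst_port']} "
                f"{ev['protocol']} blocked {ev['command']!r} by rule {ev['rule']!r}, "
                f"threat level {ev['threat_level']}")
        if not ev["user_known"]:
            findings.append(
                f"{ts} unattributed session from {ev['src_ip']} ({ev['src_zone']}) "
                f"ran {ev['command']!r}; check the identity sources feeding the device")
    return events, findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LINES + [BAD_LINE])[1]:
        print(finding)
```

Two details matter in practice: the all-zero user.guid is a sentinel, not a real user, so joins against a user directory must special-case it rather than look it up; and app_threat is stored already multiplied by 2, so alerting thresholds written against the configured level 1..5 have to be doubled (or the field halved, as above) before comparison.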