Cisco Web Security Appliance
About
SSHD is the OpenSSH server process. It listens for incoming connections using the SSH protocol and acts as the server side of the protocol, handling user authentication, encryption, terminal sessions, file transfers, and tunneling.
Product Details
Vendor URL: Sshd is the Linux OpenSSH server process
Product Type: SSH proxy
Product Tier: Tier I
Integration Method: Unknown
Log Guide: SSHD Logging
Parser Details
Log Format: SYSLOG
Expected Normalization Rate: 75%
Data Label: WMT_SSHD
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| Defined | metadata.event_type |
| Defined | extensions.auth.type |
| command | src.process.command_line |
| target_host | target.hostname |
| domain | target.administrative_domain |
| suser | src.user.userid |
| target_user | src.user.userid |
| src_host | principal.hostname |
| target_ip | target.ip |
| userid | principal.user.userid |
| src_port | principal.port |
| summary | metadata.description |
| pool_data | additional.fields |
| thread | additional.fields |
| url | target.url |
| vendor | metadata.vendor_name |
| product_event | metadata.product_event_type |
| Defined | metadata.product_name |
| observer | observer.hostname |
| observer | observer.ip |
| odomain | observer.administrative_domain |
| severity | security_result.severity |
Product Event Types

| Event Type |
|---|
| SSHD |
| dzdo |
| FTPD |
| HTTPD |
| sshd.AgentUtil |
| sshd.PublicKeyAuthenticationProviderImpl |
| sshd.PasswordAuthenticationProviderImpl |
| sshd.AgentEventsFileSystem |
| sshd.STKeyboardInteractiveAuthentication |
Log Sample
<134>Aug 4 23:59:50 device.domain.com 0000-00-00 SecTransport (SSHD) 2021-08-04 23:59:50,118 INFO [pool-1-thread-43483] com.website.domain.server.sshd.AgentUtil - Login agent success [accountName=johndoe remoteAddress=devicename/10.10.10.10]
Sample Parsing
metadata.event_timestamp = "2021-09-09T18:21:50Z"
metadata.event_type = "USER_LOGIN"
metadata.vendor_name = "SecTransport"
metadata.product_name = "SSHD"
metadata.product_event_type = "SSHD"
metadata.description = "Login agent success"
metadata.ingested_timestamp = "2021-09-09T18:21:53.008036Z"
additional.Pool = "1"
additional.Thread = "57694"
principal.hostname = "devicename"
principal.user.userid = "johndoe"
principal.ip = "10.10.10.10"
principal.namespace = "domain"
target.url = "com.website.domain.server.sshd.AgentUtil"
target.namespace = "website"
observer.hostname = "Obeserver"
observer.administrative_domain = "domain.com"
observer.namespace = "tenantname"
security_result.action = "ALLOW"
security_result.severity = "INFORMATIONAL"
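As an added example (not the vendor's or the parser's own code), a Python function that maps a line in the Log Sample format above to the UDM fields listed under Parser Details. The field layout encoded in the regex, the severity map beyond INFO, the derivation of the observer fields from the syslog host, the ALLOW/BLOCK rule, and the UTC timestamp assumption are all assumptions about the format, not documented behaviour.

```python
import re

# Constructed sample line with the same shape as the page's Log Sample.
SAMPLE = ("<134>Aug 4 23:59:50 device.domain.com 0000-00-00 SecTransport (SSHD) "
          "2021-08-04 23:59:50,118 INFO [pool-1-thread-43483] "
          "com.website.domain.server.sshd.AgentUtil - Login agent success "
          "[accountName=johndoe remoteAddress=devicename/10.10.10.10]")
# Assumed layout: <PRI>systime host date vendor (product) time,ms LEVEL [pool-N-thread-M] logger - summary [k=v ...]
LINE_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<systime>\w{3} +\d+ [\d:]+) (?P<observer>\S+) \S+ "
    r"(?P<vendor>\S+) \((?P<product>[^)]+)\) "
    r"(?P<ts>\d{4}-\d{2}-\d{2} [\d:]+),\d+ (?P<level>\w+) "
    r"\[pool-(?P<pool>\d+)-thread-(?P<thread>\d+)\] (?P<logger>\S+) - "
    r"(?P<summary>[^\[]+?)(?: \[(?P<kv>[^\]]*)\])?$")
SEVERITY = {"INFO": "INFORMATIONAL", "WARN": "MEDIUM", "ERROR": "HIGH"}  # only INFO is shown on the page


def parse_sshd_line(line):
    # Returns a dict of UDM field -> value, or None when the line does not match the assumed layout.
    m = LINE_RE.match(line)
    if m is None:
        return None
    d = m.groupdict()
    host, _, domain = d["observer"].partition(".")  # observer fields taken from the syslog host (assumption)
    summary = d["summary"].strip()
    udm = {
        "metadata.event_timestamp": d["ts"].replace(" ", "T") + "Z",  # assumes the appliance logs in UTC
        "metadata.event_type": "GENERIC_EVENT",
        "metadata.vendor_name": d["vendor"],
        "metadata.product_name": d["product"],
        "metadata.product_event_type": d["product"],
        "metadata.description": summary,
        "additional.Pool": d["pool"],
        "additional.Thread": d["thread"],
        "target.url": d["logger"],
        "observer.hostname": host,
        "observer.administrative_domain": domain,
        "security_result.severity": SEVERITY.get(d["level"], "UNKNOWN_SEVERITY"),
    }
    if summary.startswith("Login"):  # login messages -> USER_LOGIN; "success" in the summary -> ALLOW
        udm["metadata.event_type"] = "USER_LOGIN"
        udm["security_result.action"] = "ALLOW" if "success" in summary else "BLOCK"
    # The trailing [key=value ...] block identifies the principal.
    kv = dict(p.split("=", 1) for p in (d["kv"] or "").split() if "=" in p)
    if "accountName" in kv:
        udm["principal.user.userid"] = kv["accountName"]
    if "remoteAddress" in kv:
        rhost, sep, rip = kv["remoteAddress"].partition("/")  # "host/ip" or a bare ip
        if sep:
            udm["principal.hostname"] = rhost
        udm["principal.ip"] = rip if sep else rhost
    return udm
```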
Parser Alerting
This product currently does not have any parser-based alerting.
Rules
Coming Soon