Successful ssh login (SUSE Linux Enterprise Server 11) - Microsoft.ACS.Linux.SLES.11.Ssh.Succeeded (Rule)

Microsoft.ACS.Linux.SLES.11.Ssh.Succeeded (Rule)

Rule to collect events for successful ssh login

Knowledge Base article:

Summary

An ssh command has been detected in the system log files.

Causes

User was granted access to the system remotely. This monitor allows system administrators to track 'ssh' usage.

Resolutions

The description of the alert and/or the output data item contains information on the event encountered. If the activity appears suspicious, please check the associated event details and any other events that happened around the time of this event.

Element properties:

Target	Microsoft.ACS.Linux.SLES.11.ACSEndPoint
Category	EventCollection
Enabled	True
Alert Generate	False
Remotable	True

Member Modules:

ID	Module Type	TypeId	RunAs
EventDS	DataSource	Microsoft.Unix.SCXLog.Privileged.Datasource	Default
WA	WriteAction	Microsoft.ACS.Unix.SecureEventLogWriter	Default

Module Type

TypeId

RunAs

EventDS

DataSource

Microsoft.Unix.SCXLog.Privileged.Datasource

Default

WriteAction

Microsoft.ACS.Unix.SecureEventLogWriter

Default

Source Code:

<Rule ID="Microsoft.ACS.Linux.SLES.11.Ssh.Succeeded" Enabled="true" Target="Microsoft.ACS.Linux.SLES.11.ACSEndPoint" Remotable="true"> <Category>EventCollection</Category> <DataSources> <DataSource ID="EventDS" TypeID="Unix!Microsoft.Unix.SCXLog.Privileged.Datasource"> <Host>$Target/Host/Property[Type="Unix!Microsoft.Unix.Computer"]/NetworkName$</Host> <LogFile>/var/log/messages</LogFile>    <RegExpFilter>sshd\[[[:digit:]]+\]: Accepted \S+ for \S+ from \S+</RegExpFilter> </DataSource> </DataSources> <WriteActions> <WriteAction ID="WA" TypeID="ACS.Unix!Microsoft.ACS.Unix.SecureEventLogWriter"> <RegExp>(?'date'\S+\s+\d+\s+\d+:\d+:\d+)\s+(?:\S+:)?(?'hostname'\S+)\s+(?'process'sshd)\[(?'processId'\d+)\]: Accepted \S+ for (?'user'\S+) from (?'clientHost'\S+)</RegExp> <EventType>1</EventType> <EventId>27002</EventId> </WriteAction> </WriteActions> </Rule>