SSH 成功警示規則
Microsoft.HPUX.11iv2.LogFile.Syslog.SSHAuth.PAM.Root.Success.Alert (Rule)
以根 (root) 身分進行 SSH 成功的訊息警示規則。
Knowledge Base article:
Element properties:
Member Modules:
Source Code:
<Rule ID="Microsoft.HPUX.11iv2.LogFile.Syslog.SSHAuth.PAM.Root.Success.Alert" Target="Microsoft.HPUX.11iv2.Computer" Enabled="true" Remotable="true">
<Category>EventCollection</Category>
<DataSources>
<!-- [TYPE] HP SSH True -->
<!-- [INPUT] Nov 6 11:41:04 scxhpi10 sshd[26629]: Accepted keyboard-interactive/pam for root from 10.195.172.49 port 52266 ssh2 -->
<!-- [INPUT] Nov 6 11:39:20 scxhpi10 sshd[26526]: Accepted publickey for root from 10.195.172.49 port 52262 ssh2 -->
<!-- [INPUT-MISS] Nov 6 14:11:03 scxhpr3 sshd[21094]: Accepted keyboard-interactive/pam for jonas from 10.195.172.83 port 64853 ssh2 -->
<!-- [INPUT-MISS] Nov 6 14:11:23 scxhpr3 sshd[21113]: Accepted publickey for jonas from 10.195.172.83 port 64854 ssh2 -->
<DataSource ID="EventDS" TypeID="Unix!Microsoft.Unix.SCXLog.Datasource">
<Host>$Target/Property[Type="Unix!Microsoft.Unix.Computer"]/PrincipalName$</Host>
<LogFile>/var/adm/syslog/syslog.log</LogFile>
<RegExpFilter>[[:space:]]sshd\[[[:digit:]]+\]: Accepted [^[:space:]]+ for root from [^[:space:]]+</RegExpFilter>
<IndividualAlerts>false</IndividualAlerts>
</DataSource>
</DataSources>
<WriteActions>
<WriteAction ID="GenerateAlert" TypeID="SystemHealth!System.Health.GenerateAlert">
<Priority>1</Priority>
<Severity>0</Severity>
<AlertMessageId>$MPElement[Name="Microsoft.HPUX.11iv2.LogFile.Syslog.SSHAuth.PAM.Root.Success.AlertMessage"]$</AlertMessageId>
<AlertParameters>
<AlertParameter1>$Data/EventDescription$</AlertParameter1>
</AlertParameters>
<Suppression>
<SuppressionValue/>
</Suppression>
</WriteAction>
</WriteActions>
</Rule>
Home
ZHH