SSH log support for CEF
The following is an example of an SSH log on the FortiGate disk:
date=2018-12-27 time=14:36:15 logid="1600061002" type="utm" subtype="ssh" eventtype="ssh-command" level="notice" vd="vdom1" eventtime=1545950175 policyid=1 sessionid=12921 user="bob" profile="test-ssh" srcip=10.1.100.11 srcport=56698 dstip=172.16.200.55 dstport=22 srcintf="port12" srcintfrole="lan" dstintf="port11" dstintfrole="wan" proto=6 action="passthrough" direction="outgoing" login="root" command="ls" severity="low"
The following is an example of an SSH sent in CEF format to a syslog server:
Dec 27 14:36:15 FGT-A-LOG CEF: 0|Fortinet|Fortigate|v6.0.3|61002|utm:ssh ssh-command passthrough|3|deviceExternalId=FGT5HD3915800610 FTNTFGTlogid=1600061002 cat=utm:ssh FTNTFGTsubtype=ssh FTNTFGTeventtype=ssh-command FTNTFGTlevel=notice FTNTFGTvd=vdom1 FTNTFGTeventtime=1545950175 FTNTFGTpolicyid=1 externalId=12921 duser=bob FTNTFGTprofile=test-ssh src=10.1.100.11 spt=56698 dst=172.16.200.55 dpt=22 deviceInboundInterface=port12 FTNTFGTsrcintfrole=lan deviceOutboundInterface=port11 FTNTFGTdstintfrole=wan proto=6 act=passthrough FTNTFGTlogin=root FTNTFGTcommand=ls FTNTFGTseverity=low