Chat now with support
Chat with Support

One Identity Safeguard for Privileged Sessions 7.1.1 - Administration Guide

Preface Introduction The concepts of One Identity Safeguard for Privileged Sessions (SPS)
The philosophy of One Identity Safeguard for Privileged Sessions (SPS) Policies Credential Stores Plugin framework Indexing Supported protocols and client applications Modes of operation Connecting to a server through One Identity Safeguard for Privileged Sessions (SPS) Archive and backup concepts Maximizing the scope of auditing IPv6 in One Identity Safeguard for Privileged Sessions (SPS) SSH host keys Authenticating clients using public-key authentication in SSH The gateway authentication process Four-eyes authorization Network interfaces High Availability support in One Identity Safeguard for Privileged Sessions (SPS) Versions and releases of One Identity Safeguard for Privileged Sessions (SPS) Accessing and configuring One Identity Safeguard for Privileged Sessions (SPS)
Cloud deployment considerations The Welcome Wizard and the first login Basic settings
Supported web browsers The structure of the web interface Network settings Configuring date and time System logging, SNMP and e-mail alerts Configuring system monitoring on SPS Data and configuration backups Archiving Cleaning up audit data Using plugins Forwarding data to third-party systems Starling integration
User management and access control
Login settings Managing One Identity Safeguard for Privileged Sessions (SPS) users locally Setting password policies for local users Managing local user groups Managing One Identity Safeguard for Privileged Sessions (SPS) users from an LDAP database Authenticating users to a RADIUS server Authenticating users with X.509 certificates Authenticating users with SAML2 Managing user rights and usergroups Creating rules for restricting access to search audit data Displaying the privileges of users and user groups Listing and searching configuration changes
Managing One Identity Safeguard for Privileged Sessions (SPS)
Controlling One Identity Safeguard for Privileged Sessions (SPS): reboot, shutdown Managing One Identity Safeguard for Privileged Sessions (SPS) clusters Managing a High Availability One Identity Safeguard for Privileged Sessions (SPS) cluster Upgrading One Identity Safeguard for Privileged Sessions (SPS) Managing the One Identity Safeguard for Privileged Sessions (SPS) license Accessing the One Identity Safeguard for Privileged Sessions (SPS) console Sealed mode Out-of-band management of One Identity Safeguard for Privileged Sessions (SPS) Managing the certificates used on One Identity Safeguard for Privileged Sessions (SPS)
General connection settings HTTP-specific settings ICA-specific settings MSSQL-specific settings RDP-specific settings SSH-specific settings Using Sudo with SPS Telnet-specific settings VMware Horizon View connections VNC-specific settings Indexing audit trails Using the Search interface Advanced authentication and authorization techniques Reports The One Identity Safeguard for Privileged Sessions (SPS) REST API One Identity Safeguard for Privileged Sessions (SPS) scenarios Troubleshooting One Identity Safeguard for Privileged Sessions (SPS)
Network troubleshooting Gathering data about system problems Viewing logs on One Identity Safeguard for Privileged Sessions (SPS) Changing log verbosity level of One Identity Safeguard for Privileged Sessions (SPS) Collecting logs and system information for error reporting Collecting logs and system information of the boot process for error reporting Support hotfixes Status history and statistics Troubleshooting a One Identity Safeguard for Privileged Sessions (SPS) cluster Understanding One Identity Safeguard for Privileged Sessions (SPS) RAID status Restoring One Identity Safeguard for Privileged Sessions (SPS) configuration and data VNC is not working with TLS Configuring the IPMI from the BIOS after losing IPMI password Incomplete TSA response received Using UPN usernames in audited SSH connections
Using SPS with SPP Configuring external devices Using SCP with agent-forwarding Security checklist for configuring One Identity Safeguard for Privileged Sessions (SPS) Jumplists for in-product help Configuring SPS to use an LDAP backend Glossary

JSON-CIM

In One Identity Safeguard for Privileged Sessions (SPS) version 5.11 and later versions of SPS, the JSON-CIM external message format is also supported. The JSON-CIM format is a JSON format following Splunk's CIM field names. As a result, Splunk applications can interpret the JSON-CIM format.

Keys that are always present and filled:

dvc: string, equal to Device FQDN

event_name: string, the name of the event

product: string, the short name of the product and its version number

session_id: The unique ID of the session

_time: Timestamp when the event occurred

vendor: Contains the OneIdentity string

For details on the exact messages and the fields they contain, see JSON_CIM messages.

CEF messages

SessionClosed due to content policy violation

Description of the message: Emitted when content policy with termination action enabled is violated

Example message:

CEF:0|OneIdentity|SPS|5.11.0|449510124|SessionClosed|0|app=SSH cs1=svc-9S9nqpGqdns6GAJxULWjHp-my_connection-52 cs1Label=Session ID cs2=TERMINATED cs2Label=Verdict dhost=server.acme.com dpt=22 dst=10.170.255.206 duser=root dvc=10.30.24.20 shost=client.acme.com spt=45928 src=10.30.0.24 start=1568639938032 suser=gwtestauto

The message contains the following fields.

Field

Name

Scope

Present

index 0

CEF version

product

always

Description:

Example: CEF:0

Field

Name

Scope

Present

index 1

Device vendor

product

always

Description: fixed to OneIdentity

Example: OneIdentity

Field

Name

Scope

Present

index 2

Device product

product

always

Description: fixed to SPS

Example: SPS

Field

Name

Scope

Present

index 3

Device version

product version

always

Description: version of SPS

Example: 5.11.0

Field

Name

Scope

Present

index 4

Signature ID

message

always

Description: numeric identifier of message type

Example: 449510124

Field

Name

Scope

Present

index 5

Name

message

always

Description: the type of the message

Example: SessionClosed

Field

Name

Scope

Present

index 6

Severity

message

always

Description: number between 0-10 inclusive, equal to aggregated analytics score divided by 10 or 0 if analytics is disabled

Example: 0

Field

Name

Scope

Present

index 7

CEF extensions

product

always

Description: contains the payload in key-value form

Example: app=SSH cs1=svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0 cs1Label=Session ID dhost=server.acme.com dpt=22 ...

Field

Name

Scope

Present

start

Start time

message

always

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Field

Name

Scope

Present

dvc

Device address

device

always

Description: IP address of SPS

Example: 10.30.24.20

Field

Name

Scope

Present

app

Application protocol

session

always

Description: SPS supported protocol

Example: SSH

Field

Name

Scope

Present

cs1

Session ID

session

always

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Field

Name

Scope

Present

cs1Label

Session ID label

product

always

Description: fixed to Session ID

Example: Session ID

Field

Name

Scope

Present

dst

Destination address

session

always

Description: the IP address of the server

Example: 10.170.255.206

Field

Name

Scope

Present

dhost

Destination host name

session

always

Description: the server hostname or IP address if hostname is not known

Example: server.acme.com

Field

Name

Scope

Present

duser

Destination username

session

always

Description: the server username

Example: root

Field

Name

Scope

Present

dpt

Destination port

session

always

Description: the port number on the server

Example: 22

Field

Name

Scope

Present

src

Source address

session

always

Description: the IP address of the client

Example: 10.30.0.24

Field

Name

Scope

Present

shost

Source host name

session

always

Description: the client hostname or IP address if hostname is not known

Example: client.acme.com

Field

Name

Scope

Present

suser

Source username

session

sometimes

Description: the authenticated gateway username if there was a successful gateway authentication

Example: gwtestauto

Field

Name

Scope

Present

spt

Source port

session

always

Description: the port number on the client

Example: 38014

Field

Name

Scope

Present

cs2

Verdict

session

always

Description: describes how the session ended, e.g. ACCEPT, AUTH_FAIL, DENY, FAIL, TERMINATED

Example: TERMINATED

Field

Name

Scope

Present

cs2Label

Verdict label

message

always

Description: fixed to Verdict

Example: Verdict

ChannelAlert triggered

Description of the message: Emitted when channel alert triggered by content policy

Example message:

CEF:0|OneIdentity|SPS|5.11.0|1244069864|ChannelAlert|0|app=SSH cs1=svc-fPr7beYhfY11DuFUXa2628-my_connection-17 cs1Label=Session ID cs2=Commands cs2Label=Event type cs3=sudo cs3Label=Matched regexp dst=10.170.255.206 duser=root dvc=10.30.24.20 reason=PatternMatcherRule src=10.30.0.24 start=1567600928995 suser=gwtestauto

The message contains the following fields.

Field

Name

Scope

Present

index 0

CEF version

product

always

Description:

Example: CEF:0

Field

Name

Scope

Present

index 1

Device vendor

product

always

Description: fixed to OneIdentity

Example: OneIdentity

Field

Name

Scope

Present

index 2

Device product

product

always

Description: fixed to SPS

Example: SPS

Field

Name

Scope

Present

index 3

Device version

product version

always

Description: version of SPS

Example: 5.11.0

Field

Name

Scope

Present

index 4

Signature ID

message

always

Description: numeric identifier of message type

Example: 1244069864

Field

Name

Scope

Present

index 5

Name

message

always

Description: the type of the message

Example: ChannelAlert

Field

Name

Scope

Present

index 6

Severity

message

always

Description: number between 0-10 inclusive, equal to aggregated analytics score divided by 10 or 0 if analytics is disabled

Example: 0

Field

Name

Scope

Present

index 7

CEF extensions

product

always

Description: contains the payload in key-value form

Example: app=SSH cs1=svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0 cs1Label=Session ID dhost=server.acme.com dpt=22 ...

Field

Name

Scope

Present

start

Start time

message

always

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Field

Name

Scope

Present

app

Application protocol

session

always

Description: SPS supported protocol

Example: SSH

Field

Name

Scope

Present

cs1

Session ID

session

always

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Field

Name

Scope

Present

cs1Label

Session ID label

product

always

Description: fixed to Session ID

Example: Session ID

Field

Name

Scope

Present

cs2

Event type

message

sometimes

Description: the type of the event triggering the alert e.g. Command, Full screen content

Example: Command

Field

Name

Scope

Present

cs2Label

Event type label

message

sometimes

Description: fixed to Event type

Example: Event type

Field

Name

Scope

Present

cs3

Matched regexp

message

sometimes

Description: the regexp matching the content that triggered the alert

Example: sudo

Field

Name

Scope

Present

cs3Label

Matched regexp label

message

sometimes

Description: fixed to Matched regexp

Example: Matched regexp

Field

Name

Scope

Present

dst

Destination address

session

always

Description: the IP address of the server

Example: 10.170.255.206

Field

Name

Scope

Present

duser

Destination username

session

always

Description: the server username

Example: root

Field

Name

Scope

Present

dvc

Device address

device

always

Description: IP address of SPS

Example: 10.30.24.20

Field

Name

Scope

Present

reason

Reason

message

sometimes

Description: the rule triggering alert

Example: PatternMatcherRule

Field

Name

Scope

Present

src

Source address

session

always

Description: the IP address of the client

Example: 10.30.0.24

Field

Name

Scope

Present

suser

Source username

session

sometimes

Description: the authenticated gateway username if there was a successful gateway authentication

Example: gwtestauto

ServerConnect on initial contact

Description of the message: Emitted when SPS connects to the serverfor the first time in the session

Example message:

CEF:0|OneIdentity|SPS|5.11.0|107115592|ServerConnect|0|app=SSH cs1=svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0 cs1Label=Session ID dhost=server.acme.com dpt=22 dst=10.170.255.206 duser= dvc=10.30.24.20 shost=client.acme.com spt=38014 src=10.30.0.24 start=1554470650290 suser=gwtestauto

The message contains the following fields.

Field

Name

Scope

Present

index 0

CEF version

product

always

Description:

Example: CEF:0

Field

Name

Scope

Present

index 1

Device vendor

product

always

Description: fixed to OneIdentity

Example: OneIdentity

Field

Name

Scope

Present

index 2

Device product

product

always

Description: fixed to SPS

Example: SPS

Field

Name

Scope

Present

index 3

Device version

product version

always

Description: version of SPS

Example: 5.11.0

Field

Name

Scope

Present

index 4

Signature ID

message

always

Description: numeric identifier of message type

Example: 107115592

Field

Name

Scope

Present

index 5

Name

message

always

Description: the type of the message

Example: ServerConnect

Field

Name

Scope

Present

index 6

Severity

message

always

Description: number between 0-10 inclusive, equal to aggregated analytics score divided by 10 or 0 if analytics is disabled

Example: 0

Field

Name

Scope

Present

index 7

CEF extensions

product

always

Description: contains the payload in key-value form

Example: app=SSH cs1=svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0 cs1Label=Session ID dhost=server.acme.com dpt=22 ...

Field

Name

Scope

Present

start

Start time

message

always

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Field

Name

Scope

Present

dvc

Device address

device

always

Description: IP address of SPS

Example: 10.30.24.20

Field

Name

Scope

Present

app

Application protocol

session

always

Description: SPS supported protocol

Example: SSH

Field

Name

Scope

Present

cs1

Session ID

session

always

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Field

Name

Scope

Present

cs1Label

Session ID label

product

always

Description: fixed to Session ID

Example: Session ID

Field

Name

Scope

Present

dst

Destination address

session

always

Description: the IP address of the server

Example: 10.170.255.206

Field

Name

Scope

Present

dhost

Destination host name

session

always

Description: the server hostname or IP address if hostname is not known

Example: server.acme.com

Field

Name

Scope

Present

duser

Destination username

message

always

Description: empty, not known in this message type

Example:

Field

Name

Scope

Present

dpt

Destination port

session

always

Description: the port number on the server

Example: 22

Field

Name

Scope

Present

src

Source address

session

always

Description: the IP address of the client

Example: 10.30.0.24

Field

Name

Scope

Present

shost

Source host name

session

always

Description: the client hostname or IP address if hostname is not known

Example: client.acme.com

Field

Name

Scope

Present

suser

Source username

session

sometimes

Description: the authenticated gateway username if there was a successful gateway authentication

Example: gwtestauto

Field

Name

Scope

Present

spt

Source port

session

always

Description: the port number on the client

Example: 38014

ServerConnect for secondary channels

Description of the message: Emitted when SPS connects to the serverfor opening further channels. The difference from initial connection is that the server user name is known and authenticated this time.

Example message:

CEF:0|OneIdentity|SPS|5.11.0|107115592|ServerConnect|0|app=SSH cs1=svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0 cs1Label=Session ID dhost=server.acme.com dpt=22 dst=10.170.255.206 duser=root dvc=10.30.24.20 shost=client.acme.com spt=38014 src=10.30.0.24 start=1554470650290 suser=gwtestauto

The message contains the following fields.

Field

Name

Scope

Present

index 0

CEF version

product

always

Description:

Example: CEF:0

Field

Name

Scope

Present

index 1

Device vendor

product

always

Description: fixed to OneIdentity

Example: OneIdentity

Field

Name

Scope

Present

index 2

Device product

product

always

Description: fixed to SPS

Example: SPS

Field

Name

Scope

Present

index 3

Device version

product version

always

Description: version of SPS

Example: 5.11.0

Field

Name

Scope

Present

index 4

Signature ID

message

always

Description: numeric identifier of message type

Example: 107115592

Field

Name

Scope

Present

index 5

Name

message

always

Description: the type of the message

Example: ServerConnect

Field

Name

Scope

Present

index 6

Severity

message

always

Description: number between 0-10 inclusive, equal to aggregated analytics score divided by 10 or 0 if analytics is disabled

Example: 0

Field

Name

Scope

Present

index 7

CEF extensions

product

always

Description: contains the payload in key-value form

Example: app=SSH cs1=svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0 cs1Label=Session ID dhost=server.acme.com dpt=22 ...

Field

Name

Scope

Present

start

Start time

message

always

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Field

Name

Scope

Present

dvc

Device address

device

always

Description: IP address of SPS

Example: 10.30.24.20

Field

Name

Scope

Present

app

Application protocol

session

always

Description: SPS supported protocol

Example: SSH

Field

Name

Scope

Present

cs1

Session ID

session

always

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Field

Name

Scope

Present

cs1Label

Session ID label

product

always

Description: fixed to Session ID

Example: Session ID

Field

Name

Scope

Present

dst

Destination address

session

always

Description: the IP address of the server

Example: 10.170.255.206

Field

Name

Scope

Present

dhost

Destination host name

session

always

Description: the server hostname or IP address if hostname is not known

Example: server.acme.com

Field

Name

Scope

Present

duser

Destination username

session

always

Description: the server username

Example: root

Field

Name

Scope

Present

dpt

Destination port

session

always

Description: the port number on the server

Example: 22

Field

Name

Scope

Present

src

Source address

session

always

Description: the IP address of the client

Example: 10.30.0.24

Field

Name

Scope

Present

shost

Source host name

session

always

Description: the client hostname or IP address if hostname is not known

Example: client.acme.com

Field

Name

Scope

Present

suser

Source username

session

sometimes

Description: the authenticated gateway username if there was a successful gateway authentication

Example: gwtestauto

Field

Name

Scope

Present

spt

Source port

session

always

Description: the port number on the client

Example: 38014

ServerAuthenticationSuccess

Description of the message: Emitted after the server authentication successfully happened

Example message:

CEF:0|OneIdentity|SPS|5.11.0|1865245228|ServerAuthenticationSuccess|0|app=SSH cs1=svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0 cs1Label=Session ID dhost=server.acme.com dpt=22 dst=10.170.255.206 duser=root dvc=10.30.24.20 shost=client.acme.com spt=38014 src=10.30.0.24 start=1554470652340 suser=gwtestauto

The message contains the following fields.

Field

Name

Scope

Present

index 0

CEF version

product

always

Description:

Example: CEF:0

Field

Name

Scope

Present

index 1

Device vendor

product

always

Description: fixed to OneIdentity

Example: OneIdentity

Field

Name

Scope

Present

index 2

Device product

product

always

Description: fixed to SPS

Example: SPS

Field

Name

Scope

Present

index 3

Device version

product version

always

Description: version of SPS

Example: 5.11.0

Field

Name

Scope

Present

index 4

Signature ID

message

always

Description: numeric identifier of message type

Example: 1865245228

Field

Name

Scope

Present

index 5

Name

message

always

Description: the type of the message

Example: ServerAuthenticationSuccess

Field

Name

Scope

Present

index 6

Severity

message

always

Description: number between 0-10 inclusive, equal to aggregated analytics score divided by 10 or 0 if analytics is disabled

Example: 0

Field

Name

Scope

Present

index 7

CEF extensions

product

always

Description: contains the payload in key-value form

Example: app=SSH cs1=svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0 cs1Label=Session ID dhost=server.acme.com dpt=22 ...

Field

Name

Scope

Present

start

Start time

message

always

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Field

Name

Scope

Present

dvc

Device address

device

always

Description: IP address of SPS

Example: 10.30.24.20

Field

Name

Scope

Present

app

Application protocol

session

always

Description: SPS supported protocol

Example: SSH

Field

Name

Scope

Present

cs1

Session ID

session

always

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Field

Name

Scope

Present

cs1Label

Session ID label

product

always

Description: fixed to Session ID

Example: Session ID

Field

Name

Scope

Present

dst

Destination address

session

always

Description: the IP address of the server

Example: 10.170.255.206

Field

Name

Scope

Present

dhost

Destination host name

session

always

Description: the server hostname or IP address if hostname is not known

Example: server.acme.com

Field

Name

Scope

Present

duser

Destination username

session

always

Description: the server username

Example: root

Field

Name

Scope

Present

dpt

Destination port

session

always

Description: the port number on the server

Example: 22

Field

Name

Scope

Present

src

Source address

session

always

Description: the IP address of the client

Example: 10.30.0.24

Field

Name

Scope

Present

shost

Source host name

session

always

Description: the client hostname or IP address if hostname is not known

Example: client.acme.com

Field

Name

Scope

Present

suser

Source username

session

sometimes

Description: the authenticated gateway username if there was a successful gateway authentication

Example: gwtestauto

Field

Name

Scope

Present

spt

Source port

session

always

Description: the port number on the client

Example: 38014

ServerAuthenticationFailure

Description of the message: Emitted after the server authentication failed

Example message:

CEF:0|OneIdentity|SPS|5.11.0|1262825953|ServerAuthenticationFailure|0|app=SSH cs1=svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0 cs1Label=Session ID dhost=server.acme.com dpt=22 dst=10.170.255.206 duser=root dvc=10.30.24.20 shost=client.acme.com spt=38014 src=10.30.0.24 start=1554470652340 suser=gwtestauto

The message contains the following fields.

Field

Name

Scope

Present

index 0

CEF version

product

always

Description:

Example: CEF:0

Field

Name

Scope

Present

index 1

Device vendor

product

always

Description: fixed to OneIdentity

Example: OneIdentity

Field

Name

Scope

Present

index 2

Device product

product

always

Description: fixed to SPS

Example: SPS

Field

Name

Scope

Present

index 3

Device version

product version

always

Description: version of SPS

Example: 5.11.0

Field

Name

Scope

Present

index 4

Signature ID

message

always

Description: numeric identifier of message type

Example: 1262825953

Field

Name

Scope

Present

index 5

Name

message

always

Description: the type of the message

Example: ServerAuthenticationFailure

Field

Name

Scope

Present

index 6

Severity

message

always

Description: number between 0-10 inclusive, equal to aggregated analytics score divided by 10 or 0 if analytics is disabled

Example: 0

Field

Name

Scope

Present

index 7

CEF extensions

product

always

Description: contains the payload in key-value form

Example: app=SSH cs1=svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0 cs1Label=Session ID dhost=server.acme.com dpt=22 ...

Field

Name

Scope

Present

start

Start time

message

always

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Field

Name

Scope

Present

dvc

Device address

device

always

Description: IP address of SPS

Example: 10.30.24.20

Field

Name

Scope

Present

app

Application protocol

session

always

Description: SPS supported protocol

Example: SSH

Field

Name

Scope

Present

cs1

Session ID

session

always

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Field

Name

Scope

Present

cs1Label

Session ID label

product

always

Description: fixed to Session ID

Example: Session ID

Field

Name

Scope

Present

dst

Destination address

session

always

Description: the IP address of the server

Example: 10.170.255.206

Field

Name

Scope

Present

dhost

Destination host name

session

always

Description: the server hostname or IP address if hostname is not known

Example: server.acme.com

Field

Name

Scope

Present

duser

Destination username

session

always

Description: contains the non authenticated server username

Example: root

Field

Name

Scope

Present

dpt

Destination port

session

always

Description: the port number on the server

Example: 22

Field

Name

Scope

Present

src

Source address

session

always

Description: the IP address of the client

Example: 10.30.0.24

Field

Name

Scope

Present

shost

Source host name

session

always

Description: the client hostname or IP address if hostname is not known

Example: client.acme.com

Field

Name

Scope

Present

suser

Source username

session

sometimes

Description: the authenticated gateway username if there was a successful gateway authentication

Example: gwtestauto

Field

Name

Scope

Present

spt

Source port

session

always

Description: the port number on the client

Example: 38014

GatewayAuthenticationFailure

Description of the message: Emitted after a failed gateway authentication. Note that the gateway username here is not authenticated and will not be retained in further messages to avoid confusion with an authenticated gateway user.

Example message:

CEF:0|OneIdentity|SPS|5.11.0|1843867026|GatewayAuthenticationFailure|0|app=SSH cs1=svc-mBbMWzauBWHQN9TpoZz8mD-my_connection-3 cs1Label=Session ID dhost= dpt= dst= duser= dvc=10.30.24.20 shost=client.acme.com spt=46296 src=10.30.0.24 start=1557912667169 suser=gwtestauto

The message contains the following fields.

Field

Name

Scope

Present

index 0

CEF version

product

always

Description:

Example: CEF:0

Field

Name

Scope

Present

index 1

Device vendor

product

always

Description: fixed to OneIdentity

Example: OneIdentity

Field

Name

Scope

Present

index 2

Device product

product

always

Description: fixed to SPS

Example: SPS

Field

Name

Scope

Present

index 3

Device version

product version

always

Description: version of SPS

Example: 5.11.0

Field

Name

Scope

Present

index 4

Signature ID

message

always

Description: numeric identifier of message type

Example: 1843867026

Field

Name

Scope

Present

index 5

Name

message

always

Description: the type of the message

Example: GatewayAuthenticationFailure

Field

Name

Scope

Present

index 6

Severity

message

always

Description: number between 0-10 inclusive, equal to aggregated analytics score divided by 10 or 0 if analytics is disabled

Example: 0

Field

Name

Scope

Present

index 7

CEF extensions

product

always

Description: contains the payload in key-value form

Example: app=SSH cs1=svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0 cs1Label=Session ID dhost=server.acme.com dpt=22 ...

Field

Name

Scope

Present

start

Start time

message

always

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Field

Name

Scope

Present

dvc

Device address

device

always

Description: IP address of SPS

Example: 10.30.24.20

Field

Name

Scope

Present

app

Application protocol

session

always

Description: SPS supported protocol

Example: SSH

Field

Name

Scope

Present

cs1

Session ID

session

always

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Field

Name

Scope

Present

cs1Label

Session ID label

product

always

Description: fixed to Session ID

Example: Session ID

Field

Name

Scope

Present

dst

Destination address

session

always

Description: empty, not known in this message type

Example:

Field

Name

Scope

Present

dhost

Destination host name

session

always

Description: empty, not known in this message type

Example:

Field

Name

Scope

Present

duser

Destination username

message

always

Description: empty, not known in this message type

Example:

Field

Name

Scope

Present

dpt

Destination port

session

always

Description: empty, not known in this message type

Example:

Field

Name

Scope

Present

src

Source address

session

always

Description: the IP address of the client

Example: 10.30.0.24

Field

Name

Scope

Present

shost

Source host name

session

always

Description: the client hostname or IP address if hostname is not known

Example: client.acme.com

Field

Name

Scope

Present

suser

Source username

message

always

Description: the non authenticated gateway username

Example: gwtestauto

Field

Name

Scope

Present

spt

Source port

session

always

Description: the port number on the client

Example: 38014

SessionClosed of successfully authenticated session

Description of the message: Emitted when the session ends and server authentication and any gateway authentication was successful. There may be further messages related to the session after this message due to post processing of session data!

Example message:

CEF:0|OneIdentity|SPS|5.11.0|449510124|SessionClosed|0|app=SSH cs2=ACCEPT cs2Label=Verdict cs1=svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0 cs1Label=Session ID dhost=server.acme.com dpt=22 dst=10.170.255.206 duser=root dvc=10.30.24.20 shost=client.acme.com spt=38014 src=10.30.0.24 start=1554470652340 suser=gwtestauto

The message contains the following fields.

Field

Name

Scope

Present

index 0

CEF version

product

always

Description:

Example: CEF:0

Field

Name

Scope

Present

index 1

Device vendor

product

always

Description: fixed to OneIdentity

Example: OneIdentity

Field

Name

Scope

Present

index 2

Device product

product

always

Description: fixed to SPS

Example: SPS

Field

Name

Scope

Present

index 3

Device version

product version

always

Description: version of SPS

Example: 5.11.0

Field

Name

Scope

Present

index 4

Signature ID

message

always

Description: numeric identifier of message type

Example: 449510124

Field

Name

Scope

Present

index 5

Name

message

always

Description: the type of the message

Example: SessionClosed

Field

Name

Scope

Present

index 6

Severity

message

always

Description: number between 0-10 inclusive, equal to aggregated analytics score divided by 10 or 0 if analytics is disabled

Example: 0

Field

Name

Scope

Present

index 7

CEF extensions

product

always

Description: contains the payload in key-value form

Example: app=SSH cs1=svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0 cs1Label=Session ID dhost=server.acme.com dpt=22 ...

Field

Name

Scope

Present

start

Start time

message

always

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Field

Name

Scope

Present

dvc

Device address

device

always

Description: IP address of SPS

Example: 10.30.24.20

Field

Name

Scope

Present

app

Application protocol

session

always

Description: SPS supported protocol

Example: SSH

Field

Name

Scope

Present

cs1

Session ID

session

always

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Field

Name

Scope

Present

cs1Label

Session ID label

product

always

Description: fixed to Session ID

Example: Session ID

Field

Name

Scope

Present

dst

Destination address

session

always

Description: the IP address of the server

Example: 10.170.255.206

Field

Name

Scope

Present

dhost

Destination host name

session

always

Description: the server hostname or IP address if hostname is not known

Example: server.acme.com

Field

Name

Scope

Present

duser

Destination username

session

always

Description: the server username

Example: root

Field

Name

Scope

Present

dpt

Destination port

session

always

Description: the port number on the server

Example: 22

Field

Name

Scope

Present

src

Source address

session

always

Description: the IP address of the client

Example: 10.30.0.24

Field

Name

Scope

Present

shost

Source host name

session

always

Description: the client hostname or IP address if hostname is not known

Example: client.acme.com

Field

Name

Scope

Present

suser

Source username

session

sometimes

Description: the authenticated gateway username if there was a successful gateway authentication

Example: gwtestauto

Field

Name

Scope

Present

spt

Source port

session

always

Description: the port number on the client

Example: 38014

Field

Name

Scope

Present

cs2

Verdict

session

always

Description: describes how the session ended, e.g. ACCEPT, AUTH_FAIL, DENY, FAIL, TERMINATED

Example: ACCEPT

Field

Name

Scope

Present

cs2Label

Verdict label

message

always

Description: fixed to Verdict

Example: Verdict

SessionClosed after a failed gateway authentication

Description of the message: Emitted when the session ends because gateway authentication failed.

Example message:

CEF:0|OneIdentity|SPS|5.11.0|449510124|SessionClosed|0|app=SSH cs1=svc-iiCfsG48oJG5smpuocBLAN-my_connection-25 cs1Label=Session ID dhost= dpt= dst= duser= dvc=10.30.24.20 shost=client.acme.com spt=54632 src=10.30.0.24 start=1557913042048 suser= cs2=AUTH_FAIL cs2Label=Verdict

The message contains the following fields.

Field

Name

Scope

Present

index 0

CEF version

product

always

Description:

Example: CEF:0

Field

Name

Scope

Present

index 1

Device vendor

product

always

Description: fixed to OneIdentity

Example: OneIdentity

Field

Name

Scope

Present

index 2

Device product

product

always

Description: fixed to SPS

Example: SPS

Field

Name

Scope

Present

index 3

Device version

product version

always

Description: version of SPS

Example: 5.11.0

Field

Name

Scope

Present

index 4

Signature ID

message

always

Description: numeric identifier of message type

Example: 449510124

Field

Name

Scope

Present

index 5

Name

message

always

Description: the type of the message

Example: SessionClosed

Field

Name

Scope

Present

index 6

Severity

message

always

Description: number between 0-10 inclusive, equal to aggregated analytics score divided by 10 or 0 if analytics is disabled

Example: 0

Field

Name

Scope

Present

index 7

CEF extensions

product

always

Description: contains the payload in key-value form

Example: app=SSH cs1=svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0 cs1Label=Session ID dhost=server.acme.com dpt=22 ...

Field

Name

Scope

Present

start

Start time

message

always

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Field

Name

Scope

Present

dvc

Device address

device

always

Description: IP address of SPS

Example: 10.30.24.20

Field

Name

Scope

Present

app

Application protocol

session

always

Description: SPS supported protocol

Example: SSH

Field

Name

Scope

Present

cs1

Session ID

session

always

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Field

Name

Scope

Present

cs1Label

Session ID label

product

always

Description: fixed to Session ID

Example: Session ID

Field

Name

Scope

Present

dst

Destination address

session

always

Description: empty, not known in this message type

Example:

Field

Name

Scope

Present

dhost

Destination host name

session

always

Description: empty, not known in this message type

Example:

Field

Name

Scope

Present

duser

Destination username

message

always

Description: empty, not known in this message type

Example:

Field

Name

Scope

Present

dpt

Destination port

session

always

Description: empty, not known in this message type

Example:

Field

Name

Scope

Present

src

Source address

session

always

Description: the IP address of the client

Example: 10.30.0.24

Field

Name

Scope

Present

shost

Source host name

session

always

Description: the client hostname or IP address if hostname is not known

Example: client.acme.com

Field

Name

Scope

Present

suser

Source username

session

always

Description: empty, not known in this message type

Example:

Field

Name

Scope

Present

spt

Source port

session

always

Description: the port number on the client

Example: 38014

Field

Name

Scope

Present

cs2

Verdict

session

always

Description: describes how the session ended, e.g. ACCEPT, AUTH_FAIL, DENY, FAIL, TERMINATED

Example: AUTH_FAIL

Field

Name

Scope

Present

cs2Label

Verdict label

message

always

Description: fixed to Verdict

Example: Verdict

SessionClosed after a failed server authentication

Description of the message: Emitted when the session ends because server authentication failed.

Example message:

CEF:0|OneIdentity|SPS|5.11.0|449510124|SessionClosed|0|app=SSH cs1=svc-iiCfsG48oJG5smpuocBLAN-my_connection-27 cs1Label=Session ID dhost=server.acme.com dpt=22 dst=10.170.255.206 duser= dvc=10.30.24.20 shost=client.acme.com spt=55084 src=10.30.0.24 start=1557913066163 suser=gwtestauto cs2=AUTH_FAIL cs2Label=Verdict

The message contains the following fields.

Field

Name

Scope

Present

index 0

CEF version

product

always

Description:

Example: CEF:0

Field

Name

Scope

Present

index 1

Device vendor

product

always

Description: fixed to OneIdentity

Example: OneIdentity

Field

Name

Scope

Present

index 2

Device product

product

always

Description: fixed to SPS

Example: SPS

Field

Name

Scope

Present

index 3

Device version

product version

always

Description: version of SPS

Example: 5.11.0

Field

Name

Scope

Present

index 4

Signature ID

message

always

Description: numeric identifier of message type

Example: 449510124

Field

Name

Scope

Present

index 5

Name

message

always

Description: the type of the message

Example: SessionClosed

Field

Name

Scope

Present

index 6

Severity

message

always

Description: number between 0-10 inclusive, equal to aggregated analytics score divided by 10 or 0 if analytics is disabled

Example: 0

Field

Name

Scope

Present

index 7

CEF extensions

product

always

Description: contains the payload in key-value form

Example: app=SSH cs1=svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0 cs1Label=Session ID dhost=server.acme.com dpt=22 ...

Field

Name

Scope

Present

start

Start time

message

always

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Field

Name

Scope

Present

dvc

Device address

device

always

Description: IP address of SPS

Example: 10.30.24.20

Field

Name

Scope

Present

app

Application protocol

session

always

Description: SPS supported protocol

Example: SSH

Field

Name

Scope

Present

cs1

Session ID

session

always

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Field

Name

Scope

Present

cs1Label

Session ID label

product

always

Description: fixed to Session ID

Example: Session ID

Field

Name

Scope

Present

dst

Destination address

session

always

Description: the IP address of the server

Example: 10.170.255.206

Field

Name

Scope

Present

dhost

Destination host name

session

always

Description: the server hostname or IP address if hostname is not known

Example: server.acme.com

Field

Name

Scope

Present

duser

Destination username

message

always

Description: empty, not known in this message type

Example:

Field

Name

Scope

Present

dpt

Destination port

session

always

Description: the port number on the server

Example: 22

Field

Name

Scope

Present

src

Source address

session

always

Description: the IP address of the client

Example: 10.30.0.24

Field

Name

Scope

Present

shost

Source host name

session

always

Description: the client hostname or IP address if hostname is not known

Example: client.acme.com

Field

Name

Scope

Present

suser

Source username

session

sometimes

Description: the authenticated gateway username if there was a successful gateway authentication

Example: gwtestauto

Field

Name

Scope

Present

spt

Source port

session

always

Description: the port number on the client

Example: 38014

Field

Name

Scope

Present

cs2

Verdict

session

always

Description: describes how the session ended, e.g. ACCEPT, AUTH_FAIL, DENY, FAIL, TERMINATED

Example: AUTH_FAIL

Field

Name

Scope

Present

cs2Label

Verdict label

message

always

Description: fixed to Verdict

Example: Verdict

RdpEmbeddedInTsg

Description of the message: Emitted when the gateway user is acquired in a Terminal Service Gateway authentication scenario.

Example message:

CEF:0|OneIdentity|SPS|5.11.0|998298775|RdpEmbeddedInTsg|0|app=RDP cs1=svc-oUDm7arcL8zNb3t2CVwSQr-my_connection-44-1 cs1Label=Session ID dhost= dpt= dst= duser= dvc=10.30.24.20 shost=client.acme.com spt=51083 src=10.30.0.24 start=1558006199668 suser=gwtestauto

The message contains the following fields.

Field

Name

Scope

Present

index 0

CEF version

product

always

Description:

Example: CEF:0

Field

Name

Scope

Present

index 1

Device vendor

product

always

Description: fixed to OneIdentity

Example: OneIdentity

Field

Name

Scope

Present

index 2

Device product

product

always

Description: fixed to SPS

Example: SPS

Field

Name

Scope

Present

index 3

Device version

product version

always

Description: version of SPS

Example: 5.11.0

Field

Name

Scope

Present

index 4

Signature ID

message

always

Description: numeric identifier of message type

Example: 998298775

Field

Name

Scope

Present

index 5

Name

message

always

Description: the type of the message

Example: RdpEmbeddedInTsg

Field

Name

Scope

Present

index 6

Severity

message

always

Description: number between 0-10 inclusive, equal to aggregated analytics score divided by 10 or 0 if analytics is disabled

Example: 0

Field

Name

Scope

Present

index 7

CEF extensions

product

always

Description: contains the payload in key-value form

Example: app=SSH cs1=svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0 cs1Label=Session ID dhost=server.acme.com dpt=22 ...

Field

Name

Scope

Present

start

Start time

message

always

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Field

Name

Scope

Present

dvc

Device address

device

always

Description: IP address of SPS

Example: 10.30.24.20

Field

Name

Scope

Present

app

Application protocol

session

always

Description: SPS supported protocol

Example: SSH

Field

Name

Scope

Present

cs1

Session ID

session

always

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Field

Name

Scope

Present

cs1Label

Session ID label

product

always

Description: fixed to Session ID

Example: Session ID

Field

Name

Scope

Present

dst

Destination address

session

always

Description: empty, not known in this message type

Example:

Field

Name

Scope

Present

dhost

Destination host name

session

always

Description: empty, not known in this message type

Example:

Field

Name

Scope

Present

duser

Destination username

message

always

Description: empty, not known in this message type

Example:

Field

Name

Scope

Present

dpt

Destination port

session

always

Description: empty, not known in this message type

Example:

Field

Name

Scope

Present

src

Source address

session

always

Description: the IP address of the client

Example: 10.30.0.24

Field

Name

Scope

Present

shost

Source host name

session

always

Description: the client hostname or IP address if hostname is not known

Example: client.acme.com

Field

Name

Scope

Present

suser

Source username

session

always

Description: the authenticated gateway username

Example: gwtestauto

Field

Name

Scope

Present

spt

Source port

session

always

Description: the port number on the client

Example: 38014

SessionScored

Description of the message: Score messages represent scoring events when SPS has calculated an initial or changed score for the session.

Example message:

CEF:0|OneIdentity|SPS|5.11.0|1991765353|SessionScored|7|app=SSH cs1=svc-822TNSfws1M6qixvRjQX8b-my_connection-4 cs1Label=Session ID cs2=70 cs2Label=Aggregated session score cs3=keystroke cs3Label=Scorer algorithm name cs4=18 cs4Label=Score given by algorithm dst=10.170.255.206 duser=root dvc=10.30.24.20 src=10.30.0.24 start=1558008998716 suser=gwtestauto

The message contains the following fields.

Field

Name

Scope

Present

index 0

CEF version

product

always

Description:

Example: CEF:0

Field

Name

Scope

Present

index 1

Device vendor

product

always

Description: fixed to OneIdentity

Example: OneIdentity

Field

Name

Scope

Present

index 2

Device product

product

always

Description: fixed to SPS

Example: SPS

Field

Name

Scope

Present

index 3

Device version

product version

always

Description: version of SPS

Example: 5.11.0

Field

Name

Scope

Present

index 4

Signature ID

message

always

Description: numeric identifier of message type

Example: 1991765353

Field

Name

Scope

Present

index 5

Name

message

always

Description: the type of the message

Example: SessionScored

Field

Name

Scope

Present

index 6

Severity

message

always

Description: number between 0-10 inclusive, equal to aggregated analytics score divided by 10 or 0 if analytics is disabled

Example: 0

Field

Name

Scope

Present

index 7

CEF extensions

product

always

Description: contains the payload in key-value form

Example: app=SSH cs1=svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0 cs1Label=Session ID dhost=server.acme.com dpt=22 ...

Field

Name

Scope

Present

start

Start time

message

always

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Field

Name

Scope

Present

dvc

Device address

device

always

Description: IP address of SPS

Example: 10.30.24.20

Field

Name

Scope

Present

app

Application protocol

session

always

Description: SPS supported protocol

Example: SSH

Field

Name

Scope

Present

cs1

Session ID

session

always

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Field

Name

Scope

Present

cs1Label

Session ID label

product

always

Description: fixed to Session ID

Example: Session ID

Field

Name

Scope

Present

dst

Destination address

session

always

Description: the IP address of the server

Example: 10.170.255.206

Field

Name

Scope

Present

duser

Destination username

session

always

Description: the server username

Example: root

Field

Name

Scope

Present

src

Source address

session

always

Description: the IP address of the client

Example: 10.30.0.24

Field

Name

Scope

Present

suser

Source username

session

sometimes

Description: the authenticated gateway username if there was a successful gateway authentication

Example: gwtestauto

Field

Name

Scope

Present

cs2

Aggregated score

message

always

Description: the average score from all enabled analytics algorithms

Example: 50

Field

Name

Scope

Present

cs2Label

Aggregated score label

message

always

Description: fixed to Aggregated session score

Example: Aggregated session score

Field

Name

Scope

Present

cs3

Algorithm name

message

always

Description: the name of the algorithm that changed value

Example: keystroke

Field

Name

Scope

Present

cs3Label

Algorithm name label

message

always

Description: fixed to Scorer algorithm name

Example: Scorer algorithm name

Field

Name

Scope

Present

cs4

Algorithm score

message

always

Description: the new score value of the algorithm that changed value

Example: 60

Field

Name

Scope

Present

cs4Label

Algorithm score label

message

always

Description: fixed to Score given by algorithm

Example: Score given by algorithm

CommandChannelEvent

Description of the message: Emitted when a command is detected in the session channel text.

Example message:

CEF:0|OneIdentity|SPS|5.11.0|127084214|CommandChannelEvent|0|app=SSH cs1=svc-sZZoAcZZz9CbtCzTKWXgao-my_connection-0 cs1Label=Session ID cs2=exit cs2Label=Command dst=10.170.255.206 duser=root dvc=10.30.24.20 src=10.30.0.24 start=1556287687858 suser=gwtestauto

The message contains the following fields.

Field

Name

Scope

Present

index 0

CEF version

product

always

Description:

Example: CEF:0

Field

Name

Scope

Present

index 1

Device vendor

product

always

Description: fixed to OneIdentity

Example: OneIdentity

Field

Name

Scope

Present

index 2

Device product

product

always

Description: fixed to SPS

Example: SPS

Field

Name

Scope

Present

index 3

Device version

product version

always

Description: version of SPS

Example: 5.11.0

Field

Name

Scope

Present

index 4

Signature ID

message

always

Description: numeric identifier of message type

Example: 127084214

Field

Name

Scope

Present

index 5

Name

message

always

Description: the type of the message

Example: CommandChannelEvent

Field

Name

Scope

Present

index 6

Severity

message

always

Description: number between 0-10 inclusive, equal to aggregated analytics score divided by 10 or 0 if analytics is disabled

Example: 0

Field

Name

Scope

Present

index 7

CEF extensions

product

always

Description: contains the payload in key-value form

Example: app=SSH cs1=svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0 cs1Label=Session ID dhost=server.acme.com dpt=22 ...

Field

Name

Scope

Present

start

Start time

message

always

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Field

Name

Scope

Present

dvc

Device address

device

always

Description: IP address of SPS

Example: 10.30.24.20

Field

Name

Scope

Present

app

Application protocol

session

always

Description: SPS supported protocol

Example: SSH

Field

Name

Scope

Present

cs1

Session ID

session

always

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Field

Name

Scope

Present

cs1Label

Session ID label

product

always

Description: fixed to Session ID

Example: Session ID

Field

Name

Scope

Present

dst

Destination address

session

always

Description: the IP address of the server

Example: 10.170.255.206

Field

Name

Scope

Present

duser

Destination username

session

always

Description: the server username

Example: root

Field

Name

Scope

Present

src

Source address

session

always

Description: the IP address of the client

Example: 10.30.0.24

Field

Name

Scope

Present

suser

Source username

session

sometimes

Description: the authenticated gateway username if there was a successful gateway authentication

Example: gwtestauto

Field

Name

Scope

Present

cs2

Command

message

always

Description: the full command detected

Example: exit

Field

Name

Scope

Present

cs2Label

Command label

message

always

Description: fixed to Command

Example: Command

WindowTitleChannelEvent

Description of the message: Emitted when a command is detected in the session channel text.

Example message:

CEF:0|OneIdentity|SPS|5.11.0|911383355|WindowTitleChannelEvent|0|app=RDP cs1=svc-oUDm7arcL8zNb3t2CVwSQr-my_connection-44-4 cs1Label=Session ID cs2=Shortcut Tools Application Tools Administrative Tools cs2Label=Window title dst=10.170.255.206 duser=Administrator dvc=10.30.24.20 src=10.30.0.24 start=1558006237095 suser=gwtestauto

The message contains the following fields.

Field

Name

Scope

Present

index 0

CEF version

product

always

Description:

Example: CEF:0

Field

Name

Scope

Present

index 1

Device vendor

product

always

Description: fixed to OneIdentity

Example: OneIdentity

Field

Name

Scope

Present

index 2

Device product

product

always

Description: fixed to SPS

Example: SPS

Field

Name

Scope

Present

index 3

Device version

product version

always

Description: version of SPS

Example: 5.11.0

Field

Name

Scope

Present

index 4

Signature ID

message

always

Description: numeric identifier of message type

Example: 911383355

Field

Name

Scope

Present

index 5

Name

message

always

Description: the type of the message

Example: WindowTitleChannelEvent

Field

Name

Scope

Present

index 6

Severity

message

always

Description: number between 0-10 inclusive, equal to aggregated analytics score divided by 10 or 0 if analytics is disabled

Example: 0

Field

Name

Scope

Present

index 7

CEF extensions

product

always

Description: contains the payload in key-value form

Example: app=SSH cs1=svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0 cs1Label=Session ID dhost=server.acme.com dpt=22 ...

Field

Name

Scope

Present

start

Start time

message

always

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Field

Name

Scope

Present

dvc

Device address

device

always

Description: IP address of SPS

Example: 10.30.24.20

Field

Name

Scope

Present

app

Application protocol

session

always

Description: SPS supported protocol

Example: SSH

Field

Name

Scope

Present

cs1

Session ID

session

always

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Field

Name

Scope

Present

cs1Label

Session ID label

product

always

Description: fixed to Session ID

Example: Session ID

Field

Name

Scope

Present

dst

Destination address

session

always

Description: the IP address of the server

Example: 10.170.255.206

Field

Name

Scope

Present

duser

Destination username

session

always

Description: the server username

Example: root

Field

Name

Scope

Present

src

Source address

session

always

Description: the IP address of the client

Example: 10.30.0.24

Field

Name

Scope

Present

suser

Source username

session

sometimes

Description: the authenticated gateway username if there was a successful gateway authentication

Example: gwtestauto

Field

Name

Scope

Present

cs2

Window title

message

always

Description: the window title detected in graphical protocol

Example: firefox

Field

Name

Scope

Present

cs2Label

Window title label

message

always

Description: fixed to Window title

Example: Window title

FileTransfer

Description of the message: Emitted when a command is detected in the session channel text.

Example message:

CEF:0|OneIdentity|SPS|5.11.0|1127618380|FileTransfer|0|act=UPLOAD app=SSH cs1=svc-2L83Phh9J6GKLWTc881awk-my_connection-308 cs1Label=Session ID dst=10.170.255.206 duser=root dvc=10.30.24.20 filePath=/cpuinfo fname=cpuinfo src=10.30.0.24 start=1558023621127 suser=gwtestauto

The message contains the following fields.

Field

Name

Scope

Present

index 0

CEF version

product

always

Description:

Example: CEF:0

Field

Name

Scope

Present

index 1

Device vendor

product

always

Description: fixed to OneIdentity

Example: OneIdentity

Field

Name

Scope

Present

index 2

Device product

product

always

Description: fixed to SPS

Example: SPS

Field

Name

Scope

Present

index 3

Device version

product version

always

Description: version of SPS

Example: 5.11.0

Field

Name

Scope

Present

index 4

Signature ID

message

always

Description: numeric identifier of message type

Example: 1127618380

Field

Name

Scope

Present

index 5

Name

message

always

Description: the type of the message

Example: FileTransfer

Field

Name

Scope

Present

index 6

Severity

message

always

Description: number between 0-10 inclusive, equal to aggregated analytics score divided by 10 or 0 if analytics is disabled

Example: 0

Field

Name

Scope

Present

index 7

CEF extensions

product

always

Description: contains the payload in key-value form

Example: app=SSH cs1=svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0 cs1Label=Session ID dhost=server.acme.com dpt=22 ...

Field

Name

Scope

Present

start

Start time

message

always

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Field

Name

Scope

Present

dvc

Device address

device

always

Description: IP address of SPS

Example: 10.30.24.20

Field

Name

Scope

Present

app

Application protocol

session

always

Description: SPS supported protocol

Example: SSH

Field

Name

Scope

Present

cs1

Session ID

session

always

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Field

Name

Scope

Present

cs1Label

Session ID label

product

always

Description: fixed to Session ID

Example: Session ID

Field

Name

Scope

Present

dst

Destination address

session

always

Description: the IP address of the server

Example: 10.170.255.206

Field

Name

Scope

Present

duser

Destination username

session

always

Description: the server username

Example: root

Field

Name

Scope

Present

src

Source address

session

always

Description: the IP address of the client

Example: 10.30.0.24

Field

Name

Scope

Present

suser

Source username

session

sometimes

Description: the authenticated gateway username if there was a successful gateway authentication

Example: gwtestauto

Field

Name

Scope

Present

act

Operation

message

always

Description: the operation on the file such as UPLOAD/DOWNLOAD. It may contain the suffix 'WARNING', if the operation failed

Example: UPLOAD

Field

Name

Scope

Present

fname

Filename

message

always

Description: the file name

Example: foobar.txt

Field

Name

Scope

Present

filePath

Full file path

message

always

Description: the name of the file including its path on the server (in case of RDP protocol, this field is empty, in this case the full path of the file is in the filename field)

Example: /tmp/foobar.txt

JSON messages

SessionClosed due to content policy violation

Description of the message: Emitted when content policy with termination action enabled is violated

Example message:

{"verdict":"TERMINATED","timestamp":"1568640063579","severity":"0","session_id":"svc-9S9nqpGqdns6GAJxULWjHp-my_connection-53","server_username":"root","server_port":"22","server_name":"server.acme.com","server_address":"10.170.255.206","protocol":"SSH","event_type_id":"449510124","event_name":"SessionClosed","connection_policy":"my_connection","client_port":"45946","client_name":"client.acme.com","client_address":"10.30.0.24","base_type_name":"meta","auth_method":"password","gateway_username":"gwtestauto"}

The message contains the following fields.

Field

Name

Scope

Present

base_type_name

Basic type

message

always

Description: basic message type: meta

Example: meta

Field

Name

Scope

Present

event_type_id

Signature ID

message

always

Description: numeric identifier of message type

Example: 449510124

Field

Name

Scope

Present

event_name

Event name

message

always

Description: the type of the message

Example: SessionClosed

Field

Name

Scope

Present

session_id

Session ID

session

always

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Field

Name

Scope

Present

severity

Severity

message

always

Description: number between 0-10 inclusive, equal to aggregated analytics score divided by 10 or 0 if analytics is disabled

Example: 0

Field

Name

Scope

Present

timestamp

Timestamp

message

always

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Field

Name

Scope

Present

server_username

Server user

session

always

Description: the server username

Example: root

Field

Name

Scope

Present

server_domain

Server user domain if known

session

sometimes

Description: the server domain, if known

Example: acme.com

Field

Name

Scope

Present

gateway_username

Gateway username

session

sometimes

Description: the authenticated gateway username if there was a successful gateway authentication

Example: gwtestauto

Field

Name

Scope

Present

gateway_domain

Gateway user domain

session

sometimes

Description: the authenticated gateway user domain if there was a successful gateway authentication and known

Example: acme.com

Field

Name

Scope

Present

server_name

Server name

session

always

Description: the server hostname or IP address if hostname is not known

Example: server.acme.com

Field

Name

Scope

Present

server_address

Server address

session

always

Description: the IP address of the server

Example: 10.170.255.206

Field

Name

Scope

Present

server_port

Server port

session

always

Description: the port number on the server

Example: 22

Field

Name

Scope

Present

client_name

Client name

session

always

Description: the client hostname or IP address if hostname is not known

Example: client.acme.com

Field

Name

Scope

Present

client_address

Client address

session

always

Description: the IP address of the client

Example: 10.30.0.24

Field

Name

Scope

Present

client_port

Client port

session

always

Description: the port number on the client

Example: 38014

Field

Name

Scope

Present

protocol

Application protocol

session

always

Description: SPS supported protocol

Example: SSH

Field

Name

Scope

Present

connection_policy

Connection policy name

session

always

Description: SPS connection policy name

Example: my_connection

Field

Name

Scope

Present

auth_method

Authentication method

session

always

Description: the type of authentication used in gateway authentication

Example: password

Field

Name

Scope

Present

verdict

Verdict

session

always

Description: describes how the session ended, e.g. ACCEPT, AUTH_FAIL, DENY, FAIL, TERMINATED

Example: TERMINATED

ChannelAlert triggered

Description of the message: Emitted when channel alert triggered by content policy

Example message:

{"event_type_id":"1244069864","event_name":"ChannelAlert","session_id":"svc-eyKp4M2pDBpbwHW4nCSe36-my_connection-14","severity":"0","timestamp":"1567509110329","server_username":"root", "gateway_username":"gwtestauto","server_name":"server.acme.com","server_address":"10.170.255.206","server_port":"22","client_name":"client.acme.com","client_address":"10.30.0.24","client_port":"56988","protocol":"SSH","connection_policy":"my_connection","base_type_name":"content_alert","alerting_type":"adp.event.command","matched_regexp":"sudo","matched_content":"sudo","rule_name":"PatternMatcherRule"}

The message contains the following fields.

Field

Name

Scope

Present

event_type_id

Signature ID

message

always

Description: numeric identifier of message type

Example: 1244069864

Field

Name

Scope

Present

event_name

Event name

message

always

Description: the type of the message

Example: ChannelAlert

Field

Name

Scope

Present

session_id

Session ID

session

always

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Field

Name

Scope

Present

severity

Severity

message

always

Description: number between 0-10 inclusive, equal to aggregated analytics score divided by 10 or 0 if analytics is disabled

Example: 0

Field

Name

Scope

Present

timestamp

Timestamp

message

always

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Field

Name

Scope

Present

server_username

Server user

session

always

Description: the server username

Example: root

Field

Name

Scope

Present

gateway_username

Gateway username

session

sometimes

Description: the authenticated gateway username if there was a successful gateway authentication

Example: gwtestauto

Field

Name

Scope

Present

server_name

Server name

session

always

Description: the server hostname or IP address if hostname is not known

Example: server.acme.com

Field

Name

Scope

Present

server_address

Server address

session

always

Description: the IP address of the server

Example: 10.170.255.206

Field

Name

Scope

Present

server_port

Server port

session

always

Description: the port number on the server

Example: 22

Field

Name

Scope

Present

client_name

Client name

session

always

Description: the client hostname or IP address if hostname is not known

Example: client.acme.com

Field

Name

Scope

Present

client_address

Client address

session

always

Description: the IP address of the client

Example: 10.30.0.24

Field

Name

Scope

Present

client_port

Client port

session

always

Description: the port number on the client

Example: 38014

Field

Name

Scope

Present

protocol

Application protocol

session

always

Description: SPS supported protocol

Example: SSH

Field

Name

Scope

Present

connection_policy

Connection policy name

session

always

Description: SPS connection policy name

Example: my_connection

Field

Name

Scope

Present

base_type_name

Basic type

message

always

Description: basic message type: content_alert

Example: content_alert

Field

Name

Scope

Present

alerting_type

Event type

message

sometimes

Description: the type of the event triggering the alert e.g. Command, Full screen content

Example: Command

Field

Name

Scope

Present

matched_regexp

Matched regexp

message

sometimes

Description: the regexp matching the content that triggered the alert

Example: sudo

Field

Name

Scope

Present

matched_content

Matched content

message

sometimes

Description: the screen content violating channel policy

Example: $ sudo

Field

Name

Scope

Present

rule_name

Reason

message

sometimes

Description: the rule triggering alert

Example: PatternMatcherRule

ServerConnect on initial contact

Description of the message: Emitted when SPS connects to the serverfor the first time in the session

Example message:

{"timestamp":"1557913242888","severity":"0","session_id":"svc-iiCfsG48oJG5smpuocBLAN-my_connection-43","server_port":"22","server_name":"server.acme.com","server_address":"10.170.255.206","protocol":"SSH","gateway_username":"gwtestauto","event_type_id":"107115592","event_name":"ServerConnect","connection_policy":"my_connection","client_port":"59190","client_name":"client.acme.com","client_address":"10.30.0.24","base_type_name":"meta"}

The message contains the following fields.

Field

Name

Scope

Present

base_type_name

Basic type

message

always

Description: basic message type: meta

Example: meta

Field

Name

Scope

Present

event_type_id

Signature ID

message

always

Description: numeric identifier of message type

Example: 107115592

Field

Name

Scope

Present

event_name

Event name

message

always

Description: the type of the message

Example: ServerConnect

Field

Name

Scope

Present

session_id

Session ID

session

always

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Field

Name

Scope

Present

severity

Severity

message

always

Description: number between 0-10 inclusive, equal to aggregated analytics score divided by 10 or 0 if analytics is disabled

Example: 0

Field

Name

Scope

Present

timestamp

Timestamp

message

always

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Field

Name

Scope

Present

gateway_username

Gateway username

session

sometimes

Description: the authenticated gateway username if there was a successful gateway authentication

Example: gwtestauto

Field

Name

Scope

Present

gateway_domain

Gateway user domain

session

sometimes

Description: the authenticated gateway user domain if there was a successful gateway authentication and known

Example: acme.com

Field

Name

Scope

Present

server_name

Server name

session

always

Description: the server hostname or IP address if hostname is not known

Example: server.acme.com

Field

Name

Scope

Present

server_address

Server address

session

always

Description: the IP address of the server

Example: 10.170.255.206

Field

Name

Scope

Present

server_port

Server port

session

always

Description: the port number on the server

Example: 22

Field

Name

Scope

Present

client_name

Client name

session

always

Description: the client hostname or IP address if hostname is not known

Example: client.acme.com

Field

Name

Scope

Present

client_address

Client address

session

always

Description: the IP address of the client

Example: 10.30.0.24

Field

Name

Scope

Present

client_port

Client port

session

always

Description: the port number on the client

Example: 38014

Field

Name

Scope

Present

protocol

Application protocol

session

always

Description: SPS supported protocol

Example: SSH

Field

Name

Scope

Present

connection_policy

Connection policy name

session

always

Description: SPS connection policy name

Example: my_connection

ServerConnect for secondary channels

Description of the message: Emitted when SPS connects to the serverfor opening further channels. The difference from initial connection is that the server user name is known and authenticated this time.

Example message:

{"timestamp":"1557913242888","severity":"0","session_id":"svc-iiCfsG48oJG5smpuocBLAN-my_connection-43","server_port":"22","server_name":"server.acme.com","server_address":"10.170.255.206","protocol":"SSH","gateway_username":"gwtestauto","event_type_id":"107115592","event_name":"ServerConnect","connection_policy":"my_connection","server_username":"root","client_port":"59190","client_name":"client.acme.com","client_address":"10.30.0.24","base_type_name":"meta"}

The message contains the following fields.

Field

Name

Scope

Present

base_type_name

Basic type

message

always

Description: basic message type: meta

Example: meta

Field

Name

Scope

Present

event_type_id

Signature ID

message

always

Description: numeric identifier of message type

Example: 107115592

Field

Name

Scope

Present

event_name

Event name

message

always

Description: the type of the message

Example: ServerConnect

Field

Name

Scope

Present

session_id

Session ID

session

always

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Field

Name

Scope

Present

severity

Severity

message

always

Description: number between 0-10 inclusive, equal to aggregated analytics score divided by 10 or 0 if analytics is disabled

Example: 0

Field

Name

Scope

Present

timestamp

Timestamp

message

always

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Field

Name

Scope

Present

server_username

Server user

session

always

Description: the server username

Example: root

Field

Name

Scope

Present

server_domain

Server user domain if known

session

sometimes

Description: the server domain, if known

Example: acme.com

Field

Name

Scope

Present

gateway_username

Gateway username

session

sometimes

Description: the authenticated gateway username if there was a successful gateway authentication

Example: gwtestauto

Field

Name

Scope

Present

gateway_domain

Gateway user domain

session

sometimes

Description: the authenticated gateway user domain if there was a successful gateway authentication and known

Example: acme.com

Field

Name

Scope

Present

server_name

Server name

session

always

Description: the server hostname or IP address if hostname is not known

Example: server.acme.com

Field

Name

Scope

Present

server_address

Server address

session

always

Description: the IP address of the server

Example: 10.170.255.206

Field

Name

Scope

Present

server_port

Server port

session

always

Description: the port number on the server

Example: 22

Field

Name

Scope

Present

client_name

Client name

session

always

Description: the client hostname or IP address if hostname is not known

Example: client.acme.com

Field

Name

Scope

Present

client_address

Client address

session

always

Description: the IP address of the client

Example: 10.30.0.24

Field

Name

Scope

Present

client_port

Client port

session

always

Description: the port number on the client

Example: 38014

Field

Name

Scope

Present

protocol

Application protocol

session

always

Description: SPS supported protocol

Example: SSH

Field

Name

Scope

Present

connection_policy

Connection policy name

session

always

Description: SPS connection policy name

Example: my_connection

ServerAuthenticationSuccess

Description of the message: Emitted after the server authentication successfully happened

Example message:

{"timestamp":"1557913243423","severity":"0","session_id":"svc-iiCfsG48oJG5smpuocBLAN-my_connection-43","server_username":"root","server_port":"22","server_name":"server.acme.com","server_address":"10.170.255.206","protocol":"SSH","gateway_username":"gwtestauto","event_type_id":"1865245228","event_name":"ServerAuthenticationSuccess","connection_policy":"my_connection","client_port":"59190","client_name":"client.acme.com","client_address":"10.30.0.24","base_type_name":"meta"}

The message contains the following fields.

Field

Name

Scope

Present

base_type_name

Basic type

message

always

Description: basic message type: meta

Example: meta

Field

Name

Scope

Present

event_type_id

Signature ID

message

always

Description: numeric identifier of message type

Example: 1865245228

Field

Name

Scope

Present

event_name

Event name

message

always

Description: the type of the message

Example: ServerAuthenticationSuccess

Field

Name

Scope

Present

session_id

Session ID

session

always

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Field

Name

Scope

Present

severity

Severity

message

always

Description: number between 0-10 inclusive, equal to aggregated analytics score divided by 10 or 0 if analytics is disabled

Example: 0

Field

Name

Scope

Present

timestamp

Timestamp

message

always

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Field

Name

Scope

Present

server_username

Server user

session

always

Description: the server username

Example: root

Field

Name

Scope

Present

server_domain

Server user domain if known

session

sometimes

Description: the server domain, if known

Example: acme.com

Field

Name

Scope

Present

gateway_username

Gateway username

session

sometimes

Description: the authenticated gateway username if there was a successful gateway authentication

Example: gwtestauto

Field

Name

Scope

Present

gateway_domain

Gateway user domain

session

sometimes

Description: the authenticated gateway user domain if there was a successful gateway authentication and known

Example: acme.com

Field

Name

Scope

Present

server_name

Server name

session

always

Description: the server hostname or IP address if hostname is not known

Example: server.acme.com

Field

Name

Scope

Present

server_address

Server address

session

always

Description: the IP address of the server

Example: 10.170.255.206

Field

Name

Scope

Present

server_port

Server port

session

always

Description: the port number on the server

Example: 22

Field

Name

Scope

Present

client_name

Client name

session

always

Description: the client hostname or IP address if hostname is not known

Example: client.acme.com

Field

Name

Scope

Present

client_address

Client address

session

always

Description: the IP address of the client

Example: 10.30.0.24

Field

Name

Scope

Present

client_port

Client port

session

always

Description: the port number on the client

Example: 38014

Field

Name

Scope

Present

protocol

Application protocol

session

always

Description: SPS supported protocol

Example: SSH

Field

Name

Scope

Present

connection_policy

Connection policy name

session

always

Description: SPS connection policy name

Example: my_connection

ServerAuthenticationFailure

Description of the message: Emitted after the server authentication failed

Example message:

{"timestamp":"1557913134598","severity":"0","session_id":"svc-iiCfsG48oJG5smpuocBLAN-my_connection-33","server_username":"root","server_port":"22","server_name":"server.acme.com","server_address":"10.170.255.206","protocol":"SSH","gateway_username":"gwtestauto","event_type_id":"1262825953","event_name":"ServerAuthenticationFailure","connection_policy":"my_connection","client_port":"56692","client_name":"client.acme.com","client_address":"10.30.0.24","base_type_name":"meta"}

The message contains the following fields.

Field

Name

Scope

Present

base_type_name

Basic type

message

always

Description: basic message type: meta

Example: meta

Field

Name

Scope

Present

event_type_id

Signature ID

message

always

Description: numeric identifier of message type

Example: 1262825953

Field

Name

Scope

Present

event_name

Event name

message

always

Description: the type of the message

Example: ServerAuthenticationFailure

Field

Name

Scope

Present

session_id

Session ID

session

always

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Field

Name

Scope

Present

severity

Severity

message

always

Description: number between 0-10 inclusive, equal to aggregated analytics score divided by 10 or 0 if analytics is disabled

Example: 0

Field

Name

Scope

Present

timestamp

Timestamp

message

always

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Field

Name

Scope

Present

server_username

Server user

session

always

Description: contains the non authenticated server username

Example: root

Field

Name

Scope

Present

server_domain

Server user domain if known

session

sometimes

Description: the non authenticated server domain, if known

Example: acme.com

Field

Name

Scope

Present

gateway_username

Gateway username

session

sometimes

Description: the authenticated gateway username if there was a successful gateway authentication

Example: gwtestauto

Field

Name

Scope

Present

gateway_domain

Gateway user domain

session

sometimes

Description: the authenticated gateway user domain if there was a successful gateway authentication and known

Example: acme.com

Field

Name

Scope

Present

server_name

Server name

session

always

Description: the server hostname or IP address if hostname is not known

Example: server.acme.com

Field

Name

Scope

Present

server_address

Server address

session

always

Description: the IP address of the server

Example: 10.170.255.206

Field

Name

Scope

Present

server_port

Server port

session

always

Description: the port number on the server

Example: 22

Field

Name

Scope

Present

client_name

Client name

session

always

Description: the client hostname or IP address if hostname is not known

Example: client.acme.com

Field

Name

Scope

Present

client_address

Client address

session

always

Description: the IP address of the client

Example: 10.30.0.24

Field

Name

Scope

Present

client_port

Client port

session

always

Description: the port number on the client

Example: 38014

Field

Name

Scope

Present

protocol

Application protocol

session

always

Description: SPS supported protocol

Example: SSH

Field

Name

Scope

Present

connection_policy

Connection policy name

session

always

Description: SPS connection policy name

Example: my_connection

GatewayAuthenticationFailure

Description of the message: Emitted after a failed gateway authentication. Note that the gateway username here is not authenticated and will not be retained in further messages to avoid confusion with an authenticated gateway user.

Example message:

{"timestamp":"1557913110027","severity":"0","session_id":"svc-iiCfsG48oJG5smpuocBLAN-my_connection-31","protocol":"SSH","gateway_username":"gwtestauto","event_type_id":"1843867026","event_name":"GatewayAuthenticationFailure","connection_policy":"my_connection","client_port":"56020","client_name":"client.acme.com","client_address":"10.30.0.24","base_type_name":"meta"}

The message contains the following fields.

Field

Name

Scope

Present

base_type_name

Basic type

message

always

Description: basic message type: meta

Example: meta

Field

Name

Scope

Present

event_type_id

Signature ID

message

always

Description: numeric identifier of message type

Example: 1843867026

Field

Name

Scope

Present

event_name

Event name

message

always

Description: the type of the message

Example: GatewayAuthenticationFailure

Field

Name

Scope

Present

session_id

Session ID

session

always

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Field

Name

Scope

Present

severity

Severity

message

always

Description: number between 0-10 inclusive, equal to aggregated analytics score divided by 10 or 0 if analytics is disabled

Example: 0

Field

Name

Scope

Present

timestamp

Timestamp

message

always

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Field

Name

Scope

Present

gateway_username

Gateway username

message

always

Description: the non authenticated gateway username

Example: gwtestauto

Field

Name

Scope

Present

gateway_username

Gateway user domain

session

sometimes

Description: the non authenticated gateway user domain if known

Example: acme.com

Field

Name

Scope

Present

client_name

Client name

session

always

Description: the client hostname or IP address if hostname is not known

Example: client.acme.com

Field

Name

Scope

Present

client_address

Client address

session

always

Description: the IP address of the client

Example: 10.30.0.24

Field

Name

Scope

Present

client_port

Client port

session

always

Description: the port number on the client

Example: 38014

Field

Name

Scope

Present

protocol

Application protocol

session

always

Description: SPS supported protocol

Example: SSH

Field

Name

Scope

Present

connection_policy

Connection policy name

session

always

Description: SPS connection policy name

Example: my_connection

SessionClosed of successfully authenticated session

Description of the message: Emitted when the session ends and server authentication and any gateway authentication was successful. There may be further messages related to the session after this message due to post processing of session data!

Example message:

{"timestamp":"1557912701233","severity":"0","session_id":"svc-mBbMWzauBWHQN9TpoZz8mD-my_connection-6","server_username":"root","server_port":"22","server_name":"server.acme.com","server_address":"10.170.255.206","protocol":"SSH","gateway_username":"gwtestauto","event_type_id":"449510124","event_name":"SessionClosed","connection_policy":"my_connection","client_port":"46958","client_name":"client.acme.com","client_address":"10.30.0.24","base_type_name":"meta","auth_method":"password","verdict":"ACCEPT"}

The message contains the following fields.

Field

Name

Scope

Present

base_type_name

Basic type

message

always

Description: basic message type: meta

Example: meta

Field

Name

Scope

Present

event_type_id

Signature ID

message

always

Description: numeric identifier of message type

Example: 449510124

Field

Name

Scope

Present

event_name

Event name

message

always

Description: the type of the message

Example: SessionClosed

Field

Name

Scope

Present

session_id

Session ID

session

always

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Field

Name

Scope

Present

severity

Severity

message

always

Description: number between 0-10 inclusive, equal to aggregated analytics score divided by 10 or 0 if analytics is disabled

Example: 0

Field

Name

Scope

Present

timestamp

Timestamp

message

always

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Field

Name

Scope

Present

server_username

Server user

session

always

Description: the server username

Example: root

Field

Name

Scope

Present

server_domain

Server user domain if known

session

sometimes

Description: the server domain, if known

Example: acme.com

Field

Name

Scope

Present

gateway_username

Gateway username

session

sometimes

Description: the authenticated gateway username if there was a successful gateway authentication

Example: gwtestauto

Field

Name

Scope

Present

gateway_domain

Gateway user domain

session

sometimes

Description: the authenticated gateway user domain if there was a successful gateway authentication and known

Example: acme.com

Field

Name

Scope

Present

server_name

Server name

session

always

Description: the server hostname or IP address if hostname is not known

Example: server.acme.com

Field

Name

Scope

Present

server_address

Server address

session

always

Description: the IP address of the server

Example: 10.170.255.206

Field

Name

Scope

Present

server_port

Server port

session

always

Description: the port number on the server

Example: 22

Field

Name

Scope

Present

client_name

Client name

session

always

Description: the client hostname or IP address if hostname is not known

Example: client.acme.com

Field

Name

Scope

Present

client_address

Client address

session

always

Description: the IP address of the client

Example: 10.30.0.24

Field

Name

Scope

Present

client_port

Client port

session

always

Description: the port number on the client

Example: 38014

Field

Name

Scope

Present

protocol

Application protocol

session

always

Description: SPS supported protocol

Example: SSH

Field

Name

Scope

Present

connection_policy

Connection policy name

session

always

Description: SPS connection policy name

Example: my_connection

Field

Name

Scope

Present

auth_method

Authentication method

session

always

Description: the type of authentication used in gateway authentication

Example: password

Field

Name

Scope

Present

verdict

Verdict

session

always

Description: describes how the session ended, e.g. ACCEPT, AUTH_FAIL, DENY, FAIL, TERMINATED

Example: ACCEPT

SessionClosed after a failed gateway authentication

Description of the message: Emitted when the session ends because gateway authentication failed.

Example message:

{"timestamp":"1557912725391","severity":"0","session_id":"svc-mBbMWzauBWHQN9TpoZz8mD-my_connection-9","protocol":"SSH","event_type_id":"449510124","event_name":"SessionClosed","connection_policy":"my_connection","client_port":"47444","client_name":"client.acme.com","client_address":"10.30.0.24","base_type_name":"meta","verdict":"AUTH_FAIL"}

The message contains the following fields.

Field

Name

Scope

Present

base_type_name

Basic type

message

always

Description: basic message type: meta

Example: meta

Field

Name

Scope

Present

event_type_id

Signature ID

message

always

Description: numeric identifier of message type

Example: 449510124

Field

Name

Scope

Present

event_name

Event name

message

always

Description: the type of the message

Example: SessionClosed

Field

Name

Scope

Present

session_id

Session ID

session

always

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Field

Name

Scope

Present

severity

Severity

message

always

Description: number between 0-10 inclusive, equal to aggregated analytics score divided by 10 or 0 if analytics is disabled

Example: 0

Field

Name

Scope

Present

timestamp

Timestamp

message

always

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Field

Name

Scope

Present

client_name

Client name

session

always

Description: the client hostname or IP address if hostname is not known

Example: client.acme.com

Field

Name

Scope

Present

client_address

Client address

session

always

Description: the IP address of the client

Example: 10.30.0.24

Field

Name

Scope

Present

client_port

Client port

session

always

Description: the port number on the client

Example: 38014

Field

Name

Scope

Present

protocol

Application protocol

session

always

Description: SPS supported protocol

Example: SSH

Field

Name

Scope

Present

connection_policy

Connection policy name

session

always

Description: SPS connection policy name

Example: my_connection

Field

Name

Scope

Present

verdict

Verdict

session

always

Description: describes how the session ended, e.g. ACCEPT, AUTH_FAIL, DENY, FAIL, TERMINATED

Example: AUTH_FAIL

SessionClosed after a failed server authentication

Description of the message: Emitted when the session ends because server authentication failed.

Example message:

{"timestamp":"1557912748990","severity":"0","session_id":"svc-mBbMWzauBWHQN9TpoZz8mD-my_connection-11","verdict":"AUTH_FAIL","server_port":"22","server_name":"server.acme.com","server_address":"10.170.255.206","protocol":"SSH","gateway_username":"gwtestauto","event_type_id":"449510124","event_name":"SessionClosed","connection_policy":"my_connection","client_port":"47840","client_name":"client.acme.com","client_address":"10.30.0.24","base_type_name":"meta"}

The message contains the following fields.

Field

Name

Scope

Present

base_type_name

Basic type

message

always

Description: basic message type: meta

Example: meta

Field

Name

Scope

Present

event_type_id

Signature ID

message

always

Description: numeric identifier of message type

Example: 449510124

Field

Name

Scope

Present

event_name

Event name

message

always

Description: the type of the message

Example: SessionClosed

Field

Name

Scope

Present

session_id

Session ID

session

always

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Field

Name

Scope

Present

severity

Severity

message

always

Description: number between 0-10 inclusive, equal to aggregated analytics score divided by 10 or 0 if analytics is disabled

Example: 0

Field

Name

Scope

Present

timestamp

Timestamp

message

always

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Field

Name

Scope

Present

gateway_username

Gateway username

session

sometimes

Description: the authenticated gateway username if there was a successful gateway authentication

Example: gwtestauto

Field

Name

Scope

Present

gateway_domain

Gateway user domain

session

sometimes

Description: the authenticated gateway user domain if there was a successful gateway authentication and known

Example: acme.com

Field

Name

Scope

Present

server_name

Server name

session

always

Description: the server hostname or IP address if hostname is not known

Example: server.acme.com

Field

Name

Scope

Present

server_address

Server address

session

always

Description: the IP address of the server

Example: 10.170.255.206

Field

Name

Scope

Present

server_port

Server port

session

always

Description: the port number on the server

Example: 22

Field

Name

Scope

Present

client_name

Client name

session

always

Description: the client hostname or IP address if hostname is not known

Example: client.acme.com

Field

Name

Scope

Present

client_address

Client address

session

always

Description: the IP address of the client

Example: 10.30.0.24

Field

Name

Scope

Present

client_port

Client port

session

always

Description: the port number on the client

Example: 38014

Field

Name

Scope

Present

protocol

Application protocol

session

always

Description: SPS supported protocol

Example: SSH

Field

Name

Scope

Present

connection_policy

Connection policy name

session

always

Description: SPS connection policy name

Example: my_connection

Field

Name

Scope

Present

verdict

Verdict

session

always

Description: describes how the session ended, e.g. ACCEPT, AUTH_FAIL, DENY, FAIL, TERMINATED

Example: AUTH_FAIL

RdpEmbeddedInTsg

Description of the message: Emitted when the gateway user is acquired in a Terminal Service Gateway authentication scenario.

Example message:

{"timestamp":"1558007294417","severity":"0","session_id":"svc-oUDm7arcL8zNb3t2CVwSQr-my_connection-50-4","protocol":"RDP","gateway_username":"gwtestauto","event_type_id":"998298775","event_name":"RdpEmbeddedInTsg","connection_policy":"my_connection","client_port":"51270","client_name":"client.acme.com","client_address":"10.30.0.24","base_type_name":"meta"}

The message contains the following fields.

Field

Name

Scope

Present

base_type_name

Basic type

message

always

Description: basic message type: meta

Example: meta

Field

Name

Scope

Present

event_type_id

Signature ID

message

always

Description: numeric identifier of message type

Example: 998298775

Field

Name

Scope

Present

event_name

Event name

message

always

Description: the type of the message

Example: RdpEmbeddedInTsg

Field

Name

Scope

Present

session_id

Session ID

session

always

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Field

Name

Scope

Present

severity

Severity

message

always

Description: number between 0-10 inclusive, equal to aggregated analytics score divided by 10 or 0 if analytics is disabled

Example: 0

Field

Name

Scope

Present

timestamp

Timestamp

message

always

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Field

Name

Scope

Present

gateway_username

Gateway username

session

always

Description: the authenticated gateway username

Example: gwtestauto

Field

Name

Scope

Present

client_name

Client name

session

always

Description: the client hostname or IP address if hostname is not known

Example: client.acme.com

Field

Name

Scope

Present

client_address

Client address

session

always

Description: the IP address of the client

Example: 10.30.0.24

Field

Name

Scope

Present

client_port

Client port

session

always

Description: the port number on the client

Example: 38014

Field

Name

Scope

Present

protocol

Application protocol

session

always

Description: SPS supported protocol

Example: SSH

Field

Name

Scope

Present

connection_policy

Connection policy name

session

always

Description: SPS connection policy name

Example: my_connection

SessionScored

Description of the message: Score messages represent scoring events when SPS has calculated an initial or changed score for the session.

Example message:

{"timestamp":"1558009822701","severity":"7","session_id":"svc-62a6XGcPzaFvLYDhVYDYXj-my_connection-0","server_username":"root","server_port":"22","server_name":"server.acme.com","server_address":"10.170.255.206","protocol":"SSH","gateway_username":"gwtestauto","event_type_id":"1991765353","event_name":"SessionScored","connection_policy":"my_connection","client_port":"35620","client_name":"client.acme.com","client_address":"10.30.0.24","base_type_name":"score","algorithm_score":"18","algorithm_name":"keystroke","aggregated_score":"70"}

The message contains the following fields.

Field

Name

Scope

Present

base_type_name

Basic type

message

always

Description: basic message type: score

Example: score

Field

Name

Scope

Present

event_type_id

Signature ID

message

always

Description: numeric identifier of message type

Example: 1991765353

Field

Name

Scope

Present

event_name

Event name

message

always

Description: the type of the message

Example: SessionScored

Field

Name

Scope

Present

session_id

Session ID

session

always

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Field

Name

Scope

Present

severity

Severity

message

always

Description: number between 0-10 inclusive, equal to aggregated analytics score divided by 10 or 0 if analytics is disabled

Example: 0

Field

Name

Scope

Present

timestamp

Timestamp

message

always

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Field

Name

Scope

Present

server_username

Server user

session

always

Description: the server username

Example: root

Field

Name

Scope

Present

server_domain

Server user domain if known

session

sometimes

Description: the server domain, if known

Example: acme.com

Field

Name

Scope

Present

gateway_username

Gateway username

session

sometimes

Description: the authenticated gateway username if there was a successful gateway authentication

Example: gwtestauto

Field

Name

Scope

Present

gateway_domain

Gateway user domain

session

sometimes

Description: the authenticated gateway user domain if there was a successful gateway authentication and known

Example: acme.com

Field

Name

Scope

Present

server_name

Server name

session

always

Description: the server hostname or IP address if hostname is not known

Example: server.acme.com

Field

Name

Scope

Present

server_address

Server address

session

always

Description: the IP address of the server

Example: 10.170.255.206

Field

Name

Scope

Present

server_port

Server port

session

always

Description: the port number on the server

Example: 22

Field

Name

Scope

Present

client_name

Client name

session

always

Description: the client hostname or IP address if hostname is not known

Example: client.acme.com

Field

Name

Scope

Present

client_address

Client address

session

always

Description: the IP address of the client

Example: 10.30.0.24

Field

Name

Scope

Present

client_port

Client port

session

always

Description: the port number on the client

Example: 38014

Field

Name

Scope

Present

protocol

Application protocol

session

always

Description: SPS supported protocol

Example: SSH

Field

Name

Scope

Present

connection_policy

Connection policy name

session

always

Description: SPS connection policy name

Example: my_connection

Field

Name

Scope

Present

aggregated_score

Aggregated score

message

always

Description: the average score from all enabled analytics algorithms

Example: 50

Field

Name

Scope

Present

algorithm_name

Algorithm name

message

always

Description: the name of the algorithm that changed value

Example: keystroke

Field

Name

Scope

Present

algorithm_score

Algorithm score

message

always

Description: the new score value of the algorithm that changed value

Example: 60

CommandChannelEvent

Description of the message: Emitted when a command is detected in the session channel text.

Example message:

{"timestamp":"1557912701166","severity":"0","session_id":"svc-mBbMWzauBWHQN9TpoZz8mD-my_connection-6","server_username":"root","server_port":"22","server_name":"server.acme.com","server_address":"10.170.255.206","protocol":"SSH","gateway_username":"gwtestauto","event_type_id":"127084214","event_name":"CommandChannelEvent","connection_policy":"my_connection","command":"exit","client_port":"46958","client_name":"client.acme.com","client_address":"10.30.0.24","base_type_name":"content"}

The message contains the following fields.

Field

Name

Scope

Present

base_type_name

Basic type

message

always

Description: basic message type: content

Example: content

Field

Name

Scope

Present

event_type_id

Signature ID

message

always

Description: numeric identifier of message type

Example: 127084214

Field

Name

Scope

Present

event_name

Event name

message

always

Description: the type of the message

Example: CommandChannelEvent

Field

Name

Scope

Present

session_id

Session ID

session

always

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Field

Name

Scope

Present

severity

Severity

message

always

Description: number between 0-10 inclusive, equal to aggregated analytics score divided by 10 or 0 if analytics is disabled

Example: 0

Field

Name

Scope

Present

timestamp

Timestamp

message

always

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Field

Name

Scope

Present

server_username

Server user

session

always

Description: the server username

Example: root

Field

Name

Scope

Present

server_domain

Server user domain if known

session

sometimes

Description: the server domain, if known

Example: acme.com

Field

Name

Scope

Present

gateway_username

Gateway username

session

sometimes

Description: the authenticated gateway username if there was a successful gateway authentication

Example: gwtestauto

Field

Name

Scope

Present

gateway_domain

Gateway user domain

session

sometimes

Description: the authenticated gateway user domain if there was a successful gateway authentication and known

Example: acme.com

Field

Name

Scope

Present

server_name

Server name

session

always

Description: the server hostname or IP address if hostname is not known

Example: server.acme.com

Field

Name

Scope

Present

server_address

Server address

session

always

Description: the IP address of the server

Example: 10.170.255.206

Field

Name

Scope

Present

server_port

Server port

session

always

Description: the port number on the server

Example: 22

Field

Name

Scope

Present

client_name

Client name

session

always

Description: the client hostname or IP address if hostname is not known

Example: client.acme.com

Field

Name

Scope

Present

client_address

Client address

session

always

Description: the IP address of the client

Example: 10.30.0.24

Field

Name

Scope

Present

client_port

Client port

session

always

Description: the port number on the client

Example: 38014

Field

Name

Scope

Present

protocol

Application protocol

session

always

Description: SPS supported protocol

Example: SSH

Field

Name

Scope

Present

connection_policy

Connection policy name

session

always

Description: SPS connection policy name

Example: my_connection

Field

Name

Scope

Present

command

Command

message

always

Description: the full command detected

Example: exit

WindowTitleChannelEvent

Description of the message: Emitted when a command is detected in the session channel text.

Example message:

{"window_title":"Shortcut Tools Application Tools Administrative Tools","timestamp":"1558007305516","severity":"0","session_id":"svc-oUDm7arcL8zNb3t2CVwSQr-my_connection-50-4","server_username":"Administrator","server_port":"3389","server_name":"server.acme.com","server_address":"10.170.255.206","protocol":"RDP","gateway_username":"gwtestauto","event_type_id":"911383355","event_name":"WindowTitleChannelEvent","connection_policy":"my_connection","client_port":"51270","client_name":"client.acme.com","client_address":"10.30.0.24","base_type_name":"content"}

The message contains the following fields.

Field

Name

Scope

Present

base_type_name

Basic type

message

always

Description: basic message type: content

Example: content

Field

Name

Scope

Present

event_type_id

Signature ID

message

always

Description: numeric identifier of message type

Example: 911383355

Field

Name

Scope

Present

event_name

Event name

message

always

Description: the type of the message

Example: WindowTitleChannelEvent

Field

Name

Scope

Present

session_id

Session ID

session

always

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Field

Name

Scope

Present

severity

Severity

message

always

Description: number between 0-10 inclusive, equal to aggregated analytics score divided by 10 or 0 if analytics is disabled

Example: 0

Field

Name

Scope

Present

timestamp

Timestamp

message

always

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Field

Name

Scope

Present

server_username

Server user

session

always

Description: the server username

Example: root

Field

Name

Scope

Present

server_domain

Server user domain if known

session

sometimes

Description: the server domain, if known

Example: acme.com

Field

Name

Scope

Present

gateway_username

Gateway username

session

sometimes

Description: the authenticated gateway username if there was a successful gateway authentication

Example: gwtestauto

Field

Name

Scope

Present

gateway_domain

Gateway user domain

session

sometimes

Description: the authenticated gateway user domain if there was a successful gateway authentication and known

Example: acme.com

Field

Name

Scope

Present

server_name

Server name

session

always

Description: the server hostname or IP address if hostname is not known

Example: server.acme.com

Field

Name

Scope

Present

server_address

Server address

session

always

Description: the IP address of the server

Example: 10.170.255.206

Field

Name

Scope

Present

server_port

Server port

session

always

Description: the port number on the server

Example: 22

Field

Name

Scope

Present

client_name

Client name

session

always

Description: the client hostname or IP address if hostname is not known

Example: client.acme.com

Field

Name

Scope

Present

client_address

Client address

session

always

Description: the IP address of the client

Example: 10.30.0.24

Field

Name

Scope

Present

client_port

Client port

session

always

Description: the port number on the client

Example: 38014

Field

Name

Scope

Present

protocol

Application protocol

session

always

Description: SPS supported protocol

Example: SSH

Field

Name

Scope

Present

connection_policy

Connection policy name

session

always

Description: SPS connection policy name

Example: my_connection

Field

Name

Scope

Present

window_title

Window title

message

always

Description: the window title detected in graphical protocol

Example: firefox

FileTransfer

Description of the message: Emitted when a command is detected in the session channel text.

Example message:

{"timestamp":"1558023671115","severity":"0","session_id":"svc-2L83Phh9J6GKLWTc881awk-my_connection-316","server_username":"root","server_port":"22","server_name":"server.acme.com","server_address":"10.170.255.206","protocol":"SSH","gateway_username":"gwtestauto","filepath":"","filename":"cpuinfo","file_operation":"UPLOAD","event_type_id":"1127618380","event_name":"FileTransfer","connection_policy":"my_connection","client_port":"44292","client_name":"client.acme.com","client_address":"10.30.0.24","base_type_name":"content"}

The message contains the following fields.

Field

Name

Scope

Present

base_type_name

Basic type

message

always

Description: basic message type: content

Example: content

Field

Name

Scope

Present

event_type_id

Signature ID

message

always

Description: numeric identifier of message type

Example: 1127618380

Field

Name

Scope

Present

event_name

Event name

message

always

Description: the type of the message

Example: FileTransfer

Field

Name

Scope

Present

session_id

Session ID

session

always

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Field

Name

Scope

Present

severity

Severity

message

always

Description: number between 0-10 inclusive, equal to aggregated analytics score divided by 10 or 0 if analytics is disabled

Example: 0

Field

Name

Scope

Present

timestamp

Timestamp

message

always

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Field

Name

Scope

Present

server_username

Server user

session

always

Description: the server username

Example: root

Field

Name

Scope

Present

server_domain

Server user domain if known

session

sometimes

Description: the server domain, if known

Example: acme.com

Field

Name

Scope

Present

gateway_username

Gateway username

session

sometimes

Description: the authenticated gateway username if there was a successful gateway authentication

Example: gwtestauto

Field

Name

Scope

Present

gateway_domain

Gateway user domain

session

sometimes

Description: the authenticated gateway user domain if there was a successful gateway authentication and known

Example: acme.com

Field

Name

Scope

Present

server_name

Server name

session

always

Description: the server hostname or IP address if hostname is not known

Example: server.acme.com

Field

Name

Scope

Present

server_address

Server address

session

always

Description: the IP address of the server

Example: 10.170.255.206

Field

Name

Scope

Present

server_port

Server port

session

always

Description: the port number on the server

Example: 22

Field

Name

Scope

Present

client_name

Client name

session

always

Description: the client hostname or IP address if hostname is not known

Example: client.acme.com

Field

Name

Scope

Present

client_address

Client address

session

always

Description: the IP address of the client

Example: 10.30.0.24

Field

Name

Scope

Present

client_port

Client port

session

always

Description: the port number on the client

Example: 38014

Field

Name

Scope

Present

protocol

Application protocol

session

always

Description: SPS supported protocol

Example: SSH

Field

Name

Scope

Present

connection_policy

Connection policy name

session

always

Description: SPS connection policy name

Example: my_connection

Field

Name

Scope

Present

file_operation

Operation

message

always

Description: the operation on the file such as UPLOAD/DOWNLOAD. It may contain the suffix 'WARNING', if the operation failed

Example: UPLOAD

Field

Name

Scope

Present

filename

Filename

message

always

Description: the file name

Example: foobar.txt

Field

Name

Scope

Present

filepath

File path

message

always

Description: the path to the file on the server

Example: /tmp

JSON_CIM messages

SessionClosed due to content policy violation

Description of the message: Emitted when content policy with termination action enabled is violated

Example message:

{"verdict":"TERMINATED","vendor":"OneIdentity","user":"root","transport":"tcp","src_user":"gwtestauto","src_port":"57542","src_ip":"10.30.0.24","src":"client.acme.com","session_id":"svc-w6rJcFNZ3c6Bqqu2pAoeoS-my_connection-1","product":"SPS-5.11.0","event_name":"SessionClosed","dvc":"sps1.acme.com","dest_port":"22","dest_ip":"10.170.255.206","dest":"server.acme.com","app":"ssh","_time":"1568984418014"}

The message contains the following fields.

Field

Name

Scope

Present

vendor

Device vendor

product

always

Description: fixed to OneIdentity

Example: OneIdentity

Field

Name

Scope

Present

product

Product version

product

always

Description: short product name with version

Example: SPS-5.11.0

Field

Name

Scope

Present

dvc

Device fqdn

device

always

Description: the hostname of SPS

Example: sps1.acme.com

Field

Name

Scope

Present

session_id

Session ID

session

always

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Field

Name

Scope

Present

event_name

Event name

message

always

Description: the type of the message

Example: SessionClosed

Field

Name

Scope

Present

_time

Timestamp

message

always

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Field

Name

Scope

Present

app

Application protocol

session

always

Description: SPS supported protocol

Example: ssh

Field

Name

Scope

Present

dest_ip

Destination address

session

always

Description: the IP address of the server

Example: 10.170.255.206

Field

Name

Scope

Present

dest

Destination host name

session

always

Description: the server hostname or IP address if hostname is not known

Example: server.acme.com

Field

Name

Scope

Present

user

Name of the user

session

always

Description: the server username

Example: root

Field

Name

Scope

Present

dest_port

Destination port

session

always

Description: the port number on the server

Example: 22

Field

Name

Scope

Present

src_ip

Source address

session

always

Description: the IP address of the client

Example: 10.30.0.24

Field

Name

Scope

Present

src

Source host name

session

always

Description: the client hostname or IP address if hostname is not known

Example: client.acme.com

Field

Name

Scope

Present

src_user

Source username

session

sometimes

Description: the authenticated gateway username if there was a successful gateway authentication

Example: gwtestauto

Field

Name

Scope

Present

src_port

Source port

session

always

Description: the port number on the client

Example: 38014

Field

Name

Scope

Present

transport

Transport

session

always

Description: the layer 3 protocol

Example: tcp

Field

Name

Scope

Present

verdict

Verdict

session

always

Description: describes how the session ended, e.g. ACCEPT, AUTH_FAIL, DENY, FAIL, TERMINATED

Example: TERMINATED

ChannelAlert triggered

Description of the message: Emitted when channel alert triggered by content policy

Example message:

{"vendor":"OneIdentity","user":"root","transport":"tcp","subject":"PatternMatcherRule","src_user":"gwtestauto","src_port":"57542","src_ip":"10.30.0.24","src":"client.acme.com","session_id":"svc-w6rJcFNZ3c6Bqqu2pAoeoS-my_connection-1","product":"SPS-5.11.0","matched_regexp":"free","event_name":"ChannelAlert","dvc":"sps1.acme.com","dest_port":"22","dest_ip":"10.170.255.206","dest":"server.acme.com","app":"ssh","alerting_type":"Full screen content","_time":"1568984413910"}

The message contains the following fields.

Field

Name

Scope

Present

vendor

Device vendor

product

always

Description: fixed to OneIdentity

Example: OneIdentity

Field

Name

Scope

Present

product

Product version

product

always

Description: short product name with version

Example: SPS-5.11.0

Field

Name

Scope

Present

transport

Transport

session

always

Description: the layer 3 protocol

Example: tcp

Field

Name

Scope

Present

_time

Timestamp

message

always

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Field

Name

Scope

Present

session_id

Session ID

session

always

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Field

Name

Scope

Present

app

Application protocol

session

always

Description: SPS supported protocol

Example: ssh

Field

Name

Scope

Present

src_user

Source username

session

sometimes

Description: the authenticated gateway username if there was a successful gateway authentication

Example: gwtestauto

Field

Name

Scope

Present

src_port

Source port

session

always

Description: the port number on the client

Example: 38014

Field

Name

Scope

Present

src_ip

Source address

session

always

Description: the IP address of the client

Example: 10.30.0.24

Field

Name

Scope

Present

src

Source host name

session

always

Description: the client hostname or IP address if hostname is not known

Example: client.acme.com

Field

Name

Scope

Present

matched_regexp

Matched regexp

message

sometimes

Description: the regexp matching the content that triggered the alert

Example: sudo

Field

Name

Scope

Present

event_name

Event name

message

always

Description: the type of the message

Example: ChannelAlert

Field

Name

Scope

Present

dvc

Device fqdn

device

always

Description: the hostname of SPS

Example: sps1.acme.com

Field

Name

Scope

Present

dest_port

Destination port

session

always

Description: the port number on the server

Example: 22

Field

Name

Scope

Present

dest_ip

Destination address

session

always

Description: the IP address of the server

Example: 10.170.255.206

Field

Name

Scope

Present

dest

Destination host name

session

always

Description: the server hostname or IP address if hostname is not known

Example: server.acme.com

Field

Name

Scope

Present

user

Name of the user

session

always

Description: the server username

Example: root

Field

Name

Scope

Present

alerting_type

Event type

message

sometimes

Description: the type of the event triggering the alert e.g. Command, Full screen content

Example: Command

Field

Name

Scope

Present

subject

Reason

message

sometimes

Description: the rule triggering alert

Example: PatternMatcherRule

ServerConnect on initial contact

Description of the message: Emitted when SPS connects to the serverfor the first time in the session

Example message:

{"vendor":"OneIdentity","user":"","transport":"tcp","src_user":"gwtestauto","src_port":"58140","src_ip":"10.30.0.24","src":"client.acme.com","session_id":"svc-iiCfsG48oJG5smpuocBLAN-my_connection-39","product":"SPS-5.11.0","event_name":"ServerConnect","dvc":"sps1.acme.com","dest_port":"22","dest_ip":"10.170.255.206","dest":"server.acme.com","app":"ssh","action":"added","_time":"1557913195000"}

The message contains the following fields.

Field

Name

Scope

Present

vendor

Device vendor

product

always

Description: fixed to OneIdentity

Example: OneIdentity

Field

Name

Scope

Present

product

Product version

product

always

Description: short product name with version

Example: SPS-5.11.0

Field

Name

Scope

Present

dvc

Device fqdn

device

always

Description: the hostname of SPS

Example: sps1.acme.com

Field

Name

Scope

Present

session_id

Session ID

session

always

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Field

Name

Scope

Present

event_name

Event name

message

always

Description: the type of the message

Example: ServerConnect

Field

Name

Scope

Present

action

Action

message

always

Description: the taken by the device according to CIM model

Example: added

Field

Name

Scope

Present

_time

Timestamp

message

always

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Field

Name

Scope

Present

app

Application protocol

session

always

Description: SPS supported protocol

Example: ssh

Field

Name

Scope

Present

dest_ip

Destination address

session

always

Description: the IP address of the server

Example: 10.170.255.206

Field

Name

Scope

Present

dest

Destination host name

session

always

Description: the server hostname or IP address if hostname is not known

Example: server.acme.com

Field

Name

Scope

Present

user

Name of the user

message

always

Description: empty, not known in this message type

Example:

Field

Name

Scope

Present

dest_port

Destination port

session

always

Description: the port number on the server

Example: 22

Field

Name

Scope

Present

src_ip

Source address

session

always

Description: the IP address of the client

Example: 10.30.0.24

Field

Name

Scope

Present

src

Source host name

session

always

Description: the client hostname or IP address if hostname is not known

Example: client.acme.com

Field

Name

Scope

Present

src_user

Source username

session

sometimes

Description: the authenticated gateway username if there was a successful gateway authentication

Example: gwtestauto

Field

Name

Scope

Present

src_port

Source port

session

always

Description: the port number on the client

Example: 38014

Field

Name

Scope

Present

transport

Transport

session

always

Description: the layer 3 protocol

Example: tcp

ServerConnect for secondary channels

Description of the message: Emitted when SPS connects to the serverfor opening further channels. The difference from initial connection is that the server user name is known and authenticated this time.

Example message:

{"vendor":"OneIdentity","user":"","transport":"tcp","src_user":"gwtestauto","src_port":"58140","src_ip":"10.30.0.24","src":"client.acme.com","user":"root","session_id":"svc-iiCfsG48oJG5smpuocBLAN-my_connection-39","product":"SPS-5.11.0","event_name":"ServerConnect","dvc":"sps1.acme.com","dest_port":"22","dest_ip":"10.170.255.206","dest":"server.acme.com","app":"ssh","action":"added","_time":"1557913195000"}

The message contains the following fields.

Field

Name

Scope

Present

vendor

Device vendor

product

always

Description: fixed to OneIdentity

Example: OneIdentity

Field

Name

Scope

Present

product

Product version

product

always

Description: short product name with version

Example: SPS-5.11.0

Field

Name

Scope

Present

dvc

Device fqdn

device

always

Description: the hostname of SPS

Example: sps1.acme.com

Field

Name

Scope

Present

session_id

Session ID

session

always

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Field

Name

Scope

Present

event_name

Event name

message

always

Description: the type of the message

Example: ServerConnect

Field

Name

Scope

Present

action

Action

message

always

Description: the taken by the device according to CIM model

Example: added

Field

Name

Scope

Present

_time

Timestamp

message

always

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Field

Name

Scope

Present

app

Application protocol

session

always

Description: SPS supported protocol

Example: ssh

Field

Name

Scope

Present

dest_ip

Destination address

session

always

Description: the IP address of the server

Example: 10.170.255.206

Field

Name

Scope

Present

dest

Destination host name

session

always

Description: the server hostname or IP address if hostname is not known

Example: server.acme.com

Field

Name

Scope

Present

user

Name of the user

session

always

Description: the server username

Example: root

Field

Name

Scope

Present

dest_port

Destination port

session

always

Description: the port number on the server

Example: 22

Field

Name

Scope

Present

src_ip

Source address

session

always

Description: the IP address of the client

Example: 10.30.0.24

Field

Name

Scope

Present

src

Source host name

session

always

Description: the client hostname or IP address if hostname is not known

Example: client.acme.com

Field

Name

Scope

Present

src_user

Source username

session

sometimes

Description: the authenticated gateway username if there was a successful gateway authentication

Example: gwtestauto

Field

Name

Scope

Present

src_port

Source port

session

always

Description: the port number on the client

Example: 38014

Field

Name

Scope

Present

transport

Transport

session

always

Description: the layer 3 protocol

Example: tcp

ServerAuthenticationSuccess

Description of the message: Emitted after the server authentication successfully happened

Example message:

{"vendor":"OneIdentity","user":"root","transport":"tcp","src_user":"gwtestauto","src_port":"57982","src_ip":"10.30.0.24","src":"client.acme.com","session_id":"svc-iiCfsG48oJG5smpuocBLAN-my_connection-38","product":"SPS-5.11.0","event_name":"ServerAuthenticationSuccess","dvc":"sps1.acme.com","dest_port":"22","dest_ip":"10.170.255.206","dest":"server.acme.com","app":"ssh","action":"success","_time":"1557913189329"}

The message contains the following fields.

Field

Name

Scope

Present

vendor

Device vendor

product

always

Description: fixed to OneIdentity

Example: OneIdentity

Field

Name

Scope

Present

product

Product version

product

always

Description: short product name with version

Example: SPS-5.11.0

Field

Name

Scope

Present

dvc

Device fqdn

device

always

Description: the hostname of SPS

Example: sps1.acme.com

Field

Name

Scope

Present

session_id

Session ID

session

always

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Field

Name

Scope

Present

event_name

Event name

message

always

Description: the type of the message

Example: ServerAuthenticationSuccess

Field

Name

Scope

Present

action

Action

message

always

Description: marks a successful authentication

Example: success

Field

Name

Scope

Present

_time

Timestamp

message

always

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Field

Name

Scope

Present

app

Application protocol

session

always

Description: SPS supported protocol

Example: ssh

Field

Name

Scope

Present

dest_ip

Destination address

session

always

Description: the IP address of the server

Example: 10.170.255.206

Field

Name

Scope

Present

dest

Destination host name

session

always

Description: the server hostname or IP address if hostname is not known

Example: server.acme.com

Field

Name

Scope

Present

user

Name of the user

session

always

Description: the server username

Example: root

Field

Name

Scope

Present

dest_port

Destination port

session

always

Description: the port number on the server

Example: 22

Field

Name

Scope

Present

src_ip

Source address

session

always

Description: the IP address of the client

Example: 10.30.0.24

Field

Name

Scope

Present

src

Source host name

session

always

Description: the client hostname or IP address if hostname is not known

Example: client.acme.com

Field

Name

Scope

Present

src_user

Source username

session

sometimes

Description: the authenticated gateway username if there was a successful gateway authentication

Example: gwtestauto

Field

Name

Scope

Present

src_port

Source port

session

always

Description: the port number on the client

Example: 38014

Field

Name

Scope

Present

transport

Transport

session

always

Description: the layer 3 protocol

Example: tcp

ServerAuthenticationFailure

Description of the message: Emitted after the server authentication failed

Example message:

{"vendor":"OneIdentity","user":"root","transport":"tcp","src_user":"gwtestauto","src_port":"58140","src_ip":"10.30.0.24","src":"client.acme.com","session_id":"svc-iiCfsG48oJG5smpuocBLAN-my_connection-39","product":"SPS-5.11.0","event_name":"ServerAuthenticationFailure","dvc":"sps1.acme.com","dest_port":"22","dest_ip":"10.170.255.206","dest":"server.acme.com","app":"ssh","action":"failure","_time":"1557913197211"}

The message contains the following fields.

Field

Name

Scope

Present

vendor

Device vendor

product

always

Description: fixed to OneIdentity

Example: OneIdentity

Field

Name

Scope

Present

product

Product version

product

always

Description: short product name with version

Example: SPS-5.11.0

Field

Name

Scope

Present

dvc

Device fqdn

device

always

Description: the hostname of SPS

Example: sps1.acme.com

Field

Name

Scope

Present

session_id

Session ID

session

always

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Field

Name

Scope

Present

event_name

Event name

message

always

Description: the type of the message

Example: ServerAuthenticationFailure

Field

Name

Scope

Present

action

Action

message

always

Description: marks a failed authentication

Example: failure

Field

Name

Scope

Present

_time

Timestamp

message

always

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Field

Name

Scope

Present

app

Application protocol

session

always

Description: SPS supported protocol

Example: ssh

Field

Name

Scope

Present

dest_ip

Destination address

session

always

Description: the IP address of the server

Example: 10.170.255.206

Field

Name

Scope

Present

dest

Destination host name

session

always

Description: the server hostname or IP address if hostname is not known

Example: server.acme.com

Field

Name

Scope

Present

user

Name of the user

session

always

Description: contains the non authenticated server username

Example: root

Field

Name

Scope

Present

dest_port

Destination port

session

always

Description: the port number on the server

Example: 22

Field

Name

Scope

Present

src_ip

Source address

session

always

Description: the IP address of the client

Example: 10.30.0.24

Field

Name

Scope

Present

src

Source host name

session

always

Description: the client hostname or IP address if hostname is not known

Example: client.acme.com

Field

Name

Scope

Present

src_user

Source username

session

sometimes

Description: the authenticated gateway username if there was a successful gateway authentication

Example: gwtestauto

Field

Name

Scope

Present

src_port

Source port

session

always

Description: the port number on the client

Example: 38014

Field

Name

Scope

Present

transport

Transport

session

always

Description: the layer 3 protocol

Example: tcp

GatewayAuthenticationFailure

Description of the message: Emitted after a failed gateway authentication. Note that the gateway username here is not authenticated and will not be retained in further messages to avoid confusion with an authenticated gateway user.

Example message:

{"vendor":"OneIdentity","user":"","transport":"tcp","src_user":"gwtestauto","src_port":"49070","src_ip":"10.30.0.24","src":"client.acme.com","session_id":"svc-mBbMWzauBWHQN9TpoZz8mD-my_connection-15","product":"SPS-5.11.0","event_name":"GatewayAuthenticationFailure","dvc":"sps1.acme.com","dest_port":"","dest_ip":"","dest":"","app":"ssh","action":"failure","_time":"1557912792360"}

The message contains the following fields.

Field

Name

Scope

Present

vendor

Device vendor

product

always

Description: fixed to OneIdentity

Example: OneIdentity

Field

Name

Scope

Present

product

Product version

product

always

Description: short product name with version

Example: SPS-5.11.0

Field

Name

Scope

Present

dvc

Device fqdn

device

always

Description: the hostname of SPS

Example: sps1.acme.com

Field

Name

Scope

Present

session_id

Session ID

session

always

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Field

Name

Scope

Present

event_name

Event name

message

always

Description: the type of the message

Example: GatewayAuthenticationFailure

Field

Name

Scope

Present

action

Action

message

always

Description: marks a failed authentication

Example: failure

Field

Name

Scope

Present

dest

Destination host name

session

always

Description: empty, not known in this message type

Example:

Field

Name

Scope

Present

dest_ip

Destination address

session

always

Description: empty, not known in this message type

Example:

Field

Name

Scope

Present

user

Name of the user

message

always

Description: empty, not known in this message type

Example:

Field

Name

Scope

Present

dest_port

Destination port

session

always

Description: empty, not known in this message type

Example:

Field

Name

Scope

Present

_time

Timestamp

message

always

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Field

Name

Scope

Present

app

Application protocol

session

always

Description: SPS supported protocol

Example: ssh

Field

Name

Scope

Present

src_ip

Source address

session

always

Description: the IP address of the client

Example: 10.30.0.24

Field

Name

Scope

Present

src

Source host name

session

always

Description: the client hostname or IP address if hostname is not known

Example: client.acme.com

Field

Name

Scope

Present

src_user

Source username

message

always

Description: the non authenticated gateway username

Example: gwtestauto

Field

Name

Scope

Present

src_port

Source port

session

always

Description: the port number on the client

Example: 38014

Field

Name

Scope

Present

transport

Transport

session

always

Description: the layer 3 protocol

Example: tcp

SessionClosed of successfully authenticated session

Description of the message: Emitted when the session ends and server authentication and any gateway authentication was successful. There may be further messages related to the session after this message due to post processing of session data!

Example message:

{"vendor":"OneIdentity","user":"root","transport":"tcp","src_user":"gwtestauto","src_port":"48302","src_ip":"10.30.0.24","src":"client.acme.com","session_id":"svc-mBbMWzauBWHQN9TpoZz8mD-my_connection-12","product":"SPS-5.11.0","event_name":"SessionClosed","dvc":"sps1.acme.com","verdict":"ACCEPT","dest_port":"22","dest_ip":"10.170.255.206","dest":"server.acme.com","app":"ssh","_time":"1557912765545"}

The message contains the following fields.

Field

Name

Scope

Present

vendor

Device vendor

product

always

Description: fixed to OneIdentity

Example: OneIdentity

Field

Name

Scope

Present

product

Product version

product

always

Description: short product name with version

Example: SPS-5.11.0

Field

Name

Scope

Present

dvc

Device fqdn

device

always

Description: the hostname of SPS

Example: sps1.acme.com

Field

Name

Scope

Present

session_id

Session ID

session

always

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Field

Name

Scope

Present

event_name

Event name

message

always

Description: the type of the message

Example: SessionClosed

Field

Name

Scope

Present

_time

Timestamp

message

always

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Field

Name

Scope

Present

app

Application protocol

session

always

Description: SPS supported protocol

Example: ssh

Field

Name

Scope

Present

dest_ip

Destination address

session

always

Description: the IP address of the server

Example: 10.170.255.206

Field

Name

Scope

Present

dest

Destination host name

session

always

Description: the server hostname or IP address if hostname is not known

Example: server.acme.com

Field

Name

Scope

Present

user

Name of the user

session

always

Description: the server username

Example: root

Field

Name

Scope

Present

dest_port

Destination port

session

always

Description: the port number on the server

Example: 22

Field

Name

Scope

Present

src_ip

Source address

session

always

Description: the IP address of the client

Example: 10.30.0.24

Field

Name

Scope

Present

src

Source host name

session

always

Description: the client hostname or IP address if hostname is not known

Example: client.acme.com

Field

Name

Scope

Present

src_user

Source username

session

sometimes

Description: the authenticated gateway username if there was a successful gateway authentication

Example: gwtestauto

Field

Name

Scope

Present

src_port

Source port

session

always

Description: the port number on the client

Example: 38014

Field

Name

Scope

Present

transport

Transport

session

always

Description: the layer 3 protocol

Example: tcp

Field

Name

Scope

Present

verdict

Verdict

session

always

Description: describes how the session ended, e.g. ACCEPT, AUTH_FAIL, DENY, FAIL, TERMINATED

Example: ACCEPT

SessionClosed after a failed gateway authentication

Description of the message: Emitted when the session ends because gateway authentication failed.

Example message:

{"vendor":"OneIdentity","user":"","transport":"tcp","src_user":"","src_port":"49070","src_ip":"10.30.0.24","src":"client.acme.com","session_id":"svc-mBbMWzauBWHQN9TpoZz8mD-my_connection-15","product":"SPS-5.11.0","event_name":"SessionClosed","dvc":"sps1.acme.com","dest_port":"","dest_ip":"","dest":"","app":"ssh","_time":"1557912792398","verdict":"AUTH_FAIL"}

The message contains the following fields.

Field

Name

Scope

Present

vendor

Device vendor

product

always

Description: fixed to OneIdentity

Example: OneIdentity

Field

Name

Scope

Present

product

Product version

product

always

Description: short product name with version

Example: SPS-5.11.0

Field

Name

Scope

Present

dvc

Device fqdn

device

always

Description: the hostname of SPS

Example: sps1.acme.com

Field

Name

Scope

Present

session_id

Session ID

session

always

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Field

Name

Scope

Present

event_name

Event name

message

always

Description: the type of the message

Example: SessionClosed

Field

Name

Scope

Present

_time

Timestamp

message

always

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Field

Name

Scope

Present

app

Application protocol

session

always

Description: SPS supported protocol

Example: ssh

Field

Name

Scope

Present

dest_ip

Destination address

session

always

Description: empty, not known in this message type

Example:

Field

Name

Scope

Present

dest

Destination host name

session

always

Description: empty, not known in this message type

Example:

Field

Name

Scope

Present

user

Name of the user

message

always

Description: empty, not known in this message type

Example:

Field

Name

Scope

Present

dest_port

Destination port

session

always

Description: empty, not known in this message type

Example:

Field

Name

Scope

Present

src_ip

Source address

session

always

Description: the IP address of the client

Example: 10.30.0.24

Field

Name

Scope

Present

src

Source host name

session

always

Description: the client hostname or IP address if hostname is not known

Example: client.acme.com

Field

Name

Scope

Present

src_user

Source username

session

always

Description: empty, not known in this message type

Example:

Field

Name

Scope

Present

src_port

Source port

session

always

Description: the port number on the client

Example: 38014

Field

Name

Scope

Present

transport

Transport

session

always

Description: the layer 3 protocol

Example: tcp

Field

Name

Scope

Present

verdict

Verdict

session

always

Description: describes how the session ended, e.g. ACCEPT, AUTH_FAIL, DENY, FAIL, TERMINATED

Example: AUTH_FAIL

SessionClosed after a failed server authentication

Description of the message: Emitted when the session ends because server authentication failed.

Example message:

{"vendor":"OneIdentity","user":"","transport":"tcp","src_user":"gwtestauto","src_port":"49426","src_ip":"10.30.0.24","src":"client.acme.com","session_id":"svc-mBbMWzauBWHQN9TpoZz8mD-my_connection-17","product":"SPS-5.11.0","event_name":"SessionClosed","dvc":"sps1.acme.com","dest_port":"22","verdict":"AUTH_FAIL","dest_ip":"10.170.255.206","dest":"server.acme.com","app":"ssh","_time":"1557912813792"}

The message contains the following fields.

Field

Name

Scope

Present

vendor

Device vendor

product

always

Description: fixed to OneIdentity

Example: OneIdentity

Field

Name

Scope

Present

product

Product version

product

always

Description: short product name with version

Example: SPS-5.11.0

Field

Name

Scope

Present

dvc

Device fqdn

device

always

Description: the hostname of SPS

Example: sps1.acme.com

Field

Name

Scope

Present

session_id

Session ID

session

always

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Field

Name

Scope

Present

event_name

Event name

message

always

Description: the type of the message

Example: SessionClosed

Field

Name

Scope

Present

_time

Timestamp

message

always

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Field

Name

Scope

Present

app

Application protocol

session

always

Description: SPS supported protocol

Example: ssh

Field

Name

Scope

Present

dest_ip

Destination address

session

always

Description: the IP address of the server

Example: 10.170.255.206

Field

Name

Scope

Present

dest

Destination host name

session

always

Description: the server hostname or IP address if hostname is not known

Example: server.acme.com

Field

Name

Scope

Present

user

Name of the user

message

always

Description: empty, not known in this message type

Example:

Field

Name

Scope

Present

dest_port

Destination port

session

always

Description: the port number on the server

Example: 22

Field

Name

Scope

Present

src_ip

Source address

session

always

Description: the IP address of the client

Example: 10.30.0.24

Field

Name

Scope

Present

src

Source host name

session

always

Description: the client hostname or IP address if hostname is not known

Example: client.acme.com

Field

Name

Scope

Present

src_user

Source username

session

sometimes

Description: the authenticated gateway username if there was a successful gateway authentication

Example: gwtestauto

Field

Name

Scope

Present

src_port

Source port

session

always

Description: the port number on the client

Example: 38014

Field

Name

Scope

Present

transport

Transport

session

always

Description: the layer 3 protocol

Example: tcp

Field

Name

Scope

Present

verdict

Verdict

session

always

Description: describes how the session ended, e.g. ACCEPT, AUTH_FAIL, DENY, FAIL, TERMINATED

Example: AUTH_FAIL

RdpEmbeddedInTsg

Description of the message: Emitted when the gateway user is acquired in a Terminal Service Gateway authentication scenario.

Example message:

{"vendor":"OneIdentity","user":"","transport":"tcp","src_user":"gwtestauto","src_port":"51204","src_ip":"10.30.0.24","src":"client.acme.com","session_id":"svc-oUDm7arcL8zNb3t2CVwSQr-my_connection-47-4","product":"SPS-5.11.0","event_name":"RdpEmbeddedInTsg","dvc":"sps1.acme.com","dest_port":"","dest_ip":"","dest":"","app":"rdp","action":"allowed","_time":"1558006936608"}

The message contains the following fields.

Field

Name

Scope

Present

vendor

Device vendor

product

always

Description: fixed to OneIdentity

Example: OneIdentity

Field

Name

Scope

Present

product

Product version

product

always

Description: short product name with version

Example: SPS-5.11.0

Field

Name

Scope

Present

dvc

Device fqdn

device

always

Description: the hostname of SPS

Example: sps1.acme.com

Field

Name

Scope

Present

session_id

Session ID

session

always

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Field

Name

Scope

Present

event_name

Event name

message

always

Description: the type of the message

Example: RdpEmbeddedInTsg

Field

Name

Scope

Present

action

Action

message

always

Description: the action taken by the device according to CIM model

Example: allowed

Field

Name

Scope

Present

_time

Timestamp

message

always

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Field

Name

Scope

Present

app

Application protocol

session

always

Description: SPS supported protocol

Example: ssh

Field

Name

Scope

Present

dest_ip

Destination address

session

always

Description: empty, not known in this message type

Example:

Field

Name

Scope

Present

dest

Destination host name

session

always

Description: empty, not known in this message type

Example:

Field

Name

Scope

Present

user

Name of the user

message

always

Description: empty, not known in this message type

Example:

Field

Name

Scope

Present

dest_port

Destination port

session

always

Description: empty, not known in this message type

Example:

Field

Name

Scope

Present

src_ip

Source address

session

always

Description: the IP address of the client

Example: 10.30.0.24

Field

Name

Scope

Present

src

Source host name

session

always

Description: the client hostname or IP address if hostname is not known

Example: client.acme.com

Field

Name

Scope

Present

src_user

Source username

session

always

Description: the authenticated gateway username

Example: gwtestauto

Field

Name

Scope

Present

src_port

Source port

session

always

Description: the port number on the client

Example: 38014

Field

Name

Scope

Present

transport

Transport

session

always

Description: the layer 3 protocol

Example: tcp

SessionScored

Description of the message: Score messages represent scoring events when SPS has calculated an initial or changed score for the session.

Example message:

{"vendor":"OneIdentity","signature":"keystroke","session_id":"svc-416YVFZMy7rT8RA7T7yeAs-my_connection-0","product":"SPS-5.11.0","event_name":"SessionScored","dvc":"sps1.acme.com","algorithm_score":"18","algorithm_name":"keystroke","aggregated_score":"70","action":"allowed","_time":"1558010880806"}

The message contains the following fields.

Field

Name

Scope

Present

vendor

Device vendor

product

always

Description: fixed to OneIdentity

Example: OneIdentity

Field

Name

Scope

Present

product

Product version

product

always

Description: short product name with version

Example: SPS-5.11.0

Field

Name

Scope

Present

dvc

Device fqdn

device

always

Description: the hostname of SPS

Example: sps1.acme.com

Field

Name

Scope

Present

session_id

Session ID

session

always

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Field

Name

Scope

Present

event_name

Event name

message

always

Description: the type of the message

Example: SessionScored

Field

Name

Scope

Present

action

Action

message

always

Description: the action taken by the device according to CIM model

Example: allowed

Field

Name

Scope

Present

_time

Timestamp

message

always

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Field

Name

Scope

Present

aggregated_score

Aggregated score

message

always

Description: the average score from all enabled analytics algorithms

Example: 50

Field

Name

Scope

Present

algorithm_name

Algorithm name

message

always

Description: the name of the algorithm that changed value

Example: keystroke

Field

Name

Scope

Present

signature

Signature

message

always

Description: the algorithm name as CIM intrusion detection signature

Example: hostlogin

Field

Name

Scope

Present

algorithm_score

Algorithm score

message

always

Description: the new score value of the algorithm that changed value

Example: 60

CommandChannelEvent

Description of the message: Emitted when a command is detected in the session channel text.

Example message:

{"vendor":"OneIdentity","session_id":"svc-mBbMWzauBWHQN9TpoZz8mD-my_connection-12","product":"SPS-5.11.0","event_name":"CommandChannelEvent","dvc":"sps1.acme.com","command":"exit","action":"allowed","_time":"1557912765461"}

The message contains the following fields.

Field

Name

Scope

Present

vendor

Device vendor

product

always

Description: fixed to OneIdentity

Example: OneIdentity

Field

Name

Scope

Present

product

Product version

product

always

Description: short product name with version

Example: SPS-5.11.0

Field

Name

Scope

Present

dvc

Device fqdn

device

always

Description: the hostname of SPS

Example: sps1.acme.com

Field

Name

Scope

Present

session_id

Session ID

session

always

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Field

Name

Scope

Present

event_name

Event name

message

always

Description: the type of the message

Example: CommandChannelEvent

Field

Name

Scope

Present

action

Action

message

always

Description: the action taken by the device according to CIM model

Example: allowed

Field

Name

Scope

Present

_time

Timestamp

message

always

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Field

Name

Scope

Present

command

Command

message

always

Description: the full command detected

Example: exit

WindowTitleChannelEvent

Description of the message: Emitted when a command is detected in the session channel text.

Example message:

{"window_title":"Shortcut Tools Application Tools Administrative Tools","vendor":"OneIdentity","session_id":"svc-oUDm7arcL8zNb3t2CVwSQr-my_connection-47-4","product":"SPS-5.11.0","event_name":"WindowTitleChannelEvent","dvc":"sps1.acme.com","action":"allowed","_time":"1558007001482"}

The message contains the following fields.

Field

Name

Scope

Present

vendor

Device vendor

product

always

Description: fixed to OneIdentity

Example: OneIdentity

Field

Name

Scope

Present

product

Product version

product

always

Description: short product name with version

Example: SPS-5.11.0

Field

Name

Scope

Present

dvc

Device fqdn

device

always

Description: the hostname of SPS

Example: sps1.acme.com

Field

Name

Scope

Present

session_id

Session ID

session

always

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Field

Name

Scope

Present

event_name

Event name

message

always

Description: the type of the message

Example: WindowTitleChannelEvent

Field

Name

Scope

Present

action

Action

message

always

Description: the action taken by the device according to CIM model

Example: allowed

Field

Name

Scope

Present

_time

Timestamp

message

always

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Field

Name

Scope

Present

window_title

Window title

message

always

Description: the window title detected in graphical protocol

Example: firefox

FileTransfer

Description of the message: Emitted when a command is detected in the session channel text.

Example message:

{"vendor":"OneIdentity","session_id":"svc-2L83Phh9J6GKLWTc881awk-my_connection-324","product":"SPS-5.11.0","file_path":"/cpuinfo","file_operation":"UPLOAD","file_name":"cpuinfo","event_name":"FileTransfer","dvc":"sps1.acme.com","action":"allowed","_time":"1558023721326"}

The message contains the following fields.

Field

Name

Scope

Present

vendor

Device vendor

product

always

Description: fixed to OneIdentity

Example: OneIdentity

Field

Name

Scope

Present

product

Product version

product

always

Description: short product name with version

Example: SPS-5.11.0

Field

Name

Scope

Present

dvc

Device fqdn

device

always

Description: the hostname of SPS

Example: sps1.acme.com

Field

Name

Scope

Present

session_id

Session ID

session

always

Description: the unique identifier of the session

Example: svc-hjdBxA2UWkTadH3juDVwrT-my_connection-0

Field

Name

Scope

Present

event_name

Event name

message

always

Description: the type of the message

Example: FileTransfer

Field

Name

Scope

Present

action

Action

message

always

Description: the action taken by the device according to CIM model

Example: allowed

Field

Name

Scope

Present

_time

Timestamp

message

always

Description: the UNIX time stamp when the event occurred

Example: 1554470652340

Field

Name

Scope

Present

file_operation

Operation

message

always

Description: the operation on the file such as UPLOAD/DOWNLOAD. It may contain the suffix 'WARNING', if the operation failed

Example: UPLOAD

Field

Name

Scope

Present

file_name

Filename

message

always

Description: the file name

Example: foobar.txt

Field

Name

Scope

Present

file_path

Full file path

message

always

Description: the name of the file including its path on the server (in case of RDP protocol, this field is empty, in this case the full path of the file is in the filename field)

Example: /tmp/foobar.txt

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating