1

Good day to you.

I know there are some variations of my question here, but they are a bit different, I assure you.

We use terminal servers that our admins connect to and then establish ssh connections to other servers. We needed to audit their actions, which is why I used a modified ssh daemon that logs sessions into script-format files. I've been using this patch: http://www.kdvelectronics.eu/ssh-logging/ssh-logging.html. It has some drawbacks, though. First, the patch hasn't been updated for some time; I've managed to modify it to work for ssh-4.7, but openssh changed seriously in the 5th version. Second, almost everybody uses GNU Screen, and its control characters make session logs somewhat difficult to understand.

Then I tried ttyrpld, but it needs a kernel module, and after some time it just stopped logging.

After that I tried pam_tty_audit; although it's easy to install and use, that project doesn't really solve my problem.

What I really need is something that logs only user input, can't be overridden, and doesn't require rocket-science knowledge to install and support.

Dennis Williamson
Dima Medvedev

2 Answers

2

I'm sure you've seen it, but this question has a lot of suggestions for session logging - screen logging being possibly the best suggestion for your case. It may be necessary to slightly alter business practices to meet logging requirements, as no terminal logging software seems to exactly match (often diverse) demands.

Andy
0

Check out SSHLog https://github.com/sshlog/agent/

I'm a contributor to the open source project.

In this case, you'll want to configure it to record every user's terminal session. For example:

```yaml
events:
  - event: stream_terminal
    triggers: ['connection_established', 'connection_close', 'terminal_update']
    filters:
      ignore_existing_logins: True
    actions:
      - action: log_all_sessions
        plugin: sessionlog_action
        log_directory: '/var/log/sshlog/sessions/'
        timestamp_frequency_seconds: 6
```

That would give you a log file for every SSH session. It would look something like this:

```
[[ sshlog connection_established user: jdoe at 2023-04-11T21:07:58.986000Z ]]

[[ sshlog time: 2023-04-11T21:07:59.394366Z ]]
jdoe@serverb: ~jdoe@serverb:~$ 
[[ sshlog time: 2023-04-11T21:09:26.189697Z ]]
jdoe@serverb: ~jdoe@serverb:~$ 
jdoe@serverb: ~jdoe@serverb:~$ 
jdoe@serverb: ~jdoe@serverb:~$ ls
 Desktop  Downloads   Documents
jdoe@serverb: ~jdoe@serverb:~$ 
[[ sshlog connection_close user: jdoe at 2023-04-11T21:09:49.219000Z ]]
```
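
For audit review, a session log in the shape shown above can be reduced to who connected, for how long, and which command lines were echoed at a prompt. The following is an added example, not part of the original answer or of the SSHLog project; the marker syntax is inferred only from the sample above, and the prompt pattern and the names `summarize` and `parse_ts` are assumptions.

```python
import re
from datetime import datetime

# Constructed sample in the shape of the session log shown in the answer above.
SAMPLE = (
    "[[ sshlog connection_established user: jdoe at 2023-04-11T21:07:58.986000Z ]]\n"
    "\n"
    "[[ sshlog time: 2023-04-11T21:07:59.394366Z ]]\n"
    "jdoe@serverb: ~jdoe@serverb:~$ \n"
    "[[ sshlog time: 2023-04-11T21:09:26.189697Z ]]\n"
    "jdoe@serverb: ~jdoe@serverb:~$ ls\n"
    " Desktop  Downloads   Documents\n"
    "jdoe@serverb: ~jdoe@serverb:~$ \n"
    "[[ sshlog connection_close user: jdoe at 2023-04-11T21:09:49.219000Z ]]\n"
)

EVENT = re.compile(r"^\[\[ sshlog (connection_established|connection_close) user: (\S+) at (\S+) \]\]$")
TICK = re.compile(r"^\[\[ sshlog time: (\S+) \]\]$")
# Assumption: a bash-style "user@host:path$ " (or "# ") prompt precedes each command.
PROMPT = re.compile(r"^.*\w+@[\w.-]+:\S*[$#] (\S.*)$")

def parse_ts(value):
    """Parse the ISO-style UTC timestamps used in the sshlog markers."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")

def summarize(text):
    """Return user, duration and the echoed command lines of one session log."""
    out = {"user": None, "closed": False, "duration_seconds": None, "commands": []}
    start = last_tick = None
    for raw in text.splitlines():
        line = raw.rstrip()  # empty prompts lose their trailing space and are skipped
        if (m := EVENT.match(line)):
            kind, user, ts = m.groups()
            if kind == "connection_established":
                out["user"], start = user, parse_ts(ts)
            elif start is not None:
                out["closed"] = True
                out["duration_seconds"] = (parse_ts(ts) - start).total_seconds()
        elif (m := TICK.match(line)):
            last_tick = m.group(1)  # periodic marker, so command times are approximate
        elif (m := PROMPT.match(line)):
            out["commands"].append((last_tick, m.group(1)))
    return out

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

The log holds what the terminal displayed, so input that is never echoed (a password prompt, for instance) does not appear as a command, and a log with no `connection_close` marker is reported with `closed` set to `False`.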