Scribery / tlog

Terminal I/O logger
http://scribery.github.io/tlog/
GNU General Public License v2.0

--log-output=off making broken audit log #286

Open adm9000-3 opened 4 years ago

adm9000-3 commented 4 years ago

I want to record a session without output, just like the 'history' command in Linux: 'history on steroids'.

But when I do that:

```
tlog-rec --log-input=on --log-output=off --log-window=off --writer=file --file-path=/var/log/sessions/session.log
```

I receive a broken audit log (tlog-play won't play it).

The command below does nothing:

```
[root@centos8 ~]# tlog-play --reader=file --file-path=/var/log/sessions/session.log
[root@centos8 ~]#
```

Question: how do I write only the stdin of a session?

spbnick commented 4 years ago

@adm9000-3, your input should be recorded. The problem is that tlog-play cannot play back input, as it cannot interpret it, nor send it somewhere to interpret. It only plays back output. You can try recording to journal and playing back with Cockpit, which has a player UI with support for input playback.

However, note that input recording and playback will likely be useless as history, as cursor movement and edit keys would mess it up.

adm9000-3 commented 4 years ago

Thank you for the fast answer. Yes, the audit log is written when I am typing commands with '--log-output=off'.

Another question: is there an existing filter to clear the output and leave only the commands? There are too many character sequences, not only UNIX standard ones like \r but \u0003 etc.

Thank you very much.

```
cat /var/log/sessions/session.log | jq .
{
  "ver": "2.2",
  "host": "centos8",
  "rec": "a556bbb33a95420ba2768b5bbaa19bb5-5b5-3a668ff",
  "user": "root",
  "term": "xterm",
  "session": 61,
  "id": 1,
  "pos": 0,
  "timing": "<1+1839<1+106<1+194<1+229<1+1464<1+3906<1+1521<1",
  "in_txt": "\rtop\rc\u0003\r",
  "in_bin": [],
  "out_txt": "",
  "out_bin": []
}
{
  "ver": "2.2",
  "host": "centos8",
  "rec": "a556bbb33a95420ba2768b5bbaa19bb5-5b5-3a668ff",
  "user": "root",
  "term": "xterm",
  "session": 61,
  "id": 2,
  "pos": 10110,
  "timing": "<1+159<1+130<1+139<1+170<1+111<1+249<1+401<1+50<1+218<1+211<1+90<1+149<1+111<1+1150<1+171<1+178<1+71<1+1520<1+1949<1+432<1+269<1+180<1+120<1+499<1",
  "in_txt": "ps aux | grep tlog\r\rexit\r",
  "in_bin": [],
  "out_txt": "",
  "out_bin": []
}
```

spbnick commented 4 years ago

@adm9000-3, unfortunately not. Correctly extracting complete commands from user input would essentially require implementing shell command editing and interpretation functionality, and it would be a similar complexity task for extracting commands from output.

Instead, check out process execution logging that auditd can do. Tlog recordings can serve as an illustration for that, but it's very difficult to extract this kind of information from terminal recordings.
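The question above (timestamped stdin, and a filter that leaves only commands) and this reply can be illustrated with an added example that is not part of tlog: it walks the `timing` string of a v2.2 message like the one posted above to give each input chunk a timestamp, then does the naive "split on Enter" a filter would do, which leaves control characters such as `\u0003` (Ctrl-C) in the result. The timing semantics (`+N` is a delay in ms, `<N` consumes N characters of `in_txt`, `>N` consumes `out_txt`) are assumed from the posted data; the sample record is constructed from the thread's values.

```python
import json
import re

# Constructed sample line in the format shown in this thread (one JSON object per line).
SAMPLE_LOG = json.dumps({
    "ver": "2.2", "host": "centos8", "user": "root", "session": 61, "id": 1, "pos": 0,
    "timing": "<1+1839<1+106<1+194<1+229<1+1464<1+3906<1+1521<1",
    "in_txt": "\rtop\rc\u0003\r", "in_bin": [], "out_txt": "", "out_bin": [],
}) + "\n"

# Assumed timing tokens: "+N" = N ms delay, "<N" = next N chars of in_txt,
# ">N" = next N chars of out_txt (empty here because output logging is off).
TOKEN = re.compile(r"([+<>])(\d+)")


def load_messages(text):
    """Parse a tlog file-writer log: one JSON message per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def input_events(msg):
    """Return [(timestamp_ms, text)] for every input chunk in one message."""
    t, in_pos, events = msg["pos"], 0, []   # pos = message offset in the recording, ms
    for kind, n in TOKEN.findall(msg["timing"]):
        n = int(n)
        if kind == "+":
            t += n
        elif kind == "<":
            events.append((t, msg["in_txt"][in_pos:in_pos + n]))
            in_pos += n
    return events


def naive_commands(events):
    """Split keystrokes on Enter. Control characters (e.g. \\x03) and cursor/edit
    keys are kept verbatim, which is why this is not a trustworthy command log."""
    cmds, buf, start = [], "", None
    for ts, ch in events:
        start = ts if start is None else start
        if ch == "\r":
            if buf:
                cmds.append((start, buf))
            buf, start = "", None
        else:
            buf += ch
    return cmds


def sample_commands():
    return naive_commands(input_events(load_messages(SAMPLE_LOG)[0]))


if __name__ == "__main__":
    for ts, cmd in sample_commands():
        print(f"{ts:>6} ms  {cmd!r}")   # second entry keeps the Ctrl-C byte
```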

adm9000-3 commented 4 years ago

The main idea of all my actions is to make an 'ssh bastion server' where users connect first and then connect to other servers, and all their sessions are written. But I only want to log stdin (ideally with a timestamp), because stdout may use too much space (for example, if I 'cat' a 1 GB logfile I have an audit log of at least 1 GB). That is not admissible.

There are tons of projects for stdin + stdout but none for 'only stdin'.

Thank you for answer :)

spbnick commented 4 years ago

To deal with the output being too much, you can use rate limiting in tlog, and either throttle the throughput, or drop the bursty I/O (command editing is normally slow and is easy to separate from command output by speed).

You can still log stdin only with tlog, the only problem is how to view it. You can try using Cockpit on your bastion server, as I already said, or try sending the logs to ElasticSearch, and e.g. viewing/searching them with Kibana.

Another alternative is to enable TTY input logging in auditd and not use tlog at all.

adm9000-3 commented 4 years ago

I want to log all user commands, no matter what server the user is currently on; that's why I am searching for a way to use tlog or another similar utility.

Auditd requires installation on all servers (100+ in production, and they change often), and that is not really convenient, but I will think about it...

spbnick commented 4 years ago

@adm9000-3, you can use auditd to log user input on the bastion host, same as tlog. It would just go into the bastion host's audit.log file, in the audit log format, instead of into tlog's writer (file/journal/ElasticSearch), in JSON. Not sure if that would be better for you, but audit tools might have something to help you analyze that.

adm9000-3 commented 4 years ago

Trying auditd with the standard options:

```
-a exit,always -F arch=b64 -S execve
-a exit,always -F arch=b32 -S execve
```

I am logging all commands on the host, but when I ssh to another one auditd loses the ability to log. Maybe I didn't understand you correctly and auditd can't log remote sessions? Or do I just have to read the documentation? Thank you very much.

spbnick commented 4 years ago

Yes, process execution logging needs to be enabled on the host where processes execute, of course. Regarding the bastion host, I was talking about enabling TTY input logging in auditd, to do a thing similar to what tlog does, only with different tools, which might do more for you.