Open adm9000-3 opened 4 years ago
This is because tlog records raw input. This is what it sees: input characters interleaved with editing keystrokes and control characters. This is also the reason why tlog doesn't try to extract commands from the input stream. To do that it would have to essentially reimplement editing and command parsing functionality of the shell. Elasticsearch won't help with that either, but it gives you somewhat nicer search facilities. Consider one of the worst, but frequent cases: a user is recalling a command from history, edits it, and executes it. How would you detect what command was executed from the input alone?
To really get what's being executed you would need to use auditd process execution logging.
Tlog, essentially, is a visual aid to proper auditing.
Hello, I am trying to record a session and put it in Elasticsearch, but commands don't log properly. In many cases they are just divided into chunks, and some commands contain only part of the symbols.
For example, I am typing ls -l /var/log, tail -50 /var/log/secure, exit, exit, and many symbols don't register. I have default settings. Payload 2k, limit rate/burst = pass. Is it a feature of logging or is it a bug?
timestamp: Mar 31, 2020 @ 13:43:27.884
ver: 2.2
host: centos8
rec: a556bbb33a95420bfdfd4sdxaa19bb5-4c3a-4281eab
user: alex
term: xterm
session: 170
id: 7
pos: 170,354
timing: <1+88<1+123<1+166<1+81<1+90<1+240<1+62<1+212<1+84<1+181<1+113<1+188<1+50<1+210<1+360<1+860<1+181<1+188<1+201<1+113<1+210<1+397<1+99<1+431<1+431<1+241<1+197<1+111<1+181<1+98<1+201<1+59<1+202<1+299<1+170<1+130<1+409<1+1109<1+622<1+379<1
in_txt: ls -l /var log tail -50 /var log se ex
in_bin:
out_txt:
out_bin:
_id: xvowMFFEB6_auHzd7XbhK
_type: tlog
_index: tlog-rsyslog
_score: -
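As an added example (not code from the tlog project or from anyone in this thread), the Python below does the two things a reviewer of records like the one above usually wants: it stitches tlog-style JSON messages of one recording back into a single input stream, checks that each message's timing entries account for every character in its in_txt, and then shows why a split-on-Enter "command extractor" cannot recover a command line that was recalled from history and edited, which is the point made in the reply. Field names follow the quoted record; the message values, the rec id, and the interpretation of ">" and "=" timing kinds are constructed assumptions (only "<N" characters and "+N" ms delays appear on the page).

```python
import json
import re

# Constructed tlog-style JSON messages using the field names of the record
# quoted in the issue. Values are made up for this example; "rec" is a
# placeholder, not a real recording id. Message id 8 holds an up-arrow
# (history recall), six DEL keystrokes, a new argument and Enter.
RAW_MESSAGES = [
    json.dumps({"ver": "2.2", "host": "centos8", "user": "alex", "session": 170,
                "rec": "example-rec-0001", "id": 8,
                "timing": "<3+400<6+700<9",
                "in_txt": "\x1b[A\x7f\x7f\x7f\x7f\x7f\x7fmessages\r",
                "in_bin": "", "out_txt": "", "out_bin": ""}),
    json.dumps({"ver": "2.2", "host": "centos8", "user": "alex", "session": 170,
                "rec": "example-rec-0001", "id": 7,
                "timing": "<15+1200<25",
                "in_txt": "ls -l /var/log\rtail -50 /var/log/secure\r",
                "in_bin": "", "out_txt": "", "out_bin": ""}),
]

# Timing entries as seen on the page: "<N" = N characters of in_txt,
# "+N" = N ms delay. ">N" (output text) and "=WxH" (window size) are
# assumed from the same notation; they are tolerated but unused here.
TIMING_RE = re.compile(r"([<>+=])(\d+(?:x\d+)?)")


def parse_timing(timing):
    """Split a timing string into (kind, value) pairs,
    e.g. '<1+88' -> [('<', 1), ('+', 88)]."""
    out = []
    for kind, value in TIMING_RE.findall(timing):
        out.append((kind, value if "x" in value else int(value)))
    return out


def input_char_count(timing):
    """Number of in_txt characters the timing string accounts for."""
    return sum(v for k, v in parse_timing(timing) if k == "<")


def record_is_consistent(rec):
    """False when in_txt length disagrees with the '<N' entries, i.e. the
    message looks truncated (the symptom described in the issue)."""
    return input_char_count(rec["timing"]) == len(rec["in_txt"])


def reassemble_input(raw_messages):
    """Concatenate in_txt of one recording's messages in message order.
    Assumes 'id' increases monotonically within a recording ('rec')."""
    recs = sorted((json.loads(m) for m in raw_messages),
                  key=lambda r: (r["host"], r["session"], r["rec"], r["id"]))
    return "".join(r["in_txt"] for r in recs)


def naive_commands(stream):
    """What a split-on-Enter extractor would present as 'commands'."""
    return [line for line in re.split(r"[\r\n]", stream) if line]


# DEL, backspace, ^U, ^W or an escape sequence (arrow keys, history recall)
EDIT_KEYS_RE = re.compile(r"[\x7f\x08\x15\x17]|\x1b\[")


def has_editing_keystrokes(line):
    """True if the raw line contains editing keystrokes: the text typed is
    then not the command the shell executed, so it must not be read as one."""
    return EDIT_KEYS_RE.search(line) is not None


if __name__ == "__main__":
    for m in RAW_MESSAGES:
        r = json.loads(m)
        print(f"id={r['id']} timing-consistent={record_is_consistent(r)}")
    stream = reassemble_input(RAW_MESSAGES)
    for cmd in naive_commands(stream):
        if has_editing_keystrokes(cmd):
            print(f"{cmd!r}: UNRELIABLE, editing keystrokes present")
        else:
            print(f"{cmd!r}: literal input")
```

Run on these messages, the third "command" comes out as the escape sequence, six DELs and the word "messages": the recalled text never appears in the input stream at all, so the executed command (a tail of a different file) is not recoverable from tlog's input side. The consistency check is worth running over an index of records before concluding that characters were lost rather than merely split across messages.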