- Community Home
- >
- Servers and Operating Systems
- >
- Operating Systems
- >
- Operating System - HP-UX
- >
- ssh user session logs
Categories
Company
Local Language
Forums
Discussions
Forums
- Data Protection and Retention
- Entry Storage Systems
- Legacy
- Midrange and Enterprise Storage
- Storage Networking
- HPE Nimble Storage
Discussions
Discussions
Discussions
Discussions
Forums
Forums
Discussions
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
- BladeSystem Infrastructure and Application Solutions
- Appliance Servers
- Alpha Servers
- BackOffice Products
- Internet Products
- HPE 9000 and HPE e3000 Servers
- Networking
- Netservers
- Secure OS Software for Linux
- Server Management (Insight Manager 7)
- Windows Server 2003
- Operating System - Tru64 Unix
- ProLiant Deployment and Provisioning
- Linux-Based Community / Regional
- Microsoft System Center Integration
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Community
Resources
Forums
Blogs
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО04-05-2004 08:56 PM
тАО04-05-2004 08:56 PM
ssh user session logs
Is it possible to capture ssh[HP-UX Secure Shell] session information[log of the commands entered during the ssh user login session].
Regds,
Ismail.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО04-05-2004 09:07 PM
тАО04-05-2004 09:07 PM
Re: ssh user session logs
You will have to enable accounting, take a look at next thread.
http://forums1.itrc.hp.com/service/forums/questionanswer.do?admit=716493758+1081242352218+28353475&threadId=88105
Hope this helps,
Robert-Jan
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО04-05-2004 09:12 PM
тАО04-05-2004 09:12 PM
Re: ssh user session logs
It is per default informational.
e.g.
$ grep LogLevel /etc/ssh/sshd_config
#LogLevel INFO
try debug, and send the leading ssd a SIGHUP
e.g.
# kill -HUP $(cat /var/run/sshd.pid)
Maybe this could produce what you're expecting.
But I cannot tell since I'm not running sshd in this mode.
Also read the manpage of sshd
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО04-05-2004 09:43 PM
тАО04-05-2004 09:43 PM
Re: ssh user session logs
The file is located at the ssh installation dir.on my installation it is under /usr/local/etc/openssh/sshd_config
#SyslogFacility AUTH
#LogLevel INFO
Uncomment the above lines which should enable logging.
THanks
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО04-05-2004 11:56 PM
тАО04-05-2004 11:56 PM
Re: ssh user session logs
Thanks a lot for your replies!
Dear Ralph,
I did change the logging level to debug.
But could you please let me know the location of the log file, which will contain this debug information.
I did check the man page but could not find the log location.
Thanks & Regards,
Ismail.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО04-06-2004 06:31 PM
тАО04-06-2004 06:31 PM
Re: ssh user session logs
LOCAL4.INFO /var/log/sshd.log
(Remeber to use a TAB character and not spaces between the fields "INFO
Next create a blank file "touch logfile", then restart syslog.
If you then restart sshd, you should see a new entry in the log file. I always change ssh to log at a separate level e.g. LOCAL4 as it prevents other programs from dumping spurious entries in your logfile.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО04-07-2004 04:21 PM
тАО04-07-2004 04:21 PM
Re: ssh user session logs
I tried using the 'debug' log level in ssh, & modified the syslog to direct the debug messages to a separate log file.
But the messages that appear in the log file are the ssh handshaking messages & other messages.
But what i require is the list of the commands entered by the users during their ssh session,
to monitor if the user have deleted any file
or have changed any settings.
I also tried to change the log level to LOCAL4,
after doing this change i was unable to start ssh it give me the following message
"10453: /opt/ssh/etc/sshd_config line 31: unsupported log level 'LOCAL4'
EXIT CODE: 255"
I also tried with the INFO log level, but even this level does not give me the list of the commands entered by the user.
Is there any log level which can me the log of the commands entered by the user.
or Does the Accounting(Acct) on HP-UX have the facility to log the commands entered by the user.If so it will be great if someone can let me know the steps to configure it.
Thanks a lot!
Regds,
Ismail.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО04-07-2004 08:25 PM
тАО04-07-2004 08:25 PM
Re: ssh user session logs
There are two points here. One there is a privacy issue here that may land you in legal hot water, and two, the log will be extremely verbose and grow very quickly. You will therefore, have to create a large separate and secure storage area for this log, and also regularly manage it's size.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО04-07-2004 08:52 PM
тАО04-07-2004 08:52 PM
Re: ssh user session logs
AFAIR restricted shell can do such things.
-Tomek
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО04-07-2004 08:54 PM
тАО04-07-2004 08:54 PM
Re: ssh user session logs
sorry for not responding to you.
(I haven't marked the email notification field)
I see you already did as Andrew adviced you by configuring your syslogd.
It is indeed advisable to separate output of your daemons from the global syslog.log especially when you run them in the very verbose DEBUG level (but don't forget any applications that linger logging in debug mode, they'll pretty soon fill up your filesystems)
The sshd falls under the log facility daemon.
But as you noticed, it seems that the various SSH loglevels only care for the connection, authentification, and authorization phases (which is natural since this usually causes users and admins the most headache, if any)
If you really want to monitor what your users are doing, once they are logged in, I'd stick with T.G.'s suggestion and look for some auditing software plugin.
I'm afraid that I cannot help you with that because on our servers we don't really have the need for that (lucky us).
We don't have to host for real Unix users since all of the application users are database users that are managed by the DB engines, and don't require to have a Unix home and shell.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО04-07-2004 10:25 PM
тАО04-07-2004 10:25 PM
Re: ssh user session logs
Thanks a lot for all of your efforts.
I do agree with TG & Ralph, that it might be possible to capture the user activity by customizing the shell.
I will do some investigation regarding the the shell.
Thanks a lot!
Regds,
Ismail.
"No problem can stand the assault of sustained thinking"
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО04-08-2004 12:54 AM
тАО04-08-2004 12:54 AM
Re: ssh user session logs
export HISTFILE=$HOME/.sh_history
This is the simplest logging method. It won't tell you what was typed when using vi or other interactive commands. For that, you would need to use the script command to log every keystroke. Just add it to the user's .profile at the end.
Bill Hassell, sysadmin
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО04-09-2004 07:02 AM
тАО04-09-2004 07:02 AM
Re: ssh user session logs
if you need access to all the characters typed and/or shown using "ssh", then you'll have to write, install, and use what is called a "STREAMS module". That module of yours has to be linked into your kernel, and then it has to be "pushed" onto the stream used by the ssh-session.
The module itself would then log everything going "upstream" (from keyboard to the shell) or "downstream" (output to the screen) and would have to make that accessible using "ioctl(2)".
Read the documentation about "STREAMS" for more details.
BTW, we are talking about implementing "spyware", aren't we?
You might violate local laws doing this!
FWIW,
Wodisch
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО04-11-2004 11:59 AM
тАО04-11-2004 11:59 AM
Re: ssh user session logs
Dear Wodisch,
Your note makes sense.
I will investigate into this.
The session logs are required because we have different 'root' & other admin users logging to our system from different countries.
Thanks a lot!
Regds,
Ismail.