sshlog / agent
SSH Session Monitoring Daemon
Home Page: http://www.sshlog.com
License: Other
The issue here is that if you `sudo su` and run some commands after that, they are logged as the initial user from before the `sudo su` command.
For example:
user1 executing sudo su
user1 executing: ls /root
I think it must be
user1 executing sudo su
root executing: ls /root
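The attribution the post asks for can be recovered from the event stream after the fact. The following post-processor is an added example, not sshlog code: it keeps the login user and adds an `effective_user` by tracking nested `su`/`sudo` shells per session; the field names (`session_id`, `username`, `command`) and the sample events are assumptions constructed for the example.

```python
"""Add an effective_user field to sshlog-style command events.

Added example, not sshlog code. Commands typed after `sudo su` are still
labelled with the login user (the issue above); this keeps that login
user (still the accountable identity) and adds the user each command ran
as, by tracking nested su/sudo shells per session. Field names and sample
events are constructed for this example."""
import json
import shlex

def _su_target(argv):
    """Target user of `su [-] [user]`; su with no user means root."""
    users = [a for a in argv[1:] if not a.startswith("-")]
    return users[0] if users else "root"

def classify(command):
    """Return (user this command runs as or None, user of the shell it opens or None)."""
    try:
        argv = shlex.split(command)
    except ValueError:          # unbalanced quotes: treat as an ordinary command
        return None, None
    if not argv or argv[0] not in ("su", "sudo"):
        return None, None
    if argv[0] == "su":
        return None, _su_target(argv)
    rest, target = argv[1:], "root"
    if len(rest) >= 2 and rest[0] == "-u":      # sudo -u <user> ...
        target, rest = rest[1], rest[2:]
    if rest and rest[0] in ("-i", "-s"):         # sudo -i / sudo -s: new shell
        return None, target
    if rest and rest[0] == "su":                 # sudo su [-] [user]
        return None, _su_target(rest)
    return target, None                          # one-shot `sudo cmd`

def annotate(lines):
    """Yield each JSON event with effective_user filled in."""
    shells = {}   # session_id -> stack of users of the nested shells
    for line in lines:
        ev = json.loads(line)
        stack = shells.setdefault(ev["session_id"], [])
        current = stack[-1] if stack else ev["username"]
        cmd = ev.get("command", "")
        runs_as, spawns = classify(cmd)
        ev["effective_user"] = runs_as or current  # `sudo su` itself is typed as `current`
        if spawns:
            stack.append(spawns)
        elif cmd.strip() in ("exit", "logout") and stack:
            stack.pop()       # leaving the nested shell
        yield ev

SAMPLE_EVENTS = [   # constructed: the scenario from the issue, plus a one-shot sudo
    '{"session_id": "s1", "username": "user1", "command": "sudo su"}',
    '{"session_id": "s1", "username": "user1", "command": "ls /root"}',
    '{"session_id": "s1", "username": "user1", "command": "exit"}',
    '{"session_id": "s1", "username": "user1", "command": "sudo -u bob id"}',
    '{"session_id": "s2", "username": "user2", "command": "whoami"}',
]

def effective_users(lines=SAMPLE_EVENTS):
    return [(e["username"], e["effective_user"], e["command"]) for e in annotate(lines)]
```

Running `effective_users()` on the sample yields `ls /root` and `exit` attributed to root while `sudo su` itself stays with user1, which is the ordering the post expects.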
I am running Ubuntu on an EC2 instance with only SSH allowed inbound, and when I run `sshlog watch` I am not seeing any connection attempts, but many connection_close events from IP addresses and high port numbers, like 30000-60000. What might be the reason for this?
Hi,
I was looking for a tool that would help me log an event when someone uses the server as a proxy to connect to other hosts. It is commonly known that this is a typical vector of hacker activity, so the ability to log such events would be helpful in increasing server security. Unfortunately, apart from examples, I did not find any other triggers that could be used, and I checked that “connection_established” does not log sessions in which someone uses the server as a proxy (jumphost). Any hints?
Hello everyone,
I've developed an AUR package for sshlog tailored for Arch Linux.
You can easily install it using an AUR helper, such as `yay -S sshlog-bin`. The package currently utilizes the Debian build package for arm and amd64, available here: sshlog-bin on AUR.
For manual installation on Arch Linux, follow these steps:
```sh
git clone https://aur.archlinux.org/sshlog-bin.git && cd sshlog-bin
makepkg -si
```
Additionally, I can create a git version that compiles the package if there is a need.
An issue I've encountered is that although I've joined the sshlog group, my user isn't able to use the daemon without sudo. I'm uncertain whether this is a packaging or software-related problem, so I haven't made any adjustments yet.
It's possible to make a simple adjustment to the package to automatically create the sshlog group if needed.
Best regards.
Hello,
please update the description:
> Record all SSH session activity (commands and output) to log files for any connecting user
This application does not log past sudo calls, nor direct root logins.
Hi,
I wanted to raise a concern regarding the security implications of using eBPF with tracepoints in our C application. While this combination provides powerful capabilities for monitoring kernel behavior, there are some risks you need to consider, particularly in terms of security.
One significant issue is that under heavy kernel load, not all tracepoint functions may be executed. This could lead to missed tracepoints or unpredictable behavior in your application, especially if you rely on tracepoints for security-related purposes. Additionally, there's a risk associated with depending on kernel functions that may change or be removed in subsequent OS releases, potentially leading to inconsistencies or errors in our application.
As a result, I suggest we refrain from positioning your product as a security tool per se. While it can be valuable for monitoring and analysis purposes, it should not be considered the sole means of securing a system against threats.
I also recommend considering adding a warning in the README to alert users to these potential security issues.
Ref1: https://www.brendangregg.com/blog/2023-04-28/ebpf-security-issues.html
Ref2: https://blog.trailofbits.com/2023/09/25/pitfalls-of-relying-on-ebpf-for-security-monitoring-and-some-solutions/
Description:
I encountered an issue while attempting to install the software on a Debian/Ubuntu system. During the installation process, I received the error message "gpg: no valid OpenPGP data found." This error seems to indicate that there is an issue with the OpenPGP data used in the installation process.
Steps to Reproduce:
1. Attempted installation on a Debian/Ubuntu system using the provided instructions.
2. Observed the error message "gpg: no valid OpenPGP data found."
Expected Behavior:
The installation should proceed without any errors, and the software should be successfully installed on the system.
Additional Information:
Operating System: Ubuntu 22.04.2 LTS
Kernel: 5.15.0-1042-azure
Architecture: x86-64
Installation method used: apt-get install
I have installed the package from apt and from the deb file you provided in the Releases menu of the GitHub repo.
The installation is smooth and successful. After that, when I use `sshlog sessions`, I can only see two sessions, which are not correct, and both sessions' last activity shows the time when the sshlog service was actually started. If I open another SSH session in another terminal or close it, it doesn't increase or decrease the number of sessions in `sshlog sessions`.
Apart from that, when I use `sshlog watch`, it gives me empty output even though I run several commands in another terminal while this command is running. The log files in /var/log/sshlog are empty and never generate any output even though I have run several commands. I have kept the configuration files as default, and the following are my machine's specs:
OS: Ubuntu 20.04.6 LTS
OpenSSH version: 1:8.2p1-4ubuntu0.11
GnuPG version: 2.2.19-3ubuntu2.2
curl version: 7.68.0-1ubuntu2.21
sshlog version: 1.0.0
Kernel version: 5.4.0-1101-aws
Hi,
do you handle log rotation of the generated logs at the moment?
How do you handle that?
Thanks
Hi there! I encountered an issue: as soon as I install sshlog, the CPU usage spikes to between 80% and 90%.
I copied and pasted the instructions for "Debian/Ubuntu Install (arm64 and x86_64)". Here are the details of the OS:
Operating System: Ubuntu 20.04.3 LTS
Kernel: Linux 5.4.0-135-generic
Architecture: x86-64
The instance is a 2 GB Memory / 1 Intel vCPU DigitalOcean droplet, tried it with 2 different servers but got the same results and had to uninstall it immediately.
Lovely program by the way, always wanted something like this.
Cannot add the repo: 504 Gateway Time-out [IP: 18.165.242.74 80]
Is it possible to extract the command's cwd and have it in the event?
Hi matthill,
I am getting the error below. Could you please help to resolve this:
```
Error loading Python lib '/tmp/_MEIONNbeW/libpython3.8.so.1.0': dlopen: /lib64/libm.so.6: version `GLIBC_2.29' not found (required by /tmp/_MEIONNbeW/libpython3.8.so.1.0).
```
Hi, congratulations on sshlog 💯
I'm running sshlog in different environments properly, but I have a problem with sshlog when running inside an LXC container on Proxmox (privileged or unprivileged, nesting or without nesting, with the same error result).
I attach the logs below; it's Debian 12. Thanks in advance, and apologies, because it isn't an sshlog-specific issue.
```
# sshlogd
Detected Plugin command_exit_code_filter with fields [{'name': 'filter_arg', 'required': True}]
Detected Plugin command_name_filter with fields [{'name': 'filter_arg', 'required': True}]
Detected Plugin command_name_regex_filter with fields [{'name': 'filter_arg', 'required': True}]
Detected Plugin command_output_contains_filter with fields [{'name': 'filter_arg', 'required': True}]
Detected Plugin command_output_contains_regex_filter with fields [{'name': 'filter_arg', 'required': True}]
Detected Plugin ignore_existing_logins_filter with fields [{'name': 'filter_arg', 'required': True}]
Detected Plugin require_tty_filter with fields [{'name': 'filter_arg', 'required': True}]
Detected Plugin username_filter with fields [{'name': 'filter_arg', 'required': True}]
Detected Plugin username_regex_filter with fields [{'name': 'filter_arg', 'required': True}]
Detected Plugin upload_file_path_filter with fields [{'name': 'filter_arg', 'required': True}]
Detected Plugin upload_file_path_regex_filter with fields [{'name': 'filter_arg', 'required': True}]
Detected Plugin webhook_action with fields [{'name': 'webhook_url', 'required': True}, {'name': 'do_get_request', 'required': False}]
Detected Plugin syslog_action with fields [{'name': 'server_address', 'required': True}, {'name': 'port', 'required': False}, {'name': 'program_name', 'required': False}, {'name': 'udp', 'required': False}, {'name': 'output_json', 'required': False}, {'name': 'facility', 'required': False}, {'name': 'severity', 'required': False}]
Detected Plugin email_action with fields [{'name': 'sender', 'required': True}, {'name': 'recipient', 'required': True}, {'name': 'subject', 'required': True}, {'name': 'body', 'required': True}, {'name': 'smtp_server', 'required': True}, {'name': 'smtp_port', 'required': True}, {'name': 'username', 'required': False}, {'name': 'password', 'required': False}]
Detected Plugin run_command_action with fields [{'name': 'command', 'required': True}, {'name': 'args', 'required': False}, {'name': 'timeout', 'required': False}]
Detected Plugin eventlogfile_action with fields [{'name': 'log_file_path', 'required': True}, {'name': 'output_json', 'required': False}, {'name': 'max_size_mb', 'required': False}, {'name': 'number_of_log_files', 'required': False}]
Detected Plugin slack_action with fields [{'name': 'slack_webhook_url', 'required': True}]
Detected Plugin statsd_action with fields [{'name': 'server_address', 'required': True}, {'name': 'port', 'required': False}, {'name': 'statsd_prefix', 'required': False}]
Detected Plugin sessionlog_action with fields [{'name': 'log_directory', 'required': True}, {'name': 'timestamp_frequency_seconds', 'required': False}]
Reading config file /etc/sshlog/sshlog.yaml
Configuration file /etc/sshlog/sshlog.yaml does not exist. Skipping
Reading config file /etc/sshlog/conf.d/log_all_sessions.yaml
Reading config file /etc/sshlog/conf.d/log_events.yaml
Initializing event plugin stream_terminal
Initializing filter plugin ignore_existing_logins
Initializing action plugin log_all_sessions
Initialized action log_all_sessions with log directory /var/log/sshlog/sessions/
Initializing event plugin log_general_activity
Initializing filter plugin ignore_existing_logins
Initializing action plugin log_events
Initialized action log_events with log file path /var/log/sshlog/event.log
libbpf: Failed to bump RLIMIT_MEMLOCK (err = -1), you might need to do it explicitly!
libbpf: Error in bpf_object__probe_loading():Operation not permitted(1). Couldn't load trivial BPF program. Make sure your kernel supports BPF (CONFIG_BPF_SYSCALL=y) and/or that RLIMIT_MEMLOCK is set to big enough value.
libbpf: failed to load object 'sshtrace_bpf'
libbpf: failed to load BPF skeleton 'sshtrace_bpf': -1
Segmentation fault
~# uname -a
Linux vigor 5.15.74-1-pve #1 SMP PVE 5.15.74-1 x86_64 GNU/Linux
~# systemctl status sshlog
x sshlog.service - SSHLog Agent Service
Loaded: loaded (/lib/systemd/system/sshlog.service; enabled; preset: enabled)
Active: failed (Result: signal) since Fri 2023-11-10 15:01:12 UTC; 6min ago
Duration: 402ms
Process: 333 ExecStart=/usr/bin/sshlogd --logfile /var/log/sshlog/sshlogd.log (code=killed, signal=SEGV)
Main PID: 333 (code=killed, signal=SEGV)
CPU: 387ms
Nov 10 15:01:07 vigor systemd[1]: sshlog.service: Main process exited, code=killed, status=11/SEGV
Nov 10 15:01:07 vigor systemd[1]: sshlog.service: Failed with result 'signal'.
```
Installed sshlog according to the instructions.
Trying to start the daemon fails with SEGV (segmentation fault):
```
systemctl start sshlog
# systemctl status sshlog
× sshlog.service - SSHLog Agent Service
Loaded: loaded (/lib/systemd/system/sshlog.service; disabled; preset: disabled)
Active: failed (Result: signal) since Mon 2023-08-21 11:49:46 UTC; 2s ago
Duration: 1.494s
Process: 350961 ExecStart=/usr/bin/sshlogd --logfile /var/log/sshlog/sshlogd.log (code=killed, signal=SEGV)
Main PID: 350961 (code=killed, signal=SEGV)
CPU: 1.487s
Aug 21 11:49:46 cerberus systemd[1]: sshlog.service: Scheduled restart job, restart counter is at 5.
Aug 21 11:49:46 cerberus systemd[1]: Stopped sshlog.service - SSHLog Agent Service.
Aug 21 11:49:46 cerberus systemd[1]: sshlog.service: Consumed 1.487s CPU time.
Aug 21 11:49:46 cerberus systemd[1]: sshlog.service: Start request repeated too quickly.
Aug 21 11:49:46 cerberus systemd[1]: sshlog.service: Failed with result 'signal'.
Aug 21 11:49:46 cerberus systemd[1]: Failed to start sshlog.service - SSHLog Agent Service.
```
Checked /var/log/sshlog/sshlogd.log, but there are no failures there:
```
2023-08-21 11:49:14,129 - plugin_manager.py:26 - INFO - Detected Plugin upload_file_path_filter with fields [{'name': 'filter_arg', 'required': True}]
2023-08-21 11:49:14,130 - plugin_manager.py:26 - INFO - Detected Plugin upload_file_path_regex_filter with fields [{'name': 'filter_arg', 'required': True}]
2023-08-21 11:49:14,130 - plugin_manager.py:26 - INFO - Detected Plugin ignore_existing_logins_filter with fields [{'name': 'filter_arg', 'required': True}]
2023-08-21 11:49:14,130 - plugin_manager.py:26 - INFO - Detected Plugin require_tty_filter with fields [{'name': 'filter_arg', 'required': True}]
2023-08-21 11:49:14,130 - plugin_manager.py:26 - INFO - Detected Plugin username_filter with fields [{'name': 'filter_arg', 'required': True}]
2023-08-21 11:49:14,130 - plugin_manager.py:26 - INFO - Detected Plugin username_regex_filter with fields [{'name': 'filter_arg', 'required': True}]
2023-08-21 11:49:14,130 - plugin_manager.py:26 - INFO - Detected Plugin command_exit_code_filter with fields [{'name': 'filter_arg', 'required': True}]
2023-08-21 11:49:14,131 - plugin_manager.py:26 - INFO - Detected Plugin command_name_filter with fields [{'name': 'filter_arg', 'required': True}]
2023-08-21 11:49:14,131 - plugin_manager.py:26 - INFO - Detected Plugin command_name_regex_filter with fields [{'name': 'filter_arg', 'required': True}]
2023-08-21 11:49:14,131 - plugin_manager.py:26 - INFO - Detected Plugin command_output_contains_filter with fields [{'name': 'filter_arg', 'required': True}]
2023-08-21 11:49:14,131 - plugin_manager.py:26 - INFO - Detected Plugin command_output_contains_regex_filter with fields [{'name': 'filter_arg', 'required': True}]
2023-08-21 11:49:14,131 - plugin_manager.py:26 - INFO - Detected Plugin slack_action with fields [{'name': 'slack_webhook_url', 'required': True}]
2023-08-21 11:49:14,131 - plugin_manager.py:26 - INFO - Detected Plugin webhook_action with fields [{'name': 'webhook_url', 'required': True}, {'name': 'do_get_request', 'required': False}]
2023-08-21 11:49:14,132 - plugin_manager.py:26 - INFO - Detected Plugin email_action with fields [{'name': 'sender', 'required': True}, {'name': 'recipient', 'required': True}, {'name': 'subject', 'required': True}, {'name': 'body', 'required': True}, {'name': 'smtp_server', 'required': True}, {'name': 'smtp_port', 'required': True}, {'name': 'username', 'required': False}, {'name': 'password', 'required': False}]
2023-08-21 11:49:14,132 - plugin_manager.py:26 - INFO - Detected Plugin run_command_action with fields [{'name': 'command', 'required': True}, {'name': 'args', 'required': False}, {'name': 'timeout', 'required': False}]
2023-08-21 11:49:14,132 - plugin_manager.py:26 - INFO - Detected Plugin statsd_action with fields [{'name': 'server_address', 'required': True}, {'name': 'port', 'required': False}, {'name': 'statsd_prefix', 'required': False}]
2023-08-21 11:49:14,132 - plugin_manager.py:26 - INFO - Detected Plugin eventlogfile_action with fields [{'name': 'log_file_path', 'required': True}, {'name': 'output_json', 'required': False}, {'name': 'max_size_mb', 'required': False}, {'name': 'number_of_log_files', 'required': False}]
2023-08-21 11:49:14,132 - plugin_manager.py:26 - INFO - Detected Plugin sessionlog_action with fields [{'name': 'log_directory', 'required': True}, {'name': 'timestamp_frequency_seconds', 'required': False}]
2023-08-21 11:49:14,133 - plugin_manager.py:26 - INFO - Detected Plugin syslog_action with fields [{'name': 'server_address', 'required': True}, {'name': 'port', 'required': False}, {'name': 'program_name', 'required': False}, {'name': 'udp', 'required': False}, {'name': 'output_json', 'required': False}, {'name': 'facility', 'required': False}, {'name': 'severity', 'required': False}]
2023-08-21 11:49:14,133 - plugin_manager.py:37 - INFO - Reading config file /etc/sshlog/sshlog.yaml
2023-08-21 11:49:14,133 - plugin_manager.py:39 - WARNING - Configuration file /etc/sshlog/sshlog.yaml does not exist. Skipping
2023-08-21 11:49:14,133 - plugin_manager.py:37 - INFO - Reading config file /etc/sshlog/conf.d/log_events.yaml
2023-08-21 11:49:14,143 - plugin_manager.py:37 - INFO - Reading config file /etc/sshlog/conf.d/log_all_sessions.yaml
2023-08-21 11:49:14,151 - plugin_manager.py:162 - INFO - Initializing event plugin log_general_activity
2023-08-21 11:49:14,151 - plugin_manager.py:167 - INFO - Initializing filter plugin ignore_existing_logins
2023-08-21 11:49:14,151 - plugin_manager.py:175 - INFO - Initializing action plugin log_events
2023-08-21 11:49:14,151 - eventlogfile_action.py:19 - INFO - Initialized action log_events with log file path /var/log/sshlog/event.log
2023-08-21 11:49:14,153 - plugin_manager.py:162 - INFO - Initializing event plugin stream_terminal
2023-08-21 11:49:14,153 - plugin_manager.py:167 - INFO - Initializing filter plugin ignore_existing_logins
2023-08-21 11:49:14,153 - plugin_manager.py:175 - INFO - Initializing action plugin log_all_sessions
2023-08-21 11:49:14,153 - sessionlog_action.py:53 - INFO - Initialized action log_all_sessions with log directory /var/log/sshlog/sessions/
```
My configuration:
```
# uname -a
Linux cerberus 5.15.44-Re4son-v8l+ #1 SMP PREEMPT Debian kali-pi (2022-07-03) aarch64 GNU/Linux
# ssh -V
OpenSSH_9.3p2 Debian-1, OpenSSL 3.0.9 30 May 2023
```
Hi,
Is there a specific reason for the dash-space prefix in sshlog's log messages? It's an issue when JSON logs are fed into log collection/processing systems, because they treat the messages as invalid JSON due to that prefix. Could you remove it from the JSON log messages?
Thanks & best regards,
ron
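Until the prefix is dropped, a small pre-processor in front of the collector can strip it; the same pass can also separate the connection_close events that followed a connection_established for the same session from those that had none, which is the pattern reported in the EC2 post earlier on this page. This is an added example, not sshlog code; the sample lines and their field names (`event_type`, `session_id`, `source_ip`) are constructed here and are not taken from sshlog's real schema.

```python
"""Pre-process sshlog-style JSON event lines before shipping them to a collector.

Added example, not sshlog code. It tolerates the "- " prefix written in
front of each JSON record (which strict JSON-lines collectors reject) and
counts, per source IP, connection_close events with and without a prior
connection_established for the same session. Sample lines and field names
are constructed for this example."""
import json
from collections import Counter

PREFIX = "- "

def parse_line(line):
    """Return the JSON object on one line, stripping a leading '- ' prefix.

    Returns None for blank, non-JSON or malformed lines so that a single
    bad record cannot stall the whole pipeline."""
    text = line.strip()
    if text.startswith(PREFIX):
        text = text[len(PREFIX):]
    if not text.startswith("{"):
        return None
    try:
        return json.loads(text)
    except json.JSONDecodeError:
        return None

def summarize_closes(lines):
    """Per source IP, count closes that had a matching established event and closes that did not."""
    open_sessions = set()
    matched, unmatched = Counter(), Counter()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        sid, ip = ev.get("session_id"), ev.get("source_ip", "unknown")
        if ev.get("event_type") == "connection_established":
            open_sessions.add(sid)
        elif ev.get("event_type") == "connection_close":
            if sid in open_sessions:
                open_sessions.discard(sid)
                matched[ip] += 1
            else:
                unmatched[ip] += 1   # closed without ever being established
    return matched, unmatched

# Constructed sample: one normal session, two closes that were never
# established (the high-port pattern from the EC2 report), one non-JSON line.
SAMPLE_LINES = [
    '- {"event_type": "connection_established", "session_id": 1, "source_ip": "203.0.113.5", "username": "alice"}',
    '- {"event_type": "connection_close", "session_id": 1, "source_ip": "203.0.113.5"}',
    '- {"event_type": "connection_close", "session_id": 2, "source_ip": "198.51.100.9"}',
    '- {"event_type": "connection_close", "session_id": 3, "source_ip": "198.51.100.9"}',
    'not a json line',
]

if __name__ == "__main__":
    ok, suspect = summarize_closes(SAMPLE_LINES)
    print("closes with a matching established event:", dict(ok))
    print("closes with no established event:", dict(suspect))
```

Feeding `parse_line` output (re-serialised with `json.dumps`) to the collector removes the prefix problem; the unmatched counter is a cheap per-source indicator worth alerting on when it climbs.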
Hi,
It might be helpful to have an option to log the IP next to the username that ran the command; otherwise you have to search manually by the session id to find the user's IP.
Thanks