There are many reasons to monitor user terminal activity, such as which commands a user is executing or running: it may be for privacy reasons, for compliance reasons, or simply good practice for a system administrator.
Sometimes you just want to know what users are doing in the terminal, and having a record helps build trust in users. For all of this you can use tlog. It is a terminal I/O logger that is available on Linux distributions.
In this article I will explain some basic tlog configuration. As you know, we can already monitor who logged in, or failed to log in, over SSH. But by default it is difficult to monitor every terminal action of an unprivileged user, and the user can delete the shell history.
So here we can use the tlog Linux utility to monitor all of a user's terminal activity. tlog also keeps the logs in JSON format, so that we can parse them or use them later.
Let's start. First we need to install the tlog utility.
Install tlog utility on Linux
Run the command below to install the tlog utility on the system.
# yum install tlog -y
Next, create a group and add the user to it. In my example I am creating a suspicious-users group and will add the users there. Individual users can be logged as well.
# groupadd suspicious-users
Now modify the configuration file below to add the group:
/etc/sssd/conf.d/sssd-session-recording.conf
Make sure that this file is owned by root:root and that users/others cannot read or write it, for security reasons.
# vim /etc/sssd/conf.d/sssd-session-recording.conf

[session_recording]
scope = some
groups = suspicious-users
After updating this file restart sssd.
Now let’s log user sessions.
Suppose the user Jack looks suspicious; then add this user to the suspicious-users group (usermod -aG appends the supplementary group without removing existing ones).
# usermod -aG suspicious-users Jack
Whenever the user logs in, a notice is printed saying that they are being watched. You can modify or remove this using the notice directive in /etc/tlog/tlog-rec-session.conf. So here we can notify the user that their terminal session is being monitored and that commands should be used carefully.
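The two requirements above, the scope/groups stanza and the root-only permissions on the drop-in, are easy to get wrong on a second host. The following is an added example (not code from the article, sssd or tlog) that renders the stanza shown above and audits an existing file for the same requirements. The path and the scope/groups keys are the ones the article shows; the function names, the temporary-directory self-check and the constructed "loose" file are assumptions of this example.

```python
"""Render and audit the sssd session-recording drop-in described in the article.

Added example, not part of the article or of sssd/tlog. The file name and the
scope/groups keys come from the article; everything else is assumed here.
"""
import configparser
import os
import stat
import tempfile
from io import StringIO

CONF_NAME = "sssd-session-recording.conf"   # article: /etc/sssd/conf.d/<this file>


def render_conf(groups, users=()):
    """Return the [session_recording] stanza text for the given groups/users."""
    cp = configparser.ConfigParser()
    cp["session_recording"] = {"scope": "some"}   # "some": record only listed groups/users
    if groups:
        cp["session_recording"]["groups"] = ", ".join(groups)
    if users:
        cp["session_recording"]["users"] = ", ".join(users)
    buf = StringIO()
    cp.write(buf)
    return buf.getvalue()


def write_conf(path, content):
    """Create the file with mode 0600 from the start, so there is no window
    in which another local user could read it."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    os.chmod(path, 0o600)   # the O_CREAT mode is ignored if the file already existed


def audit_conf(path, expected_groups):
    """Return a list of findings; an empty list means the file matches the
    article's requirements: root:root, no group/other bits, scope=some,
    and the expected groups listed."""
    findings = []
    st = os.stat(path)
    if st.st_uid != 0 or st.st_gid != 0:
        findings.append(f"owner: expected root:root, got uid={st.st_uid} gid={st.st_gid}")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode: group/other bits set ({stat.filemode(st.st_mode)})")
    cp = configparser.ConfigParser()
    cp.read(path)
    if not cp.has_section("session_recording"):
        findings.append("config: missing [session_recording] section")
        return findings
    sec = cp["session_recording"]
    if sec.get("scope") != "some":
        findings.append(f"config: scope is {sec.get('scope')!r}, expected 'some'")
    listed = {g.strip() for g in sec.get("groups", "").split(",") if g.strip()}
    missing = set(expected_groups) - listed
    if missing:
        findings.append(f"config: groups not listed: {sorted(missing)}")
    return findings


def self_check():
    """Write a correct file and a world-readable copy into a temp dir and
    return (findings_for_good_file, findings_for_loose_file)."""
    tmp = tempfile.mkdtemp()
    good = os.path.join(tmp, CONF_NAME)
    write_conf(good, render_conf(["suspicious-users"]))
    loose = os.path.join(tmp, "loose-" + CONF_NAME)
    write_conf(loose, render_conf(["suspicious-users"]))
    os.chmod(loose, 0o644)          # the mistake the article warns against
    return (audit_conf(good, ["suspicious-users"]),
            audit_conf(loose, ["suspicious-users"]))


if __name__ == "__main__":
    print(render_conf(["suspicious-users"]))
    for label, findings in zip(("good", "loose"), self_check()):
        print(label, findings or "OK")
```

Run as a regular user the owner finding will appear for both files, because the temp files are not root-owned; the point of the self-check is that the 0644 copy additionally trips the mode finding while the 0600 copy does not. On a real host, run audit_conf against /etc/sssd/conf.d/sssd-session-recording.conf after editing it.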
You can use Cockpit for a GUI; it is the best tool to view the logs. If you're not using Cockpit, viewing the logs gets a little more complicated, as the data you're looking for is in the system journal. In this case, I found it easiest to just switch tlog over to recording to a file. You could also log to syslog, which would have a similar effect and perhaps be easier to maintain. For the sake of simplicity, I'm just going to write directly to a file. I should warn you that moving tlog logs out of the system journal and into a file breaks the Cockpit integration.
First, create a place to store the files, and make sure it's writable by the tlog user. I added a directory in /var/log called tlog and set the ownership to tlog:tlog.
Next, in /etc/tlog/tlog-rec-session.conf, tell tlog where to store its logs. You'll find stanzas in the file for different configurations. One is labeled File writer parameters. This parameter allows you to define the path for the output file. The configuration for my path looked like this:
// File writer parameters
"file": {
    // The "file" writer log file path.
    "path" : "/var/log/tlog/tlog.log"
},
Now tell tlog to use the file writer instead of the default, which is the journal. At the bottom of the config file, just before the closing }, you'll find a commented-out line //"writer" : "journal". Uncomment it and change the setting to file, like so:
// The type of "log writer" to use for logging. The writer needs
// to be configured using its dedicated parameters.
"writer" : "file"
}
The next time your target user logs in, the file /var/log/tlog/tlog.log should be created, and sessions logged there. You’ll want to set up log rotation on this, and if you have an external logger, you should send this file there. This data is only useful if it’s available when you need it. If an attacker finds it and deletes it, it won’t do you any good.
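Since the article mentions that tlog keeps its logs in JSON so they can be parsed later, here is an added example (not code from the article or from the tlog project) that reads a file-writer log like /var/log/tlog/tlog.log, reassembles each user's typed commands per session, and flags the ones a reviewer would want to look at first. The record layout follows tlog's JSON message format as I understand it (one object per line with user, session, id, in_txt and related fields); the sample records, the watchlist patterns and the function names are constructed for this example.

```python
"""Summarise tlog session recordings written by the "file" writer.

Added example, not part of the article or of tlog. tlog emits one JSON object
per line; the field names used here (user, session, id, in_txt, ...) follow
tlog's JSON message format as assumed by this example, and the records in
SAMPLE_LOG are constructed, not a real capture.
"""
import json
import re
from collections import defaultdict


def _record(user, session, msg_id, in_txt, out_txt=""):
    """Build one tlog-style message (constructed; timing is a placeholder)."""
    return json.dumps({
        "ver": "2.2", "host": "web01", "rec": "constructed", "user": user,
        "term": "xterm-256color", "session": session, "id": msg_id, "pos": 0,
        "timing": "=80x24", "in_txt": in_txt, "in_bin": [],
        "out_txt": out_txt, "out_bin": [],
    })


# Constructed sample of what /var/log/tlog/tlog.log might contain.
SAMPLE_LOG = "\n".join([
    _record("jack", 4, 1, "ls -l /etc/sssd\r", "total 8\r\n"),
    _record("jack", 4, 2, "cat /etc/sssd/conf.d/sssd-session-recording.conf\r"),
    _record("jack", 4, 3, "history -c\r"),
    _record("alice", 7, 1, "cd /var/www\r"),
    _record("alice", 7, 2, "tail -f /var/log/httpd/access.log\r"),
    "this line is not JSON and should be skipped",
])

# Patterns worth a second look: attempts to clear the shell history that the
# article says users can delete (tlog keeps its own copy), and privilege changes.
WATCHLIST = {
    "history-tamper": re.compile(r"\b(history\s+-c|unset\s+HISTFILE|HISTSIZE=0)\b"),
    "privilege": re.compile(r"^\s*(sudo|su)\b"),
}


def parse_sessions(text):
    """Return {(user, session): [command, ...]} from tlog JSON lines.

    Typed input arrives in chunks (one per message), so a session's chunks are
    joined in message-id order before splitting on the carriage return that
    ends each typed command.
    """
    chunks = defaultdict(list)
    for line in text.splitlines():
        try:
            msg = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or foreign lines
        key = (msg.get("user"), msg.get("session"))
        chunks[key].append((msg.get("id", 0), msg.get("in_txt", "")))
    sessions = {}
    for key, parts in chunks.items():
        typed = "".join(t for _, t in sorted(parts))
        sessions[key] = [c.strip() for c in typed.split("\r") if c.strip()]
    return sessions


def flag_commands(sessions):
    """Return [(user, session, category, command)] for every watchlist hit."""
    hits = []
    for (user, session), commands in sessions.items():
        for cmd in commands:
            for category, pattern in WATCHLIST.items():
                if pattern.search(cmd):
                    hits.append((user, session, category, cmd))
    return hits


if __name__ == "__main__":
    for user, session, category, cmd in flag_commands(parse_sessions(SAMPLE_LOG)):
        print(f"{user} session {session}: [{category}] {cmd}")
```

To run it against a real file, replace SAMPLE_LOG with the contents of /var/log/tlog/tlog.log. Only in_txt is inspected; out_txt is kept in the record if you want to show the reviewer what the user actually saw.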
If you would like to see your PHP or Apache web server log in real time, you will need to use the tail command, which prints the last part of a file, including all incoming log entries, to a standard output device such as the screen.
If you want to monitor your Apache or PHP logs in real time, the steps below will help you.
Real Time Log Monitoring for Apache or PHP
Tail is useful to:
1. Show log files in real time.
2. Debug and troubleshoot server problems.
3. Troubleshoot security issues.
4. Monitor spammers, IP addresses, scripts, etc.
Tail basic command syntax:
tail fileName
tail /path/to/log/file
tail [options] /path/to/log/file
For example, if your log file name is /var/log/httpd/access.log, type the command below:
# tail -f /var/log/httpd/access.log
If your php-fpm error log file name is /var/log/php-fpm/error.log, type the command below:
# tail -f /var/log/php-fpm/error.log
You will get some output like below:
[15-Nov-2017 00:38:47] WARNING: [pool php-fpm] child 1099 said into stderr: ""
[15-Nov-2017 00:38:47] WARNING: [pool php-fpm] child 1099 said into stderr: "< HTTP/1.1 200 OK"
[15-Nov-2017 00:38:47] WARNING: [pool php-fpm] child 1099 said into stderr: "< Content-Type: application/json"
[15-Nov-2017 00:38:47] WARNING: [pool php-fpm] child 1099 said into stderr: "< Date: Wed, 15 Nov 2017 06:43:42 GMT"
[15-Nov-2017 00:38:47] WARNING: [pool php-fpm] child 1099 said into stderr: "< Server: nginx"
[15-Nov-2017 00:38:47] WARNING: [pool php-fpm] child 1099 said into stderr: "< Content-Length: 117"
[15-Nov-2017 00:38:47] WARNING: [pool php-fpm] child 1099 said into stderr: "< Connection: keep-alive"
[15-Nov-2017 00:38:47] WARNING: [pool php-fpm] child 1099 said into stderr: "< "
[15-Nov-2017 00:38:47] WARNING: [pool php-fpm] child 1099 said into stderr: "* Connection #0 to host v2.crocodoc.com left intact"
[15-Nov-2017 00:38:47] WARNING: [pool php-fpm] child 1099 said into stderr: "* Closing connection #0"
By default tail prints the last 10 lines of a file.
With -f you will get a scrolling view of /var/log/php-fpm/error.log with all incoming entries on screen. To stop, simply hit CTRL+C. Please make sure you have permission to read the log file on the server.
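Watching php-fpm output scroll past is fine for a quick look, but the lines shown above are one stderr fragment each, all from the same child, and are easier to read when stitched back together. The following is an added example (not code from the article, php-fpm or tail) that parses lines in that format, groups the stderr fragments per pool and child, counts entries per level, and includes a small follow() generator that does what tail -f does so it can be pointed at the live file. The sample lines are constructed in the same shape as the article's output; the regular expressions and function names are assumptions of this example.

```python
"""Parse php-fpm error-log lines like the ones the article shows.

Added example, not part of the article or of php-fpm. SAMPLE_LINES are
constructed to match the article's format; they are not a real log.
"""
import re
import time
from collections import Counter, defaultdict

# "[15-Nov-2017 00:38:47] WARNING: [pool php-fpm] child 1099 said into stderr: "...""
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] (?P<level>[A-Z]+): \[pool (?P<pool>[^\]]+)\] '
    r'child (?P<child>\d+) (?P<rest>.*)$'
)
STDERR_RE = re.compile(r'^said into stderr: "(?P<msg>.*)"$')

SAMPLE_LINES = [
    '[15-Nov-2017 00:38:47] WARNING: [pool php-fpm] child 1099 said into stderr: "< HTTP/1.1 200 OK"',
    '[15-Nov-2017 00:38:47] WARNING: [pool php-fpm] child 1099 said into stderr: "< Content-Type: application/json"',
    '[15-Nov-2017 00:38:48] WARNING: [pool php-fpm] child 1102 said into stderr: "PHP Warning: Undefined variable $x in /var/www/index.php on line 3"',
    '[15-Nov-2017 00:38:49] NOTICE: [pool php-fpm] child 1099 exited with code 0 after 120.5 seconds from start',
    '[15-Nov-2017 00:38:50] NOTICE: fpm is running, pid 1001',   # master line, no pool/child
]


def parse_line(line):
    """Return a dict (ts, level, pool, child, rest, stderr) or None if the
    line is not a per-child entry."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    s = STDERR_RE.match(rec["rest"])
    rec["stderr"] = s.group("msg") if s else None
    return rec


def group_stderr(lines):
    """Return {(pool, child): [stderr fragment, ...]} in log order, so one
    child's chatter reads as the block of text it originally was."""
    out = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["stderr"] is not None:
            out[(rec["pool"], int(rec["child"]))].append(rec["stderr"])
    return dict(out)


def count_levels(lines):
    """Count per-child entries by level (WARNING, NOTICE, ...)."""
    return Counter(rec["level"] for rec in map(parse_line, lines) if rec)


def follow(path, poll=1.0):
    """Yield lines appended to path, like tail -f (polling, no inotify)."""
    with open(path, "r", errors="replace") as fh:
        fh.seek(0, 2)                      # start at end of file, as tail -f does
        while True:
            line = fh.readline()
            if line:
                yield line.rstrip("\n")
            else:
                time.sleep(poll)


if __name__ == "__main__":
    for (pool, child), msgs in group_stderr(SAMPLE_LINES).items():
        print(f"pool {pool} child {child}:")
        for msg in msgs:
            print("   ", msg)
    print(dict(count_levels(SAMPLE_LINES)))
```

To use it live, iterate over follow("/var/log/php-fpm/error.log") and feed each line to parse_line; the same read permission the article mentions for tail applies.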
If you find this tutorial helpful, please share it with your friends to keep it alive. For more helpful topics, browse my website www.looklinux.com. To become an author at LookLinux, submit an article. Stay connected on Facebook.