While researching ways to record & replay an SSH terminal session, I came across a tool called tlog.
`Tlog` is a terminal I/O recording and playback package, & I have come across other ways to accomplish this. The way tlog differs from those utilities is that tlog is essentially designed to be used as a centralized user activity logging mechanism.
The makers have mentioned in the README file that tlog is presently not production-ready software & should be considered a development preview only.
Under default settings tlog sends its recorded sessions to a centralized recording facility (syslog). Its recordings can also be re-directed to ElasticSearch. The recordings are in JSON format.
`Tlog` is naturally split into two tools: `tlog-rec` and `tlog-play`, for recording and playback respectively. `Tlog-rec` is intended to be the user's login shell. It puts itself between the actual user's shell and the terminal upon user login, logging everything that passes through. At the moment, `tlog-play` can play back recordings from ElasticSearch or from a file written by `tlog-rec` with the `file` writer selected.
Testing
You can test that session recording and playback work in general by recording into and playing back from a file.
To record into a file execute tlog-rec on the command line as such:
tlog-rec --writer=file --file-path=tlog.log
After exiting the recorded session you can play it back with tlog-play:
tlog-play --reader=file --file-path=tlog.log
Recommended usage:
Change the shell of the user to be recorded to `tlog-rec`:
sudo chsh -s /usr/bin/tlog-rec <user>
Login as the user on a text terminal. The recorded terminal data will be
delivered to syslog with facility "authpriv" and priority "info", and may
appear in `/var/log/auth.log` on Debian-based systems, or in `/var/log/secure`
on Fedora and derived systems.
Demo:
I first tried with the recommended usage & created a user called test & changed the shell.
[root@centops log]# getent passwd test
test:x:501:501::/home/test:/usr/bin/tlog-rec
I then logged in to the server as test user & ran a couple of commands & exited.
The session output did get saved to the /var/log/secure file on my CentOS 6 server, but not in a very readable format:
Sep 21 10:30:40 centops tlog: {"host":"centops","user":"test","session":7,"id":1,"pos":0,"timing":"=120x45+14>45+1642<1+2>1+93<1+1>1+129<1+2>1+64<1+2>1+247<1+3>1+588<1+1>2+5>318+956<1+2>1+186<1+3>1+227<1+2>1+189<1+3>1+153<1+2>1+157<1+3>1+402<1+2>73+1302<1+2>1+187<1+2>1+219<1+4>1+431<1+1>1+157<1+2>1+248<1+2>1+280<1+1>45+1366<1+1>8","in_txt":"df -h\rwhomai\rwhoami\r\u0004","in_bin":[],"out_txt":"\u001b]0;test@centops:~\u0007\u001b[?1034h[test@centops ~]$ df -h\r\nFilesystem Size Used Avail Use% Mounted on\r\n/dev/sda2 18G 9.4G 7.2G 57% /\r\ntmpfs 491M 68K 491M 1% /dev/shm\r\n/dev/sda1 283M 34M 234M 13% /boot\r\n/dev/mapper/vg01-lv00\r\n 2.0G 352M 1.5G 19% /R_D\r\n\u001b]0;test@centops:~\u0007[test@centops ~]$ whomai\r\n-bash: whomai: command not found\r\n\u001b]0;test@centops:~\u0007[test@centops ~]$ whoami\r\ntest\r\n\u001b]0;test@centops:~\u0007[test@centops ~]$ logout\r\n","out_bin":[]}
Sep 21 10:30:40 centops su: pam_unix(su-l:session): session closed for user test
It seems that the timing & character information, along with the session output, is written together as a single JSON record on one syslog line.
To replay the session via tlog-play I needed to extract the session record from the /var/log/secure file, strip the syslog prefix (timestamp, hostname and the `tlog:` tag), put the bare JSON in a new file & then play the recording:
Here's the log extracted & put into a file:
[root@centops ~]# cat t.log
{"host":"centops","user":"test","session":7,"id":1,"pos":0,"timing":"=120x45+14>45+1642<1+2>1+93<1+1>1+129<1+2>1+64<1+2>1+247<1+3>1+588<1+1>2+5>318+956<1+2>1+186<1+3>1+227<1+2>1+189<1+3>1+153<1+2>1+157<1+3>1+402<1+2>73+1302<1+2>1+187<1+2>1+219<1+4>1+431<1+1>1+157<1+2>1+248<1+2>1+280<1+1>45+1366<1+1>8","in_txt":"df -h\rwhomai\rwhoami\r\u0004","in_bin":[],"out_txt":"\u001b]0;test@centops:~\u0007\u001b[?1034h[test@centops ~]$ df -h\r\nFilesystem Size Used Avail Use% Mounted on\r\n/dev/sda2 18G 9.4G 7.2G 57% /\r\ntmpfs 491M 68K 491M 1% /dev/shm\r\n/dev/sda1 283M 34M 234M 13% /boot\r\n/dev/mapper/vg01-lv00\r\n 2.0G 352M 1.5G 19% /R_D\r\n\u001b]0;test@centops:~\u0007[test@centops ~]$ whomai\r\n-bash: whomai: command not found\r\n\u001b]0;test@centops:~\u0007[test@centops ~]$ whoami\r\ntest\r\n\u001b]0;test@centops:~\u0007[test@centops ~]$ logout\r\n","out_bin":[]}
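To make that extraction step repeatable, and to show what the record's `timing` field actually encodes, here is an added Python example (my code, not part of tlog or of this post): it pulls the JSON out of syslog lines shaped like the one above, re-serialises the records one per line for tlog-play's file reader, and walks the timing string against `in_txt`/`out_txt` to produce a per-keystroke timeline. The entry meanings (`=WxH`, `+N` milliseconds, `<N`/`>N` characters) are my reading of the record above rather than something taken from tlog's documentation, and the sample syslog lines are constructed.

```python
# Added example (not tlog's own code): pull tlog records out of syslog lines
# and decode the "timing" string into a per-keystroke timeline.
import json
import re
# Constructed syslog excerpt in the shape the post shows from /var/log/secure.
SAMPLE_SYSLOG = r"""Sep 21 10:30:40 centops tlog: {"host":"centops","user":"test","session":7,"id":1,"pos":0,"timing":"=80x24+100<1+50>1+30<1+40>2+10>6","in_txt":"i\r","in_bin":[],"out_txt":"i\r\ntest\r\n","out_bin":[]}
Sep 21 10:30:40 centops su: pam_unix(su-l:session): session closed for user test
"""
TLOG_RE = re.compile(r" tlog: (\{.*\})\s*$")
ENTRY_RE = re.compile(r"=\d+x\d+|[+<>]\d+")

def extract_records(syslog_text):
    """Parse the JSON payload of every 'tlog:' syslog line; other lines are skipped."""
    records = []
    for line in syslog_text.splitlines():
        m = TLOG_RE.search(line)
        if m:
            records.append(json.loads(m.group(1)))
    return records

def to_playback_file(records):
    """One compact JSON object per line, the layout of the post's t.log for tlog-play."""
    return "".join(json.dumps(r, separators=(",", ":")) + "\n" for r in records)

def decode_timing(rec):
    """Expand rec['timing'] into (time_ms, kind, payload) events. Assumed meanings,
    matching the post's record: =WxH terminal size, +N wait N ms, <N next N chars of
    in_txt, >N next N chars of out_txt. Binary [ and ] entries are rejected."""
    entries = ENTRY_RE.findall(rec["timing"])
    if "".join(entries) != rec["timing"]:
        raise ValueError("unsupported or malformed timing entry in %r" % rec["timing"])
    t, ipos, opos, events = rec["pos"], 0, 0, []
    for entry in entries:
        kind, n = entry[0], entry[1:]
        if kind == "=":
            events.append((t, "winsize", n))
        elif kind == "+":
            t += int(n)
        elif kind == "<":
            events.append((t, "in", rec["in_txt"][ipos:ipos + int(n)]))
            ipos += int(n)
        else:
            events.append((t, "out", rec["out_txt"][opos:opos + int(n)]))
            opos += int(n)
    # Counts that do not line up with the text mean the record cannot be replayed faithfully.
    if ipos != len(rec["in_txt"]) or opos != len(rec["out_txt"]):
        raise ValueError("timing counts do not cover in_txt/out_txt exactly")
    return events
```

Joining the payloads of the `in` events gives exactly what the user typed, in order, which is the part of a centralized activity log a reviewer reads first.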
Here's a quick demo of the playback: