Log commands executed over ssh

Solution 1

I did a test using this option on my SUSE lab server and it worked, but maybe there is a better way.

ForceCommand logger -p user.notice "$SSH_ORIGINAL_COMMAND"

Solution 2

Instead of focusing on SSH, take a step back and consider using auditd. I'm assuming that what you really want is to track the users, not tracking what is done from SSH as opposed to with other types of login.

man auditctl should give you a starting point.

Solution 3

I have found a way to do this. There is a Perl script written by John M. Simpson (https://www.jms1.net/).

All you have to do is add

command="#{path to log-session}"

before each key in your ~/.ssh/authorized_keys

It works only if you have a password-less ssh, but this does solve my purpose to an extent.

http://www.jms1.net/log-session

Solution 4

Would Snoopy help you out with this? “Log every executed command to syslog (a.k.a. Snoopy Logger).”

https://github.com/a2o/snoopy

Solution 5

In my case I had the exact same requirement. The only caveat with this method is that I'm not sure how to make it work if you don't make use of ssh keys. I made a short bash script to log the command before executing it:

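#!/bin/bash
# Append a timestamped record of the requested command, then run it.
echo "$(date -Is) ${SSH_ORIGINAL_COMMAND}" >> ~/sshcommands.log
# -c makes sh run the string as a command line instead of opening it as a script file.
sh -c "${SSH_ORIGINAL_COMMAND}"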

I saved this command to ~/bin/log-commands then made it executable (chmod +x ~/bin/log-commands).

In the authorized_keys file, I added the command= parameter to the line belonging to the SSH key I wanted to have logs for, so it would be forced to run the log-commands script:

command="/home/tricky/bin/log-commands" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQ......6J0C1 [email protected]

If someone is aware of the logging but doesn't want you to see the commands, they can simply go into an interactive session. As you mentioned, you already tried snoopy, which will do that for you. Popular alternatives I haven't tried are rootsh, sudosh, and log-user-session.
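
A wrapper that combines the approaches of Solutions 1 and 5: it logs to syslog and then actually executes the command, and it records the no-command (interactive) case as well. This is an added example, not code from any of the answers; the `ssh-cmd` tag, the `--forced` argument and the record layout are assumptions of this sketch.

```shell
#!/bin/bash
# Added example: wrapper for sshd_config ForceCommand or authorized_keys command=.
# Hypothetical install: ForceCommand /path/to/this-script --forced
LOG_TAG="ssh-cmd"   # assumed syslog tag, not from the page

# Build one log record. Control characters are replaced so that a crafted
# command cannot inject extra lines into the log.
format_record() {
    local user="$1" conn="$2" cmd="$3"
    local src="${conn%% *}"     # first field of SSH_CONNECTION is the client IP
    if [ -z "$cmd" ]; then
        cmd="<interactive session>"
    fi
    cmd="$(printf '%s' "$cmd" | tr '[:cntrl:]' '?')"
    printf 'user=%s src=%s cmd=%s' "$user" "${src:-unknown}" "$cmd"
}

# Log first, then hand control to the user's shell so the command really runs.
log_and_run() {
    logger -t "$LOG_TAG" -p user.notice \
        "$(format_record "$(id -un)" "${SSH_CONNECTION:-}" "${SSH_ORIGINAL_COMMAND:-}")"
    if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
        exec "${SHELL:-/bin/sh}" -c "$SSH_ORIGINAL_COMMAND"
    else
        exec "${SHELL:-/bin/sh}" -l   # no command given: start a login shell
    fi
}

# Act only when invoked as the forced command (assumed --forced argument).
if [ "${1:-}" = "--forced" ]; then
    log_and_run
fi
```

Commands typed inside the interactive shell are not captured by this wrapper; that is the gap auditd or Snoopy covers. Sending records to syslog instead of a file in the user's home directory keeps them out of the logged user's write access.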

Author by

Prashanth

Updated on September 18, 2022

Comments

  • Prashanth
    Prashanth over 1 year

    I would like to log all commands executed over SSH.

    Say,

    ssh [email protected] COMMAND
    

    I want to log "COMMAND" on server.com

    I did search extensively but could not find anything.

    There is one more similar question, but I don't think there is a solution over there.

    How to log "remote execution over SSH"

    I can get a live view with

    pstree -p | grep ssh
    

    I did try Snoopy, auditd, and sudosh but could not log those commands over ssh.

    There is http://freecode.com/projects/shwatchr, but I am not able to download the script to test.

    Is there any other way to get this done?

    Thanks.

  • Michael McGarrah
    Michael McGarrah about 6 years
    This does log the command sent but does not execute it on the remote system.
  • guettli
    guettli over 4 years
    Nice hint, but for me too abstract. How to use auditctl to log ssh commands?