User Tools

Site Tools


To record all session using tlog

To set up a comprehensive session recording and shipping of logs using PAM and rsyslog on a Linux system, you will need to follow several steps. Below is a general guideline for achieving this:


To record and store session logs using tlog, you can follow these steps:

Install Tlog:

Make sure tlog is installed on your system. You can typically install it using your system's package manager. For example, on Debian-based systems:

sudo apt-get install tlog

Create a Directory for Tlog Logs:

Create a directory to store the Tlog session logs. This should be a secure location with appropriate permissions.

sudo mkdir /var/log/tlog
sudo chown root:adm /var/log/tlog
sudo chmod 750 /var/log/tlog

Create or edit the Tlog configuration file. The configuration file for tlog is often located at /etc/tlog/tlog-rec-session.conf. Customize it to meet your requirements. Below is a simple example:

# /etc/tlog/tlog-rec-session.conf
tty_path = /var/log/tlog/%{user}/%Y-%m-%d/%{session}.%{tty}.log

This configuration will store session logs in /var/log/tlog directory in separate folders for each user.

Restart Services:

Restart the sshd service to apply the PAM changes:

sudo systemctl restart sshd

Test the Configuration:

Log in to the system via SSH or locally and execute some commands. The session logs should now be recorded in the /var/log/tlog directory.

Set Up Log Rotation

To prevent log files from growing indefinitely, set up log rotation for the Tlog logs in /etc/logrotate.d/tlog:

/var/log/tlog/*/*.log {
    rotate 4

Monitor and Secure the Logs:

Regularly monitor and secure the log files and directories to ensure they cannot be tampered with by unauthorized users.

Please note that the exact file paths and configuration options may vary depending on your Linux distribution and Tlog version. Always consult the documentation and configuration files specific to your system for the most accurate instructions.

Install and Configure Auditd

Install the auditd package on your Linux system if it's not already installed. Configure Auditd to record login sessions. Create or edit file and add rules similar to the following:

-a always,exit -F arch=b64 -S execve -C uid!=euid -k session
-a always,exit -F arch=b32 -S execve -C uid!=euid -k session

These rules ensure that all executed commands are logged.

Install and Configure auditd logging to rsyslog:

Edit and set the following parameter to forward logs to rsyslog:

write_logs = yes

Install and Configure rsyslog:

configure it to receive logs from auditd. Add or modify lines like this:

$ModLoad imuxsock
$ModLoad imjournal
$ModLoad imklog
$ModLoad imfile
$InputFilePollInterval 10
$WorkDirectory /var/lib/rsyslog
# Send audit logs to a secure location
:programname, startswith, "auditd" -/var/log/audit/audit.log
# You can also forward logs to a remote syslog server if needed
*.* @remote-syslog-server:514

This configuration sends audit logs to /var/log/audit/audit.log. Adjust the path to your desired secure location.

PAM Configuration

Edit PAM configuration files such as /etc/pam.d/sshd for SSH or /etc/pam.d/login for local logins. Add or modify PAM rules to include session recording. You can use the module if available on your system or another suitable module depending on your requirements. Here's an example of a PAM configuration for SSH sessions:

# /etc/pam.d/sshd
session required

Ensure that session recording is placed in a directory like /var/log/tlog and configure it to use a secure location.

Restart Services:

Restart the auditd and rsyslog services to apply the changes:

sudo systemctl restart auditd
sudo systemctl restart rsyslog

Test the Configuration:

Log in to the system via SSH or locally and execute some commands. Check the /var/log/audit/audit.log file and the /var/log/tlog directory for recorded sessions. Please note that this is a basic setup, and the actual configuration may vary based on your specific requirements and the Linux distribution you are using. Additionally, ensure that your system's security policies and compliance requirements are met with this configuration.

tlog.txt · Last modified: 2023/09/15 20:59 by k2patel