How to Monitor and Log SSH User Activities with Centralized Log Servers

Learn to effectively monitor and log SSH user activities using centralized log servers for enhanced security.

Introduction

In today's interconnected IT environments, Secure Shell (SSH) is an essential tool for system administrators to securely manage remote servers. However, with the power to access critical systems comes the responsibility to monitor and log user activities. Understanding who is accessing your servers, when, and what actions they are taking is crucial for maintaining security and compliance. This article will provide a comprehensive overview of how to monitor and log SSH user activities using centralized log servers, ensuring you have the insights needed to protect your infrastructure.

What Is SSH Logging?

SSH logging refers to the process of recording and monitoring activities that occur during SSH sessions. This includes capturing login attempts, commands executed, and user actions on servers accessed via SSH. By centralizing these logs, system administrators can efficiently manage and analyze user activities, detect unauthorized access, and maintain compliance with various regulations.

How It Works

Centralized SSH logging works by collecting logs from multiple servers into a single location, allowing for easier management and analysis. Think of it like a library where each book represents a server's log. Instead of searching through individual books (servers), you can access a single catalog (centralized log server) to find all the information you need. This architecture typically involves the use of logging agents, a central log server, and visualization tools to analyze the data.

Prerequisites

Before you begin monitoring and logging SSH user activities, ensure you have the following:

  • Access to the servers you want to monitor
  • Administrative privileges on those servers
  • A centralized log server (e.g., ELK Stack, Wazuh, or Graylog)
  • Basic understanding of SSH and Linux command line
  • Required packages installed (e.g., auditd, syslog, Wazuh agent, Graylog)

Installation & Setup

1. Setting Up Auditd with Syslog or ELK Stack

To monitor SSH events using Auditd, follow these steps:

# Install Auditd
sudo apt-get install auditd

# Enable Auditd service
sudo systemctl enable auditd
sudo systemctl start auditd

2. Installing Wazuh for SSH Monitoring

To deploy Wazuh for monitoring SSH activities:

# Install Wazuh agent (the package comes from the Wazuh apt repository, which must be added first)
sudo apt-get install wazuh-agent

# Enable Wazuh agent service
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent

3. Setting Up Graylog for Centralized Logging

To collect and analyze SSH logs using Graylog:

# Install Graylog server (requires the Graylog apt repository plus MongoDB and a search backend such as OpenSearch; follow the official documentation for your OS)
sudo apt-get install graylog-server

# Start Graylog server
sudo systemctl start graylog-server

Step-by-Step Guide

  1. Install Auditd: Begin by installing auditd on your servers.

    sudo apt-get install auditd
  2. Configure Auditd: Set up rules to monitor SSH login events.

    # Persistent rules belong under /etc/audit/rules.d; augenrules regenerates /etc/audit/audit.rules from there on start
    echo '-w /var/log/auth.log -p wa -k ssh-logins' | sudo tee /etc/audit/rules.d/ssh-logins.rules
  3. Restart Auditd: Apply the new configuration.

    sudo systemctl restart auditd
  4. Install Wazuh Agent: Deploy the Wazuh agent on your servers.

    sudo apt-get install wazuh-agent
  5. Configure Wazuh: Edit the Wazuh configuration file to point to your Wazuh manager.

    # The agent configuration lives under /var/ossec; set <client><server><address> to your manager
    sudo nano /var/ossec/etc/ossec.conf
  6. Start Wazuh Agent: Enable and start the Wazuh agent service.

    sudo systemctl enable wazuh-agent
    sudo systemctl start wazuh-agent
  7. Install Graylog: Follow the installation instructions specific to your OS.

    sudo apt-get install graylog-server
  8. Configure Graylog Inputs: Set up inputs (for example a Syslog UDP or TCP input under System > Inputs in the web interface) for collecting SSH logs from your servers.

Real-World Examples

Example 1: Monitoring SSH Logins with Auditd

You can use Auditd to track all SSH login attempts. After setting up the rules, you can view logs using:

sudo ausearch -k ssh-logins

Example 2: Using Wazuh for Alerting

Configure Wazuh to alert you on repeated failed login attempts. Custom rules go in /var/ossec/etc/rules/local_rules.xml on the manager, use ids of 100000 and above, and can build on the built-in sshd rule 5716 ("sshd: authentication failed") with a frequency and timeframe:

<group name="local,sshd,">
  <!-- Fires when 5 failed-authentication events (built-in rule 5716)
       arrive from the same source IP within 120 seconds -->
  <rule id="100001" level="10" frequency="5" timeframe="120">
    <if_matched_sid>5716</if_matched_sid>
    <same_source_ip />
    <description>Repeated failed SSH logins from the same source IP</description>
  </rule>
</group>

Example 3: Analyzing Logs with Graylog

In Graylog, you can create a search query to filter SSH log messages for a specific user. Field names depend on the input and extractors you configured; with a syslog input, sshd messages arrive with application_name set to sshd and the log text in message, so a query such as the following (replace username with the account of interest) works without any custom extractor:

application_name:sshd AND message:"username"
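The collection and alerting logic described above (the single "catalog" of events from several hosts in How It Works, the repeated-failure rule from Example 2 and the per-user filter from Example 3), as an added Python example that is not part of the original article and is not Wazuh's or Graylog's code: it parses sshd lines in the RFC 3164 syslog form a central server receives from rsyslog on each host, applies a frequency/timeframe rule per source address, and filters the events by user. The host names, addresses and log lines are constructed for the example (RFC 5737 documentation ranges), and the year is supplied by the caller because BSD syslog timestamps carry none.

```python
"""Added example (not from the original article): central-server view of sshd
events from several hosts, with a repeated-failure rule and a per-user filter.
All hosts, addresses and log lines below are constructed for this example."""

import re
from collections import defaultdict, deque
from datetime import datetime

# One RFC 3164-style line as rsyslog forwards it to the central server:
# "<PRI>Mon DD HH:MM:SS host app[pid]: message"
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<app>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# sshd authentication outcomes; "invalid user" marks names that do not exist on the host
FAILED_RE = re.compile(
    r"^Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample: a burst of failures against web01 from one address,
# one key-based login and one stray failure on db02, and a non-sshd line.
SAMPLE_LINES = [
    "<86>Mar 10 09:14:01 web01 sshd[2210]: Failed password for invalid user admin from 198.51.100.7 port 40102 ssh2",
    "<86>Mar 10 09:14:05 web01 sshd[2211]: Failed password for invalid user admin from 198.51.100.7 port 40108 ssh2",
    "<86>Mar 10 09:14:09 web01 sshd[2212]: Failed password for root from 198.51.100.7 port 40111 ssh2",
    "<86>Mar 10 09:14:14 web01 sshd[2213]: Failed password for root from 198.51.100.7 port 40115 ssh2",
    "<86>Mar 10 09:14:20 web01 sshd[2214]: Failed password for invalid user oracle from 198.51.100.7 port 40120 ssh2",
    "<86>Mar 10 09:14:26 web01 sshd[2215]: Failed password for invalid user test from 198.51.100.7 port 40127 ssh2",
    "<86>Mar 10 09:15:02 db02 sshd[880]: Accepted publickey for alice from 203.0.113.5 port 51022 ssh2: ED25519 SHA256:constructedfingerprint",
    "<86>Mar 10 09:15:44 db02 sshd[881]: Failed password for bob from 203.0.113.9 port 51030 ssh2",
    "<78>Mar 10 09:16:01 db02 CRON[900]: (root) CMD (run-parts /etc/cron.hourly)",
]


def parse_line(line, year=2024):
    """Return a dict for an sshd login outcome, or None for any other line."""
    m = SYSLOG_RE.match(line)
    if not m or m.group("app") != "sshd":
        return None
    when = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    for outcome, pattern in (("failed", FAILED_RE), ("accepted", ACCEPTED_RE)):
        hit = pattern.match(m.group("msg"))
        if hit:
            return {"time": when, "host": m.group("host"), "outcome": outcome,
                    "user": hit.group("user"), "ip": hit.group("ip"),
                    "method": hit.group("method")}
    return None


def detect_repeated_failures(events, frequency=5, timeframe=120):
    """Sliding-window rule in the shape of a Wazuh frequency/timeframe rule with
    same_source_ip: alert once `frequency` failures from one source address
    against one host fall inside `timeframe` seconds. One burst yields one alert."""
    windows = defaultdict(deque)
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["outcome"] != "failed":
            continue
        window = windows[(ev["host"], ev["ip"])]
        window.append(ev["time"])
        # drop failures that have fallen out of the timeframe
        while (window[-1] - window[0]).total_seconds() > timeframe:
            window.popleft()
        if len(window) >= frequency:
            alerts.append({"host": ev["host"], "ip": ev["ip"],
                           "count": len(window), "last_seen": ev["time"]})
            window.clear()
    return alerts


def events_for_user(events, user):
    """Per-user filter, the same question the Graylog search in Example 3 asks."""
    return [ev for ev in events if ev["user"] == user]


def analyze(lines):
    """Parse forwarded lines from all hosts and run the rule over the result."""
    events = [ev for ev in (parse_line(line) for line in lines) if ev]
    return events, detect_repeated_failures(events)


if __name__ == "__main__":
    events, alerts = analyze(SAMPLE_LINES)
    print(f"{len(events)} sshd events from {sorted({e['host'] for e in events})}")
    for alert in alerts:
        print(f"ALERT {alert['host']}: {alert['count']} failed logins from "
              f"{alert['ip']} (last {alert['last_seen']:%H:%M:%S})")
    for ev in events_for_user(events, "root"):
        print(f"root: {ev['outcome']} {ev['method']} from {ev['ip']} on {ev['host']}")
```

Run it as a script to see the single alert the burst against web01 produces and the two root attempts; feeding it real forwarded lines only requires supplying the year. The window is keyed on (host, source IP) so a slow scan across many hosts from one address would not trigger it, which is the same blind spot a per-host same_source_ip rule has and a reason to correlate on the central server rather than on each agent.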

Best Practices

  • Regularly review and rotate log files to prevent disk space issues.
  • Implement alerting for suspicious activities, such as multiple failed login attempts.
  • Use strong authentication methods, such as SSH keys, instead of passwords.
  • Limit SSH access to specific IP addresses whenever possible.
  • Ensure that logging configurations are consistent across all servers.
  • Regularly update your logging tools and agents to the latest versions.
  • Conduct periodic audits of SSH logs to ensure compliance with security policies.

Common Issues & Fixes

Issue                      | Cause                               | Fix
---------------------------|-------------------------------------|------------------------------------------------
Logs not being collected   | Misconfiguration of logging agents  | Verify configuration files and restart services
High disk usage from logs  | Logs not being rotated              | Set up log rotation policies
Alerts not triggering      | Incorrect alert configuration       | Review alert rules and test them
Missing logs               | Firewall blocking log transmission  | Check firewall rules and allow necessary ports

Key Takeaways

  • Centralized SSH logging is essential for security, compliance, and auditing.
  • Tools like Auditd, Wazuh, and Graylog can simplify the monitoring process.
  • Regularly review and analyze logs to detect unauthorized access and troubleshoot issues.
  • Implement best practices to enhance the security of your SSH sessions.
  • Stay updated with the latest tools and techniques to maintain effective logging practices.
