How to Monitor and Log SSH User Activities with Centralized Log Servers
In today's interconnected IT environments, Secure Shell (SSH) is a critical tool for administrators to manage remote servers securely. However, with great power comes great responsibility. Keeping track of who is accessing your servers, when, and what they are doing is crucial for security and compliance. This is where SSH log servers come into play. In this blog post, we'll explore various tools and techniques to centralize SSH logging, providing you with a comprehensive overview of user activities.
Why Monitor SSH Activities?
Monitoring SSH activities is vital for several reasons:
Security: Detect unauthorized access or malicious activities in real time.
Compliance: Many regulations require detailed logging of user activities.
Auditing: Track who did what and when on your servers.
Troubleshooting: Diagnose issues by reviewing past SSH sessions.
Centralized SSH Logging Solutions
1. Auditd with Syslog or ELK Stack
Auditd is the Linux Auditing System, a powerful tool to monitor and log various system activities, including SSH logins. By integrating Auditd with Syslog or an ELK (Elasticsearch, Logstash, Kibana) stack, you can centralize and visualize these logs for easier analysis.
Set up Auditd: Configure Auditd with rules that capture SSH-related events.
Forward Logs: Use Syslog to forward logs to a central server or ELK for storage and analysis.
Visualize with Kibana: Create dashboards to track login attempts, user sessions, and other SSH activities.
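The rule set behind "set up Auditd" is the part most guides leave out. The following is an added example, not the post's own material and not taken from any project: a small audit rules file covering sshd configuration and host keys, root's authorized_keys, the login bookkeeping files PAM updates, and every command run by an interactively logged-in user, plus the ausearch/aureport commands that read the trail back. The rule keys, the file name 50-ssh.rules and the PREFIX dry-run variable are this example's own choices; the watched paths are the standard Debian/RHEL locations.

```shell
#!/bin/sh
# Added example (not from the original post): auditd rules for SSH-relevant
# events, installed from a rules.d file. PREFIX is an assumption of this example:
# set it to a scratch directory to generate the file without touching /etc.
PREFIX="${PREFIX:-}"

rules_file() { printf '%s' "$PREFIX/etc/audit/rules.d/50-ssh.rules"; }

# ssh_audit_rules: print the rule set. The -k keys are what ausearch filters on.
ssh_audit_rules() {
    cat <<'EOF'
## sshd configuration and host keys: any write or attribute change
-w /etc/ssh/ -p wa -k sshd_config
## root's authorized_keys (add per-user .ssh directories as needed)
-w /root/.ssh/ -p wa -k ssh_keys
## login bookkeeping files that PAM/sshd update on every session
-w /var/log/lastlog -p wa -k logins
-w /var/run/faillock/ -p wa -k logins
## every command executed by a logged-in user; auid is set by PAM at login and
## survives su/sudo, so the original SSH user stays attributable (4294967295 = unset)
-a always,exit -F arch=b64 -S execve -F auid>=1000 -F auid!=4294967295 -k user_cmds
-a always,exit -F arch=b32 -S execve -F auid>=1000 -F auid!=4294967295 -k user_cmds
EOF
}

# install_ssh_audit_rules: write the file; load it only on a live system as root.
install_ssh_audit_rules() {
    mkdir -p "$(dirname "$(rules_file)")"
    ssh_audit_rules > "$(rules_file)"
    if [ -z "$PREFIX" ] && [ "$(id -u)" -eq 0 ] && command -v augenrules >/dev/null 2>&1; then
        augenrules --load && auditctl -l
    fi
}

# report_ssh_activity: read the trail back (needs auditd running, and root).
report_ssh_activity() {
    ausearch -k sshd_config -i -ts today   # who changed sshd config or host keys
    ausearch -k ssh_keys -i -ts today      # changes to root's authorized_keys
    ausearch -k user_cmds -i -ts today     # commands run by logged-in users, with auid
    aureport -au --summary                 # authentication attempts per user/host
    aureport -l -i                         # login report
}

# Usage: "sh this.sh apply" on a host, or "PREFIX=/tmp/dryrun sh this.sh apply"
# to inspect the generated file first.
if [ "${1:-}" = "apply" ]; then
    install_ssh_audit_rules
    [ -z "$PREFIX" ] && report_ssh_activity
fi
```

Once the rules are loaded, forward /var/log/audit/audit.log to the central server with the audisp syslog plugin or a file input in rsyslog/Filebeat; in Kibana the `auid` field is the one to pivot on, because it identifies the SSH user even after `sudo -i`.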
2. Wazuh for SSH Monitoring
Wazuh is an open-source security monitoring platform that can track SSH activities across your infrastructure. It provides an intuitive interface to view user logins, failed attempts, and other SSH-related events.
Install Wazuh Agent: Deploy Wazuh agents on your servers to monitor SSH logs.
Centralize Logs: Use the Wazuh Manager to aggregate logs.
Alerting: Configure alerts for suspicious activities like repeated failed logins.
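Wazuh ships its own sshd decoders and rules, so you rarely write this by hand; the added example below (not from the post, and not Wazuh's code) shows the logic such an alert encodes, as a POSIX shell script with awk that you can run over an exported auth log. It counts failed authentications per source address, flags sources over a threshold, and then correlates those sources with successful logins, which is the combination worth a human look. The log lines are constructed samples using documentation address ranges; the host name, users and threshold are this example's choices.

```shell
#!/bin/sh
# Added example (not from the original post): "repeated failed logins" detection
# over sshd syslog lines. SAMPLE_LOG is a constructed sample, not real data.

SAMPLE_LOG='Dec  3 10:15:01 bastion sshd[1234]: Accepted publickey for alice from 203.0.113.5 port 51234 ssh2: ED25519 SHA256:examplefingerprint
Dec  3 10:15:07 bastion sshd[1240]: Invalid user admin from 198.51.100.9 port 41000
Dec  3 10:15:07 bastion sshd[1240]: Failed password for invalid user admin from 198.51.100.9 port 41000 ssh2
Dec  3 10:15:09 bastion sshd[1241]: Failed password for root from 198.51.100.9 port 41002 ssh2
Dec  3 10:15:12 bastion sshd[1242]: Failed password for root from 198.51.100.9 port 41004 ssh2
Dec  3 10:15:14 bastion sshd[1243]: Failed password for invalid user test from 198.51.100.9 port 41006 ssh2
Dec  3 10:15:40 bastion sshd[1244]: Accepted password for bob from 198.51.100.9 port 41010 ssh2
Dec  3 10:16:30 bastion sshd[1250]: Failed password for bob from 203.0.113.77 port 50000 ssh2
Dec  3 10:16:40 bastion sshd[1251]: Accepted password for bob from 203.0.113.77 port 50002 ssh2
Dec  3 10:20:00 bastion sshd[1234]: Disconnected from user alice 203.0.113.5 port 51234'

# failed_by_source: read sshd lines on stdin, print "<count> <source-ip>" for
# every source with at least one failed authentication, highest count first.
failed_by_source() {
    awk '
        /sshd\[[0-9]+\]: Failed (password|publickey) for/ {
            src = ""
            for (i = 1; i <= NF; i++) if ($i == "from") { src = $(i + 1); break }
            if (src != "") n[src]++
        }
        END { for (s in n) print n[s], s }
    ' | sort -rn
}

# flag_bruteforce THRESHOLD: sources with THRESHOLD or more failures.
flag_bruteforce() {
    failed_by_source | awk -v t="$1" '$1 >= t { print $2 }'
}

# accepted_logins: "<user> <source-ip> <method>" for every successful session.
accepted_logins() {
    awk '
        /sshd\[[0-9]+\]: Accepted (password|publickey|keyboard-interactive\/pam) for/ {
            for (i = 1; i <= NF; i++) if ($i == "Accepted") { method = $(i + 1); user = $(i + 3); break }
            for (; i <= NF; i++) if ($i == "from") { print user, $(i + 1), method; break }
        }
    '
}

# suspicious_successes THRESHOLD: successful logins from a source that was also
# failing repeatedly. The log is read once from stdin and scanned twice.
suspicious_successes() {
    log=$(cat)
    tmp=$(mktemp)
    printf '%s\n' "$log" | flag_bruteforce "$1" > "$tmp"
    printf '%s\n' "$log" | accepted_logins |
        awk -v f="$tmp" 'BEGIN { while ((getline l < f) > 0) bad[l] } ($2 in bad)'
    rm -f "$tmp"
}

# Example run with a threshold of 3 failures.
printf '%s\n' "$SAMPLE_LOG" | failed_by_source
printf '%s\n' "$SAMPLE_LOG" | suspicious_successes 3
```

On a real host the input is `journalctl -u ssh -o short` or `/var/log/auth.log`; with Wazuh, the equivalent is its built-in sshd brute-force rule plus a correlation on the subsequent successful login from the same source.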
3. Graylog for Centralized Logging
Graylog is a robust log management solution that can aggregate logs from multiple SSH servers, allowing you to search, analyze, and visualize user activities.
Collect Logs: Use Graylog to collect SSH logs from your servers.
Search and Analyze: Use Graylog's search capabilities to filter and analyze SSH logs.
Dashboards: Create custom dashboards to monitor login patterns, user activities, and potential security breaches.
4. Osquery for SSH Activity Queries
Osquery exposes the operating system as a set of SQL tables, so you can write queries to monitor SSH activities across multiple hosts. Scheduling those queries and sending the results to an Osquery fleet server gives you the same view for the whole estate.
Deploy Osquery: Install Osquery on your servers.
Write Queries: Create SQL-like queries to monitor SSH login events.
Centralize Results: Send query results to a centralized server for analysis.
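Added example, not from the post: the osquery SQL for the three SSH questions above (who is logged in now, who logged in recently, whose keys are authorized), wrapped in shell functions so the same text can be run ad hoc with `osqueryi` or scheduled as a pack for `osqueryd`. The table and column names (`logged_in_users`, `last`, `authorized_keys`, `users`) are osquery's own; the pack name, query names and intervals are this example's choices.

```shell
#!/bin/sh
# Added example (not from the original post): osquery queries for SSH activity.

# Sessions open right now that came in over the network (host is empty for local ttys).
sql_active_ssh_sessions() {
    cat <<'SQL'
SELECT user, tty, host, datetime(time, 'unixepoch') AS since, pid
FROM logged_in_users
WHERE type = 'user' AND host != '';
SQL
}

# Login history from wtmp; type 7 is USER_PROCESS, i.e. a completed login.
sql_recent_logins() {
    cat <<'SQL'
SELECT username, tty, host, datetime(time, 'unixepoch') AS at
FROM last
WHERE type = 7
ORDER BY time DESC
LIMIT 50;
SQL
}

# Every authorized_keys entry on the host with its owner. A key you did not
# provision is the most common form of persistence over SSH.
sql_authorized_keys() {
    cat <<'SQL'
SELECT u.username, a.key_file, a.algorithm, substr(a.key, 1, 24) AS key_prefix
FROM authorized_keys a JOIN users u USING (uid);
SQL
}

# run_sql: pipe a query into osqueryi when it is installed; otherwise print it.
run_sql() {
    if command -v osqueryi >/dev/null 2>&1; then
        osqueryi --json
    else
        cat
    fi
}

# A query pack for osqueryd. Reference it from osquery.conf under "packs";
# results go to the configured logger_plugin (filesystem, or tls to a fleet
# server), which is the "centralize results" step. "snapshot" sends the full
# key inventory each time instead of only added/removed rows.
osquery_ssh_pack() {
    cat <<'JSON'
{
  "queries": {
    "active_ssh_sessions": {
      "query": "SELECT user, tty, host, time, pid FROM logged_in_users WHERE type = 'user' AND host != '';",
      "interval": 300,
      "description": "Interactive sessions with a remote peer"
    },
    "recent_logins": {
      "query": "SELECT username, tty, host, time FROM last WHERE type = 7;",
      "interval": 300,
      "description": "New wtmp login records"
    },
    "authorized_keys_inventory": {
      "query": "SELECT u.username, a.key_file, a.algorithm, a.key FROM authorized_keys a JOIN users u USING (uid);",
      "interval": 3600,
      "snapshot": true
    }
  }
}
JSON
}

# Ad hoc use on a host:
sql_active_ssh_sessions | run_sql
```

Differential queries (the default) only report rows that appeared or disappeared since the last run, which is exactly what you want for logins; for the key inventory a snapshot is easier to audit against what should be there.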
5. OpenSSH Logging with Syslog
If you prefer to use built-in tools, OpenSSH provides detailed logging that can be centralized using Syslog. These logs can then be aggregated and analyzed with tools like ELK or Graylog.
Configure OpenSSH: Ensure your SSH server logs the events you need (set the log level and syslog facility in sshd_config).
Forward Logs: Use Syslog to send these logs to a central server.
Analyze: Use your log management tool of choice to analyze these logs.
6. GoAccess for Real-Time Log Analysis
GoAccess is a real-time web log analyzer that can also be used to monitor SSH logs. It provides a visual dashboard that can be accessed from any browser.
Install GoAccess: Set up GoAccess to analyze your SSH logs.
Real-Time Dashboard: Access the GoAccess dashboard to view real-time SSH activities.
7. Centralized Log Server (e.g., Rsyslog or Logstash)
A centralized log server using tools like Rsyslog or Logstash can collect and store logs from multiple SSH servers. These logs can then be visualized using tools like Grafana or Kibana.
Set Up Log Server: Deploy Rsyslog or Logstash on a central server.
Collect Logs: Configure your SSH servers to forward logs to this server.
Visualization: Use Grafana or Kibana to create dashboards and alerts.
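Sections 5 and 7 are two halves of one setup, so here is one added example covering both; it is not the post's own material and not a project's code. It writes the sshd drop-in that makes "Accepted publickey" lines carry the key fingerprint, the rsyslog client rule that forwards auth/authpriv over TCP with TLS and a disk-assisted queue, and the rsyslog receiver that writes one auth log per sending host. `PREFIX` is this example's knob for generating the files into a scratch directory; `logserver.example.internal`, port 6514 and the certificate paths are placeholders; the sshd drop-in assumes the OpenSSH 8.2+ default `Include /etc/ssh/sshd_config.d/*.conf`, and TLS needs the rsyslog gtls driver (rsyslog-gnutls on Debian).

```shell
#!/bin/sh
# Added example (not from the original post): sshd logging plus rsyslog
# forwarding and receiving. PREFIX and LOGSERVER are this example's assumptions.
PREFIX="${PREFIX:-}"
LOGSERVER="${LOGSERVER:-logserver.example.internal}"

write_file() {   # write_file PATH  (content on stdin)
    mkdir -p "$(dirname "$PREFIX$1")"
    cat > "$PREFIX$1"
}

# 1. sshd. VERBOSE adds the key fingerprint to "Accepted publickey" lines, so
#    the log shows which key, not just which account, opened the session.
configure_sshd_logging() {
    write_file /etc/ssh/sshd_config.d/50-logging.conf <<'EOF'
SyslogFacility AUTHPRIV
LogLevel VERBOSE
EOF
}

# 2. Client side: auth/authpriv to the central server over TCP+TLS. The queue
#    spools to disk while the server is unreachable; x509/name makes the client
#    verify the server certificate so the trail cannot be redirected in transit.
configure_rsyslog_forwarding() {
    write_file /etc/rsyslog.d/10-forward-auth.conf <<EOF
# CA that signed the log server's certificate (placeholder path)
global(DefaultNetstreamDriverCAFile="/etc/rsyslog.d/ca.pem")
if (\$syslogfacility-text == "auth" or \$syslogfacility-text == "authpriv") then {
    action(type="omfwd" target="$LOGSERVER" port="6514" protocol="tcp"
           StreamDriver="gtls" StreamDriverMode="1"
           StreamDriverAuthMode="x509/name" StreamDriverPermittedPeers="$LOGSERVER"
           queue.type="LinkedList" queue.filename="fwd_auth"
           queue.saveOnShutdown="on" action.resumeRetryCount="-1")
}
EOF
}

# 3. Server side: accept TLS on 6514, write /var/log/remote/<host>/auth.log with
#    restrictive modes, and "stop" so remote lines do not also land in the
#    server's own /var/log/auth.log.
configure_rsyslog_receiver() {
    write_file /etc/rsyslog.d/10-central-receiver.conf <<'EOF'
global(DefaultNetstreamDriver="gtls"
       DefaultNetstreamDriverCAFile="/etc/rsyslog.d/ca.pem"
       DefaultNetstreamDriverCertFile="/etc/rsyslog.d/logserver-cert.pem"
       DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/logserver-key.pem")
module(load="imtcp" StreamDriver.Name="gtls" StreamDriver.Mode="1" StreamDriver.AuthMode="x509/name")
input(type="imtcp" port="6514" ruleset="remote_auth")
template(name="PerHostAuth" type="string" string="/var/log/remote/%HOSTNAME%/auth.log")
ruleset(name="remote_auth") {
    if ($syslogfacility-text == "auth" or $syslogfacility-text == "authpriv") then {
        action(type="omfile" dynaFile="PerHostAuth" fileCreateMode="0640" dirCreateMode="0750")
    }
    stop
}
EOF
}

# validate_and_reload: syntax-check both daemons before reloading (live host only).
validate_and_reload() {
    if [ -n "$PREFIX" ] || [ "$(id -u)" -ne 0 ]; then
        echo "dry run (PREFIX=$PREFIX): files written, nothing reloaded" >&2
        return 0
    fi
    sshd -t && { systemctl reload ssh 2>/dev/null || systemctl reload sshd; }
    rsyslogd -N1 && systemctl restart rsyslog
}

# Usage: "sh this.sh client" on SSH hosts, "sh this.sh server" on the log server;
# prefix with PREFIX=/tmp/dryrun to inspect the generated files first.
case "${1:-}" in
    client) configure_sshd_logging; configure_rsyslog_forwarding; validate_and_reload ;;
    server) configure_rsyslog_receiver; validate_and_reload ;;
esac
```

Keep the per-host files on the central server readable only by the log service and the analysts' group; Graylog, Logstash or Filebeat can then pick them up from /var/log/remote, and the fingerprint in each `Accepted publickey` line lets dashboards attribute sessions to a specific key.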
8. Session Recording Tools
For a more detailed view of user activities, you can use session recording tools like ttyrec, Asciinema, or TermRecord. These tools record entire SSH sessions, which can be stored on a central server for playback and analysis.
Record Sessions: Use tools like ttyrec to record SSH sessions.
Store Recordings: Centralize these recordings on a secure server.
Playback and Audit: Review session recordings to audit user activities.
Conclusion
Centralized SSH logging is an essential practice for maintaining the security and integrity of your IT environment. Whether you choose to use Auditd, Wazuh, Graylog, or any other solution, the key is to ensure that you have a system in place that can monitor, log, and alert you to critical SSH activities. By doing so, you'll not only enhance your security posture but also ensure compliance and gain valuable insights into how your systems are being accessed.
Ready to get started? Choose the solution that best fits your environment and begin centralizing your SSH logs today. Stay secure, stay informed!