strange characters in the SSH logs recordings
Invisible control characters in the SSH logs recorded
Synopsis: This article describes how the SSH session recording logs every key press of the Ezeelogin gateway users which appear as strange characters in the logs and explains the different modes in SSH session logging.
The SSH session recording feature logs every single key press, so non-printable keystrokes such as the Backspace key, Ctrl key combinations and function keys show up as these strange characters.
qui[BS][BS][BS]cd /roo[BS][BS][BS]root --------> [BS] would be a backspace
cd .ssh
ls -la
nano au[CTRL+I]
[CTRL+X]exit
When the SSH session recording mode is 'Input', it records the STDIN file descriptor (keyboard input), which includes the invisible control characters. When the mode is 'Output', it records the STDOUT file descriptor (screen output), which does not contain the invisible control characters. The 'Both' mode records both STDIN and STDOUT. Switch the SSH session recording mode under Settings->General->Security->SSH Session logging.
On the Ezeelogin gateway server, the SSH session logs are stored in the directory /var/log/ezlogin. The 'Input' sessions recorded are stored in the directory '/var/log/ezlogin/input' and the 'Output' sessions recorded are stored in the directory '/var/log/ezlogin/output'. For pipelining the logs to SIEM software, we recommend using the 'Output' SSH logs stored in the directory '/var/log/ezlogin/output'.
Note: The database stores only the metadata of the files that hold the recorded SSH logs. The example below shows the SSH session log entries stored in the database.
root@ezlogingateway:~# mysql $(awk '/^db_name/ {print $2}' /usr/local/etc/ezlogin/ez.conf)
MariaDB [ezlogin_mpayl]> select * from gjbpe_sshlogs;
+----+---------+-----------+-------------------+----------+--------+--------+--------+------------------------------------------------------------------------------------------+----------+------------+-------------+---------------------+---------------------+----------+
| id | user_id | server_id | serveractivity_id | ssh_user | type | status | reason | file | comments | encryption | mexecid | created | mtime | finished |
+----+---------+-----------+-------------------+----------+--------+--------+--------+------------------------------------------------------------------------------------------+----------+------------+-------------+---------------------+---------------------+----------+
| 1 | 1 | 1 | 1 | root | full | end | NULL | /var/log/ezlogin/full/admin/root~Production Server~Tue_May_28_12:14:35_2024 | NULL | 0 | | 2024-05-28 12:14:37 | 2024-05-28 17:44:43 | 1 |
| 2 | 3 | 1 | 3 | jini | full | end | NULL | /var/log/ezlogin/full/John/jini~Production Server~Tue_May_28_12:34:00_2024 | NULL | 0 | | 2024-05-28 12:34:01 | 2024-05-28 18:04:06 | 1 |
| 3 | 3 | 1 | 4 | jini | full | end | NULL | /var/log/ezlogin/full/John/jini~Production Server~Tue_May_28_12:38:01_2024 | NULL | 0 | | 2024-05-28 12:38:04 | 2024-05-28 18:08:51 | 1 |
| 4 | 3 | 1 | 5 | jini | full | begin | NULL | /var/log/ezlogin/full/John/jini~Production Server~Tue_May_28_12:39:04_2024 | NULL | 0 | | 2024-05-28 12:39:05 | 2024-05-28 18:09:05 | 0 |
| 5 | 3 | 1 | 6 | jini | full | end | NULL | /var/log/ezlogin/full/John/jini~Production Server~Tue_May_28_12:41:32_2024 | NULL | 0 | | 2024-05-28 12:41:33 | 2024-05-28 18:11:36 | 1 |