On Thu, Dec 03, 2020 at 01:55:06PM -0700, Bob Proulx wrote:
> Heikki Orsila wrote:
> > Bob Proulx wrote:
> > > I am scanning the /var/log/auth.log file for this information. That's
> > > where the information is logged.
> >
> > Do you have this tool available somewhere?
>
> My use is ad-hoc scanning with awk, grep, sed, perl. So not really a
> general purpose tool. But the format is simple and not too difficult.
>
> Here is an example. This might not be completely correct but it has been
> sufficient for my needs. YMMV.
>
> Dec 2 18:58:55 havoc sshd[24031]: Accepted publickey for teaclub from 63.224.80.128 port 44854 ssh2: RSA SHA256:Nab5H8iLOWfU704AhqiYQkiX8T5ADv2a83uCw/vQLL0
> Dec 2 18:58:55 havoc sshd[24031]: pam_unix(sshd:session): session opened for user teaclub by (uid=0)
>
> The sshd is recording the process that is now parenting that process
> tree. In this case it is 24031. Then that same process is logged
> through PAM starting a session. Then later that session is closed.
>
> Dec 2 20:18:26 havoc sshd[24031]: pam_unix(sshd:session): session closed for user teaclub
>
> In my case I am tracking only public key logins. I have a perl script
> which reads the log file line by line. It looks for lines that match
> the /Accepted publickey for/ pattern. It extracts the sshd pid. It
> then reads lines looking for that sshd pid, looking for the session
> open. And then later for the session close. (Note that after the
> session is closed the pid may be reused.) The session open and close
> information logged there provides the information I needed.

Thanks, Bob! It seems you have implemented option 1 in the original question.

- Heikki

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
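The pid-correlation procedure Bob describes, written out in Python as an added example (not Bob's perl script or anything from the OpenSSH project). It pairs each "Accepted publickey" line with the PAM session open and close for the same sshd pid, forgets the pid once its session closes so a reused pid starts a fresh record, and ignores non-publickey logins. The sample log is constructed: the first two lines and the close line are the ones quoted in the thread, the rest are made up (RFC 5737 addresses, placeholder fingerprint) to show pid reuse and a password login being skipped.

```python
import re

# The three auth.log line shapes from the thread: syslog prefix, then "sshd[PID]: ...".
ACCEPT_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Accepted publickey for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)
OPEN_RE = re.compile(r"sshd\[(?P<pid>\d+)\]: pam_unix\(sshd:session\): session opened for user (?P<user>\S+)")
CLOSE_RE = re.compile(r"sshd\[(?P<pid>\d+)\]: pam_unix\(sshd:session\): session closed for user (?P<user>\S+)")
TS_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) ")  # syslog timestamp, no year


def sessions_from_auth_log(lines):
    """Return (user, ip, pid, opened_at, closed_at) per publickey session, in close order.
    closed_at is None for sessions still open when the input ends."""
    pending = {}  # pid -> (user, ip): key accepted, PAM session not yet opened
    active = {}   # pid -> {"user", "ip", "opened"}: session open, waiting for close
    out = []
    for line in lines:
        m_ts = TS_RE.match(line)
        ts = m_ts["ts"] if m_ts else None
        if m := ACCEPT_RE.search(line):
            pending[m["pid"]] = (m["user"], m["ip"])  # overwrite: pid reuse starts fresh
        elif m := OPEN_RE.search(line):
            if m["pid"] in pending:  # only sessions we saw accepted by public key
                user, ip = pending.pop(m["pid"])
                active[m["pid"]] = {"user": user, "ip": ip, "opened": ts}
        elif m := CLOSE_RE.search(line):
            s = active.pop(m["pid"], None)  # drop the pid so a later reuse is a new session
            if s:
                out.append((s["user"], s["ip"], int(m["pid"]), s["opened"], ts))
    for pid, s in active.items():  # sessions still open at end of log
        out.append((s["user"], s["ip"], int(pid), s["opened"], None))
    return out


# Constructed sample: thread's lines for pid 24031, plus a password login and a reuse of 24031.
SAMPLE_AUTH_LOG = """\
Dec  2 18:58:55 havoc sshd[24031]: Accepted publickey for teaclub from 63.224.80.128 port 44854 ssh2: RSA SHA256:Nab5H8iLOWfU704AhqiYQkiX8T5ADv2a83uCw/vQLL0
Dec  2 18:58:55 havoc sshd[24031]: pam_unix(sshd:session): session opened for user teaclub by (uid=0)
Dec  2 19:10:00 havoc sshd[24100]: Accepted password for alice from 192.0.2.10 port 50000 ssh2
Dec  2 19:10:00 havoc sshd[24100]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Dec  2 19:30:00 havoc sshd[24100]: pam_unix(sshd:session): session closed for user alice
Dec  2 20:18:26 havoc sshd[24031]: pam_unix(sshd:session): session closed for user teaclub
Dec  2 21:00:00 havoc sshd[24031]: Accepted publickey for bob from 198.51.100.7 port 40001 ssh2: ED25519 SHA256:PLACEHOLDERfingerprint
Dec  2 21:00:00 havoc sshd[24031]: pam_unix(sshd:session): session opened for user bob by (uid=0)
"""

if __name__ == "__main__":
    for rec in sessions_from_auth_log(SAMPLE_AUTH_LOG.splitlines()):
        print(rec)
```

Because the syslog timestamp carries no year, a log spanning a year boundary needs the year supplied from the file's context before durations are computed.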