
Make sure tlog can be used in a jump-server setup

Open spbnick opened this issue 8 years ago • 4 comments

As tlog-rec cannot be used safely and reliably to record superuser sessions another approach needs to be employed. One of those is using a "jump-server", where the user would first login to a special "jump" server where tlog-rec would be running, and from there (automatically?) login to the target server.

In this case some of the logged data might need to be altered, such as hostname, or the user name. Consider the whole setup, how it would work, and implement the extra flexibility, if necessary.

spbnick, Feb 26 '16 11:02

A use case:

As an administrator I would like to correlate the session that was recorded on a jump host with the logs recorded on the target host, so that I can see what was going on on the target system.

spbnick, Oct 20 '17 19:10

Any update maybe on this feature?

Also a few of my comments regarding the jump-server tlog use case scenario. I'm using tlog-rec-session on the 'jump-server' for a week; session recording is fine (of course host and user could be altered in tlog data for easier search), but still you know hosts and commands executed (using tlog-play) for all the sessions and users at the jump-host. The issue is that you can't really search by which command a user executed on which host, due to the format of out_txt/in_txt and the way it's stored. I noticed that feature request https://github.com/Scribery/tlog/issues/260 was closed, but simply his use case was a bit different. Using the emulation that's done by tlog-play and trying to extract the proper command directly to logs will make everything easier: you can search for sessions, commands executed by users, timeframe, and then play each one to see who broke things, for example :) auditd needs to be installed on all hosts, but tlog does not, so allowing just commands to be logged as he suggested would make a perfect solution for a jump-host without any need for extra configuration at each host.

johny321, Aug 29 '19 09:08

Hi @johny321

No work has been done yet on this; I suppose a configuration option can be added to enable "jump-server mode", which allows overriding the default recorded hostname/username.

Regarding https://github.com/Scribery/tlog/issues/260 - tlog is not designed for this use case; as tlog records entire terminal I/O (including binary input, output, and terminal window size changes), there is no simple way to isolate individual commands. Note that you can use the cockpit-session-recording 'Search' input box, providing commands to find and filter out specific recordings and play them back in the WebUI; this may partially help with your needs.

justin-stephenson, Aug 30 '19 13:08
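As an added illustration of the point made in the reply above (example code written for this page, not part of tlog or this thread): replaying a constructed keystroke stream shows why "the command that was run" cannot be lifted out of raw terminal input alone. The sample stream and its encoding are assumptions for the demonstration, not tlog's actual in_txt format.

```python
"""Reconstruct typed command lines from a raw terminal keystroke stream.

Shows why extracting commands from full terminal I/O is not a simple grep:
editing keys, Tab completion and escape sequences (arrows, history recall)
change the final command in ways that depend on the shell and on the output
it echoed back, which a pure input stream does not contain.
"""
from dataclasses import dataclass, field

# Constructed sample keystroke stream (an assumption about what a raw input
# capture carries, not tlog's real encoding). The user types "ls -lx",
# fixes the typo with Backspace (\x7f) and presses Enter (\r); then types
# "sudo systemctl resta", presses Tab (shell completes "restart "), types
# "sshd" and Enter; then types "cat " and presses Up arrow (\x1b[A) to
# recall a history entry before pressing Enter.
SAMPLE_INPUT = "ls -lx\x7fa\rsudo systemctl resta\tsshd\rcat \x1b[A\r"


@dataclass
class Reconstruction:
    commands: list[str] = field(default_factory=list)   # fully resolvable lines
    ambiguous: list[str] = field(default_factory=list)  # need the output side


def reconstruct_lines(stream: str) -> Reconstruction:
    """Replay printable keys and Backspace into a line buffer; commit on Enter.
    Lines that used Tab or an escape sequence are reported as ambiguous."""
    result = Reconstruction()
    buf: list[str] = []
    unresolved = False
    i = 0
    while i < len(stream):
        ch = stream[i]
        if ch == "\x1b":            # CSI escape, e.g. Up arrow = history recall
            unresolved = True
            i += 1
            while i < len(stream) and not stream[i].isalpha():
                i += 1              # skip parameter bytes up to the final letter
        elif ch == "\t":            # Tab: the shell inserts text never typed
            unresolved = True
        elif ch == "\x7f":          # Backspace removes the last buffered char
            if buf:
                buf.pop()
        elif ch in "\r\n":          # Enter commits the line
            line = "".join(buf)
            (result.ambiguous if unresolved else result.commands).append(line)
            buf, unresolved = [], False
        elif ch.isprintable():
            buf.append(ch)
        i += 1
    return result
```

Only the first line is recoverable as typed; the other two come out as "sudo systemctl restasshd" and "cat ", which is exactly the gap that tlog-play closes by replaying the output stream as well.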

Thanks for the response. Yes, that would be great with this extra configurable option.

cockpit-session-recording looks like it's using the grep feature of journalctl, which is not available in the latest CentOS 7 release, so the only filter options which are working in my setup are Since/Until.

Sep 02 08:41:42 test-server cockpit-bridge[9403]: journalctl: unrecognized option '--grep=test123'

Also I saw it's not yet(?) possible to use elasticsearch as a source for Session Recording via cockpit, so for now I'm going to stick with Kibana / tlog-play / curl queries to elastic and hope that some features will be added later on :)

johny321, Sep 02 '19 07:09