RFE: tlog-play improvements

Open myllynen opened this issue 5 years ago • 4 comments

When using tlog on systems where the journal is not an option (not available or not in use for some reason), logging to a separate file makes it possible to separate recorded sessions from other logging. However, tlog-play doesn't seem to grok the file. To improve the user experience without the journal, it would be nice to have:

  1. tlog-play support for separate log files (perhaps support for parsing tlog messages from /var/log/messages would in theory be possible as well, but I think that would be lower priority than support for separate log files)
  2. tlog-play support at least for listing users with recorded sessions (from a log file or from the journal), listing sessions for each user (including start and end time), and listing sessions within a certain timeframe
  3. tlog-play support for dumping instantly any given session, instead of any sort of "fast-forward" playback or such

Thanks.

myllynen avatar Nov 20 '20 15:11 myllynen

Hi, thanks for your feedback. tlog-play does support playing back recordings written to a file (with --writer=file), and recently the following option was added to specify which recording to play back when multiple recordings exist in the same log file.

       -m, --file-match=STRING
              Playback explicit recording id specified in STRING.

              STRING is the recording id of the recording the "file" reader should seek to for playback.

justin-stephenson avatar Nov 23 '20 13:11 justin-stephenson

Thanks for pointing out -m, I had tested only the RHEL 8 version so didn't know about it, mea culpa. So yes, it's certainly helpful.

I think I earlier had some "short" session at the beginning of the log file as now that I've recreated the log I can play the first session but after that I get an error (so if there's a "short" session at the beginning you'll basically see a prompt and an error):

root@localhost:~# tlog-play -i tlog.log
[...]
testuser@rhel-8-server:~$ whoami
testuser
testuser@rhel-8-server:~$ ls
testuser@rhel-8-server:~$ logout

Message ID is out of order
Failed reading the source at line 10

Thanks.

myllynen avatar Nov 23 '20 19:11 myllynen

I have now created an imaginary screenshot with tlog-play examples of how things might eventually look in an ideal world. Not sure whether there will ever be a chance for anyone to implement these, but I'm just listing some ideas here, from a user perspective, of what could be helpful. I'm using file as an example here but this could hopefully work with reader backend.

# tlog-play -r file --check --verbose tlog.log
tlog.log is a valid tlog log file.
# tlog-play -r file --check --verbose partial.log
tlog.log is a corrupt tlog log file.
# tlog-play -r file --check --verbose httpd.log
httpd.log is not a tlog log file.
# tlog-play -r file --list-sessions --verbose tlog.log
USER    HOST        SESSION    START                  END                    RECORDING
user1   localhost   <sid1>     2020-10-10 10:10:10    2020-10-10 11:11:11    <rid1>
user2   localhost   <sid2>     2020-10-10 12:12:12    2020-10-10 13:13:13    <rid2>
user1   localhost   <sid3>     2020-10-10 14:14:14    2020-10-10 15:15:15    <rid3>
# tlog-play -r file --list-sessions --host remote.example.com --verbose tlog.log
USER    HOST        SESSION    START                  END                    RECORDING
# tlog-play -r file --list-sessions --user user1 --verbose tlog.log
USER    HOST        SESSION    START                  END                    RECORDING
user1   localhost   <sid1>     2020-10-10 10:10:10    2020-10-10 11:11:11    <rid1>
user1   localhost   <sid3>     2020-10-10 14:14:14    2020-10-10 15:15:15    <rid3>
# tlog-play -r file --list-sessions --user user1 --start-time "2020-10-10 13:13:13" --verbose tlog.log
USER    HOST        SESSION    START                  END                    RECORDING
user1   localhost   <sid3>     2020-10-10 14:14:14    2020-10-10 15:15:15    <rid3>
# tlog-play -r file --list-sessions --user user1 --end-time "2020-10-10 13:13:13" --verbose tlog.log
USER    HOST        SESSION    START                  END                    RECORDING
user1   localhost   <sid1>     2020-10-10 10:10:10    2020-10-10 11:11:11    <rid1>
# tlog-play -r file --verbose tlog.tlog
Playing user1 session <sid1> at localhost starting on 2020-10-10 10:10:10.
$ whoami
user1
exit
# tlog-play -r file --file-match <sid2> --verbose tlog.tlog
Playing user2 session <sid2> at localhost starting on 2020-10-10 12:12:12.
$ whoami
user2
exit
# tlog-play -r file --file-match -1 --verbose tlog.tlog
Playing user1 session <sid3> at localhost starting on 2020-10-10 14:14:14.
$ echo $USER
user1
exit
# tlog-play -r file --file-match <sid2> --instant --verbose tlog.tlog
Dumping user2 session <sid2> at localhost starting on 2020-10-10 12:12:12.
$ whoami
user2
exit
# 

Thanks.

myllynen avatar Nov 24 '20 14:11 myllynen
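
The session listing requested in this thread can be approximated outside tlog-play by grouping the JSON messages of a file-writer log by recording id. The following is an added example, not tlog code and not from the thread's participants: the field names (`rec`, `user`, `host`, `session`, `id`, `time`) are assumed from tlog's JSON message format, which this page does not show, and the sample lines are constructed.

```python
import json

# Constructed sample of a file-writer log holding two recordings plus one
# unrelated syslog line. Field names are assumed from tlog's JSON schema.
SAMPLE = [
    '{"ver":"2.3","host":"localhost","rec":"rid1","user":"user1","session":1,"id":1,"pos":0,"time":1602324610.0,"out_txt":"$ "}',
    '{"ver":"2.3","host":"localhost","rec":"rid1","user":"user1","session":1,"id":2,"pos":900,"time":1602324615.5,"out_txt":"exit"}',
    'Oct 10 12:00:00 localhost httpd[812]: GET /index.html',
    '{"ver":"2.3","host":"localhost","rec":"rid2","user":"user2","session":2,"id":1,"pos":0,"time":1602331932.0,"out_txt":"$ "}',
    '{"ver":"2.3","host":"localhost","rec":"rid2","user":"user2","session":2,"id":3,"pos":700,"time":1602331940.0,"out_txt":"exit"}',
]


def list_sessions(lines, user=None, start=None, end=None):
    """Summarise each recording found in `lines`, in first-seen order.

    Message ids are compared only within one recording, so a file holding
    several recordings is not treated as out of order. `complete` is False
    when a recording's ids do not run 1, 2, 3, ... without gaps.
    `start`/`end` are epoch seconds: keep sessions starting at or after
    `start` and ending at or before `end`.
    """
    recs = {}
    for line in lines:
        brace = line.find("{")          # tolerate a syslog-style prefix
        if brace < 0:
            continue
        try:
            msg = json.loads(line[brace:])
        except ValueError:
            continue                    # truncated or non-tlog line
        if not isinstance(msg, dict) or not {"rec", "user", "id"} <= msg.keys():
            continue
        r = recs.setdefault(msg["rec"], {
            "recording": msg["rec"], "user": msg["user"],
            "host": msg.get("host"), "session": msg.get("session"),
            "start": msg.get("time"), "end": None,
            "last_id": 0, "complete": True})
        if msg["id"] != r["last_id"] + 1:
            r["complete"] = False       # gap, duplicate or reordering
        r["last_id"] = msg["id"]
        r["end"] = msg.get("time")
    return [r for r in recs.values()
            if (user is None or r["user"] == user)
            and (start is None or (r["start"] or 0) >= start)
            and (end is None or (r["end"] or 0) <= end)]
```

A recording reported with `complete` set to False is one whose messages were lost or reordered, which is worth checking before relying on it as an audit record.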