strange characters in the SSH logs recordings
Invisible control characters in the SSH logs recorded
The ssh session recording feature logs every single key press hence non-printable key-strokes such as the backspace key, CTRL keys, Function keys etc shows up as these strange characters.
qui[BS][BS][BS]cd /roo[BS][BS][BS]root
cd .ssh
ls -la
nano au[CTRL+I]
[CTRL+X]exit
For example, [BS] would be a backspace. Note that when the ssh session recording mode is in the 'Input', it records the STDIN file descriptor ( Keyboard input ) would have the invisible control characters in it. When the ssh session recording is in the "Output" mode it would record the STDOUT file descriptor( Screen Output) and will not have the invisible control characters in it . The ssh session recording mode "Both" would record both the STDIN and STDOUT. Switch the ssh session recording mode to 'Both' under Settings->General->Security->SSH Session logging.
On the server, the ssh sessions logs are stored in the directory /var/log/ezlogin. The "Input" session recorded are stored in the directory "/var/log/ezlogin/input" and the "Output" SSH sessions recorded are stored in the directory "/var/log/ezlogin/output". For pipelining the logs to SIEM softwares, we would recommend using the "Output" ssh logs recorded stored in the directory "/var/log/ezlogin/output".
Note: The database only stores the metadata of the files that store the ssh logs recorded. The below example shows the ssh session logs stored in the database.
$gateway mysql $(awk '/^db_name/ {print $2}' /usr/local/etc/ezlogin/ez.conf)
MariaDB [ezlogin_mpayl]> select * from gjbpe_sshlogs;
