Is it possible to view all SSH logs of a deleted user?
Accessing logs after user deletion in Ezeelogin
Overview: This article explains how admin-privileged users can still access and retrieve logs in Ezeelogin after a user has been deleted. This can be done by using alternative search parameters in the web panel or by directly accessing raw log files on the SSH jump host, as long as SSH log encryption was not enabled when the logs were recorded.
When a user is deleted from Ezeelogin, their logs are preserved for audit and security purposes. Although the username may no longer be directly searchable in the web panel, you can still access these logs by searching with alternative parameters like the server hostname and date range.
Alternatively, you can find the raw logs on your SSH jump host, in the deleted user's directory:
root@gateway:~# ls -l /var/log/ezlogin/full/{username}/
You can read the logs as plain text, provided SSH log encryption was not enabled at the time the SSH log was recorded.
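The raw-log lookup described above, as an added example that is not part of Ezeelogin's own tooling: a shell function that lists a user's log files within a date range and marks each one as readable text or not. The function names, the filter on file modification time, the NUL-byte heuristic for "possibly encrypted" and the demo file names are assumptions; only the /var/log/ezlogin/full path comes from this article, and GNU find and touch are required.

```shell
#!/bin/sh
# Added example: inventory a (possibly deleted) user's raw session logs.
# LOG_ROOT is the path given in the article; everything else is assumed.
LOG_ROOT=${LOG_ROOT:-/var/log/ezlogin/full}

# audit_user_logs USER FROM TO [ROOT]
# Prints "<kind><TAB><path>" for files modified after FROM and up to TO.
# kind: text, binary (heuristic: contains NUL, possibly encrypted) or empty.
audit_user_logs() {
    user=$1 from=$2 to=$3 root=${4:-$LOG_ROOT}
    # Reject separators and dot names so the lookup stays under the log root.
    case $user in
        ''|*/*|.|..) echo "invalid username" >&2; return 2 ;;
    esac
    dir=$root/$user
    [ -d "$dir" ] || { echo "no log directory: $dir" >&2; return 1; }
    find "$dir" -type f -newermt "$from" ! -newermt "$to" | sort |
    while IFS= read -r f; do
        if [ ! -s "$f" ]; then kind=empty
        elif LC_ALL=C grep -Iq . "$f"; then kind=text
        else kind=binary
        fi
        printf '%s\t%s\n' "$kind" "$f"
    done
}

# Constructed sample tree for a dry run; user and file names are made up.
make_demo_tree() {
    demo=$(mktemp -d) || return 1
    mkdir -p "$demo/alice"
    printf 'alice@web01:~$ uptime\n' > "$demo/alice/session-a.log"
    printf '\000\037\213\010\000' > "$demo/alice/session-b.log"
    printf 'old session\n' > "$demo/alice/session-old.log"
    touch -d '2024-03-10 12:00' "$demo/alice/session-a.log" "$demo/alice/session-b.log"
    touch -d '2023-01-01 12:00' "$demo/alice/session-old.log"
    echo "$demo"
}
```

On the jump host, call it as root with the deleted user's name and a date range, for example audit_user_logs {username} 2024-03-01 2024-04-01.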
FAQ
1. Why are SSH log files (Users → SSH Logs in the Ezeelogin GUI) still present after deletion from the web interface?
Deleting log entries from the Ezeelogin web interface only removes the metadata from the database. The actual log files stored on the filesystem under /var/log/ezlogin/ are not deleted.
To restore the metadata for these logs back into the web interface, use the following command:
root@gateway:~# /usr/local/ezlogin/eztool.php -reimport_logs
This command re-imports the log metadata from the log files that still exist on disk.
2. Is there any impact if the logs in /var/log/ezlogin/ are deleted?
No, the logs in /var/log/ezlogin/ can be safely deleted without affecting system functionality. However, once deleted, these logs cannot be recovered.