Linux repositories inspector


February 2009


A keystroke logging utility for privileged user escalation


sslogger - execute a command or interactive shell, and record the output


sslogger [-h] [-c command]


sslogger is session keystroke logging utility and allows permitted users to execute commands, or open interactive shells. When used in interactive session mode, sslogger records keystrokes in a special file. A tty is required for interactive sessions.
Two modes of logging are available, local logging and remote logging. Remote logging is performed through a secure TLS session. See the sslogger.conf manpage for details. A remote slogd server must configured for remote logging.
The local default keystroke log files are written to /var/log/slog/<hostname>-<user1>-<user2>.<date>.log. The sreplay command is included to review session log files created via sslogger, creating an audit trail of all actions performed by users. The keep_local_logs config setting can be set to remove the local log after successful transfer to the remote slogd server.
sslogger also provides the ability to run in command mode in which a command can be executed. This allows sslogger to be used within a script in non-interactive script. When running this mode, stdin is closed.
When used in combination with slog and sudo, privileged user escalation can be controlled and audited by creating standard sudo rules.
By default, sslogger will change to the users home directory before executing a shell or command. Use the -h flag to remain in the current working directory.
All commands and interactive sessions write an entry to the local syslog.


sslogger accepts the following command line options:
-c command and args
Execute "command and args" instead if interactive shell. Provides ability run sslogger within a script. non-interactive mode
-h Stay in current working directory, do not cd to USER home dir
-f Flush buffer on every newline
-q Suppress printing of SS logger start/finish information
-l Log output of all commands
-d Debug
The sreplay command can be used to sreplay recorded sessions
sreplay <filename>
Replays interactive session identified by filename


In interactive mode, always exits 0.
When run in a non-interactive mode, slog returns the value of the command being run.


Configuration file see man ssloggers.conf(5)
Sudo Configuration file - see man sudoers(5) for details
Default directory in which sessions are logged


Sample sudoers entry to allow user user1 to run any command, or interactive shell as users: root,user2
user1 ALL=(root,user2) NOPASSWD:/usr/bin/sslogger
/etc/sudoers entry to allow user1 to only run "ls" as user2
user1 ALL=(testy2) NOPASSWD:/usr/bin/sslogger -c ls, /usr/bin/sslogger -c ls *
Sample sudoers entry to allow users in unix group wheel to run any sslogger command as root
%wheel ALL=(root) NOPASSWD:/usr/bin/sslogger
Sample sudoers entry using sudoers groups for user1 and user2
#Group Privileged access
User_Alias SSERS = user1,user2
Cmnd_Alias SL = /usr/bin/sslogger
SSERS ALL = (root,user3) NOPASSWD: SL
# user1 and user2 can now get an interactive root shell for root and user3
# while logging all keystrokes
Configuration file /etc/sslogger.conf:
see man ssloggers.conf(5) for details
# Log output of all commands, even non interactive (1 is true). Default 0
# Minimum Comment length in chars
#an entry of 0 will skip reason for asking for a shell
# Maximum Comment Length in chars written to syslog
#Comment Length in the session log file is currently unlimited
# To allow normal users replay access to log files they create, Set below to 1
# slogd server name or ip.
# If commented out or empty remote log collection is disabled
#slogd service port
#slogd auth type. Must match slogd server tls_authtype
# Current options are "x509" or "anon".
# Setting to x509 requires x509 tls certs
# to be generated and pushed to all clients. See the mkSlogCerts command
# When using a slogd server, and a sslogger session is over, and logs are
# properly transferred to slogd server, delete the local log file.
# Setting to 1 will enable keeping of all local log file.
# Policy for when a connection to a slogd server is unavailable or unexpectedly terminated
# If set to 1, ssloger will terminate if connection is broken to slogd server
# and will die if it cannot connect to the remote slogd server at startup
# If set to 0, local logging will be used when we can not contact remote server
# or when a network connection to the slogd server is broken
#To allow user2 to replay all session files, add user2 to the sslogger group


Note: the following examples assume suitable sudoers(5) entries.
$ sslogger
- Obtains an interactive shell, and log all keystrokes
$ sslogger -c ls -l /root
- Runs command, logs output if log_all_cmds=1 in sslogger.conf
$ slog -u user2
- Obtains an interactive shell as another user.
$ slog -u user2 -h
- Obtains an interactive shell as user2 whilst remaining in the current working directory.
$ sreplay <filename>
- Replays an interactive session log (may require user to be added to sloggers group, see (CONFIGURATION FILES)


If you feel you have found a bug in sslogger, please submit a bug report at


Limited free support is available via the sslogger-users mailing list, see to subscribe or search the archives.


Edward Brand <>


sslogger.conf(5) slog(8) sreplay(8) slogd(8) sudo(8), suders(8), su(2)


⇧ Top