Chapter 13. Configuring a system for session recording using the tlog RHEL System Roles
With the tlog RHEL System Role, you can configure a system for terminal session recording on RHEL using Red Hat Ansible Automation Platform.
13.1. The tlog System Role
You can configure a RHEL system for terminal session recording on RHEL using the tlog RHEL System Role. The tlog package and its associated web console session player provide you with the ability to record and play back user terminal sessions.
You can configure the recording to take place per user or user group via the SSSD service. All terminal input and output is captured and stored in a text-based format in the system journal.
- For more details on session recording in RHEL, see Recording Sessions
13.2. Components and parameters of the tlog System Roles
The Session Recording solution is composed of the following components:
- The tlog utility
- System Security Services Daemon (SSSD)
- Optional: The web console interface
The parameters used for the tlog RHEL System Roles are:
tlog_use_sssd (default: yes)
Configure session recording with SSSD, the preferred way of managing recorded users or groups
tlog_scope_sssd (default: none)
Configure SSSD recording scope - all / some / none
tlog_users_sssd (default: )
YAML list of users to be recorded
tlog_groups_sssd (default: )
YAML list of groups to be recorded
For details about the parameters used in tlog and additional information about the tlog System Role, see the
13.3. Deploying the tlog RHEL System Role
Follow these steps to prepare and apply an Ansible playbook to configure a RHEL system to log recording data to the systemd journal.
- You have set SSH keys for access from the control node to the target system where the tlog System Role will be configured.
- You have one control node, which is a system from which the Ansible Engine configures the other systems.
- You have Red Hat Ansible Engine installed on the control node, from which you want to run the playbook.
- You have the rhel-system-roles package installed on the control node from which you want to run the playbook.
- You have at least one system on which you want to configure the tlog System Role. You do not have to have Red Hat Ansible Automation Platform installed on the systems on which you want to deploy the
Create a new playbook.yml file with the following content:
---
- name: Deploy session recording
  hosts: all
  vars:
    tlog_scope_sssd: some
    tlog_users_sssd:
      - recordeduser

  roles:
    - rhel-system-roles.tlog
some specifies you want to record only certain users and groups, not
recordeduser specifies the user whose session you want to record. Note that this does not add the user for you. You must create the user yourself.
Optionally, verify the playbook syntax.
# ansible-playbook --syntax-check playbook.yml
Run the playbook on your inventory file:
# ansible-playbook -i IP_Address /path/to/file/playbook.yml -v
As a result, the playbook installs the tlog role on the system you specified. It also creates an SSSD configuration drop file that can be used by the users and groups that you define. SSSD parses and reads these users and groups to overlay tlog session as the shell user. Additionally, if the cockpit package is installed on the system, the playbook also installs the cockpit-session-recording package, which is a Cockpit module that allows you to view and play recordings in the web console interface.
To verify that the SSSD configuration drop file is created in the system, perform the following steps:
Navigate to the folder where the SSSD configuration drop file is created:
# cd /etc/sssd/conf.d
Check the file content:
# cat /etc/sssd/conf.d/sssd-session-recording.conf
You can see that the file contains the parameters you set in the playbook.
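The manual check above can be scripted so that drift in the drop file (for example, a scope changed to none, which stops recording) is reported. This is an added example, not part of the original documentation or the role's code; it assumes the drop file uses the [session_recording] section with the scope, users and groups options described in sssd-session-recording(5), and the sample file content is constructed.

```python
import configparser

# Constructed sample of /etc/sssd/conf.d/sssd-session-recording.conf.
# Assumption: the layout follows sssd-session-recording(5).
SAMPLE_CONF = """\
[session_recording]
scope = some
users = recordeduser
groups =
"""

def split_list(value):
    """Split an SSSD comma-separated list, dropping empty items."""
    return sorted(item.strip() for item in (value or "").split(",") if item.strip())

def check_recording_conf(text, scope, users=(), groups=()):
    """Return the differences between the drop file and the playbook variables."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    if not parser.has_section("session_recording"):
        return ["missing [session_recording] section"]
    section = parser["session_recording"]
    problems = []
    # SSSD treats a missing scope as "none", which means nobody is recorded.
    found_scope = section.get("scope", "none").strip().lower()
    if found_scope != scope:
        problems.append(f"scope is {found_scope!r}, expected {scope!r}")
    for key, expected in (("users", users), ("groups", groups)):
        found = split_list(section.get(key, ""))
        missing = sorted(set(expected) - set(found))
        extra = sorted(set(found) - set(expected))
        if missing:
            problems.append(f"{key} missing from drop file: {missing}")
        if extra:
            problems.append(f"{key} not in playbook: {extra}")
    return problems

if __name__ == "__main__":
    # Expected values are tlog_scope_sssd and tlog_users_sssd from the playbook.
    for line in check_recording_conf(SAMPLE_CONF, "some", ["recordeduser"]) or ["OK"]:
        print(line)
```

On a managed host, pass the real file content read from /etc/sssd/conf.d/sssd-session-recording.conf instead of SAMPLE_CONF.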
13.4. Recording a session using the deployed tlog system role in the CLI
Once you have deployed the tlog System Role in the system you have specified, you are able to record a user terminal session using the command-line interface (CLI).
You have deployed the tlog System Role in the target system.
The SSSD configuration drop file was created in the
Create a user and assign a password for this user:
# useradd recordeduser
# passwd recordeduser
Log in to the system again as the user you just created:
# ssh recordeduser@localhost
- Type "yes" when the system prompts you to type yes or no to authenticate.
Enter the recordeduser’s password.
The system displays a message to inform you that your session is being recorded.
ATTENTION! Your session is being recorded!
Once you have finished recording the session, type:
The system logs the user out and closes the connection to localhost.
As a result, the user session is recorded and stored, and you can play it back from the journal.
To view your recorded session in the journal, perform the following steps:
Run the command below:
# journalctl -o verbose -r
Search for the MESSAGE field of the tlog-rec recorded journal entry.
13.5. Watching a recorded session using the CLI
You can play a user session recording from a journal using the command-line interface (CLI).
- You have recorded a user session. See Section 13.4, “Recording a session using the deployed tlog system role in the CLI”
On the CLI terminal, play the user session recording:
# journalctl -o verbose -r
Search for the
You can see details such as:
- The username for the user session recording
- The out_txt field, a raw output encoding of the recorded session
- The identifier number TLOG_REC=ID_number
- Copy the identifier number TLOG_REC=ID_number.
Play back the recording using the identifier number TLOG_REC=ID_number.
# tlog-play -r journal -M TLOG_REC=ID_number
As a result, you can see the user session recording terminal output being played back.
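For auditing many recordings at once, the manual search for the MESSAGE field, the username, out_txt and TLOG_REC described in Sections 13.4 and 13.5 can be automated over `journalctl -o json` output. This is an added example, not part of the original documentation or of tlog; it assumes that MESSAGE holds tlog's JSON message with user, id and out_txt keys, and the journal lines are constructed.

```python
import json

def field_text(value):
    """journalctl -o json emits fields that are not valid UTF-8 as byte arrays."""
    if isinstance(value, list):
        return bytes(value).decode("utf-8", errors="replace")
    return value if isinstance(value, str) else ""

def summarize_recordings(journal_lines):
    """Group tlog entries by TLOG_REC and rebuild each recording's output text."""
    chunks = {}  # rec_id -> list of (message id, user, out_txt)
    for line in journal_lines:
        if not line.strip():
            continue
        entry = json.loads(line)
        rec_id = field_text(entry.get("TLOG_REC"))
        if not rec_id:
            continue  # entry was not written by tlog-rec
        try:
            msg = json.loads(field_text(entry.get("MESSAGE")))
        except json.JSONDecodeError:
            continue  # MESSAGE missing or not JSON
        if isinstance(msg, dict):
            chunks.setdefault(rec_id, []).append(
                (msg.get("id", 0), msg.get("user", ""), msg.get("out_txt", "")))
    summary = {}
    for rec_id, parts in chunks.items():
        parts.sort(key=lambda part: part[0])  # journalctl -r lists newest first
        summary[rec_id] = {
            "user": parts[0][1],
            "messages": len(parts),
            "output": "".join(part[2] for part in parts),
        }
    return summary

def _entry(rec, msg, as_bytes=False):
    text = json.dumps(msg)  # as_bytes mimics a field exported as a byte array
    return json.dumps({"TLOG_REC": rec, "MESSAGE": list(text.encode()) if as_bytes else text})

# Constructed sample in reverse order, as `journalctl -o json -r` would print it.
SAMPLE = [
    _entry("constructed-rec-1", {"user": "recordeduser", "id": 2, "out_txt": "uid=1001\r\n"}),
    json.dumps({"MESSAGE": "unrelated journal entry"}),
    _entry("constructed-rec-1", {"user": "recordeduser", "id": 1, "out_txt": "$ id\r\n"}, as_bytes=True),
]

if __name__ == "__main__":
    for rec_id, info in summarize_recordings(SAMPLE).items():
        print(rec_id, info["user"], info["messages"], repr(info["output"]))
```

Each key of the returned summary is a recording identifier that can be passed to tlog-play as TLOG_REC=ID_number.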