Monitoring Active SSH/RDP Sessions

Hi there!

I got an interesting task and I’d like to share it and ask for your opinion/ideas.

My goal is to monitor the active SSH and/or RDP sessions and show a list of currently active users on the dashboard.

I found out that I’ll need to be able to catch 3 different types of logs:

Login/Logout/Timeout

Login

systemd-logind[6003]: New session 1494 of user A.

Logout

systemd-logind[6003]: Removed session 1494.

Timeout (VPN kick)

systemd-logind[6003]: Removed session 1494.

I added some custom extractors to get the session IDs (stored in session_id_login, session_id_logout).

And now I’m looking for a way to create a correlation on this; I’m not sure if it’s possible to do this in Graylog. I checked how to write custom pipelines, but maybe there is an easier solution than that. Maybe it’s somehow possible to write an advanced search query that will only return the session_id_login values for which there is no matching session_id_logout in the logs in the past 24 hours.

The idea would be:

if there is a log with session_id_login -> add it to the dashboard; if there is a log with session_id_logout -> remove the entry whose session_id_login equals that session_id_logout from the dashboard.

Do you think that such advanced correlation will be possible in Graylog?

Thanks a lot!
Severin
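The correlation described in the post, written out as a stand-alone replay over sample log lines. This is an added example, not code from the original post and not a Graylog pipeline rule; it exists to make the matching logic explicit before it is ported to whatever Graylog mechanism is chosen. Assumptions: each line carries an ISO-8601 timestamp prefix (the post's quoted lines omit one, so this is constructed), the "New session N of user U." and "Removed session N." formats are exactly as quoted, and, because the post shows that a VPN timeout produces the same "Removed session" line as a normal logout, both are treated identically. The sample log, user names and session numbers are constructed for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional

# Constructed sample lines (hypothetical timestamps, host name and users) in the
# systemd-logind format quoted in the post. "dave" has a login older than 24h
# with no matching "Removed session", e.g. a logout event that was never shipped.
SAMPLE_LOG = """\
2024-02-27T07:00:00 host systemd-logind[6003]: New session 1400 of user dave.
2024-03-01T08:00:00 host systemd-logind[6003]: New session 1494 of user alice.
2024-03-01T08:05:00 host systemd-logind[6003]: New session 1495 of user bob.
2024-03-01T09:00:00 host systemd-logind[6003]: Removed session 1494.
2024-03-01T09:15:00 host systemd-logind[6003]: Removed session 1300.
2024-03-01T09:30:00 host systemd-logind[6003]: New session 1496 of user carol.
2024-03-01T10:00:00 host systemd-logind[6003]: Removed session 1496.
2024-03-01T10:10:00 host systemd-logind[6003]: New session 1497 of user alice.
"""
SAMPLE_LINES = SAMPLE_LOG.splitlines()

# Equivalent of the post's session_id_login / session_id_logout extractors.
LOGIN_RE = re.compile(r"New session (?P<sid>\d+) of user (?P<user>\S+)\.$")
LOGOUT_RE = re.compile(r"Removed session (?P<sid>\d+)\.$")


@dataclass
class Event:
    ts: datetime
    kind: str            # "login" or "logout" (a timeout is also a "logout")
    sid: str
    user: Optional[str] = None


def parse_line(line: str) -> Optional[Event]:
    """Turn one log line into an Event; unrelated or malformed lines yield None."""
    ts_str, _, rest = line.partition(" ")
    try:
        ts = datetime.fromisoformat(ts_str)
    except ValueError:
        return None
    m = LOGIN_RE.search(rest)
    if m:
        return Event(ts, "login", m["sid"], m["user"])
    m = LOGOUT_RE.search(rest)
    if m:
        return Event(ts, "logout", m["sid"])
    return None


def active_sessions(lines: Iterable[str], now: str,
                    window_hours: float = 24) -> Dict[str, Event]:
    """Replay the lines in order and return the sessions still open.

    A session is active when its login lies inside the lookback window and no
    "Removed session" with the same ID has been seen after it. The window drops
    stale logins whose logout was lost, so a missed event cannot pin a user on
    the dashboard forever.
    """
    active: Dict[str, Event] = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev.kind == "login":
            # Newest login wins if logind reuses an ID (IDs restart after reboot).
            active[ev.sid] = ev
        else:
            # Logout or VPN timeout: both arrive as "Removed session"; a removal
            # for a session we never saw (e.g. 1300 above) is simply ignored.
            active.pop(ev.sid, None)
    cutoff = datetime.fromisoformat(now) - timedelta(hours=window_hours)
    return {sid: ev for sid, ev in active.items() if ev.ts >= cutoff}


def active_users(lines: Iterable[str], now: str,
                 window_hours: float = 24) -> List[str]:
    """The dashboard view: distinct users with at least one active session."""
    return sorted({ev.user for ev in active_sessions(lines, now, window_hours).values()})


if __name__ == "__main__":
    for sid, ev in sorted(active_sessions(SAMPLE_LINES, "2024-03-01T10:30:00").items()):
        print(f"session {sid}: {ev.user} since {ev.ts.isoformat()}")
    print("active users:", active_users(SAMPLE_LINES, "2024-03-01T10:30:00"))
```

Two points carry over to any Graylog implementation: the same session ID must be compared as the same type on both sides (the extractors should store both as strings or both as numbers), and because a timeout and a logout are indistinguishable in the log, the dashboard can only show "session gone", not why; if the reason matters, the sshd or VPN logs need to be correlated as well.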
