How to enable RSCD agent keystroke logging


About keystroke logging

Keystroke logging lets you capture keystrokes sent to an RSCD agent after the nexec command is launched. Prior to keystroke logging, someone could enter a command like this:

nexec -i -e bash

which would launch bash on the remote system. Subsequent commands would not be captured by the RSCD agent logs, until the nexec command completed or was exited (bash in the example above). Therefore, someone could launch a shell on the remote target and execute commands, and the agent logs would not capture the commands.

With keystroke logging enabled, you can capture any commands that happen after the nexec command is launched. In this way, all commands sent to a target over NSH are captured in either the NSH logs or the keystroke logs.

It is important to note that keystroke logging on the agent does not capture NSH commands. Only commands issued through nexec are captured in the keystroke logs. For example:

NSH then cd //server, ls -al will NOT be logged
NEXEC server "ls -al" WILL be logged

Normal NSH commands are captured in the agent log. Keystroke logging is only for nexec commands.

Enabling keystroke logging

During Installation

To enable keystroke logging, choose yes for the following option during installation:

Do you wish to use keystroke logs for nexec commands (y/n)?

Post-Installation

To activate keystroke logging after installation, remove comments from the following lines in the log4crc.txt file and then restart the agent.


<!-- appender name="/opt/bmc/BladeLogic/8.1/NSH/log/keystroke.log" type="encrypt" rollsize="10000000" rolltimeinsec="2419200" rollmaxfiles="10" layout="rawtime" certfile="/usr/lib/rsc/certificate.pem" privatekeyfile="/usr/lib/rsc/certificate.pem"/-->
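To confirm that an agent's log4crc.txt has the keystroke appender active rather than still commented out, a check like the following can be run over the file contents. This is an added example, not BMC code: the function names are hypothetical, and the enabled form of the line (comment markers removed, closing "/>") is an assumption derived from the commented line above.

```python
import re

# Constructed sample input: the commented appender line as the page shows it,
# and an assumed enabled form with the comment markers removed.
COMMENTED = ('<!-- appender name="/opt/bmc/BladeLogic/8.1/NSH/log/keystroke.log" '
             'type="encrypt" rollsize="10000000" rolltimeinsec="2419200" '
             'rollmaxfiles="10" layout="rawtime" '
             'certfile="/usr/lib/rsc/certificate.pem" '
             'privatekeyfile="/usr/lib/rsc/certificate.pem"/-->')
ENABLED = COMMENTED.replace("<!-- appender", "<appender").replace("/-->", "/>")

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
APPENDER_RE = re.compile(r"<\s*appender\b([^>]*)>")
ATTR_RE = re.compile(r'([\w-]+)\s*=\s*"([^"]*)"')

def _keystroke_appenders(text):
    """Attribute dicts of appender elements whose name ends in keystroke.log."""
    found = (dict(ATTR_RE.findall(m.group(1))) for m in APPENDER_RE.finditer(text))
    return [a for a in found if a.get("name", "").endswith("keystroke.log")]

def keystroke_state(text):
    """Return ("enabled" | "commented" | "missing", attributes)."""
    active = _keystroke_appenders(COMMENT_RE.sub("", text))
    if active:
        return "enabled", active[0]
    for body in COMMENT_RE.findall(text):
        # A commented entry reads "<!-- appender ... /-->": re-wrap it to parse.
        hits = _keystroke_appenders("<" + body.strip().rstrip("/") + ">")
        if hits:
            return "commented", hits[0]
    return "missing", {}

def audit(text):
    """List findings: appender inactive, or attributes differing from the page's line."""
    state, attrs = keystroke_state(text)
    if state != "enabled":
        return [f"keystroke appender is {state}: nexec sessions are not captured"]
    findings = []
    if attrs.get("type") != "encrypt":
        findings.append("appender type is not 'encrypt'")
    for key in ("certfile", "privatekeyfile"):
        if not attrs.get(key):
            findings.append(f"{key} is not set")
    return findings

if __name__ == "__main__":
    for label, cfg in (("shipped", COMMENTED), ("edited", ENABLED)):
        print(label, keystroke_state(cfg)[0], audit(cfg))
```

On a real host, pass the contents of the agent's log4crc.txt to audit(); an empty list means the appender is active with the attributes shown above.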

 
