Getting audit logs via promtail


I have set up promtail to fetch the system-journal logs. With that, I am able to get the access logs (i.e. who tried to access which server).

Now I want to know if it is possible to get the audit logs of an ssh session, meaning if I log in to the server and execute a set of commands, it should be captured under that ssh session.


I would suggest starting by logging your sessions' activity to files.

There are multiple approaches:

Ex: logging - How can I create session logs of individual SSH sessions? - Super User

Then it would be as easy as pointing your promtail to the files.

Hope it helps.

Good Luck
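
As an added example (not part of the original posts), a promtail configuration that keeps the journal scrape and also tails per-session log files. The directory `/var/log/ssh-sessions`, the `<user>_<epoch>.log` file naming, the positions path and the Loki URL are assumptions; adjust them to whatever session-logging method you choose.

```yaml
# Added example. Assumed: sessions are recorded to
# /var/log/ssh-sessions/<user>_<epoch>.log and Loki listens on localhost:3100.
server:
  http_listen_port: 9080
  grpc_listen_port: 0

positions:
  filename: /var/lib/promtail/positions.yaml   # assumed path

clients:
  - url: http://localhost:3100/loki/api/v1/push   # assumed Loki endpoint

scrape_configs:
  # Existing journal scrape: who connected to which server.
  - job_name: journal
    journal:
      max_age: 12h
      labels:
        job: systemd-journal
    relabel_configs:
      - source_labels: ['__journal__systemd_unit']
        target_label: unit

  # Per-session recordings: what was done inside each SSH session.
  - job_name: ssh-sessions
    static_configs:
      - targets: [localhost]
        labels:
          job: ssh-session
          __path__: /var/log/ssh-sessions/*.log
    pipeline_stages:
      # promtail adds a `filename` label to every file target; derive the
      # user from it so sessions can be filtered per account.
      - regex:
          source: filename
          expression: '^/var/log/ssh-sessions/(?P<user>[^_/]+)_\d+\.log$'
      - labels:
          user:
```

The `filename` label separates one session from another, and the `user` label lets you query all sessions of one account. Session recordings can contain anything typed at the prompt, so keep the directory readable only by root and the account promtail runs as.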