Key-Activity-Monitoring Commands

The key-activity-monitoring commands can be used for reviewing key-activity logs gathered by Key Manager.

count-key-activity

Syntax:

ssh-mgr-client count-key-activity [options] [-F <filter>] [-vvv] [-U <url>]

Returns the number of key-activity events that match the given filter criteria. For filtering, you can use the same attributes that are available for the list-key-activity command (see list-key-activity).

The default command returns the number of key-activity events logged in the Key Manager system:

$ ssh-mgr-client count-key-activity
125730

Example for returning the number of key activity events where the login attempt came from a specific IP address:

$ ssh-mgr-client count-key-activity -F "from_ip=10.10.5.121"
3
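
The following shell sketch is an added example, not part of the product documentation. It loops over a list of source addresses that should no longer be logging in (for example, retired jump hosts) and reports any that still have key-activity events. It uses only the `count-key-activity -F "from_ip=..."` form and the bare-integer output shown above. The function names and the `SSH_MGR_CLIENT` variable are hypothetical, and the exit-code handling assumes the client returns non-zero on failure.

```shell
#!/bin/sh
# Added example, not vendor code. SSH_MGR_CLIENT is a hypothetical override
# so a wrapper or test can substitute the client binary.
: "${SSH_MGR_CLIENT:=ssh-mgr-client}"

# count_events FILTER
# Prints the event count for one filter. Fails if the client exits non-zero
# or prints anything other than a bare non-negative integer.
count_events() {
    n=$("$SSH_MGR_CLIENT" count-key-activity -F "$1") || return 1
    case "$n" in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '%s\n' "$n"
}

# audit_sources IP...
# Prints "<ip> <count>" per address (or INVALID / ERROR).
# Returns 0 if every address has zero events, 1 if any address has key
# activity, 2 if any entry was malformed or a query failed.
audit_sources() {
    rc=0
    for ip in "$@"; do
        # Pass only IPv4/IPv6 literal characters into the -F filter string.
        case "$ip" in
            ''|*[!0-9A-Fa-f.:]*)
                printf '%s INVALID\n' "$ip"; rc=2; continue ;;
        esac
        if n=$(count_events "from_ip=$ip"); then
            printf '%s %s\n' "$ip" "$n"
            if [ "$n" -gt 0 ] && [ "$rc" -eq 0 ]; then rc=1; fi
        else
            printf '%s ERROR\n' "$ip"; rc=2
        fi
    done
    return "$rc"
}

# Usage: audit_sources 10.10.5.121 192.0.2.7
```

A non-zero return makes the function usable as a scheduled check: status 1 means a listed address still authenticates with a key, status 2 means the result cannot be trusted.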

list-key-activity

Syntax:

ssh-mgr-client list-key-activity [options] [-F <filter>] [-vvv] [-U <url>] [-o <format>] \
[-C <columns>] [-H] [-O <sort-order>] [-S <start-from>] [-M <max-results>] [-E <delim>] [-B]

The default command lists all the key activity in the managed environment:

$ ssh-mgr-client list-key-activity

The following columns can be used for filtering (-F) and output formatting (-C):

classification

Classification of the destination target server. Only usable for filtering (-F).

data

Ancillary Authentication Data as extracted from the event stream.

extended_key_id

Unique internal PrivX Key Manager id for an authorized key, used to select activities based on the username, user directory, and public key related to the given key. Only usable for filtering (-F).

fingerprint_babble

Fingerprint of key in Bubble Babble format

fingerprint_id

The unique ID of the fingerprint

fingerprint_openssh

Fingerprint of key in OpenSSH format

fingerprint_sha256

Fingerprint of key in SHA256 format

fingerprint_ssh1

Fingerprint of key in SSH1 format

from_hostname

Hostname from which the login came. Only usable for output formatting (-C).

from_ip

IP address from which the login came

host_id

Id of the destination target server

hostgroup

Name of host group that the key activity concerns. Only usable for filtering (-F).

hostgroupid

Id of host group that the key activity concerns. Only usable for filtering (-F).

hostname

Hostname of the destination target server

id

Internal PrivX Key Manager id for key activity

key_id

Unique internal PrivX Key Manager id (list for output) for authorized key

login_count

Number of logins from the IP address

login_date

Date when the key was last used logging into the host

method

User Authentication Method

time_since_last_login

Time since last login

username

Destination username

verdict

User Authentication Result

As an example, to display all the key activity where the destination host is example.server.com:

$ ssh-mgr-client list-key-activity -F "hostname=example.server.com"

As another example, to apply the same filter while displaying only the time stamp and the destination user name:

$ ssh-mgr-client list-key-activity -F \
"hostname=example.server.com" -C "login_date,username"

show-key-activity

Syntax:

ssh-mgr-client [-v] show-key-activity -i <id> [options] \
[-vvv] [-U <url>] [-o <format>] [-C <columns>]

Displays the key-activity event with the given ID.

For output formatting (-C), you can use the same attributes that are available for the list-key-activity command (see list-key-activity).

Example:

$ ssh-mgr-client show-key-activity -i 3