- \n
- Monitor, block, and record SSH sessions in Linux, including full SSH session recording with indexed metadata<\/li>\n\n\n\n
- Receive alerts about suspicious user activity on Linux endpoints<\/li>\n\n\n\n
- Export recorded Linux sessions for investigation purposes<\/li>\n\n\n\n
- Generate reports on remote SSH connections to your endpoints<\/li>\n<\/ul>\n\n\n\n
Why monitor SSH sessions?<\/h2>\n\n\n\n
SSH is a secure way to remotely access critical endpoints and servers. However, unauthorized users can still gain access through vulnerabilities or stolen credentials. By monitoring SSH sessions, you can detect suspicious user activity, such as attempts to access unauthorized files or run malicious commands.<\/p>\n\n\n\n
Enhance visibility<\/h3>\n\n\n\n
By monitoring SSH sessions, you can gain a clear view of remote users\u2019 activity. User activity monitoring software for Linux lets you see who accesses critical systems and what they do, enabling you to detect anomalies and suspicious user behavior in real time. User session recordings<\/a> also provide you with compelling evidence for incident investigation<\/a>.<\/p>\n\n\n\n
Manage cybersecurity risks<\/h3>\n\n\n\n
Better visibility can help you detect malicious user activity, such as unauthorized access attempts, data exfiltration, and system sabotage. Software for monitoring Linux SSH sessions allows you to detect cybersecurity threats and take measures to block them before they cause damage.<\/p>\n\n\n\n
Meet IT compliance requirements<\/h3>\n\n\n\n
Many cybersecurity standards, laws, and regulations<\/a> require organizations to audit access to sensitive systems. Recording SSH sessions and monitoring user activity in Linux provides an audit trail that can show when a critical workstation was accessed, who accessed it, and what activities they performed. When you audit SSH sessions on Linux endpoints, the detailed audit logs can help you prove your organization’s compliance with industry regulations and internal security policies.<\/p>\n\n\n\n
Promptly respond to insider threats<\/h3>\n\n\n\n
By monitoring user activity, your security team can quickly investigate incidents by analyzing logs. This gives them a better understanding of the scope and root cause of a breach, enabling targeted decisions and rapid response. Additionally, certain Linux user activity tracking software solutions can automatically detect and respond to threats<\/a> before they become a problem.<\/p>\n\n\n\n
For a detailed explanation of risks posed by remote users, refer to our articles on managing insider risks in hybrid<\/a> and remote work<\/a> environments.<\/p>\n\n\n\n\t\t
\n\t\t\t\n\t\t\t\n\n\t\t\n\t\t\t\n\n\t\t\t\n\n\t\t\n\t\t\t\n\t\t\t\n\nGet a Syteca online demo! <\/p>\n\n\n\n
See how Syteca helps you manage remote access security risks.<\/p>\n\n\n\n\t\t
\n\t\t\t\n\t\t\t\n\n\t\t\t\t\n\t\t\n\t\t\t\t\t\n\t\t\t\t\tAccess the Demo Portal \n\t\t\t\t\t\n\t\t\t\t\t \n\t\t\t\t<\/a>\n\t\t\t\n\n\t\t\t \n\t\t<\/div>\n\t\n \n\t\t\t\n\t\t<\/div>\n\t\n\n\n\t\t\n\t\t\t\n\t\t\t\n\n![\"\"\/](\"https:\/\/syteca_site_uploads.storage.googleapis.com\/wp-content\/uploads\/2025\/07\/28215652\/cta-2-1.png\")
<\/figure>\n\n \n\t\t\t\n\t\t<\/div>\n\t\n \n\t\t<\/div>\n\t\n \n\t\t<\/div>\n\t\n\n\nUsing Syteca to monitor remote SSH sessions and local Linux sessions<\/h2>\n\n\n\n
Syteca<\/a> is a modern privileged access management<\/a> (PAM) platform with built-in identity threat detection and response<\/a> (ITDR) capabilities that can help you protect access and then provide visibility into how it is used. Syteca brings privileged access management to Linux environments alongside Windows, macOS, and UNIX.<\/p>\n\n\n\n
Syteca enables you to monitor and record remote SSH sessions and user activity on local Linux endpoints, providing you with indexed recordings and the following searchable metadata:<\/p>\n\n\n\n
- \n
- Session details, such as hostname, user name, IP address, and session duration<\/li>\n\n\n\n
- User actions, such as keystroke input, including parameters specified and commands executed<\/li>\n\n\n\n
- Commands carried out in executed scripts<\/li>\n\n\n\n
- System function calls<\/li>\n\n\n\n
- System responses from the terminal, such as command outputs<\/li>\n<\/ul>\n\n\n\n
In addition to user activity tracking<\/a>, Syteca provides the following capabilities to ensure a holistic approach to managing cybersecurity risks:<\/p>\n\n\n\n\t\t
\n\t\t\t\n\t\t\t\n\nSyteca’s key capabilities<\/p>\n\n\n\n\t\t
\n\t\t\t\n\n\t\t\t\n\n\t\t\n\t\t\t\n\t\t\t\n\n\t\t\n\t\t\t\n\t\t\n\t\t\t\n\t\t\t\t\n\t\t\t\t\t\n\t\t\t\n\t <\/div>\n\n\t \n\n\t \n\n\t \n\t \t\t\t<\/div>\n\t \t\t<\/div>\n\t \t<\/div>\n\t <\/div>\n\t\n\t\t\t\n\nPrivileged access management (PAM)<\/p>\n\n\n\t\t\t \n\t\t<\/div>\n\t\n\n\n\t\t
\n\t\t\t\n\t\t\n\t\t\t\n\t\t\t\t\n\t\t\t\t\t\n\t\t\t\n\t <\/div>\n\n\t \n\n\t \n\n\t \n\t \t\t\t<\/div>\n\t \t\t<\/div>\n\t \t<\/div>\n\t <\/div>\n\t\n\t\t\t\n\n- \n
- Discover unmanaged privileged user and service accounts<\/a><\/li>\n\n\n\n
- Provide just-in-time access to endpoints<\/a><\/li>\n\n\n\n
- Manage workforce passwords<\/a><\/li>\n\n\n\n
- Verify user identities with 2FA<\/a><\/li>\n<\/ul>\n\n\n\t\t\t \n\t\t<\/div>\n\t\n \n\t\t\t\n\t\t<\/div>\n\t\n\n\n\t\t
\n\t\t\t\n\t\t\t\n\n\t\t\n\t\t\t\n\t\t\n\t\t\t\n\t\t\t\t\n\t\t\t\t\t\n\t\t\t\n\t <\/div>\n\n\t \n\n\t \n\n\t \n\t \t\t\t<\/div>\n\t \t\t<\/div>\n\t \t<\/div>\n\t <\/div>\n\t\n\t\t\t\n\nIdentity threat detection and response (ITDR)<\/p>\n\n\n\t\t\t \n\t\t<\/div>\n\t\n\n\n\t\t
\n\t\t\t\n\t\t\n\t\t\t\n\t\t\t\t\n\t\t\t\t\t\n\t\t\t\n\t <\/div>\n\n\t \n\n\t \n\n\t \n\t \t\t\t<\/div>\n\t \t\t<\/div>\n\t \t<\/div>\n\t <\/div>\n\t\n\t\t\t\n\n- \n
- Monitor user activity as it happens in real time<\/a><\/li>\n\n\n\n
- Record sensitive sessions<\/a><\/li>\n\n\n\n
- Receive alerts on suspicious actions<\/a><\/li>\n\n\n\n
- Automate threat response<\/a><\/li>\n<\/ul>\n\n\n\t\t\t \n\t\t<\/div>\n\t\n \n\t\t\t\n\t\t<\/div>\n\t\n \n\t\t<\/div>\n\t\n\n\t\t\t \n\t\t<\/div>\n\t\n\n\n
Syteca is flexible, providing a variety of deployment options<\/a> and supporting the following platforms:<\/p>\n\n\n\n\t\t
\n\t\t\t\n\t\t\t\n\n\t\t\n\t\t\t\n\t\t\n\t\t\t\n\t\t\t\t\n\t\t\t\t\t\n\t\t\t\n\t <\/div>\n\n\t \n\n\t \n\n\t \n\t \t\t\t<\/div>\n\t \t\t<\/div>\n\t \t<\/div>\n\t <\/div>\n\t\n\t\t\t\n\nPlatforms supported by Syteca<\/p>\n\n\n\t\t\t \n\t\t<\/div>\n\t\n\n\n\t\t
\n\t\t\t\n\t\t\t\n\n\t\t\n\t\t\t\n\n\t\t\t\n\n\t\t\n\t\t\t\n\t\t\t\n\n\t\t\n\t\t\t\n\t\t\n\t\t\t\n\t\t\t\t\n\t\t\t\t\t\n\t\t\t\n\t <\/div>\n\n\t \n\n\t \n\n\t \n\t \t\t\t<\/div>\n\t \t\t<\/div>\n\t \t<\/div>\n\t <\/div>\n\t\n\t\t\t\n\nDesktops and servers<\/p>\n\n\n\t\t\t \n\t\t<\/div>\n\t\n\n\n\t\t
\n\t\t\t\n\n\t\t\t\n\n\t\t\n\t\t\t\n\t\t\t\n\n- \n
- Infrastructure servers<\/li>\n\n\n\n
- Terminal servers<\/li>\n\n\n\n
- Jump servers<\/li>\n\n\n\n
- Physical and virtual desktops<\/li>\n<\/ul>\n\n \n\t\t\t\n\t\t<\/div>\n\t\n \n\t\t<\/div>\n\t\n \n\t\t\t\n\t\t<\/div>\n\t\n\n\n\t\t\n\t\t\t\n\t\t\t\n\n\t\t\n\t\t\t\n\t\t\n\t\t\t\n\t\t\t\t\n\t\t\t\t\t\n\t\t\t\n\t <\/div>\n\n\t \n\n\t \n\n\t \n\t \t\t\t<\/div>\n\t \t\t<\/div>\n\t \t<\/div>\n\t <\/div>\n\t\n\t\t\t\n\n
Operating systems<\/p>\n\n\n\t\t\t \n\t\t<\/div>\n\t\n\n\n\t\t
\n\t\t\t\n\n\t\t\t\n\n\t\t\n\t\t\t\n\t\t\t\n\n- \n
- Windows<\/li>\n\n\n\n
- Linux<\/li>\n\n\n\n
- macOS<\/li>\n\n\n\n
- UNIX<\/li>\n\n\n\n
- X Window System<\/li>\n\n\n\n
- Citrix<\/li>\n\n\n\n
- Wayland (Syteca exclusive)<\/li>\n\n\n\n
- X11<\/li>\n<\/ul>\n\n \n\t\t\t\n\t\t<\/div>\n\t\n \n\t\t<\/div>\n\t\n \n\t\t\t\n\t\t<\/div>\n\t\n\n\n\t\t\n\t\t\t\n\t\t\t\n\n\t\t\n\t\t\t\n\t\t\n\t\t\t\n\t\t\t\t\n\t\t\t\t\t\n\t\t\t\n\t <\/div>\n\n\t \n\n\t \n\n\t \n\t \t\t\t<\/div>\n\t \t\t<\/div>\n\t \t<\/div>\n\t <\/div>\n\t\n\t\t\t\n\n
Virtual environments<\/p>\n\n\n\t\t\t \n\t\t<\/div>\n\t\n\n\n\t\t
\n\t\t\t\n\n\t\t\t\n\n\t\t\n\t\t\t\n\t\t\t\n\n- \n
- VMware Horizon<\/li>\n\n\n\n
- Microsoft Hyper-V<\/li>\n\n\n\n
- Citrix<\/li>\n\n\n\n
- Amazon WorkSpaces<\/li>\n\n\n\n
- AWS (Amazon Web Services)<\/li>\n\n\n\n
- Windows Virtual Desktops<\/li>\n<\/ul>\n\n \n\t\t\t\n\t\t<\/div>\n\t\n \n\t\t<\/div>\n\t\n \n\t\t\t\n\t\t<\/div>\n\t\n \n\t\t<\/div>\n\t\n \n\t\t<\/div>\n\t\n\n\t\t\t \n\t\t<\/div>\n\t\n\n\n
Let\u2019s see how to record local Linux sessions and monitor remote SSH sessions with Syteca. <\/p>\n\n\n\n
Note: Further instructions will only work for IT environments that have deployed Syteca.<\/em><\/p>\n\n\n\n\t\t
\n\t\t\t\n\t\t\n\t\t\t\n\t\t\t\t\n\t\t\t\t\t\n\t\t\t\n\t <\/div>\n\n\t \n\n\t \n\n\t \n\t \t\t\t<\/div>\n\t \t\t<\/div>\n\t \t<\/div>\n\t <\/div>\n\t\n\t\t\t\n\nLearn more about<\/p>\n\n\n\n
Syteca\u2019s Identity Threat Detection and Response Capabilities<\/a><\/p>\n\n\n\t\t\t \n\t\t<\/div>\n\t\n\n\n
Monitoring, viewing, and blocking SSH sessions<\/h2>\n\n\n\n
By default, Syteca monitors user activity on all endpoints that have had the Syteca software agent installed. Whether a user initiates a Linux session remotely via SSH\/telnet or logs in locally, Syteca records all user actions performed on the monitored workstation. This makes it straightforward to record SSH sessions on Linux endpoints without native Linux tools or complex configuration.<\/p>\n\n\n\n
All sessions in Syteca are displayed on the Activity Monitoring<\/strong> page, in the Endpoint Sessions<\/strong> tab. Let\u2019s suppose that a user starts an SSH session. Here\u2019s how to check user activity logs in Linux:<\/p>\n\n\n\n
First, filter the sessions by the operating system. Click the More Criteria<\/strong> button and select Operating System<\/strong> in the drop-down list.<\/p>\n\n\n\n
Then click the Operating System<\/strong> button on the left and select your Linux OS.<\/p>\n\n\n\n
![\"Screenshot](\"https:\/\/syteca_site_uploads.storage.googleapis.com\/wp-content\/uploads\/2024\/05\/17020507\/1-How-to-Record-SSH-Sessions-and-Monitor-User-Activity-in-Linux-with-Syteca-1024x595.png\")
<\/figure>\n\n\n\nYou can then search for a session by specific commands. For example, let\u2019s find Linux sessions in which some files were deleted.<\/p>\n\n\n\n
Just type in the corresponding command in the search box on the right and press Enter. You can also search within sessions by other user actions, such as typed keystrokes.<\/p>\n\n\n\n
Once you\u2019ve found the session you need, double-click it to open it.<\/p>\n\n\n\n
![\"Screenshot](\"https:\/\/syteca_site_uploads.storage.googleapis.com\/wp-content\/uploads\/2024\/05\/17020528\/2-How-to-Record-SSH-Sessions-and-Monitor-User-Activity-in-Linux-with-Syteca-1024x674.png\")
<\/figure>\n\n\n\nIn the Session Player, you can view the screen recording and metadata from the beginning of the session.<\/p>\n\n\n\n
![\"Screenshot](\"https:\/\/syteca_site_uploads.storage.googleapis.com\/wp-content\/uploads\/2024\/05\/17020550\/3-How-to-Record-SSH-Sessions-and-Monitor-User-Activity-in-Linux-with-Syteca-1024x612.png\")
<\/figure>\n\n\n\nYou can configure the video player to display only executed commands and search for a command in a specific session or the entire database. To do this, choose your settings in the dropdown menu by clicking the Search <\/strong>button.<\/p>\n\n\n\n
![\"Screenshot](\"https:\/\/syteca_site_uploads.storage.googleapis.com\/wp-content\/uploads\/2024\/05\/17020620\/4-How-to-Record-SSH-Sessions-and-Monitor-User-Activity-in-Linux-with-Syteca-1024x447.png\")
<\/figure>\n\n\n\nIf a session is still in progress, you can view what the user is doing in real time by clicking the Live <\/strong>button. The Block User<\/strong> button in the upper right allows you to block the user manually if they pose a threat.<\/p>\n\n\n\n
![\"Screenshot](\"https:\/\/syteca_site_uploads.storage.googleapis.com\/wp-content\/uploads\/2023\/06\/07042519\/screenshot-9-monitoring-rdp-sessions.png\")
<\/figure>\n\n\n\nConfiguring alerts on suspicious user activity<\/h2>\n\n\n\n
For critical endpoints, you can configure the alerting system<\/a> to get instant notifications whenever suspicious user activity occurs. To set this up, open the Alerts <\/strong>page.<\/p>\n\n\n\n
As an example, we\u2019ll set up an alert for detecting a user attempting to obtain root privileges on Linux. This is one of the pre-defined alerts available in Syteca.<\/p>\n\n\n\n
You can search for an alert by inputting its name in the search box. Once you find an alert, click on the Edit <\/strong>icon to configure it.<\/p>\n\n\n\n
![\"Screenshot](\"https:\/\/syteca_site_uploads.storage.googleapis.com\/wp-content\/uploads\/2024\/05\/17020650\/5-How-to-Record-SSH-Sessions-and-Monitor-User-Activity-in-Linux-with-Syteca-1024x348.png\")
<\/figure>\n\n\n\nThe alert rules are already predefined, so you only need to assign the endpoint and specify the additional actions that will be performed if the alert is triggered.<\/p>\n\n\n\n
In the Assigned Endpoints<\/strong> section, click Add <\/strong>and then select the endpoints for which you want to enable the alert.<\/p>\n\n\n\n
![\"Screenshot](\"https:\/\/syteca_site_uploads.storage.googleapis.com\/wp-content\/uploads\/2024\/05\/17020711\/6-How-to-Record-SSH-Sessions-and-Monitor-User-Activity-in-Linux-with-Syteca-1024x500.png\")
<\/figure>\n\n\n\nIn the Actions <\/strong>section, specify who will be notified via email if the alert is triggered.<\/p>\n\n\n\n
You can also decide which response action Syteca will automatically take when an alert is triggered. Possible response actions include:<\/p>\n\n\n\n
- \n
- Display a warning message to a user<\/li>\n\n\n\n
- Block the user<\/li>\n\n\n\n
- Kill a process<\/li>\n<\/ul>\n\n\n\n
Once you\u2019ve configured the alert, click Finish<\/strong>.<\/p>\n\n\n\n
![\"Screenshot](\"https:\/\/syteca_site_uploads.storage.googleapis.com\/wp-content\/uploads\/2024\/05\/17020739\/7-How-to-Record-SSH-Sessions-and-Monitor-User-Activity-in-Linux-with-Syteca-1024x540.png\")
<\/figure>\n\n\n\nThe person you\u2019ve designated will now receive an email if a user on the specified endpoint attempts to obtain root privileges..<\/p>\n\n\n\n
With Syteca, you can create your own custom alerts or enable predefined ones. You can choose to receive alerts when users try to upload files to the cloud, install an application, type a specific word, and more.<\/p>\n\n\n\n
To view the list of all triggered alert events, open the Alerts <\/strong>tab on the Activity Monitoring<\/strong> page. You can open a suspicious session by clicking the Play <\/strong>button \u2014 session playback starts at a selected alert event.<\/p>\n\n\n\n
![\"Screenshot](\"https:\/\/syteca_site_uploads.storage.googleapis.com\/wp-content\/uploads\/2024\/05\/17020802\/8-How-to-Record-SSH-Sessions-and-Monitor-User-Activity-in-Linux-with-Syteca-1024x501.png\")
<\/figure>\n\n\n\n\t\t\n\t\t\t\n\t\t\n\t\t\t\n\t\t\t\t\n\t\t\t\t\t\n\t\t\t\n\t <\/div>\n\n\t \n\n\t \n\n\t \n\t \t\t\t<\/div>\n\t \t\t<\/div>\n\t \t<\/div>\n\t <\/div>\n\t\n\t\t\t\n\nLearn more about<\/p>\n\n\n\n
- Record sensitive sessions<\/a><\/li>\n\n\n\n
- Provide just-in-time access to endpoints<\/a><\/li>\n\n\n\n
- Discover unmanaged privileged user and service accounts<\/a><\/li>\n\n\n\n
![\"Screenshot](\"https:\/\/syteca_site_uploads.storage.googleapis.com\/wp-content\/uploads\/2024\/05\/17020829\/9-How-to-Record-SSH-Sessions-and-Monitor-User-Activity-in-Linux-with-Syteca-1024x474.png\")
<\/figure>\n\n\n\n![\"Screenshot](\"https:\/\/syteca_site_uploads.storage.googleapis.com\/wp-content\/uploads\/2024\/05\/17020851\/10-How-to-Record-SSH-Sessions-and-Monitor-User-Activity-in-Linux-with-Syteca-1024x632.png\")
<\/figure>\n\n\n\n![\"Screenshot](\"https:\/\/syteca_site_uploads.storage.googleapis.com\/wp-content\/uploads\/2024\/05\/17020910\/11-How-to-Record-SSH-Sessions-and-Monitor-User-Activity-in-Linux-with-Syteca-1024x393.png\")
<\/figure>\n\n\n\n![\"Screenshot](\"https:\/\/syteca_site_uploads.storage.googleapis.com\/wp-content\/uploads\/2024\/05\/17021112\/16-How-to-Record-SSH-Sessions-and-Monitor-User-Activity-in-Linux-with-Syteca-1024x341.png\")
<\/figure>\n\n\n\n![\"Screenshot](\"https:\/\/syteca_site_uploads.storage.googleapis.com\/wp-content\/uploads\/2024\/05\/17021127\/17-How-to-Record-SSH-Sessions-and-Monitor-User-Activity-in-Linux-with-Syteca-1024x418.png\")
<\/figure>\n\n\n\n![\"Screenshot](\"https:\/\/syteca_site_uploads.storage.googleapis.com\/wp-content\/uploads\/2024\/05\/17021141\/18-How-to-Record-SSH-Sessions-and-Monitor-User-Activity-in-Linux-with-Syteca-1024x277.png\")
<\/figure>\n\n\n\n![\"Screenshot](\"https:\/\/syteca_site_uploads.storage.googleapis.com\/wp-content\/uploads\/2024\/05\/17021155\/19-How-to-Record-SSH-Sessions-and-Monitor-User-Activity-in-Linux-with-Syteca-1024x433.png\")
<\/figure>\n\n\n\n![\"Screenshot](\"https:\/\/syteca_site_uploads.storage.googleapis.com\/wp-content\/uploads\/2024\/05\/17020937\/12-How-to-Record-SSH-Sessions-and-Monitor-User-Activity-in-Linux-with-Syteca-1024x523.png\")
<\/figure>\n\n\n\n![\"Screenshot](\"https:\/\/syteca_site_uploads.storage.googleapis.com\/wp-content\/uploads\/2024\/05\/17020953\/13-How-to-Record-SSH-Sessions-and-Monitor-User-Activity-in-Linux-with-Syteca-1024x361.png\")
<\/figure>\n\n\n\n![\"Screenshot](\"https:\/\/syteca_site_uploads.storage.googleapis.com\/wp-content\/uploads\/2024\/05\/17021028\/14-How-to-Record-SSH-Sessions-and-Monitor-User-Activity-in-Linux-with-Syteca-1024x426.png\")
<\/figure>\n\n\n\n![\"Screenshot](\"https:\/\/syteca_site_uploads.storage.googleapis.com\/wp-content\/uploads\/2024\/05\/17021045\/15-How-to-Record-SSH-Sessions-and-Monitor-User-Activity-in-Linux-with-Syteca-1024x465.png\")
<\/figure>\n\n\n\n