CommandLog_Command

2 min

The CommandLog_Command contains the Kron PAM proxy command logs. Commands used via SSH/Telnet, SFTP, and SQL Proxy are stored in the database and sent to the Syslog server, if they are defined. The packets are sent to the server in the following format:
sessionId
Specific ID of the log in the PAM Database
username
The username used to log in to PAM and execute the command 
Host
Kron PAM Host IP
tenantId
Tenant, the command log was captured.
sessionStartTime
When the session started 
sessionEndTime
When the session finished
globalUserName
GlobalUserName that used for authentication
clientIp
Source IP of the device that executed the command
commandTime
Exact time the command was executed
command
Executed command
allowed
If the executed command is allowed by the administrator or not
If allowed=true: authorized, the command can be executed
If allowed=false: unauthorized, the command can’t be executed
instanceName
Which instance executed the command
deviceGroups
Group name of the device on which the command is executed
context
Indicates the terminal session context in which the command was executed. 
Example:
The test user executes the date command, configured as White Key on Kron PAM:
{sessionId='c033da3ee9c2e6798d6bd3cd', userName='test', host='10.10.10.10', tenantId='krontech', sessionStartTime=2025-04-24 12:33:51.499, sessionEndTime=2025-04-24 12:34:26.153, globalUserName='root', clientIp='10.0.1.1', commandTime=2025-04-24 12:34:26.141, command='date', allowed=true, instanceName='localhost.localdomain', deviceGroups=null, context='[root@xxx: ~]'}
The test user executes the logout command, configured as Black Key on Kron PAM:
{sessionId='c033da3ee9c2e6798d6bd3cd', userName='test', host='10.10.10.10', tenantId='krontech', sessionStartTime=2025-04-24 12:33:51.499, sessionEndTime=2025-04-24 12:34:26.153, globalUserName='root', clientIp='10.0.1.1', commandTime=2025-04-24 12:34:26.141, command='logout', allowed=false, instanceName='localhost.localdomain', deviceGroups=null, context='[root@xxx: ~]'}
﻿

sessionId	Specific ID of the log in the PAM Database
username	The username used to log in to PAM and execute the command
Host	Kron PAM Host IP
tenantId	Tenant, the command log was captured.
sessionStartTime	When the session started
sessionEndTime	When the session finished
globalUserName	GlobalUserName that used for authentication
clientIp	Source IP of the device that executed the command
commandTime	Exact time the command was executed
command	Executed command
allowed	If the executed command is allowed by the administrator or not If allowed=true: authorized, the command can be executed If allowed=false: unauthorized, the command can’t be executed
instanceName	Which instance executed the command
deviceGroups	Group name of the device on which the command is executed
context	Indicates the terminal session context in which the command was executed.

Session Log

CommandLog_Keylog