Monitor SSH-traffic per user

Solution 1:

It took some awk magic; this is what my colleague and I were able to put together.

#!/bin/bash
# Per-user SFTP byte counts for one month, taken from the "session opened for
# local user" and 'close "..." bytes read N written M' lines that
# sftp-server -l VERBOSE writes to auth.log.
# Usage: ./sftp-usage.sh [1-12]   (no argument: current month)
# Assumes classic syslog timestamps ("Mar  3 10:00:01"), so field 1 is the month.

LOGS=(/var/log/auth.log*)   # rotated *.gz files are read as-is; awk does not decompress them

month() {
  case "$1" in
    1)  MONTH='Jan' ;;
    2)  MONTH='Feb' ;;
    3)  MONTH='Mar' ;;
    4)  MONTH='Apr' ;;
    5)  MONTH='May' ;;
    6)  MONTH='Jun' ;;
    7)  MONTH='Jul' ;;
    8)  MONTH='Aug' ;;
    9)  MONTH='Sep' ;;
    10) MONTH='Oct' ;;
    11) MONTH='Nov' ;;
    12) MONTH='Dec' ;;
    *)  echo 'Crash and Burn!' >&2
        exit 1 ;;
  esac
}

main() {
  if [ -z "$1" ] ; then
    MONTH=$(LC_ALL=C date +%b)          # current month as a three-letter English abbreviation
  elif [ "$1" -ge 1 ] 2>/dev/null && [ "$1" -le 12 ] ; then
    month "$1"
  else
    echo "Usage: $0 [1-12]" >&2
    exit 1
  fi

  echo
  echo "Usage statistics for month $MONTH"
  echo

  # Users who opened an SFTP session this month.  Shell values are handed to awk
  # with -v rather than spliced into the program text.
  USERS=( $(awk -v m="$MONTH" '$1 == m && /session opened for local user/ { print $(NF-2) }' "${LOGS[@]}" | sort -u) )
  for i in "${USERS[@]}"
  do
    echo "################################"
    echo "Usage for user: $i"
    READ=0
    WRITTEN=0
    # sftp-server PIDs that opened a session for this user: "sftp-server[1234]:" -> 1234
    PROCS=( $(awk -v m="$MONTH" -v u="$i" '$1 == m && /session opened for local user/ && $(NF-2) == u { gsub(/\[|\]|sftp-server|:/, "", $(NF-8)); print $(NF-8) }' "${LOGS[@]}" | sort -u) )
    for j in "${PROCS[@]}"
    do
      # Per-file close lines: ... sftp-server[1234]: close "/path" bytes read N written M
      # A PID reused by another session later in the month is credited to this user too.
      TEMP_READ=$(awk -v m="$MONTH" -v p="[$j]" '$1 == m && index($0, p) && / read [0-9]+ written [0-9]+$/ { sum += $(NF-2) } END { print sum+0 }' "${LOGS[@]}")
      READ=$((READ + TEMP_READ))
      TEMP_WRITTEN=$(awk -v m="$MONTH" -v p="[$j]" '$1 == m && index($0, p) && / read [0-9]+ written [0-9]+$/ { sum += $NF } END { print sum+0 }' "${LOGS[@]}")
      WRITTEN=$((WRITTEN + TEMP_WRITTEN))
    done
    echo "Read     $((READ / (1024*1024))) MiB"
    echo "Written  $((WRITTEN / (1024*1024))) MiB"
    echo "################################"
    echo
  done
}

main "$1"
exit 0

In sshd_config I put this:

 Subsystem sftp /usr/lib/openssh/sftp-server -l VERBOSE

Warning: This script hogs memory! If you have large logfiles, it could take up to 10 min for the script to finish (tested on EC2 Micro).
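
Added example (not part of the answer above): the same accounting written in Python, with one difference the awk loop does not make. Bytes from a `close "..." bytes read N written M` line are credited to whichever user currently has a session open on that sftp-server PID, so a PID that the kernel hands to a second session later in the month is not charged to the first user, and transfer lines with no matching "session opened" line are reported separately. The log lines are constructed to match the sftp-server VERBOSE message format; the hostnames, users, paths and PIDs are made up.

```python
import re
from collections import defaultdict

# Constructed sample of auth.log lines in the format sftp-server -l VERBOSE
# writes (classic syslog timestamps, no year).  PID 1234 is deliberately
# reused by a second session, PID 2222 transfers without a "session opened"
# line, and the February line must be ignored when March is requested.
SAMPLE_LOG = """\
Feb 27 09:00:00 host sftp-server[999]: close "/tmp/old" bytes read 99 written 99
Mar  3 10:00:00 host sshd[1230]: Accepted publickey for alice from 10.0.0.5 port 50000 ssh2
Mar  3 10:00:01 host sftp-server[1234]: session opened for local user alice from [10.0.0.5]
Mar  3 10:00:05 host sftp-server[1234]: open "/home/alice/a.bin" flags READ mode 0666
Mar  3 10:00:09 host sftp-server[1234]: close "/home/alice/a.bin" bytes read 1048576 written 0
Mar  3 10:00:10 host sftp-server[1234]: session closed for local user alice from [10.0.0.5]
Mar  3 11:00:00 host sftp-server[1234]: session opened for local user bob from [10.0.0.6]
Mar  3 11:00:03 host sftp-server[1234]: close "/home/bob/up.tgz" bytes read 0 written 2097152
Mar  3 11:00:04 host sftp-server[1234]: session closed for local user bob from [10.0.0.6]
Mar  3 12:00:00 host sftp-server[2222]: close "/tmp/x" bytes read 4096 written 0
"""

# Only sftp-server lines are of interest; sshd and other daemons are skipped.
SYSLOG = re.compile(r'^(?P<mon>[A-Z][a-z]{2}) +\d+ \d\d:\d\d:\d\d \S+ '
                    r'sftp-server\[(?P<pid>\d+)\]: (?P<msg>.*)$')
OPENED = re.compile(r'^session opened for local user (?P<user>\S+) from \[')
CLOSED = re.compile(r'^session closed for local user (?P<user>\S+) from \[')
XFER = re.compile(r'^close ".*" bytes read (?P<read>\d+) written (?P<written>\d+)$')


def usage_by_user(lines, month):
    """Return ({user: {'read': n, 'written': n}}, unattributed) for a
    three-letter month.  Attribution follows the session currently open on
    each PID, so PID reuse does not leak bytes across users."""
    open_sessions = {}                       # pid -> user with a live session
    totals = defaultdict(lambda: {'read': 0, 'written': 0})
    unattributed = {'read': 0, 'written': 0}  # close lines with no open session
    for line in lines:
        m = SYSLOG.match(line)
        if not m or m['mon'] != month:
            continue
        pid, msg = m['pid'], m['msg']
        if (o := OPENED.match(msg)):
            open_sessions[pid] = o['user']
        elif CLOSED.match(msg):
            open_sessions.pop(pid, None)
        elif (x := XFER.match(msg)):
            bucket = totals[open_sessions[pid]] if pid in open_sessions else unattributed
            bucket['read'] += int(x['read'])
            bucket['written'] += int(x['written'])
    return dict(totals), unattributed


def mib(n):
    return n / (1024 * 1024)


if __name__ == '__main__':
    per_user, leftover = usage_by_user(SAMPLE_LOG.splitlines(), 'Mar')
    for user, t in sorted(per_user.items()):
        print(f"{user:10s} read {mib(t['read']):8.2f} MiB  written {mib(t['written']):8.2f} MiB")
    print(f"unattributed: read {leftover['read']} written {leftover['written']} bytes")
```

With a real auth.log, feed it line by line (decompressing rotated files first) and treat a non-zero unattributed bucket as a sign that the log was rotated mid-session or that sshd was restarted.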

Solution 2:

You could track user logons by IP (available in the log files), and then use nearly any traffic monitoring solution (Netflow and IPtraf come to mind) to keep track of the port 22 traffic by that IP.

Unfortunately, historical usage for the previous few months is not available unless you already had something to this effect set up.
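
Added example (not from the answer above) of the correlation this answer describes: sshd logon records give user, client IP and client source port plus a session window, and a flow export gives bytes per (src, sport, dst, dport). Joining on IP alone is not enough when several users sit behind one NAT address, so the join below uses the client port and the session window as well. The auth.log lines follow sshd's and pam_unix's real message formats but are constructed; the flow CSV is a made-up six-column layout standing in for whatever NetFlow/nfdump would export; the year is an assumption because syslog timestamps do not carry one.

```python
import csv
import io
import re
from collections import defaultdict
from datetime import datetime

# Constructed auth.log excerpt.  sshd logs client IP and source port on the
# "Accepted" line; pam_unix logs the logout under the same sshd PID.
# Both users come from the same IP (NAT), so IP alone cannot separate them.
AUTH_LOG = """\
Mar  3 10:00:00 host sshd[1230]: Accepted publickey for alice from 10.0.0.5 port 50000 ssh2
Mar  3 10:00:00 host sshd[1230]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Mar  3 10:30:00 host sshd[1230]: pam_unix(sshd:session): session closed for user alice
Mar  3 11:00:00 host sshd[1300]: Accepted password for bob from 10.0.0.5 port 50010 ssh2
Mar  3 11:00:00 host sshd[1300]: pam_unix(sshd:session): session opened for user bob by (uid=0)
Mar  3 11:45:00 host sshd[1300]: pam_unix(sshd:session): session closed for user bob
"""

# Constructed flow export, one record per direction.  The last record has no
# matching logon and must end up unattributed.
FLOWS_CSV = """\
start,src,sport,dst,dport,bytes
2024-03-03 10:05:00,10.0.0.5,50000,192.0.2.10,22,120000
2024-03-03 10:05:00,192.0.2.10,22,10.0.0.5,50000,5000000
2024-03-03 11:10:00,10.0.0.5,50010,192.0.2.10,22,8000000
2024-03-03 11:10:00,192.0.2.10,22,10.0.0.5,50010,40000
2024-03-03 12:00:00,10.0.0.5,50020,192.0.2.10,22,777
"""

LOG_YEAR = 2024   # assumption: syslog timestamps carry no year
SSH_PORT = 22

STAMP = r'^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: '
ACCEPTED = re.compile(STAMP + r'Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)')
CLOSED = re.compile(STAMP + r'pam_unix\(sshd:session\): session closed for user (?P<user>\S+)')


def syslog_ts(text, year=LOG_YEAR):
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def parse_sessions(lines):
    """Return [{user, ip, port, start, end}] from sshd logon/logout lines.
    A session with no logout line stays open-ended (end=None)."""
    by_pid, sessions = {}, []
    for line in lines:
        if (m := ACCEPTED.match(line)):
            s = {'user': m['user'], 'ip': m['ip'], 'port': int(m['port']),
                 'start': syslog_ts(m['ts']), 'end': None}
            by_pid[m['pid']] = s
            sessions.append(s)
        elif (m := CLOSED.match(line)) and m['pid'] in by_pid:
            by_pid.pop(m['pid'])['end'] = syslog_ts(m['ts'])
    return sessions


def parse_flows(text):
    for row in csv.DictReader(io.StringIO(text)):
        yield {'ts': datetime.strptime(row['start'], "%Y-%m-%d %H:%M:%S"),
               'src': row['src'], 'sport': int(row['sport']),
               'dst': row['dst'], 'dport': int(row['dport']), 'bytes': int(row['bytes'])}


def in_window(session, ts):
    return session['start'] <= ts and (session['end'] is None or ts <= session['end'])


def attribute(sessions, flows):
    """Credit each port-22 flow to the session whose client (ip, port) and time
    window it matches.  Returns ({user: {to_server, from_server}}, unmatched_bytes)."""
    totals = defaultdict(lambda: {'to_server': 0, 'from_server': 0})
    unmatched = 0
    for f in flows:
        for s in sessions:
            if not in_window(s, f['ts']):
                continue
            if (f['src'], f['sport'], f['dport']) == (s['ip'], s['port'], SSH_PORT):
                totals[s['user']]['to_server'] += f['bytes']
                break
            if (f['dst'], f['dport'], f['sport']) == (s['ip'], s['port'], SSH_PORT):
                totals[s['user']]['from_server'] += f['bytes']
                break
        else:
            unmatched += f['bytes']   # no logon record covers this flow
    return dict(totals), unmatched


if __name__ == '__main__':
    per_user, leftover = attribute(parse_sessions(AUTH_LOG.splitlines()), parse_flows(FLOWS_CSV))
    for user, t in sorted(per_user.items()):
        print(f"{user:10s} to server {t['to_server']:>10d}  from server {t['from_server']:>10d} bytes")
    print(f"unattributed bytes: {leftover}")
```

Unattributed bytes are worth alerting on rather than discarding: port-22 traffic with no corresponding "Accepted" line is either a logon that failed or was logged elsewhere, or a connection the flow collector saw that sshd did not.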