SSH command logs
SSH command logs record the commands that users run on infrastructure targets protected by Access for Infrastructure. Use these logs to audit user activity on your SSH servers.
To view SSH command logs, log in to Cloudflare One ↗ and go to Insights > Logs > SSH command logs.
To generate SSH command logs, you must:
- Set up Access for Infrastructure for your SSH servers.
- Enable SSH command logging by uploading an encryption public key.
SSH command logs displayed in the dashboard are encrypted using a public key you provide. To view the contents of the logs:
- In Cloudflare One ↗, go to Insights > Logs > SSH command logs.
- Filter the logs using the name of your SSH application.
- Select the SSH session for which you want to export command logs.
- In the side panel, scroll down to SSH logs and select Download.
- Decrypt the log using the SSH Logging CLI ↗.
| Field | Description |
|---|---|
| Session ID | Unique identifier for the SSH session. |
| User email | Email address of the user who initiated the SSH session. |
| Target ID | Identifier of the infrastructure target being accessed. |
| Client address | Source IP address of the SSH connection. |
| Server address | Destination IP address of the SSH server. |
| Session start datetime | Timestamp when the SSH session started. |
| Session finish datetime | Timestamp when the SSH session ended. |
| Program type | Type of SSH program (shell, exec, x11, direct-tcpip, or forwarded-tcpip). |
| Payload | Captured request/response data in asciicast v2 format, including commands for exec programs. |
| Error | SSH error message, if an error occurred. |
Enterprise users can export SSH command logs using Logpush. Logpush payloads are not encrypted with a customer-provided public key.
For a list of all available fields, refer to SSH Logs.