A module for managing Tlog




728 latest version

5.0 quality score

Version information

  • 0.2.1 (latest)
  • 0.1.2
  • 0.1.1
  • 0.1.0
released Sep 3rd 2020
This version is compatible with:
  • Puppet Enterprise 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x, 2018.1.x, 2017.3.x
  • Puppet >= 5.0.0 < 7.0.0
  • CentOS

Start using this module


simp/tlog — version 0.2.1 Sep 3rd 2020

License CII Best Practices Puppet Forge Puppet Forge Downloads Build Status

Table of Contents


This module manages the installation and configuration of tlog for active terminal session recording.

By default, the logs will be recorded to journald with systems running systemd and syslog otherwise.

See for full API details.

This is a SIMP module

This module is a component of the System Integrity Management Platform, a compliance-management framework built on Puppet.

If you find any issues, they may be submitted to our bug tracker.


You can simply include the tlog class to have the software installed.

To enable automatic session recording, include the tlog::rec_session class. You MUST then add all users and/or groups that you want to monitor to the tlog::rec_session::shell_hook_users Array.

Note: Groups should be prefixed with a percent sign (%).

When this is enabled, it will automatically hook into login and interactive shells based on scripts placed into /etc/profile.d.

Example: Auditing the 'root' user and 'administrators' group

  - 'root'
  - '%administrators'

NOTE: If you want to be 100% certain that all sessions are logged, you should not rely on this hook but should, instead, set /usr/bin/tlog-rec-session as the user's primary shell. This is not feasible in many situations so these hooks have been provided for the 90% case.


The tlog project is still evolving so there may be breaking changes that occur in the future. We highly encourage all users to file feature requests and bug reports with the upstream project.

TLOG does not record all sessions

iWhen root is set to use the tlog hook, if a user is logged into a system using a graphical display such as gnome and attempts to su to root from more than one terminal window in the same session, the second su will not be recorded.

This occurs because, in order to prevent looping, if the session id is the same for both shells, tlog does not start a second recording session. A ticket has been entered for this issue.

The above error does not affect ssh logins.

tlog-play from file

To playback tlog from a file, the file must only contain json entries from a single session. The default SIMP implementation of tlog records all sessions with some additional non-json formatted information in a file, causing playback of the raw log file to fail. To generate a usable tlog file for playback, grep and awk can be utilized to filter and format entries for a tlog session. Identify the file containing the raw tlog data. Performing a grep for tlog-rec-session in the logs directory can help locate log files. After identifying the raw log file, examine the contents of the file to identify the rec, a host-unique recording id, for the session to be replayed. The rec can then be used with grep to generate a new file containing only logs from that session in json format:

grep <rec> <raw log file> | awk -F"tlog-rec-session: " '{print $2}' > /tmp/tlog_for_playback


Please read our Contribution Guide.

Acceptance tests

This module includes Beaker acceptance tests using the SIMP Beaker Helpers. By default the tests use Vagrant with VirtualBox as a back-end; Vagrant and VirtualBox must both be installed to run these tests without modification. To execute the tests run the following:

NOTE: You will need to make sure that the nodesets can install the tlog packages from a repository (or install them via beaker) for the tests to run successfully.

bundle install
bundle exec rake beaker:suites

Please refer to the SIMP Beaker Helpers documentation for more information.