SSH Session Monitoring
SSHwatch now includes a dedicated Sessions tab that allows you to monitor SSH login sessions across all your servers. Unlike the Logs tab, which tracks individual events, the Sessions tab provides a comprehensive view of complete SSH sessions, including login time, logout time, and session duration.
Accessing Session Data
The Sessions tab is located in the main navigation menu of your SSHwatch dashboard, alongside the Logs, Security Assessment, Response Actions, and IP Blocklist tabs.
Key Features
Session Timeline View
Each row in the Sessions tab represents a complete SSH session with the following information:
- Login Time: When the user logged into the server (YYYY-MM-DD HH:MM)
- Logout Time: When the user logged out (YYYY-MM-DD HH:MM)
- Duration: How long the session lasted (in days, hours, minutes, and seconds)
- Server: The hostname of the server where the session occurred
- Username: The SSH username used for the session
- IP Address: The client IP address that connected to your server
Filtering Capabilities
You can filter session data using the controls at the top of the Sessions tab:
- Search Box: Search across server names, usernames, and IP addresses
- Server Filter: Filter sessions by a specific server
- User Filter: Filter sessions by a specific username
- Clear Button: Reset all filters with a single click
Data Export
Enterprise plan users can export session data to CSV format for further analysis or record-keeping. Simply click the CSV button in the top-right corner of the Sessions tab to download the current filtered view of your session data.
Session vs. Logs: Understanding the Difference
While both the Logs and Sessions tabs track SSH activity, they serve different purposes:
- Logs Tab: Records individual events such as login attempts (both successful and failed), providing detailed security ratings and risk scores for each event.
- Sessions Tab: Focuses on tracking complete SSH sessions from login to logout, allowing you to monitor user activity and session durations.
Plan Limitations
- Free Plan: Limited to viewing the 1,000 most recent sessions
- Pro Plan: Full access to all session data
- Enterprise Plan: Full access to all session data plus CSV export capability
Monitoring Best Practices
- Regular Review: Check the Sessions tab periodically to identify unusual session patterns, such as excessively long sessions or connections at unusual hours.
- Combined Analysis: Use the Sessions tab in conjunction with the Logs tab for comprehensive security monitoring. The Logs tab will help identify potential threats, while the Sessions tab provides context about user behavior patterns.
- Filtering for Investigation: When investigating suspicious activity, use the filtering options to focus on specific servers, users, or time ranges.
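The regular review described above can also be run offline against a CSV export. The following is an added example, not SSHwatch code: the header names are assumed to match the Sessions tab columns, the rows are constructed sample data, and the 12-hour and 07:00 to 20:00 thresholds are illustrative choices.

```python
import csv
import io
from datetime import datetime, timedelta

TIME_FORMAT = "%Y-%m-%d %H:%M"  # timestamp layout shown in the Sessions tab

# Constructed sample rows; the header names are an assumption modelled on
# the Sessions tab columns, not a documented SSHwatch export schema.
SAMPLE_CSV = """Login Time,Logout Time,Duration,Server,Username,IP Address
2024-05-06 09:12,2024-05-06 09:40,28m,web-01,alice,198.51.100.7
2024-05-07 02:31,2024-05-07 02:45,14m,db-01,bob,203.0.113.24
2024-05-08 10:05,2024-05-10 11:20,2d 1h 15m,web-01,deploy,198.51.100.9
2024-05-09 14:00,,,db-01,alice,198.51.100.7
"""


def review_sessions(csv_text, max_duration=timedelta(hours=12),
                    work_start=7, work_end=20):
    """Return (row, reasons) for sessions that deserve a closer look."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = []
        login = datetime.strptime(row["Login Time"].strip(), TIME_FORMAT)
        # Login outside [work_start, work_end) hours counts as off-hours.
        if not work_start <= login.hour < work_end:
            reasons.append("off-hours login")
        logout_raw = (row.get("Logout Time") or "").strip()
        if logout_raw:
            logout = datetime.strptime(logout_raw, TIME_FORMAT)
            # Recompute the duration from the two timestamps instead of
            # parsing the Duration column, whose text format is not assumed.
            if logout - login > max_duration:
                reasons.append("long session")
        else:
            # Assumption: an empty logout means no logout was recorded.
            reasons.append("no logout recorded")
        if reasons:
            findings.append((row, reasons))
    return findings


if __name__ == "__main__":
    for row, reasons in review_sessions(SAMPLE_CSV):
        print(row["Login Time"], row["Server"], row["Username"],
              row["IP Address"], "->", ", ".join(reasons))
```

Flagged rows are starting points for the Combined Analysis step: look up the same server, username, and IP address in the Logs tab before drawing conclusions.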