There are several ways to log connections made by a specific user for any service on a Linux system. Here are a few options:
auditd:
The auditd daemon is a Linux system service that allows you to audit system events, such as user logins and system call events. To log connections made by a specific user for any service using auditd, you can use the -w option to specify the path to the file or directory that you want to monitor, and the -p option to specify the permissions that you want to monitor (here, w for writes and a for attribute changes). For example:
auditctl -w /etc/ssh/sshd_config -p wa
This command will log any changes made to the /etc/ssh/sshd_config file by any user. You can use similar commands to log connections made by a specific user for other services, such as FTP or HTTP.
pam_tty_audit:
The pam_tty_audit module is a Linux Pluggable Authentication Module (PAM) that allows you to log connections made by a specific user for any service that uses PAM for authentication. To use pam_tty_audit, you will need to add the module to the appropriate configuration file for the service that you want to monitor. For example, to log connections made by a specific user for the ssh service, you can add the following line to the /etc/pam.d/ssh file:
session required pam_tty_audit.so
This will cause pam_tty_audit to log the user's login and logout events for the ssh service.
syslog:
The syslog daemon is a Linux system service that allows you to log system events, including user logins and logouts. To log connections made by a specific user for any service using syslog, you will need to configure the service to send log messages to the syslog daemon. For example, to log connections made by a specific user for the ssh service, you can add the following line to the /etc/ssh/sshd_config file:
LogLevel VERBOSE
This will cause the ssh service to log verbose log messages, including user login and logout events.
Regardless of which method you choose, it is important to ensure that the log messages are being properly written to a secure and centralized location.
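
For the sshd messages that reach syslog as described above, the following Python code (an added example, not part of the original text) filters the log for one user and pairs each accepted login with its PAM session close by sshd PID. The log lines are constructed samples in the traditional syslog format, and the function and field names are hypothetical.

```python
import re

# Constructed sample of sshd syslog lines (host, users and addresses are made up).
SAMPLE_LOG = """\
Mar  4 10:15:02 web01 sshd[2211]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2: ED25519 SHA256:EXAMPLEFINGERPRINT
Mar  4 10:15:02 web01 sshd[2211]: pam_unix(sshd:session): session opened for user alice(uid=1000) by (uid=0)
Mar  4 10:16:40 web01 sshd[2250]: Failed password for alice from 198.51.100.7 port 40022 ssh2
Mar  4 10:17:05 web01 sshd[2260]: Accepted password for bob from 192.0.2.55 port 51999 ssh2
Mar  4 10:42:19 web01 sshd[2211]: pam_unix(sshd:session): session closed for user alice
Mar  4 11:03:27 web01 sshd[2301]: Accepted password for alice from 203.0.113.9 port 60100 ssh2
"""

# Traditional syslog prefix: "Mon DD HH:MM:SS host sshd[pid]: message"
LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# Authentication result, e.g. "Accepted password for alice from 192.0.2.1 port 22 ssh2"
AUTH = re.compile(r"^(?P<result>Accepted|Failed) (?P<method>\S+) for "
                  r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")
# pam_unix logs the session close from the same sshd process that logged "Accepted"
CLOSED = re.compile(r"session closed for user (?P<user>\S+)$")

def connections_for(log_text, user):
    """Return (sessions, failures) for one user from sshd syslog text."""
    sessions, failures, open_by_pid = [], [], {}
    for raw in log_text.splitlines():
        line = LINE.match(raw)
        if not line:
            continue  # not an sshd line, or a different log format
        ts, pid, msg = line["ts"], line["pid"], line["msg"]
        auth = AUTH.match(msg)
        if auth and auth["user"] == user:
            rec = {"ip": auth["ip"], "port": int(auth["port"]), "method": auth["method"]}
            if auth["result"] == "Accepted":
                rec.update(start=ts, end=None)  # end stays None while the session is open
                open_by_pid[pid] = rec
                sessions.append(rec)
            else:
                rec["time"] = ts
                failures.append(rec)
            continue
        closed = CLOSED.search(msg)
        if closed and closed["user"] == user and pid in open_by_pid:
            open_by_pid.pop(pid)["end"] = ts
    return sessions, failures

if __name__ == "__main__":
    for kind, records in zip(("session", "failure"), connections_for(SAMPLE_LOG, "alice")):
        for rec in records:
            print(kind, rec)
```

A session whose end is still None has no matching close in the log, which can mean the connection is still open or that the close message was lost or rotated away.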