{
    "pid": 2249607,
    "tty": "\/dev\/pts\/1",
    "ppid": 2243148,
    "user": "root",
    "shell": "\/bin\/bash",
    "command": "eval 'cd \/home\/linuxuser\/grutu && git add azuracast_user_actions_monitor.py && git commit -m \"Fix login monitoring to identify WHO logged in, not just the IP\n\nCRITICAL FIX: Login events now show the actual USERNAME\/EMAIL\n\nBefore (useless):\n{\n  '\"'\"'event_type'\"'\"': '\"'\"'azuracast_web_user_login'\"'\"',\n  '\"'\"'user_ip'\"'\"': '\"'\"'173.63.205.69'\"'\"',\n  '\"'\"'message'\"'\"': '\"'\"'User web action from 173.63.205.69: user_login'\"'\"'\n}\n\nAfter (useful):\n{\n  '\"'\"'event_type'\"'\"': '\"'\"'azuracast_web_user_login'\"'\"',\n  '\"'\"'user_email'\"'\"': '\"'\"'admin@example.com'\"'\"',\n  '\"'\"'user_ip'\"'\"': '\"'\"'173.63.205.69'\"'\"',\n  '\"'\"'message'\"'\"': '\"'\"'admin@example.com from 173.63.205.69: user_login'\"'\"'\n}\n\nHow it works:\n1. When a login is detected (POST \/login with 302 redirect)\n2. Query the user_login_tokens table for sessions from that IP\n3. Match the IP + timestamp to identify the user who just logged in\n4. Include their email, name, and role in the event\n\nAlso enhanced:\n- Admin actions now show WHO made them (not just IP)\n- Session tracking includes user roles and 2FA status\n- New dedicated '\"'\"'azuracast_user_login_success'\"'\"' event with full details\n\nThis makes the monitoring actually useful for identifying who is doing what.\"' < \/dev\/null",
    "user_ip": "113.192.54.62",
    "exit_code": 0,
    "server_ip": "139.84.163.174",
    "timestamp": "2025-11-19T09:31:45.631Z",
    "event_type": "command",
    "received_at": "2025-11-19T09:31:46.129728",
    "server_name": "abduldjserver",
    "honeypot_name": "abduldjserver",
    "parent_command": "claude",
    "ssh_connection": "113.192.54.62 58775 139.84.163.174 22",
    "server_location": "vultr",
    "honeypot_location": "vultr",
    "working_directory": "\/root"
}