Event #2125
Recorded 3 weeks ago
Command
Critical
default-host
139.84.163.174
113.192.54.62
root
Nov 19, 2025 09:31:46
Command
git commit -m "Fix login monitoring to identify WHO logged in, not just the IP
CRITICAL FIX: Login events now show the actual USERNAME/EMAIL
Before (useless):
{
'event_type': 'azuracast_web_user_login',
'user_ip': '173.63.205.69',
'message': 'User web action from 173.63.205.69: user_login'
}
After (useful):
{
'event_type': 'azuracast_web_user_login',
'user_email': 'admin@example.com',
'user_ip': '173.63.205.69',
'message': 'admin@example.com from 173.63.205.69: user_login'
}
How it works:
1. When a login is detected (POST /login with 302 redirect)
2. Query the user_login_tokens table for sessions from that IP
3. Match the IP + timestamp to identify the user who just logged in
4. Include their email, name, and role in the event
Also enhanced:
- Admin actions now show WHO made them (not just IP)
- Session tracking includes user roles and 2FA status
- New dedicated 'azuracast_user_login_success' event with full details
This makes the monitoring actually useful for identifying who is doing what."
Raw Event Data
{
"pid": 2249607,
"tty": "\/dev\/pts\/1",
"ppid": 2243148,
"user": "root",
"shell": "\/bin\/bash",
"command": "git commit -m \"Fix login monitoring to identify WHO logged in, not just the IP\n\nCRITICAL FIX: Login events now show the actual USERNAME\/EMAIL\n\nBefore (useless):\n{\n 'event_type': 'azuracast_web_user_login',\n 'user_ip': '173.63.205.69',\n 'message': 'User web action from 173.63.205.69: user_login'\n}\n\nAfter (useful):\n{\n 'event_type': 'azuracast_web_user_login',\n 'user_email': 'admin@example.com',\n 'user_ip': '173.63.205.69',\n 'message': 'admin@example.com from 173.63.205.69: user_login'\n}\n\nHow it works:\n1. When a login is detected (POST \/login with 302 redirect)\n2. Query the user_login_tokens table for sessions from that IP\n3. Match the IP + timestamp to identify the user who just logged in\n4. Include their email, name, and role in the event\n\nAlso enhanced:\n- Admin actions now show WHO made them (not just IP)\n- Session tracking includes user roles and 2FA status\n- New dedicated 'azuracast_user_login_success' event with full details\n\nThis makes the monitoring actually useful for identifying who is doing what.\"",
"user_ip": "113.192.54.62",
"exit_code": 0,
"server_ip": "139.84.163.174",
"timestamp": "2025-11-19T09:31:46.996Z",
"event_type": "command",
"received_at": "2025-11-19T09:31:47.367641",
"server_name": "abduldjserver",
"honeypot_name": "abduldjserver",
"parent_command": "claude",
"ssh_connection": "113.192.54.62 58775 139.84.163.174 22",
"server_location": "vultr",
"honeypot_location": "vultr",
"working_directory": "\/home\/linuxuser\/grutu"
}
Risk Assessment
High Risk
Critical severity event detected