gatoshell

installation

To actually use the shell you need to run as root (the default) or as a user that has access to the local socket. This application is not provided as a Docker container, since it needs local socket access, but it can be wrapped in one of the slim Ubuntu or CentOS containers if needed. Alpine Linux will not work, since its glib does not include the required encryption support.

By default, only root-level accounts can run the application locally. To allow other users, create a log-reader group and grant it access to the /opt/gatoserverd/gatoserverd.sock file.

In some installations it may be a good idea to create a dedicated user for reading logs and set that user's login shell to gatoshell. This allows logs to be read without using the default root or admin account. It requires creating a group for log readers and granting that group access to /opt/gatoserverd/gatoserverd.sock.
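The reader-group setup described in the two paragraphs above, as an added example that is not part of the gatoshell documentation: it creates the group, grants it access to the daemon's socket, adds a reader account whose login shell is gatoshell, and checks that the socket is not reachable by every local account. The group name "logreaders" is a placeholder; the socket path and /usr/sbin/gatoshell are taken from this page.

```shell
#!/bin/sh
# Added example, not part of the gatoshell documentation. Assumes the socket
# path and binary location given on the page; "logreaders" is a placeholder.

SOCK=${GATO_SOCK:-/opt/gatoserverd/gatoserverd.sock}
GROUP=${GATO_GROUP:-logreaders}

# Print the octal permission bits of a path (GNU stat first, BSD stat as fallback).
mode_of() {
  if stat -c '%a' "$1" >/dev/null 2>&1; then
    stat -c '%a' "$1"
  else
    stat -f '%Lp' "$1"
  fi
}

# Return 0 when the "other" class has no permission bits on the path.
# A world-accessible socket lets any local account talk to gatoserverd,
# which defeats the point of a dedicated reader group.
socket_is_group_restricted() {
  m=$(mode_of "$1") || return 1
  other=$(printf '%s' "$m" | tail -c 1)   # last octal digit = "other" class
  [ "$other" = "0" ]
}

# Create the group and grant it access to the socket (run as root, after the
# daemon has created the socket; repeat if the daemon recreates it on restart).
grant_group_access() {
  groupadd -f "$GROUP" &&
  chgrp "$GROUP" "$SOCK" &&
  chmod 0660 "$SOCK" &&
  socket_is_group_restricted "$SOCK"
}

# Add a dedicated log-reader account whose login shell is gatoshell, so logs
# can be read without the root or admin account (run as root).
add_log_reader() {
  useradd -m -G "$GROUP" -s /usr/sbin/gatoshell "$1"
}
```

Run `grant_group_access` once after the daemon is up, then `add_log_reader alice` for each reader; `socket_is_group_restricted "$SOCK"` can be re-run at any time as a quick audit.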

You can also run gatoshell remotely by provisioning a certificate in your home directory. This is covered in a separate section below.

Ubuntu and other Debian-based Distributions

curl -1sLf 'https://dl.cloudsmith.io/public/caprica-llc/gatodebian/setup.deb.sh' | sudo -E bash

apt-get install gatoshell

CentOS and other RPM-based distributions

curl -1sLf 'https://dl.cloudsmith.io/public/caprica-llc/gatorpm/setup.rpm.sh' | sudo -E bash

yum install gatoshell

client provisioning quickstart

Each system requires a certificate exchange with the server process. You can perform this by following the interactive steps detailed in the documentation, or through the shell as described here.

Each gatod system and remote client needs a copy of the server certificate. You can generate a copy of it from the shell with:

gatoshell -e rootca > rootca.crt

Copy this file to the /etc/gatod/ directory for gatod, or to your ~/.gatoshell directory under the name prompted during setup. Clients also need a certificate countersigned by the server; the simplest way to get one is to copy and paste the request from the client into the application. Select the text with your mouse and put it on your system's clipboard: on Linux, click the left mouse button; on Microsoft Windows, click the right button.

Run the licensing operation:

gatoshell -e license

It prompts for a license request; paste it and a signed certificate is printed. Save that text as /etc/gatod/gatod.crt for gatod, or, for gatoshell remote access, under the prompted name.
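The certificate exchange above, wrapped with the sanity checks a practitioner would want, as an added example that is not part of the gatoshell documentation. It assumes gatoshell and openssl are on PATH and uses the /etc/gatod/, rootca.crt and gatod.crt names from this page; CERT_DIR is a placeholder you may change.

```shell
#!/bin/sh
# Added example, not part of the gatoshell documentation. Assumes gatoshell
# and openssl on PATH; file names come from the page, CERT_DIR is a placeholder.

CERT_DIR=${GATO_CERT_DIR:-/etc/gatod}

# Return 0 if the file looks like a PEM certificate. gatoshell prints the
# certificate as plain text, so an error such as the word "locked" (shown on
# the page when the server is locked) would otherwise be installed by mistake.
is_pem_certificate() {
  grep -q '^-----BEGIN CERTIFICATE-----$' "$1" &&
  grep -q '^-----END CERTIFICATE-----$' "$1"
}

# Export the server's root CA through the shell and install it read-only for
# the collector; refuses to install anything that is not a PEM certificate.
export_rootca() {
  tmp=$(mktemp) || return 1
  if ! gatoshell -e rootca > "$tmp"; then
    rm -f "$tmp"; return 1
  fi
  if ! is_pem_certificate "$tmp"; then
    echo "gatoshell -e rootca did not return a PEM certificate" >&2
    rm -f "$tmp"; return 1
  fi
  install -m 0644 "$tmp" "$CERT_DIR/rootca.crt" && rm -f "$tmp"
}

# After saving the countersigned certificate as gatod.crt, confirm that it
# chains to the exported root CA and show its subject and expiry date.
verify_client_cert() {
  is_pem_certificate "$CERT_DIR/gatod.crt" &&
  openssl verify -CAfile "$CERT_DIR/rootca.crt" "$CERT_DIR/gatod.crt" &&
  openssl x509 -in "$CERT_DIR/gatod.crt" -noout -subject -enddate
}
```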

running gatoshell

The packages place the binary in /usr/sbin, since it is not for general use. As an authorized user, simply run gatoshell from the terminal. Gatoshell is an interactive terminal that uses GatoScript as its interface. Shell commands can also be passed on the command line with the -e option.

commands

help

Prints a list of the commands supported by the current version, each with a brief help text.

help
exit         exit the program
help         display help
info         Get server status
license      create key to allow a client to access the main server
lock         lock the server
unlock       unlock the server
ping         ping server process
q            query the log
redact       Redact (overwrite securely) a single log item
rootca       Get root CA certificate (save as gatoserverd.crt)
mkpem        Generate a public/private key pair for encrypting data
setpem       Load an encryption key just for this session (not persistent)
shred        Shred the log - must be done interactively

clear

Resets the current terminal (if possible). Some pseudoterminals do not correctly implement these control codes (often freeware ssh clients for operating systems other than Linux).

exit

Immediately exits the program with return code 0.

info

Queries the server for version and licensing information and prints it on the screen. Blocked if the log is locked.

Current Clients: 0
License Expires: 2022-09-23 10:31:47.750537451 +0000 UTC
Version: gatod copyright © 2021 caprica llc tx - all right reserved - 1.9999

license

Uploads a license file from https://shop.loggingato.com to unlock more seats. The server includes two free non-production seats. Cut and paste the ASCII text to upload it to the server.

lock

This command ‘freezes’ the system until it is rebooted or the password you are prompted for is entered. This provides a way to lock a VPS against prying while you are disconnected: if the same password is still active when you return, no one else has connected.

To lock the server:

Lock String: 
Again:
Locked server.

Any other queries without an unlock will fail.

gatoshell copyright © 2021 caprica llc tx - all right reserved - 1.9999
>>> q
locked

unlock

Prompts for the unlock password; if it is entered correctly, the system is enabled again.

gatoshell copyright © 2021 caprica llc tx - all right reserved - 1.9999
>>> q
locked
>>> unlock
Unlock String:
ok
>>> info
Max clients: 59
Current Clients: 0
License Expires: 2022-09-23 10:31:47.750537451 +0000 UTC

ping

Performs a connectivity check on the server (done implicitly at login) and returns the copyright string.

query/q

This command queries the log. There are several optional parameters you can add; by default it shows only the latest entries (the tail) of the log.

  • live/i – gives a live stream of updates (like tail -f)

  • limit=n – limits the number of results; defaults to 20

  • app=s – searches only for entries from this app

  • keyword=s – searches for this string or string fragments in the messages. Note that for records encrypted with public key locks, the server cannot search for keywords since it’s not able to read the records once written.

  • start=date – searches from this date/time

  • end=date – searches up to this date/time

RNO                                 TS        Node       X         IP          App                              Message   
1763 2021-09-23 19:21:35 -0500 CDT 00000     127.0.0.1 0         gatoserverd admin has unlocked the console.
1764 2021-09-23 19:21:37 -0500 CDT 00000     127.0.0.1 0         gatoserverd admin `info`                    
>>>

redact

Redact allows controlled redaction of the log, for instance when a password or other critical information has leaked into the logging data. Give it the record number; the record is wiped and the change is logged to the main log.

RNO   TS        Node       X         IP                                 App            Message   
13238 2021-09-23 19:30:52 -0500 CDT 00000     127.0.0.1 1         /usr/lib/gdm3/gdm-x-session[3169]: **encrypted**
13239 2021-09-23 19:30:52 -0500 CDT 00000     127.0.0.1 1         nginx GET /v2/login?uid=tacocat&password=tacocat
>>> redact 13239
ok
>>> q limit=3
13238 2021-09-23 19:30:52 -0500 CDT 00000     127.0.0.1 1         /usr/lib/gdm3/gdm-x-session[3169]: **encrypted**
13239 2021-09-23 19:30:52 -0500 CDT 00000     127.0.0.1 0         nginx redacted by admin @ 2021-09-23 19:37:55.201491154 -0500 CDT m=+21.176939703
13240 2021-09-23 19:34:17 -0500 CDT 00000     127.0.0.1 0         gatoserverd                         admin redact `13239`

shred

This command performs a seven-pass overwrite of the logging database by writing random data over the records, then deletes the database and discards all record of the original encryption keys before generating new ones. This may take an extremely long time depending on the size of your database, and no logging can occur while it runs.

Generally, this is something you would only do when decommissioning a system.

rootca

This will print to the screen the certificate of the logging server, which is needed by the data collector services to connect.

setpem

This command loads the private key needed to decode shrouded data in the logs. The software allows you to encrypt (shroud) some sensitive records to prevent some users from seeing them. Shrouded records appear as placeholder text if the correct key is not loaded. The key must be in the current directory and is never sent to the server.

Generally, you will want to use the password lock on the key, and in some cases you may want to delete the key from the system and store it offline until needed. If the key is encrypted, you will be prompted for the password to open it.

mkpem

Generates a key for encrypting some or all records in your logging table. Optionally you may add a password to this key (just press Enter for an empty password). After generating the key, the console displays a block that must be added to your server configuration file to encrypt the records. The shell cannot modify the server settings; only the system root user can change them.

Note: The key is encrypted with a custom algorithm and will not be readable. Regular PEM encryption is vulnerable to padding oracle attacks (RFC1423) and is not used.