TTY replay daemon

   
Description >

ttyrpld is a kit to log any traffic and actions which go through any of your Kernel's tty devices. In common terms, this is a keylogger. It also contains a screen logger: keyboard and screen are both considered to be one tty device, so logging screen updates is just as easy as logging keystrokes.

 
Technical aspects >

This kit consists of a Kernel patch, a Kernel module, a user-space logging daemon and a [user-space] player.

The Kernel patch adds a few lines to provide the "RPL" (short for replay) extension hook, which any module can then attach to.

The Kernel module is responsible for grabbing the data off the tty line and providing a character device for the user-space logging daemon.

Having received the captured data, the logging daemon can store it in any format and/or facility, with or without compression, just as it likes, because this happens in user-space, where all the fluffy libraries are available. (That would not be the case in Kernel space.)

See the Technical Details page for more info.

 
Categorization (SF-style) >
Development Status: 5 - Production/Stable
Environment: Console (Text Based), No Input/Output (Daemon)
Intended Audience: System Administrators, Information Technology
License: GNU General Public License version 2 (GPL)
Natural Language: English
Operating System: Linux 2.4 and 2.6
Programming Language: C/GNU99
Topic: Systems Administration, Security
 
Support >

If you need any help or assistance, just drop me a line at jengelh@linux01.gwdg.de.