
Logging user activity in Linux

There is often a need to monitor what is happening on a remote server, and often you have to install a keylogger or activity logger to track user actions. After trying the available freeware tools, almost nothing interesting turned up: many limitations, many unstable implementations.
Then I stumbled upon an interesting project, Snoopy Logger.



Installation of this product usually goes without any difficulties.

wget downloads.sourceforge.net/project/snoopylogger/snoopy-1.8.0.tar.gz
tar -zxf snoopy-1.8.0.tar.gz
cd snoopy-1.8.0/
./configure --help (shows the available build options)

e.g.
--with-syslog-facility=FACILITY
--with-syslog-level=LEVEL


You can also restrict logging to root only. To do this, edit the file snoopy.h before running ./configure.
It was
#define SNOOPY_ROOT_ONLY 0
change it to
#define SNOOPY_ROOT_ONLY 1

./configure
make
make install

install -m 755 -d /usr/local/lib
install -m 755 snoopy.so /usr/local/lib/snoopy.so

Snoopy shared library installed in /usr/local/lib.
Run 'make enable' to actually enable snoopy logging.

make enable
./enable.sh /usr/local/lib
Snoopy enabled in /etc/ld.so.preload. Check syslog messages for output.


/etc/init.d/syslog restart (or rsyslog)

Snoopy's output can then be found in the following log files (which one depends on your syslog configuration):

/var/log/auth*
/var/log/messages
/var/log/secure


If you do not want to sift Snoopy's entries out of the mess of the system logs, you can do this:

touch /var/log/snoopy.log
vim /etc/syslog.conf (for syslog)

Add to the config:
!snoopy
*.* /var/log/snoopy.log

By the same principle you can keep Snoopy's noise out of the other system logs.

The logs look like this:
Apr 6 06:46:26 asterisk snoopy[12664]: [uid:0 sid:12595 tty:/dev/pts/2 cwd:/home/develop filename:/usr/bin/nano]: nano /etc/asterisk/extensions.conf
Apr 6 07:56:19 asterisk snoopy[13267]: [uid:0 sid:13166 tty:/dev/pts/3 cwd:/root filename:/sbin/ifconfig]: ifconfig
Apr 6 07:56:26 asterisk snoopy[13268]: [uid:0 sid:13166 tty:/dev/pts/3 cwd:/root filename:/bin/touch]: touch /opt/1.txt
Apr 6 07:57:56 asterisk sudo: felvis : TTY=pts/3 ; PWD=/home/felvis ; USER=root ; COMMAND=/sbin/ifconfig eth0
Apr 6 07:57:56 asterisk snoopy[13277]: [uid:0 sid:13166 tty:/dev/pts/3 cwd:/home/felvis filename:/sbin/ifconfig]: /sbin/ifconfig eth0
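As an added example (not from the original article), here is a small Python parser for the Snoopy 1.8 line format shown above. Snoopy records the effective uid (here always 0), not the user who ran sudo, so the parser also pairs each uid:0 entry with the preceding sudo line on the same TTY and command to recover who actually issued it; the sample lines are constructed from the ones above.

```python
import re

# Constructed sample lines modelled on the Snoopy 1.8 output shown above.
SAMPLE_LOG = """\
Apr 6 06:46:26 asterisk snoopy[12664]: [uid:0 sid:12595 tty:/dev/pts/2 cwd:/home/develop filename:/usr/bin/nano]: nano /etc/asterisk/extensions.conf
Apr 6 07:56:19 asterisk snoopy[13267]: [uid:0 sid:13166 tty:/dev/pts/3 cwd:/root filename:/sbin/ifconfig]: ifconfig
Apr 6 07:57:56 asterisk sudo: felvis : TTY=pts/3 ; PWD=/home/felvis ; USER=root ; COMMAND=/sbin/ifconfig eth0
Apr 6 07:57:56 asterisk snoopy[13277]: [uid:0 sid:13166 tty:/dev/pts/3 cwd:/home/felvis filename:/sbin/ifconfig]: /sbin/ifconfig eth0
"""

TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
# Snoopy 1.8 format: [uid:N sid:N tty:T cwd:D filename:F]: <command line>
# (cwd/filename are taken as \S+, so paths containing spaces are not handled)
SNOOPY_RE = re.compile(
    TS + r"snoopy\[(?P<pid>\d+)\]: \[uid:(?P<uid>\d+) sid:(?P<sid>\d+) "
    r"tty:(?P<tty>\S+) cwd:(?P<cwd>\S+) filename:(?P<filename>\S+)\]: (?P<cmd>.*)$"
)
# Standard sudo log line, as it appears next to the Snoopy entries.
SUDO_RE = re.compile(
    TS + r"sudo: +(?P<user>\S+) : TTY=(?P<tty>\S+) ; PWD=\S+ ; "
    r"USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)


def parse_snoopy(line):
    """Return a dict of the Snoopy fields, or None if the line is not a Snoopy entry."""
    m = SNOOPY_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    for key in ("pid", "uid", "sid"):
        d[key] = int(d[key])
    return d


def attribute_root_commands(text):
    """Collect uid:0 Snoopy events; set 'via_sudo' to the invoking user when the
    preceding sudo line on the same TTY logged exactly that command."""
    pending = {}  # "/dev/<tty>" -> (user, command) from the last sudo line
    events = []
    for line in text.splitlines():
        s = SUDO_RE.match(line)
        if s:
            pending["/dev/" + s["tty"]] = (s["user"], s["cmd"])
            continue
        e = parse_snoopy(line)
        if e is None or e["uid"] != 0:
            continue
        user, cmd = pending.get(e["tty"], (None, None))
        e["via_sudo"] = user if cmd == e["cmd"] else None
        if e["via_sudo"]:
            pending.pop(e["tty"])  # one sudo line explains one command
        events.append(e)
    return events
```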


You can also forward the output via syslog to another machine and split it into the necessary logs or feed it to web applications.
In general, everyone decides for themselves how to use this utility.

To remove Snoopy afterwards, it is enough to clear the /etc/ld.so.preload file containing the reference to the .so and delete /usr/local/lib/snoopy.so itself.

In this mini article I did not consider the ethical side of using this kind of program, leaving it to the discretion of the readers.

Source: https://habr.com/ru/post/92020/
