Snoopy logger

Snoopy logger is a powerful utility which makes the admin work more easy by providing a log of commands executed via shell. It logs each and every users shell command executions to “/var/log/secure”. We can later check the log and recognize the user and the command it executed from the uid.

I am pasting a portion of snoopy log below:

Sep 10 05:38:20 serverXXX snoopy[206015]: [uid:0 sid:187552 tty:/dev/pts/2 cwd:/root filename:/usr/bin/tail]: tail -f /var/log/secure
Sep 10 05:38:21 serverXXX snoopy[206016]: [uid:99 sid:185700 tty: cwd:/home/user123/public_html/ filename:/opt/suphp/sbin/suphp]: /opt/suphp/sbin/suphp
Sep 10 05:38:21 serverXXX snoopy[206016]: [uid:1002 sid:185700 tty: cwd:/home/user123/public_html/ filename:/usr/bin/php]: /usr/bin/php /home/markwesl/public_html/
Sep 10 05:38:21 serverXXX snoopy[206017]: [uid:99 sid:185700 tty: cwd:/home/user456/public_html/current filename:/opt/suphp/sbin/suphp]: /opt/suphp/sbin/suphp
Sep 10 05:38:22 serverXXX snoopy[206024]: [uid:1006 sid:185700 tty: cwd:/home/user999/public_html/ filename:/usr/bin/php]: /usr/bin/php /home/senseb/public_html/

You can find the user using uid using the following command or from the /etc/passwd file.

root@serverxxx [~]# getent passwd 99
root@serverxxx [~]# getent passwd 1002
root@serverxxx [~]# getent passwd 1006

Snoopy Installation Steps
* cd /usr/src
* wget
* tar xvf snoopy-1.8.0.tar.gz
* cd snoopy-1.8.0
# Check configuration options:
./configure –help

# Then continue with normal build procedure:
./configure [OPTIONS]
make install

# Then you can actually enable snoopy:
make enable

Snoopy “/usr/local/lib/” is placed in /etc/ To remove snoopy later, simply edit /etc/ and remove the
reference to and delete /usr/local/lib/ For more information, you can read the “README” file in the source directory.