Using snoopy logger to monitor system activity

Snoopy is designed to aid a sysadmin by providing a log of every command executed. It is completely transparent to users and applications: the shared library is preloaded into each process (through /etc/ld.so.preload or LD_PRELOAD) and wraps calls to execve(), so every program start is recorded. Logging is done via syslog.

Snoopy logs either every user's activity or only root's. The choice is made at compile time, so once set it cannot be changed without recompiling.

Install Snoopy

It’s quite easy with apt-get:

apt-get install snoopy

The package enables snoopy automatically by adding a line to /etc/ld.so.preload. To deactivate snoopy, comment out (or remove) that line.

cat /etc/ld.so.preload
/lib/snoopy.so

The preload only applies to processes started after the file is written, so once the installation has finished, restart the long-running programs you want to log, e.g.

/etc/init.d/apache2 restart
/etc/init.d/unicorn restart
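
An added check for that step (not from the original post or the snoopy project): list the processes that are still running without snoopy.so mapped in because they started before /etc/ld.so.preload was written. It reads /proc/<pid>/maps; the proc directory is a parameter so the function can be exercised against a constructed stand-in tree, and the library name snoopy.so matches the path shown above.

```shell
#!/bin/sh
# Added example, not part of the original post: find processes that
# started before /etc/ld.so.preload was written and so still run
# without snoopy.so mapped in.
set -e

# Usage: procs_without_lib <proc-dir> <library-name>
# Prints "<pid> <comm>" for each process under <proc-dir> whose memory
# map does not mention <library-name>. Pass /proc on a live host (as
# root, otherwise other users' maps are unreadable and are skipped).
procs_without_lib() {
    procdir=$1
    lib=$2
    for maps in "$procdir"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        grep -q . "$maps" || continue        # kernel threads have empty maps
        pid=${maps#"$procdir"/}
        pid=${pid%/maps}
        if ! grep -q "$lib" "$maps"; then
            comm=$(cat "$procdir/$pid/comm" 2>/dev/null || echo '?')
            echo "$pid $comm"
        fi
    done
}

# Constructed stand-in for /proc (not real data): pid 100 (apache2,
# restarted, has the library), pid 200 (unicorn, not restarted) and
# pid 300 (kernel thread, empty maps). Prints the directory name.
build_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/100" "$d/200" "$d/300"
    printf '%s\n' '7f1a0000-7f1b0000 r-xp 00000000 08:01 1 /lib/x86_64-linux-gnu/libc.so.6' \
                  '7f1c0000-7f1d0000 r-xp 00000000 08:01 2 /lib/snoopy.so' > "$d/100/maps"
    echo apache2 > "$d/100/comm"
    printf '%s\n' '7f1a0000-7f1b0000 r-xp 00000000 08:01 1 /lib/x86_64-linux-gnu/libc.so.6' > "$d/200/maps"
    echo unicorn > "$d/200/comm"
    : > "$d/300/maps"
    echo "$d"
}

demo=$(build_demo_tree)
procs_without_lib "$demo" snoopy.so     # prints: 200 unicorn
rm -rf "$demo"
```

On a live host run `procs_without_lib /proc snoopy.so` as root. Statically linked binaries never read ld.so.preload, so they will always be listed; everything else that appears needs a restart before its execve() calls show up in the log.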

All executed commands are logged through syslog; on Debian they end up in /var/log/auth.log. Here is an example output:

Oct 21 22:39:01 deb snoopy[5809]: [uid:0 sid:5807 tty: cwd:/root filename:/usr/bin/which]: which php5
Oct 21 22:39:01 deb snoopy[5810]: [uid:0 sid:5807 tty: cwd:/root filename:/usr/bin/php5]: php5 -c /etc/php5/cgi/php.ini -d error_reporting='~E_ALL' -r print ini_get("session.gc_maxlifetime");
Oct 21 22:39:01 deb snoopy[5812]: [uid:0 sid:5807 tty: cwd:/root filename:/usr/bin/find]: find /var/lib/php5/ -depth -mindepth 1 -maxdepth 1 -type f -ignore_readdir_race -cmin +24 ! -execdir fuser -s {} ; -delete
Oct 21 22:39:01 deb snoopy[5819]: [uid:1000 sid:5818 tty: cwd:/var/spool/postfix filename:/usr/bin/procmail]: procmail -a
Oct 21 22:39:26 deb snoopy[5824]: [uid:0 sid:4233 tty:/dev/pts/1 cwd:/root/snoopy-1.9.0 filename:/sbin/modprobe]: /sbin/modprobe ip_tables
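
As an added example (not part of the original post), here is a small triage filter over lines in this format. It reports execve calls that start a shell from a process with no controlling terminal (an empty tty: field), which is how a web shell, a reverse shell or a compromised daemon shows up in snoopy output. The sample lines are constructed; uid 33 being Debian's www-data is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original post: triage filter for snoopy
# lines. It reports execve calls that start a shell from a process with
# no controlling terminal, which is how a web shell, a reverse shell or
# a compromised daemon shows up in this log.
set -e

# Reads snoopy syslog lines on stdin; prints "uid=<uid> cwd=<cwd> <command>"
# for each execve of sh/bash/dash whose tty: field is empty.
snoopy_ttyless_shells() {
    awk '
    {
        # Locate the bracketed field block: [uid:.. sid:.. tty:.. cwd:.. filename:..]
        s = index($0, "[uid:")
        if (s == 0) next
        rest = substr($0, s + 1)
        e = index(rest, "]")
        if (e == 0) next
        block = substr(rest, 1, e - 1)
        cmd = substr(rest, e + 3)           # everything after "]: " is the command line
        n = split(block, kv)
        uid = ""; tty = "x"; cwd = ""; filename = ""
        for (i = 1; i <= n; i++) {
            c = index(kv[i], ":")
            if (c == 0) continue
            key = substr(kv[i], 1, c - 1)
            val = substr(kv[i], c + 1)
            if (key == "uid") uid = val
            else if (key == "tty") tty = val
            else if (key == "cwd") cwd = val
            else if (key == "filename") filename = val
        }
        # An empty tty means no controlling terminal (cron, daemons, exploits)
        if (tty == "" && filename ~ "/(sh|bash|dash)$")
            printf "uid=%s cwd=%s %s\n", uid, cwd, cmd
    }'
}

# Constructed sample (not real data): the which(1) line from the post, an
# interactive root shell on a pty, a shell spawned by the web server user
# (Debian www-data is uid 33, assumed here) and a cron job. Only the last
# two have no tty.
sample_log=$(cat <<'EOF'
Oct 21 22:39:01 deb snoopy[5809]: [uid:0 sid:5807 tty: cwd:/root filename:/usr/bin/which]: which php5
Oct 21 22:39:26 deb snoopy[5824]: [uid:0 sid:4233 tty:/dev/pts/1 cwd:/root filename:/bin/bash]: bash
Oct 21 22:41:13 deb snoopy[5901]: [uid:33 sid:5899 tty: cwd:/var/www filename:/bin/sh]: sh -c id
Oct 21 23:17:01 deb snoopy[6001]: [uid:0 sid:6000 tty: cwd:/root filename:/bin/sh]: /bin/sh -c cd / && run-parts --report /etc/cron.hourly
EOF
)

printf '%s\n' "$sample_log" | snoopy_ttyless_shells
# prints:
#   uid=33 cwd=/var/www sh -c id
#   uid=0 cwd=/root /bin/sh -c cd / && run-parts --report /etc/cron.hourly
```

Cron jobs are reported too, since cron's `sh -c` has no tty either; in practice you would suppress those by sid or cwd, or restrict the rule to service accounts such as www-data. The cwd and filename fields are not quoted in this format, so a path containing a space would throw the field split off; for anything beyond a quick triage, tokenise on the known keys rather than on whitespace.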

Monitor selected programs
As the README.md states:

If you wish to monitor only certain applications you can do so through
the LD_PRELOAD environmental variable – simply set it to the full path
to snoopy.so shared library before starting the application.

Example:

export LD_PRELOAD=/lib/snoopy.so    # default path
lynx http://linux.com/
unset LD_PRELOAD

I tried this on my Debian Wheezy, but it doesn’t work. Further checks are still on the way.

Once snoopy is enabled it generates a lot of log records. knx describes a way to keep logcheck from reporting the entries snoopy creates.
On Debian, create the file below containing this single line:

cat /etc/logcheck/ignore.d.server/snoopy
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snoopy.*
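
An added check (not from the original post): run the rule above, exactly as logcheck's grep -E applies it, over a few constructed syslog lines and print what logcheck would still report. The hostname web-01.example, the sshd line and the 192.0.2.10 address are made up for the example.

```shell
#!/bin/sh
# Added example, not part of the original post: check what the logcheck
# ignore rule above lets through. logcheck applies its rules with grep -E,
# so the same regex is used here verbatim.
set -e

SNOOPY_IGNORE_RULE='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snoopy.*'

# Reads syslog lines on stdin, prints those the ignore rule does NOT
# match, i.e. the lines logcheck would still put in its report.
logcheck_survivors() {
    grep -vE "$SNOOPY_IGNORE_RULE" || true     # grep -v exits 1 when nothing survives
}

# Constructed lines (not real data): two snoopy entries, one with a
# single-digit day and a dotted hostname to exercise the [ :0-9]{11} and
# hostname parts of the rule, and one sshd entry that must not be swallowed.
sample_log=$(cat <<'EOF'
Oct 21 22:39:01 deb snoopy[5809]: [uid:0 sid:5807 tty: cwd:/root filename:/usr/bin/which]: which php5
Oct  1 02:03:04 web-01.example snoopy[123]: [uid:33 sid:100 tty: cwd:/var/www filename:/bin/sh]: sh -c id
Oct 21 22:40:00 deb sshd[5900]: Accepted publickey for root from 192.0.2.10 port 51234 ssh2
EOF
)

printf '%s\n' "$sample_log" | logcheck_survivors    # prints only the sshd line
```

Note that the rule swallows the uid:33 shell line as well: with this file in place, logcheck reports nothing snoopy writes. That is the right trade-off for the noise, but it means snoopy output has to be reviewed by a separate filter (or a narrower rule) if you want any of it surfaced.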

If you faced any issues on using snoopy, please don’t hesitate to leave a comment below.
