Snoopy logs all the commands that are ran by any user to a log file. This is helpful for auditing and keep an eye on user activities.

For Automated Installation/Configuration of Snoopy we have created a Puppet module and Ansible Role.

Puppet Module: https://forge.puppetlabs.com/opstree/snoopy

Ansible Role: https://galaxy.ansible.com/OpsTree/Snoopy/

To install the latest STABLE version of Snoopy, use these commands:

rm -f snoopy-install.sh
wget -O snoopy-install.sh https://github.com/a2o/snoopy/raw/install/doc/install/bin/snoopy-install.sh
chmod 755 snoopy-install.sh
./snoopy-install.sh stable

This is what typical Snoopy output looks like:

2015-02-11T19:05:10+00:00 labrat-1 snoopy[896]: [uid:0 sid:11679 tty:/dev/pts/2 cwd:/root filename:/usr/bin/cat]: cat /etc/fstab.BAK
2015-02-11T19:05:15+00:00 labrat-1 snoopy[896]: [uid:0 sid:11679 tty:/dev/pts/2 cwd:/root filename:/usr/bin/rm]: rm -f /etc/fstab.BAK

These are default output locations on various Linux distributions:

For actual output destination check your syslog configuration.

Snoopy provides a configuration file “/etc/snoopy.ini” where you can configure snoopy to generate logs. By default snoopy logs only uid, but doesn’t logs username in logs, so we have to change configuration to get username in logs.You may also specify the log path where you want to generate the snoopy logs.

For getting username in logs edit “/etc/snoopy.ini” and under [snoopy] section add the following line:

message_format = “[username:%{username} uid:%{uid} sid:%{sid} tty:%{tty} cwd:%{cwd} filename:%{filename}]: %{cmdline}”

The output of logs is  shown below:

Feb 25 07:47:27 vagrant-ubuntu-trusty-64 snoopy[3163]: [username:root uid:0 sid:1828 tty:/dev/pts/0 cwd:/root filename:/usr/bin/vim]: vim /etc/snoopy.ini

To enable snoopy, issue the following command:

snoopy-enable

To disable snoopy, issue the following command:

snoopy-disable

Now that we have logs with suitable information we will write a grok pattern in logstash to parse these logs and generate required fields.

filter {

 if [type] == “snoopy” {

   grok {

     match => { “message” => “%{SYSLOGTIMESTAMP:date} %{HOSTNAME:hostname} %{WORD:logger}\[%{INT}\]\: \[%{WORD}\:%{USERNAME:username} %{DATA} %{DATA} %{DATA} %{WORD}\:%{DATA:cwd} %{DATA}\]\: %{GREEDYDATA:exe_command}” }

   }

 if “_grokparsefailure” in [tags] {

   drop { }

 }

 }

}

Here we are generating these fields:

date: Timestamp at which log is generated

hostname: Name of host

logger: Name of logger which is generating logs in our case “snoopy”.

username: Name of user issuing the command

cwd: Absolute path of directory from where the command is executed

exe_command: Command that is executed by user with complete options

Place the above grok pattern in filter section of logstash configuration file which is at “/etc/logstash/conf.d/logstash.conf”. Also include logs from “/var/log/auth.log” to be shipped to logstash server from logstash agent at the client.

After that you can see these logs in kibana in “Discover” tab as shown in screenshot:

In the left sidebar you can see all the fields via which you can filter including the fields we set in our grok pattern.Now in the search bar you can search according to specific field and its value. For example to search logs for vagrant user and all sudo commands executed by it, you will write the following query in search bar:

username:vagrant AND exe_command:sudo*

Then from the left sidebar add the fields you want to see, for example add “username”, “exe_command” and “cwd”, which will result to a table as shown below:

Now save this search from the icon that is just adjacent to left bar with a suitable name. Then go to “Dashboard” menu and click on “plus” icon to add a dashboard. A screen will appear as shown:

Click on “Searches” tab and find your saved search and click over it. A resulting screen will appear which will be added to your dashboard as shown below:

Here you can view tabular data for the sudo commands executed by vagrant user. Similarly you can add more searches by clicking on “plus icon” and add it to the same dashboard.Now save this dashboard by clicking on the “save” icon adjacent to search bar with a suitable name.After that you can easily load this dashboard by clicking on “load” icon adjacent to search bar.