{"id":364,"date":"2016-03-09T13:59:00","date_gmt":"2016-03-09T13:59:00","guid":{"rendered":"https:\/\/opstree.com\/blog\/\/2016\/03\/09\/snoopy-elk-exhibit-sudo-commands-in-kibana-dashboard\/"},"modified":"2019-09-18T13:33:17","modified_gmt":"2019-09-18T08:03:17","slug":"snoopy-elk-exhibit-sudo-commands-in-kibana-dashboard","status":"publish","type":"post","link":"https:\/\/opstree.com\/blog\/2016\/03\/09\/snoopy-elk-exhibit-sudo-commands-in-kibana-dashboard\/","title":{"rendered":"Snoopy + ELK : Exhibit sudo commands in Kibana Dashboard"},"content":{"rendered":"<div dir=\"ltr\" style=\"text-align:left;\"><span id=\"docs-internal-guid-f190d4d4-5b03-acd2-b02f-849803b9c89a\"><\/span><\/p>\n<h2 style=\"line-height:1.8;margin-bottom:6pt;margin-left:-8.25pt;margin-top:20pt;text-align:justify;\">Logging User Commands: Snoopy Logger<\/h2>\n<h2 style=\"line-height:1.8;margin-bottom:6pt;margin-left:-8.25pt;margin-top:18pt;text-align:justify;\"><span id=\"docs-internal-guid-f190d4d4-5b03-acd2-b02f-849803b9c89a\">About Snoopy Logger<\/span><\/h2>\n<div dir=\"ltr\" style=\"line-height:1.8;margin-bottom:0;margin-left:-8.25pt;margin-top:0;text-align:justify;\">Snoopy logs all the commands that are run by any user to a log file. 
This is helpful for auditing and keeping an eye on user activities.<\/div>\n<h3 style=\"line-height:1.8;margin-bottom:4pt;margin-left:-8.25pt;margin-top:16pt;text-align:justify;\">Automated Installation<\/h3>\n<div dir=\"ltr\" style=\"line-height:1.38;margin-bottom:0;margin-left:-6.75pt;margin-top:0;\">For automated installation\/configuration of Snoopy, we have created a Puppet module and an Ansible role.<\/div>\n<div dir=\"ltr\" style=\"line-height:1.38;margin-bottom:0;margin-left:-6.75pt;margin-top:0;\">Puppet Module: <a style=\"text-decoration:none;\" href=\"https:\/\/forge.puppetlabs.com\/opstree\/snoopy\" target=\"_blank\" rel=\"noopener\">https:\/\/forge.puppetlabs.com\/opstree\/snoopy<\/a><\/div>\n<div dir=\"ltr\" style=\"line-height:1.38;margin-bottom:0;margin-left:-6.75pt;margin-top:0;\">Ansible Role: <a style=\"text-decoration:none;\" href=\"https:\/\/galaxy.ansible.com\/OpsTree\/Snoopy\/\" target=\"_blank\" rel=\"noopener\">https:\/\/galaxy.ansible.com\/OpsTree\/Snoopy\/<\/a><\/div>\n<h3 style=\"line-height:1.8;margin-bottom:4pt;margin-left:-8.25pt;margin-top:16pt;text-align:justify;\">Manual Installation<\/h3>\n<div dir=\"ltr\" style=\"line-height:1.8;margin-bottom:0;margin-left:-8.25pt;margin-top:0;text-align:justify;\">To install the latest STABLE version of Snoopy, use these commands:<\/div>\n<div dir=\"ltr\" style=\"line-height:1.8;text-align:justify;margin:0 -29.25pt 12pt -8.25pt;\">rm -f snoopy-install.sh<br class=\"kix-line-break\">wget -O snoopy-install.sh https:\/\/github.com\/a2o\/snoopy\/raw\/install\/doc\/install\/bin\/snoopy-install.sh<br class=\"kix-line-break\">chmod 755 snoopy-install.sh<br class=\"kix-line-break\">.\/snoopy-install.sh stable<\/div>\n<h3 style=\"line-height:1.8;margin-bottom:4pt;margin-left:-8.25pt;margin-top:16pt;text-align:justify;\">Output<\/h3>\n<div dir=\"ltr\" style=\"line-height:1.8;margin-bottom:0;margin-left:-6.75pt;margin-top:0;text-align:justify;\">This is what typical Snoopy output looks like:<\/div>\n<div 
dir=\"ltr\" style=\"line-height:1.8;margin-bottom:0;margin-left:-6.75pt;margin-top:0;text-align:justify;\">2015-02-11T19:05:10+00:00 labrat-1 snoopy[896]: [uid:0 sid:11679 tty:\/dev\/pts\/2 cwd:\/root filename:\/usr\/bin\/cat]: cat \/etc\/fstab.BAK<br class=\"kix-line-break\">2015-02-11T19:05:15+00:00 labrat-1 snoopy[896]: [uid:0 sid:11679 tty:\/dev\/pts\/2 cwd:\/root filename:\/usr\/bin\/rm]: rm -f \/etc\/fstab.BAK<\/div>\n<div dir=\"ltr\" style=\"line-height:1.8;margin-bottom:0;margin-left:-8.25pt;margin-top:0;text-align:justify;\">These are default output locations on various Linux distributions:<\/p>\n<\/div>\n<ul style=\"margin-bottom:0;margin-top:0;\">\n<li style=\"font-family:Arial;font-size:14.6667px;list-style-type:disc;vertical-align:baseline;\">\n<div dir=\"ltr\" style=\"line-height:1.8;margin-bottom:0;margin-top:0;text-align:justify;\"><span style=\"font-size:14.6667px;vertical-align:baseline;white-space:pre-wrap;\">CentOS: \/var\/log\/secure<\/span><\/div>\n<\/li>\n<li style=\"font-family:Arial;font-size:14.6667px;list-style-type:disc;vertical-align:baseline;\">\n<div dir=\"ltr\" style=\"line-height:1.8;margin-bottom:0;margin-top:0;text-align:justify;\"><span style=\"font-size:14.6667px;vertical-align:baseline;white-space:pre-wrap;\">Debian: \/var\/log\/auth.log<\/span><\/div>\n<\/li>\n<li style=\"font-family:Arial;font-size:14.6667px;list-style-type:disc;vertical-align:baseline;\">\n<div dir=\"ltr\" style=\"line-height:1.8;margin-bottom:0;margin-top:0;text-align:justify;\"><span style=\"font-size:14.6667px;vertical-align:baseline;white-space:pre-wrap;\">Ubuntu: \/var\/log\/auth.log<\/span><\/div>\n<\/li>\n<li style=\"font-family:Arial;font-size:14.6667px;list-style-type:disc;vertical-align:baseline;\">\n<div dir=\"ltr\" style=\"line-height:1.8;margin-bottom:0;margin-top:0;text-align:justify;\"><span style=\"font-size:14.6667px;vertical-align:baseline;white-space:pre-wrap;\">others: \/var\/log\/messages (potentially, not 
necessarily)<\/p>\n<p><\/span><\/div>\n<\/li>\n<\/ul>\n<div dir=\"ltr\" style=\"line-height:1.8;margin-bottom:0;margin-left:-8.25pt;margin-top:0;text-align:justify;\">For the actual output destination, check your syslog configuration.<\/div>\n<div dir=\"ltr\" style=\"line-height:1.8;margin-bottom:0;margin-left:-8.25pt;margin-top:0;text-align:justify;\">Snoopy provides a configuration file \u201c\/etc\/snoopy.ini\u201d where you can configure how Snoopy generates logs. By default Snoopy logs only the uid, not the username, so we have to change the configuration to get the username in the logs. You may also specify the log path where you want Snoopy to write its logs.<\/div>\n<div dir=\"ltr\" style=\"line-height:1.8;margin-bottom:10pt;margin-left:-8.25pt;margin-top:0;text-align:justify;\">To get the username in the logs, edit \u201c\/etc\/snoopy.ini\u201d and add the following line under the [snoopy] section:<\/div>\n<div dir=\"ltr\" style=\"line-height:1.8;margin-bottom:0;margin-left:-8.25pt;margin-top:0;text-align:justify;\">message_format = &#8220;[username:%{username} uid:%{uid} sid:%{sid} tty:%{tty} cwd:%{cwd} filename:%(unknown)]: %{cmdline}&#8221;<\/div>\n<div dir=\"ltr\" style=\"line-height:1.8;margin-bottom:0;margin-left:-6.75pt;margin-top:0;text-align:justify;\">The resulting log output is shown below:<\/div>\n<div dir=\"ltr\" style=\"line-height:1.8;margin-bottom:0;margin-left:-6.75pt;margin-top:0;text-align:justify;\">Feb 25 07:47:27 vagrant-ubuntu-trusty-64 snoopy[3163]: [username:root uid:0 sid:1828 tty:\/dev\/pts\/0 cwd:\/root filename:\/usr\/bin\/vim]: vim \/etc\/snoopy.ini<\/div>\n<h3 style=\"line-height:1.38;margin-bottom:4pt;margin-left:-6.75pt;margin-top:16pt;\">Enable\/Disable Snoopy<\/h3>\n<div dir=\"ltr\" style=\"line-height:1.8;margin-bottom:0;margin-left:-6.75pt;margin-top:0;\">To enable Snoopy, issue the following command:<\/div>\n<div dir=\"ltr\" 
style=\"line-height:1.74;margin-bottom:12pt;margin-left:-6.75pt;margin-top:0;\">snoopy-enable<\/div>\n<div dir=\"ltr\" style=\"line-height:1.38;margin-bottom:0;margin-left:-6.75pt;margin-top:0;\">To disable snoopy, issue the following command:<\/div>\n<div dir=\"ltr\" style=\"line-height:1.74;margin-bottom:12pt;margin-left:-6.75pt;margin-top:0;\">snoopy-disable<\/div>\n<h1 style=\"line-height:1.8;margin-bottom:6pt;margin-left:-8.25pt;margin-top:20pt;text-align:justify;\">Using ELK to parse logs<\/h1>\n<div dir=\"ltr\" style=\"line-height:1.8;margin-bottom:0;margin-left:-6.75pt;margin-top:0;text-align:justify;\">Now that we have logs with suitable information we will write a grok pattern in logstash to parse these logs and generate required fields.<\/div>\n<div dir=\"ltr\" style=\"margin-bottom:0;margin-left:-6.75pt;margin-top:0;text-align:justify;\">\n<div style=\"line-height:1.2;\">A sample grok pattern will be like this:<\/div>\n<p><span style=\"font-size:14.6667px;line-height:17.6px;\"><br class=\"kix-line-break\"><\/span>filter {<\/p>\n<\/div>\n<div dir=\"ltr\" style=\"line-height:1.2;margin-bottom:0;margin-left:-6.75pt;margin-top:0;text-align:justify;\">&nbsp;if [type] == &#8220;snoopy&#8221; {<\/div>\n<div dir=\"ltr\" style=\"line-height:1.2;margin-bottom:0;margin-left:-6.75pt;margin-top:0;text-align:justify;\">&nbsp;&nbsp;&nbsp;grok {<\/div>\n<div dir=\"ltr\" style=\"line-height:1.2;margin-bottom:0;margin-left:-6.75pt;margin-top:0;text-align:justify;\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;match =&gt; { &#8220;message&#8221; =&gt; &#8220;%{SYSLOGTIMESTAMP:date} %{HOSTNAME:hostname} %{WORD:logger}\\[%{INT}\\]\\: \\[%{WORD}\\:%{USERNAME:username} %{DATA} %{DATA} %{DATA} %{WORD}\\:%{DATA:cwd} %{DATA}\\]\\: %{GREEDYDATA:exe_command}&#8221; }<\/div>\n<div dir=\"ltr\" style=\"line-height:1.2;margin-bottom:0;margin-left:-6.75pt;margin-top:0;text-align:justify;\">&nbsp;&nbsp;&nbsp;}<\/div>\n<div dir=\"ltr\" 
style=\"line-height:1.2;margin-bottom:0;margin-left:-6.75pt;margin-top:0;text-align:justify;\">&nbsp;if &#8220;_grokparsefailure&#8221; in [tags] {<\/div>\n<div dir=\"ltr\" style=\"line-height:1.2;margin-bottom:0;margin-left:-6.75pt;margin-top:0;text-align:justify;\">&nbsp;&nbsp;&nbsp;drop { }<\/div>\n<div dir=\"ltr\" style=\"line-height:1.2;margin-bottom:0;margin-left:-6.75pt;margin-top:0;text-align:justify;\">&nbsp;}<\/div>\n<div dir=\"ltr\" style=\"line-height:1.2;margin-bottom:0;margin-left:-6.75pt;margin-top:0;text-align:justify;\">&nbsp;}<\/div>\n<div dir=\"ltr\" style=\"line-height:1.2;margin-bottom:0;margin-left:-6.75pt;margin-top:0;text-align:justify;\">}<\/p>\n<\/div>\n<div dir=\"ltr\" style=\"line-height:1.8;margin-bottom:0;margin-left:-6.75pt;margin-top:0;text-align:justify;\">Here we are generating these fields:<\/div>\n<div dir=\"ltr\" style=\"line-height:1.8;margin-bottom:0;margin-left:-6.75pt;margin-top:0;text-align:justify;\">date: Timestamp at which the log entry was generated<\/div>\n<div dir=\"ltr\" style=\"line-height:1.8;margin-bottom:0;margin-left:-6.75pt;margin-top:0;text-align:justify;\">hostname: Name of the host<\/div>\n<div dir=\"ltr\" style=\"line-height:1.8;margin-bottom:0;margin-left:-6.75pt;margin-top:0;text-align:justify;\">logger: Name of the logger generating the logs, in our case \u201csnoopy\u201d.<\/div>\n<div dir=\"ltr\" style=\"line-height:1.8;margin-bottom:0;margin-left:-6.75pt;margin-top:0;text-align:justify;\">username: Name of the user issuing the command<\/div>\n<div dir=\"ltr\" style=\"line-height:1.8;margin-bottom:0;margin-left:-6.75pt;margin-top:0;text-align:justify;\">cwd: Absolute path of the directory from which the command was executed<\/div>\n<div dir=\"ltr\" style=\"line-height:1.8;margin-bottom:0;margin-left:-6.75pt;margin-top:0;text-align:justify;\">exe_command: The command executed by the user, with all of its options<\/p>\n<\/div>\n<div dir=\"ltr\" 
style=\"line-height:1.8;margin-bottom:0;margin-left:-6.75pt;margin-top:0;text-align:justify;\">Place the above grok pattern in the filter section of the Logstash configuration file at \u201c\/etc\/logstash\/conf.d\/logstash.conf\u201d. Also configure the Logstash agent on the client to ship the logs from \u201c\/var\/log\/auth.log\u201d to the Logstash server.<\/div>\n<h1 style=\"line-height:1.8;margin-bottom:6pt;margin-left:-6.75pt;margin-top:20pt;text-align:justify;\">Creating Dashboard in Kibana<\/h1>\n<div dir=\"ltr\" style=\"line-height:1.8;margin-bottom:0;margin-left:-6.75pt;margin-top:0;text-align:justify;\">After that you can see these logs in Kibana in the \u201cDiscover\u201d tab, as shown in the screenshot:<\/p>\n<\/div>\n<div dir=\"ltr\" style=\"line-height:1.8;margin-bottom:0;margin-left:-6.75pt;margin-top:0;text-align:justify;\"><img loading=\"lazy\" decoding=\"async\" style=\"border:none;transform:rotate(0rad);\" src=\"https:\/\/lh6.googleusercontent.com\/6JD7LyIC9OIOxheH8dykPGT3hRWtC32dXNWwexfPixA33DIaLHBx__5ZjLXe0ivmFIHq8wZM8fEuECkhr34XQ07dKthTMqIksNV1lKPdyS8aFTx6Vmql0t-EJIH7DwFPnvxh1SC7\" alt=\"elkdiscover.png\" width=\"570\" height=\"300\"><\/p>\n<\/div>\n<div dir=\"ltr\" style=\"line-height:1.8;margin-bottom:0;margin-left:-6.75pt;margin-top:0;text-align:justify;\">In the left sidebar you can see all the fields you can filter by, including the fields we set in our grok pattern. Now in the search bar you can search by a specific field and its value. 
For example, to search the logs for all sudo commands executed by the vagrant user, enter the following query in the search bar:<\/div>\n<div dir=\"ltr\" style=\"line-height:1.8;margin-bottom:0;margin-left:-6.75pt;margin-top:0;text-align:justify;\">username:vagrant AND exe_command:sudo*<\/div>\n<div dir=\"ltr\" style=\"line-height:1.8;margin-bottom:0;margin-left:-6.75pt;margin-top:0;text-align:justify;\">Then from the left sidebar add the fields you want to see, for example \u201cusername\u201d, \u201cexe_command\u201d and \u201ccwd\u201d, which will result in a table as shown below:<\/p>\n<\/div>\n<div dir=\"ltr\" style=\"line-height:1.8;margin-bottom:0;margin-left:-6.75pt;margin-top:0;text-align:justify;\"><img loading=\"lazy\" decoding=\"async\" style=\"border:none;transform:rotate(0rad);\" src=\"https:\/\/lh3.googleusercontent.com\/UDL90YQ1Qx8oDGrxXnGm5BvAED4mTY1I97ZuxkkrvUgFQVCwIgSdEq5pVkpwjM6bqHOTwcNf4AIGALPNheOqmpGU3FzSy7gp74GI2qCWnNmGXiQu1YHjucppfyhEflebkoQXMKYn\" alt=\"elktableselectedfields.png\" width=\"570\" height=\"288\"><\/p>\n<\/div>\n<div dir=\"ltr\" style=\"line-height:1.8;margin-bottom:0;margin-left:-6.75pt;margin-top:0;text-align:justify;\">Now save this search with a suitable name, using the icon just adjacent to the left bar. Then go to the \u201cDashboard\u201d menu and click on the \u201cplus\u201d icon to add a dashboard. 
A screen will appear as shown:<\/p>\n<\/div>\n<div dir=\"ltr\" style=\"line-height:1.8;margin-bottom:0;margin-left:-6.75pt;margin-top:0;text-align:justify;\"><img loading=\"lazy\" decoding=\"async\" style=\"border:none;transform:rotate(0rad);\" src=\"https:\/\/lh3.googleusercontent.com\/gBF8BvgdeHlltph2MV9hEuZcLrO4yJEKxkgYu5VGTRdo1fnpeFfcHxxUjeP1YXQtJxuuSLc2GoVkCnXiCAPx1a3_Gfe6X2dxJ4-dNodLCqeKhdpbnvWEpyROvf24gYxAt4BT9qbY\" alt=\"adddashboard.png\" width=\"570\" height=\"139\"><\/p>\n<\/div>\n<div dir=\"ltr\" style=\"line-height:1.8;margin-bottom:0;margin-left:-6.75pt;margin-top:0;text-align:justify;\">Click on the \u201cSearches\u201d tab, find your saved search and click on it. The resulting panel will be added to your dashboard as shown below:<\/p>\n<\/div>\n<div dir=\"ltr\" style=\"line-height:1.8;margin-bottom:0;margin-left:-6.75pt;margin-top:0;text-align:justify;\"><img loading=\"lazy\" decoding=\"async\" style=\"border:none;transform:rotate(0rad);\" src=\"https:\/\/lh6.googleusercontent.com\/J5xbP5UP4icw62wwyvfFqGcOLbVigBaTEQjus3hcfJrF4DBMxOtUv0Q4wmX0YzeSTF5MoY-OoZkP0xSgxC4VYgtnChd7QLCpqw52LEB8PM7rSB1mbnSvv2vBuXH4pmF9eBRdGJGH\" alt=\"dashboardadded.png\" width=\"570\" height=\"259\"><\/p>\n<\/div>\n<div dir=\"ltr\" style=\"line-height:1.8;margin-bottom:0;margin-left:-6.75pt;margin-top:0;text-align:justify;\">Here you can view tabular data for the sudo commands executed by the vagrant user. Similarly, you can add more searches by clicking on the \u201cplus\u201d icon and adding them to the same dashboard. Now save this dashboard with a suitable name by clicking on the \u201csave\u201d icon adjacent to the search bar. After that you can easily load this dashboard by clicking on the \u201cload\u201d icon adjacent to the search bar.<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Logging User Commands: Snoopy Logger About Snoopy Logger Snoopy logs all the commands that are run by any user to a log file. 
This is helpful for auditing and keeping an eye on user activities. Automated Installation For automated installation\/configuration of Snoopy, we have created a Puppet module and an Ansible role. Puppet Module: https:\/\/forge.puppetlabs.com\/opstree\/snoopy Ansible &hellip; <a href=\"https:\/\/opstree.com\/blog\/2016\/03\/09\/snoopy-elk-exhibit-sudo-commands-in-kibana-dashboard\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Snoopy + ELK : Exhibit sudo commands in Kibana Dashboard&#8221;<\/span><\/a><\/p>\n","protected":false},"author":171775670,"featured_media":29900,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_coblocks_attr":"","_coblocks_dimensions":"","_coblocks_responsive_height":"","_coblocks_accordion_ie_support":"","jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false},"version":2}},"categories":[28070474],"tags":[768739308,676319247,52970,768739296,28382,1097394],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"https:\/\/opstree.com\/blog\/wp-content\/uploads\/2025\/11\/DevSecOps-1.jpg","jetpack_likes_enabled":true,"jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/pfDBOm-5S","jetpack-related-posts":[],"_links":{"self":[{"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/posts\/364"}],"collection":[{"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/us
ers\/171775670"}],"replies":[{"embeddable":true,"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/comments?post=364"}],"version-history":[{"count":4,"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/posts\/364\/revisions"}],"predecessor-version":[{"id":1333,"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/posts\/364\/revisions\/1333"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/media\/29900"}],"wp:attachment":[{"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/media?parent=364"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/categories?post=364"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/tags?post=364"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}