snoopy: 记录命令操作日志
一,官方代码站:
https://github.com/a2o/snoopy/
二,用yum安装:
1,安装
[root@blog ~]# yum install snoopy
2, 查看安装的文件:
[root@blog ~]# rpm -ql snoopy
/etc/snoopy.ini
/usr/lib/.build-id
/usr/lib/.build-id/36
/usr/lib/.build-id/36/c561a6e91844cc25d07b2732353ff62165a742
/usr/lib/.build-id/88
/usr/lib/.build-id/88/3e301f01c5c316f4da50712d13bf13fdefe028
/usr/lib64/libsnoopy.so
/usr/lib64/libsnoopy.so.0
/usr/lib64/libsnoopy.so.0.0.0
/usr/sbin/snoopyctl
/usr/share/doc/snoopy
/usr/share/doc/snoopy/ChangeLog
/usr/share/doc/snoopy/FAQ.md
/usr/share/doc/snoopy/FILTER_exclude_spawns_of.md
/usr/share/doc/snoopy/README.md
/usr/share/licenses/snoopy
/usr/share/licenses/snoopy/COPYING
三,命令的用法
1,查看版本
[root@blog ~]# snoopyctl version
Snoopy CLI tool version: 2.5.1
Snoopy library version: 2.5.1 (path: /usr/lib64/libsnoopy.so)
2,查看帮助
[root@blog ~]# snoopyctl help
Snoopy CLI management tool usage:
snoopyctl ACTION [ARGS]
Available actions:
conf Show configuration
disable Remove libsnoopy.so from /etc/ld.so.preload
enable Add libsnoopy.so to /etc/ld.so.preload
status Detect whether Snoopy is already enabled and loaded
version Show Snoopy version
about Show general information
help Show this help
3,打印配置:
[root@blog ~]# snoopyctl conf
; Options from config file (or defaults): /etc/snoopy.ini
[snoopy]
error_logging = no
filter_chain =
message_format = [uid:%{uid} sid:%{sid} tty:%{tty} cwd:%{cwd} filename:%{filename}]: %{cmdline}
output = devlog
syslog_facility = AUTHPRIV
syslog_ident = snoopy
syslog_level = INFO
4,打印状态
[root@blog ~]# snoopyctl status
/etc/ld.so.preload: NOT OK - Snoopy is not enabled.
LD_PRELOAD environment var: NOT OK - Not set.
Current process (shared libs): NOT OK - Unable to find libsnoopy.so.
Current process (execve addr): NOT OK - execve() symbol not overloaded, Snoopy is not loaded.
5,使生效:
[root@blog ~]# snoopyctl enable
[DIAG] ld.so.preload path: '(null)'
[DIAG] Snoopy library path: '/usr/lib64/libsnoopy.so'
SUCCESS: Snoopy has been enabled.
再次查看状态(enable 是通过 /etc/ld.so.preload 加载 libsnoopy.so, 因此下面 LD_PRELOAD 环境变量一行仍显示 NOT OK 属于正常):
[root@blog ~]# snoopyctl status
/etc/ld.so.preload: OK - Snoopy is enabled.
LD_PRELOAD environment var: NOT OK - Not set.
Current process (shared libs): OK - libsnoopy.so is loaded in front of libc.so.6.
Current process (execve addr): OK - execve() symbol address changed, looks like Snoopy is loaded.
四,配置文件(编辑 /etc/snoopy.ini 后再次执行 snoopyctl conf 查看):
[root@blog ~]# snoopyctl conf
; Options from config file (or defaults): /etc/snoopy.ini
[snoopy]
error_logging = no
filter_chain = exclude_uid:1
message_format = [%{datetime:%Y-%m-%d %H:%M:%S} %{ipaddr} %{eusername} uid:%{uid} sid:%{sid} tty:%{tty} cwd:%{cwd} filename:%{filename}]: %{cmdline}
output = file:/var/log/snoopy.log
syslog_facility = AUTHPRIV
syslog_ident = snoopy
syslog_level = INFO
五,日志内容的例子
[2024-08-16 14:26:27 11.139.161.93 root uid:0 sid:732999 tty:/dev/pts/0 cwd:/root filename:/bin/vi]: vi /etc/snoopy.ini
[2024-08-16 14:26:27 11.139.161.93 root uid:0 sid:732999 tty:/dev/pts/0 cwd:/root filename:/usr/bin/vim]: /usr/bin/vim /etc/snoopy.ini