Snoopy logger

Snoopy logger is a powerful utility that makes an administrator's work easier by keeping a log of the commands executed via the shell. It logs every user's shell command executions to “/var/log/secure”. We can later check the log and identify the user, and the command they executed, from the uid.

Snoopy Installation

These are default output locations on various Linux distributions:

CentOS: /var/log/secure
Debian: /var/log/auth.log
Ubuntu: /var/log/auth.log
others: /var/log/messages (potentially, not necessarily)


Most parts of Snoopy are, can be, or should be configured at build time.

However, since version 2.0.0 Snoopy supports an optional configuration file. Snoopy’s automated installation procedure enables configuration file support by default. The configuration file path is /etc/snoopy.ini.

For additional information please consult comments in etc/snoopy.ini and doc/

Snoopy logs:

Mar 9 15:01:29 server1 snoopy[6290]: [uid:502 sid:6497 tty:(none) cwd:p
Mar 9 15:01:30 server1 snoopy[6292]: [uid:502 sid:6497 tty:(none) cwd:
Mar 9 15:01:30 server1 snoopy[6294]: [uid:502 sid:6497 tty:(none) cwd:
Mar 9 15:01:30 server1 snoopy[6296]: [uid:502 sid:6497 tty:(none) cwd:
Mar 9 15:01:30 server1 snoopy[6298]: [uid:502 sid:6497 tty:(none) cwd:

You can find the user for a given uid with the following command or from the /etc/passwd file.

root@serverxxx [~]# getent passwd 99
root@serverxxx [~]# getent passwd 1002
root@serverxxx [~]# getent passwd 1006
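
The uid lookup above can be scripted when a log holds many entries. The following is an added example, not part of the original post: it counts Snoopy entries per uid and resolves each uid with getent. The sample log lines are constructed (cut off after cwd: like the lines shown above), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: per-user summary of Snoopy log entries.
# Relies only on the "snoopy[pid]: [uid:N ..." prefix shown in the log excerpt.

# Constructed sample input; on a real host read /var/log/secure or
# /var/log/auth.log instead.
sample_log() {
cat <<'EOF'
Mar 9 15:01:28 server1 sshd[6201]: Accepted publickey for deploy from 192.0.2.10 port 50522 ssh2
Mar 9 15:01:29 server1 snoopy[6290]: [uid:502 sid:6497 tty:(none) cwd:
Mar 9 15:01:30 server1 snoopy[6292]: [uid:502 sid:6497 tty:(none) cwd:
Mar 9 15:01:30 server1 snoopy[6294]: [uid:1002 sid:6501 tty:(none) cwd:
Mar 9 15:01:31 server1 snoopy[6296]: [uid:502 sid:6497 tty:(none) cwd:
EOF
}

# Read log lines on stdin, print "uid count" for every uid Snoopy logged.
# Lines from other programs (sshd, sudo, ...) are ignored.
snoopy_uid_counts() {
    grep -F 'snoopy[' \
        | sed -n 's/.*\[uid:\([0-9][0-9]*\) .*/\1/p' \
        | sort -n | uniq -c | awk '{print $2, $1}'
}

# Resolve a uid to a login name with getent. A uid with no passwd entry
# (for example a deleted account) is reported instead of silently dropped.
uid_to_name() {
    entry=$(getent passwd "$1" 2>/dev/null) || entry=""
    if [ -n "$entry" ]; then
        printf '%s\n' "${entry%%:*}"
    else
        printf 'unknown(uid=%s)\n' "$1"
    fi
}

# Read log lines on stdin, print "uid name count" per user.
snoopy_report() {
    snoopy_uid_counts | while read -r uid count; do
        printf '%s %s %s\n' "$uid" "$(uid_to_name "$uid")" "$count"
    done
}

# Demo on the constructed sample; real use: snoopy_report < /var/log/secure
sample_log | snoopy_report
```

A uid that shows up as unknown means commands were logged for an account that no longer has a passwd entry on this host.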


