https://github.com/a2o/snoopy

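# Build and install snoopy (a per-execve command logger) from a source tarball.
# Meant to be run as root on a yum-based host; stop at the first failing step
# instead of continuing with a half-built tree.
set -euo pipefail

SNOOPY_VERSION="2.4.6"
SNOOPY_TARBALL="snoopy-${SNOOPY_VERSION}.tar.gz"

yum install -y gcc socat

# NOTE(review): the tarball is fetched over plain HTTP with no integrity check,
# and 2.4.6 is an old release. Prefer the current release from the upstream
# project page linked at the top of this document (over HTTPS) and compare the
# checksum printed below against the one published there before building.
wget "http://source.a2o.si/download/snoopy/${SNOOPY_TARBALL}"
sha256sum "${SNOOPY_TARBALL}"   # compare with the upstream-published checksum before continuing

tar -zxf "${SNOOPY_TARBALL}"
cd "snoopy-${SNOOPY_VERSION}"

./configure
make
make install

# 'make enable' switches logging on system-wide (snoopy is loaded into every
# new process via a preloaded shared library - presumably /etc/ld.so.preload).
# A broken build at this point affects every dynamically linked program, so try
# it on a non-production host first and keep /usr/local/sbin/snoopy-disable
# within reach.
make enable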

--

vim /usr/local/etc/snoopy.ini   (note: the "#" inside message_format below is a literal field separator used by the grok pattern, not an INI comment - keep it inside the quotes)

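[snoopy]

; Field order must stay in sync with the SNOOPYLOG grok pattern further down:
;   datetime hostname pid eusername tty_username tty cwd filename # cmdline
; The "#" is a literal separator inside the quoted value, not a comment.
; %{filename} (the path of the executed program) replaces the former literal
; "%(unknown)", which could never satisfy the %{UNIXPATH:cmd_name} field the
; grok pattern expects in that position.
message_format = "%{datetime} %{hostname} %{pid} %{eusername} %{tty_username} %{tty} %{cwd} %{filename} # %{cmdline}"

; Drop the children of cron so periodic jobs do not flood the log.
filter_chain = "exclude_spawns_of:cron"

; NOTE(review): with a file output each logged process writes the file itself,
; so the file must be writable by every account being audited - and those same
; accounts can then read, edit or truncate it. The leading dot in the name
; hides nothing from an attacker. For tamper resistance prefer a syslog-style
; output forwarded off-host; confirm the supported output names against the
; snoopy documentation for this version.
output = file:/var/log/.snoopy.log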

--

/usr/local/sbin/snoopy-disable    # turn snoopy off

/usr/local/sbin/snoopy-enable     # turn snoopy on

Log out and log back in; commands run in the new session are then recorded.

Logstash grok pattern for /var/log/.snoopy.log. The field order mirrors message_format, and the slot before "#" (%{UNIXPATH:cmd_name}) expects a path, so message_format must emit one there (e.g. %{filename}) rather than a literal placeholder such as "%(unknown)". Note that UNIXPATH does not match paths containing spaces: a cwd or executable path with a space will make the whole line fail to parse - use NOTSPACE or a custom pattern if that can occur.

SNOOPYLOG %{TIMESTAMP_ISO8601:datetime} %{USERNAME:hostname} %{INT:pid} %{USER:eusername} %{USER:tty_username} %{NOTSPACE:tty} %{UNIXPATH:pwd} %{UNIXPATH:cmd_name} # %{GREEDYDATA:cmdline}
