The sys admin's daily grind: Snoopy
Guide Dog

Sometimes sys admin Charly needs to know when exactly he did something ingenious on one of his servers. Finding an infallible memory aid is difficult, you might think. "Peanuts!" says Charly.
At work, I'm sometimes plagued by annoying gaps in my memory: What exactly was the name of that neat tool that I used to flash the LEDs on a specific network adapter to help me find the NIC in the rack? Or: How exactly did I delete all files that were more than a week old in a directory? The answer to all of these questions is in the Bash history, but Murphy's Law dictates that the history is always a little bit too short. And, in my case, there's another degree of uncertainty: Which server did I do this on?
Snoopy potentially offers a solution. The small library with the dog's name, wraps around execve()
and always wakes up when the computer runs a command. Many distributions have Snoopy in the pen, but if not, GitHub [1] will help you out. To enable Snoopy at boot time, you need an entry in /etc/ld.so.preload
. I added the following line: /<path>/snoopy.so
. The path is typically lib
. If you are building Snoopy yourself, the library is likely to be found in /usr/local/lib/
or something similar.
Building Snoopy yourself does offer some benefits. For example, you can edit the snoopy.h
header file in the source up front. If you enter
#define ROOT_ONLY 1
Snoopy only logs commands that run with root privileges, but if you install the tool from the distribution repositories, this option is not set, and it logs any old command no matter who ran it.
Unless configured to do otherwise, Snoopy writes to /var/log/auth.log
. Figure 1 shows the log for some simple commands. The structure always stays the same; each entry starts with the user ID, followed by the session ID and the TTY you use. This is then followed by the working directory, which is important because Snoopy does not log commands like cd /etc
. Navigating the system is not the same for this dog as executing a file.
This information is followed by the full path to the executed file and, finally, the expanded command (e.g., aliases can cause an expansion). Many distributions run ls --color=auto
, so, in this case, if you only type ls
, Snoopy reveals all.
Collection Point
Now you just need to consolidate the logs centrally. I configured one server to accept the log messages from other machines. If the server runs rsyslog, you can just pass in the -r
parameter at boot time to switch rsyslog to receive mode. Next, you can tell your other servers also to send entries in /var/log/auth.log
to the newly configured syslog server. To do this, you just need to add one line to the syslog configuration:
auth,authpriv.* @<192.168.2.80>
The auth log tends not to grow drastically, which means you can rotate on a weekly or even monthly basis. Snoopy fills a substantial log of my heroic deeds of administration day after day – including typos and similar peanuts.
Charly Kühnast
Charly Kühnast is a Unix operating system administrator at the Data Center in Moers, Germany. His tasks include firewall and DMZ security and availability. He divides his leisure time into hot, wet, and eastern sectors, where he enjoys cooking, freshwater aquariums, and learning Japanese, respectively.
Infos
- Snoopy: https://github.com/a2o/snoopy
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Find SysAdmin Jobs
News
-
KDE Plasma 5.27 Beta is Ready for Testing
The latest beta iteration of the KDE Plasma desktop is now available and includes some important additions and fixes.
-
Netrunner OS 23 Is Now Available
The latest version of this Linux distribution is now based on Debian Bullseye and is ready for installation and finally hits the KDE 5.20 branch of the desktop.
-
New Linux Distribution Built for Gamers
With a Gnome desktop that offers different layouts and a custom kernel, PikaOS is a great option for gamers of all types.
-
System76 Beefs Up Popular Pangolin Laptop
The darling of open-source-powered laptops and desktops will soon drop a new AMD Ryzen 7-powered version of their popular Pangolin laptop.
-
Nobara Project Is a Modified Version of Fedora with User-Friendly Fixes
If you're looking for a version of Fedora that includes third-party and proprietary packages, look no further than the Nobara Project.
-
Gnome 44 Now Has a Release Date
Gnome 44 will be officially released on March 22, 2023.
-
Nitrux 2.6 Available with Kernel 6.1 and a Major Change
The developers of Nitrux have officially released version 2.6 of their Linux distribution with plenty of new features to excite users.
-
Vanilla OS Initial Release Is Now Available
A stock GNOME experience with on-demand immutability finally sees its first production release.
-
Critical Linux Vulnerability Found to Impact SMB Servers
A Linux vulnerability with a CVSS score of 10 has been found to affect SMB servers and can lead to remote code execution.
-
Linux Mint 21.1 Now Available with Plenty of Look and Feel Changes
Vera has arrived and although it is still using kernel 5.15, there are plenty of improvements sure to please everyone.