  1. #1
    Just Joined!
    Join Date
    Dec 2006
    Posts
    3

    Logging Users Movements


    Is there any way to monitor user movements or log them? For example:

    I got an ssh server and I want to know when some user connects, what he does, if he downloads files or deletes them... etc.

    Is there any way, program or something like that to do so?

    Thanks

  2. #2
    Linux Guru smolloy's Avatar
    Join Date
    Apr 2005
    Location
    CA, but from N.Ireland
    Posts
    2,414
    Have you tried increasing the level of sshd logging in sshd.conf?
    Registered Linux user #388328 || Registered LFS user #15880
    AMD 64 X2 4600+ :: 2X1GB DDR2 800 :: GeForce 9400 GT 512MB :: ASUS M2N32 Deluxe :: 4X250GB SATAII
    Need instant help? Try us on IRC -- #linuxforums on freenode

  3. #3
    Linux Newbie burntfuse's Avatar
    Join Date
    Nov 2006
    Location
    Laurel, MD
    Posts
    158
    If they don't delete or modify it, you can look at the .bash_history file in their home directory.
    I have sold my soul to the penguin

  4. #4
    Linux Guru anomie's Avatar
    Join Date
    Mar 2005
    Location
    Texas
    Posts
    1,692
    I got an ssh server and I want to know when some user connects
    Try
    Code:
    # grep 'sshd' /var/log/secure
    You might want to pipe the output to the less pager.

    =============

    what does he do
    That's not the easiest thing to track. As was mentioned, the ~/.bash_history file is available, but it's trivial for a user to clear that. You might want to look into Process Accounting.

    Here's an intro to it: http://www.linuxjournal.com/article/6144

    It's not exactly for the faint of heart.

    =============

    if he downloads files or deletes them
    You can determine that easily using a home-made (or prebuilt) file integrity checker. For GNU/Linux I highly recommend aide (I hear it's very similar to tripwire).

  5. #5
    Just Joined!
    Join Date
    Dec 2006
    Posts
    3
    For some strange reason /var/log/secure doesn't exist =|

  6. #6
    Linux Guru anomie's Avatar
    Join Date
    Mar 2005
    Location
    Texas
    Posts
    1,692
    It's ok. I just made a wrong assumption. (Not all GNU/Linuxes are the same.) What distro are you using?

    Also, it would help if you posted the results of ls /var/log. I should be able to give you a different answer based on that.

  7. #7
    Just Joined!
    Join Date
    Dec 2006
    Posts
    3
    I got Ubuntu Edgy

    root@rophierr:/etc/init.d# ls /var/log
    acpid btmp.1 debug.3.gz evms-engine.4.log kdm.log.3.gz mail.err scrollkeeper.log user.log.0
    acpid.1.gz cups debug.4.gz evms-engine.5.log kdm.log.4.gz mail.info scrollkeeper.log.1 user.log.1.gz
    acpid.2.gz daemon.log debug.5.gz evms-engine.6.log kdm.log.5.gz mail.log scrollkeeper.log.2 user.log.2.gz
    acpid.3.gz daemon.log.0 dmesg evms-engine.7.log kdm.log.6.gz mail.warn sshblacklisting user.log.3.gz
    aptitude daemon.log.1.gz dmesg.0 evms-engine.8.log kdm.log.7.gz messages syslog uucp.log
    aptitude.1.gz daemon.log.2.gz dmesg.1.gz evms-engine.9.log kern.log messages.0 syslog.0 wtmp
    auth.log daemon.log.3.gz dmesg.2.gz evms-engine.log kern.log.0 messages.1.gz syslog.1.gz wtmp.1
    auth.log.0 daemon.log.4.gz dmesg.3.gz faillog kern.log.1.gz messages.2.gz syslog.2.gz wvdialconf.log
    auth.log.1.gz daemon.log.5.gz dmesg.4.gz fontconfig.log kern.log.2.gz messages.3.gz syslog.3.gz Xorg.0.log
    auth.log.2.gz daemon.log.6.gz dpkg.log fsck kern.log.3.gz messages.4.gz syslog.4.gz Xorg.0.log.old
    auth.log.3.gz debug dpkg.log.1 installer kern.log.4.gz messages.5.gz syslog.5.gz Xorg.1.log
    boot debug.0 evms-engine.1.log kdm.log kern.log.5.gz news syslog.6.gz
    bootstrap.log debug.1.gz evms-engine.2.log kdm.log.1 lastlog pycentral.log udev
    btmp debug.2.gz evms-engine.3.log kdm.log.2.gz lpr.log samba user.log

    Thanks

  8. #8
    Linux Guru anomie's Avatar
    Join Date
    Mar 2005
    Location
    Texas
    Posts
    1,692
    I'd imagine you can get similar information from the /var/log/auth.log file.

    Unfortunately I'm not well versed in the debian-based distros.
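
The grep for sshd entries suggested in this thread (against /var/log/auth.log on Debian-based systems), taken a step further as an added example that is not part of any post: it pairs each accepted login with its "session closed" line and counts failed password attempts per source address. The function names, the sample lines and the pairing by sshd PID are assumptions of this example; it expects the traditional syslog line layout.

```shell
#!/bin/sh
# Added example (not from the thread): summarise sshd activity in auth.log.
# Assumes the traditional syslog layout: "Mon DD HH:MM:SS host sshd[PID]: msg".

# Constructed sample lines, used when no log file is given.
SAMPLE_LOG='Dec 12 10:15:01 host1 sshd[4321]: Accepted password for alice from 192.0.2.10 port 51234 ssh2
Dec 12 10:15:01 host1 sshd[4321]: (pam_unix) session opened for user alice by (uid=0)
Dec 12 10:20:11 host1 sshd[4400]: Failed password for invalid user admin from 203.0.113.5 port 40022 ssh2
Dec 12 10:20:15 host1 sshd[4400]: Failed password for root from 203.0.113.5 port 40022 ssh2
Dec 12 10:31:40 host1 sshd[4410]: Accepted publickey for bob from 198.51.100.7 port 39001 ssh2
Dec 12 10:47:09 host1 sshd[4321]: (pam_unix) session closed for user alice
Dec 12 10:50:00 host1 su[4500]: (pam_unix) session closed for user root'

# Print one line per successful login: user|source|method|login|logout
# A login and its "session closed" line are paired by the sshd PID.
ssh_sessions() {
    awk '
    $5 !~ /^sshd\[[0-9]+\]:$/ { next }          # ignore su, cron, etc.
    { pid = $5; gsub(/[^0-9]/, "", pid); ts = $1 " " $2 " " $3 }
    $6 == "Accepted" && $8 == "for" && $10 == "from" {
        n++; cur[pid] = n                        # PIDs get reused, so key sessions by n
        user[n] = $9; ip[n] = $11; how[n] = $7; start[n] = ts; stop[n] = "open"
        next
    }
    /session closed for user/ && (pid in cur) { stop[cur[pid]] = ts; delete cur[pid] }
    END { for (i = 1; i <= n; i++) { printf "%s|%s|%s|%s|%s\n", user[i], ip[i], how[i], start[i], stop[i] } }
    ' "$1"
}

# Count failed password attempts per source address, busiest first.
# The user name in these lines is supplied by the client, so the address
# is taken by position from the end of the line, not after the first "from".
ssh_failures() {
    awk '
    $5 ~ /^sshd\[/ && $6 == "Failed" && $7 == "password" && $NF == "ssh2" { c[$(NF-3)]++ }
    END { for (a in c) print c[a], a }
    ' "$1" | sort -rn
}

# Usage: sh ssh_audit.sh /var/log/auth.log   (no argument: run on the sample)
log=${1:-}
if [ -z "$log" ]; then
    log=$(mktemp); printf '%s\n' "$SAMPLE_LOG" > "$log"; trap 'rm -f "$log"' EXIT
fi
ssh_sessions "$log"
ssh_failures "$log"
```

A session shown as "open" has no matching close line in the file examined; rotated files such as auth.log.0 may hold the other half.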
