I have 18 servers which 50 users are accessing. For some days we have been facing issues such as somebody deleting a few files from a server. Is there any way that I can figure out who is logged in from which machine and what he is doing on the server, or is there any way by which I can know that somebody has logged in on the server and what exactly he is doing?
I have disabled the rm command on the server so that only root can use this command.
Can somebody help me, since the data is very critical?
I have never run a server, but what about your log files? They should be under /var/log and should tell who is logged in on which machines & at what times. If it is sabotage of some kind, whoever it was probably covered their tracks by changing log files, but if it was stupidity you should be able to trace it.
If it seems like it was from outside the network, I would have all logs copied (in real time, as they are created) by a script to another machine behind another firewall with no remote access. This way, if any changes are made to the logs, you will have the original and the changed version, and hopefully a record of who did it.
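The two checks suggested in the reply above, as an added example that is not part of the original thread: list who logged in to which server from which machine, and compare a server's own log against the copy kept on the separate log machine to find entries that were removed. It assumes SSH logins recorded by sshd in the traditional syslog format (usually in `/var/log/auth.log` or `/var/log/secure`, depending on the distribution); the host name, users, addresses and log lines are constructed sample data.

```python
import re
from collections import Counter

# sshd "Accepted ..." line in traditional syslog format (assumed; adjust per distro).
LOGIN_RE = re.compile(
    r"^(?P<when>\w{3}\s+\d+\s[\d:]{8})\s(?P<server>\S+)\ssshd\[\d+\]:\s"
    r"Accepted\s(?P<method>\S+)\sfor\s(?P<user>\S+)\sfrom\s(?P<src>\S+)\sport\s\d+"
)

def logins(lines):
    """Return (when, server, user, source address, auth method) per successful login."""
    found = []
    for line in lines:
        m = LOGIN_RE.match(line)
        if m:
            found.append((m["when"], m["server"], m["user"], m["src"], m["method"]))
    return found

def missing_from_local(offhost_lines, local_lines):
    """Lines present in the off-host copy but absent from the server's own log.

    Counts duplicates, so an identical line that was removed once is still reported.
    """
    remaining = Counter(line.rstrip("\n") for line in local_lines)
    missing = []
    for line in (l.rstrip("\n") for l in offhost_lines):
        if remaining[line] > 0:
            remaining[line] -= 1
        else:
            missing.append(line)
    return missing

# Constructed sample: the copy held on the separate log machine...
OFFHOST = [
    "Mar  3 09:12:44 srv07 sshd[2211]: Accepted password for alice from 192.0.2.15 port 50122 ssh2",
    "Mar  3 09:40:02 srv07 sshd[2290]: Accepted publickey for bob from 192.0.2.23 port 41810 ssh2",
    "Mar  3 09:40:02 srv07 sshd[2290]: pam_unix(sshd:session): session opened for user bob by (uid=0)",
    "Mar  3 10:05:31 srv07 sshd[2405]: Failed password for carol from 192.0.2.31 port 39001 ssh2",
]
# ...and the same log as found on the server, with bob's session edited out.
LOCAL = [OFFHOST[0], OFFHOST[3]]

if __name__ == "__main__":
    for entry in logins(OFFHOST):
        print("login:", *entry)
    removed = missing_from_local(OFFHOST, LOCAL)
    for line in removed:
        print("removed from server log:", line)
    for _, server, user, src, _ in logins(removed):
        print(f"hidden login: {user} on {server} from {src}")
```

Run it on the log machine, reading the real files into the two lists in place of the samples; a login that appears only in the off-host copy is the one to investigate first.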