How to use properly to monitor user activity


Don Wolfe

Jan 18, 2023, 2:43:48 PM1/18/23
to sysdig
Hi Group,
I am trying to use Sysdig to monitor user activity on an ongoing basis on one of my RHEL7 VMs (no containers).  I tried two approaches, have issues with both, but don't know if either is reasonable, or if there is something else to try.
The app team wants to know "who logged on to the system when and what they did".  More or less this seems like what the spy_users chisel is for, and when I run it, it gathers info just fine, but I want to run it all the time and send periodic "reports" with details.  I tried:
1) Running sysdig -M 86400 -c spy_users every 24 hours at midnight from crontab and redirecting the output to a temporary file, then mailing the file to the user.  The issue there is that the temp file does not have a whole day's output.  The processes seem to be running all day, but there is no output after 11:38 AM one day, and 13:38 the next.
2) I tried running sysdig -M seconds and using -o somefile, and at the end of the run using sysdig -r somefile -c spy_users and redirecting the output to email, which seems to work, but the temp file is HUGE, so with the space I have I could only keep an hour or so of data.
I would very much appreciate it if someone could give me some direction/advice.
Thank you very much for your consideration!
Best regards,
Don

Don Wolfe

Jan 19, 2023, 9:47:01 AM1/19/23
to sysdig
Am using a script run from cron every midnight, which does this:

# run one spy_users session for a whole day (86400 s), drop the last line,
# and collect the output in a temp file
sysdig -M 86400 -c spy_users \
        | head -n -1 \
        > "$temp"

# mail the file as an attachment, with its size in the body
echo "See attached $(wc -c < "$temp") byte file: $temp" \
        | mailx -a "$temp" -s "$subject" "$email"

The "head -n -1" was an attempt to remove the control characters at the end, and I suspect it may be contributing to or causing the problem.

The main question here isn't about the specifics, though, but about the approach.  How best to tackle the challenge of tracking all user activity?

Thank you again for your consideration.

Don
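One way to restructure the approach Don describes in both messages, as an added example that is not code from this thread or from the sysdig project: keep a ring of small, filtered capture files on disk and build the daily report by replaying those files through spy_users, instead of depending on one 24-hour live process whose piped output is mailed at the end. The capture is restricted to execve events, which is what spy_users reconstructs commands from; that filter, not a shorter run, is what keeps the files small. The capture directory, the hourly rotation, the retention window and the script name in the cron comment are assumptions; so is the expectation that `-G` makes sysdig expand strftime(3) patterns in the `-w` filename (tcpdump-style rotation; confirm with `sysdig --help` on your version). sysdig still has to run as root with its kernel driver loaded, so anyone with root on the VM can stop it or delete the captures; if the report is meant as an audit trail rather than a convenience, copy the rotated files off the host as well.

```shell
#!/bin/sh
# Added example, not code from this thread or from the sysdig project.
# Keeps a ring of small, filtered capture files on disk and builds the daily
# report from those files instead of from one 24-hour live sysdig process.
# Assumptions (not from the thread): CAPTURE_DIR, the rotation period, the
# retention window, the execve-only filter, and strftime expansion of the -w
# filename when -G is given.
set -eu

CAPTURE_DIR=${CAPTURE_DIR:-/var/lib/sysdig/captures}   # assumed path
ROTATE_SECONDS=${ROTATE_SECONDS:-3600}                 # new file every hour
KEEP_MINUTES=${KEEP_MINUTES:-1500}                     # 25h of files on disk
# spy_users reconstructs "who ran what" from execve events, so reads, writes
# and network I/O are dead weight for this report. Writing only execve events
# is what turns gigabytes per hour into megabytes per day.
CAPTURE_FILTER=${CAPTURE_FILTER:-evt.type=execve}

# Command line for the long-running capture (cron @reboot or a systemd unit).
# Printed as text so it can be reviewed without root; run_capture executes it.
capture_cmdline() {
    printf "sysdig -z -G %s -w %s/users-%%Y%%m%%d-%%H%%M%%S.scap '%s'\n" \
        "$ROTATE_SECONDS" "$CAPTURE_DIR" "$CAPTURE_FILTER"
}

run_capture() {
    mkdir -p "$CAPTURE_DIR"
    exec sysdig -z -G "$ROTATE_SECONDS" \
        -w "$CAPTURE_DIR/users-%Y%m%d-%H%M%S.scap" "$CAPTURE_FILTER"
}

# Chisels colour their output for a terminal; mail clients show that as junk.
# Remove ANSI escape sequences and carriage returns instead of guessing how
# many trailing lines to cut with head.
strip_control() {
    esc=$(printf '\033')
    sed "s/${esc}\[[0-9;]*[A-Za-z]//g" | tr -d '\r'
}

# Replay every capture in the directory through spy_users. Glob order is
# alphabetical, which for the timestamped names above is chronological. The
# file still being written is included too; at worst its last events are
# missing from today's mail and appear in tomorrow's.
build_report() {
    dir=$1
    for f in "$dir"/users-*.scap*; do
        [ -e "$f" ] || continue
        printf '### %s\n' "$f"
        sysdig -r "$f" -c spy_users
    done | strip_control
}

# Drop captures older than the retention window once they have been reported.
prune_old() {
    find "$1" -name 'users-*.scap*' -mmin "+$KEEP_MINUTES" -delete
}

# Daily cron entry, e.g.:  5 0 * * * /usr/local/sbin/useractivity.sh report ops@example.com
send_report() {
    email=$1
    subject="user activity report $(hostname) $(date +%F)"
    tmp=$(mktemp)
    build_report "$CAPTURE_DIR" > "$tmp"
    echo "See attached $(wc -c < "$tmp") byte report" \
        | mailx -a "$tmp" -s "$subject" "$email"
    rm -f "$tmp"
    prune_old "$CAPTURE_DIR"
}

case "${1:-}" in
    capture) run_capture ;;
    report)  send_report "${2:?recipient address required}" ;;
    show)    capture_cmdline ;;
esac
```

Run `useractivity.sh capture` once at boot and `useractivity.sh report <address>` from cron; `useractivity.sh show` prints the capture command line for review. A rotation window is the most you lose if the capture process dies, and the report step can be re-run against the same files if the mail fails, which the single live pipeline cannot do.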