Logging user commands and activities

Hi All!
As you know, some users can damage the system, intentionally or not, especially when they have shell access. I am pursuing an approach to forward all user history or commands typed by users on Linux servers to New Relic Logging. For example, if a user removed a folder with “rm -rf /db/dbscripts”, it would be very useful to quickly identify on the NR Log Portal who performed the command, with username and date information.

In the meantime I will try to install the psacct package, which contains several utilities for monitoring process activities, including ac, lastcomm, accton and sa, and check if it’s possible to forward the data to NR.
Appreciate any help. Mauricio

Hi @borgesm, great question.

First off, while you may not be able to track detailed usage for each user working in New Relic, one thing you can do is check the login history for each of your users. Under the Users and Roles page of your account, you can actually see the most recent login date for each user. This can help you to tell who’s logging in on at least a daily basis.

You can review more about the functionality of our Audit logging on our shared documentation below: https://docs.newrelic.com/docs/insights/use-insights-ui/manage-account-data/query-account-audit-logs-nrauditevent

I would be very interested to hear how the psacct package works out for you.

Thanks @nmcnamara!
I have installed the psacct package and tested the commands lastcomm, sa and last. However, it does not give me what I am really expecting: lastcomm just reports the command used, not the entire command typed by the user. I believe we would need some automation to send all .bash_history from users to a human-readable log format, and then forward it to NR Logging.
The main idea would be to track or audit users’ activities that can impact the OS or any middleware application, such as an rm -rf of an entire path or a change to some file or directory permission, etc.
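
The automation described in the post above, sketched as an added example that is not part of the original thread: it turns a .bash_history file into JSON lines carrying username, UTC time and the full command, ready for a file-tailing log forwarder. It assumes HISTTIMEFORMAT is set so that bash writes a `#<epoch>` marker before each entry; the function names, the sample history and the user `alice` are constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed sample of a ~/.bash_history written with HISTTIMEFORMAT set:
# bash then stores a "#<epoch seconds>" marker line before each entry.
SAMPLE_HISTORY = """\
ls -la
#1700000000
rm -rf /db/dbscripts
#1700000060
for f in /var/log/app/*.log; do
  chmod 600 "$f"
done
"""


def parse_history(text, username):
    """Return one record per history entry: user, UTC time, full command."""
    records, stamp, buf = [], None, []

    def flush():
        if buf:
            when = (datetime.fromtimestamp(stamp, timezone.utc).isoformat()
                    if stamp is not None else None)
            records.append({"user": username, "time": when,
                            "message": "\n".join(buf)})
            buf.clear()

    for line in text.splitlines():
        if line.startswith("#") and line[1:].isdigit():
            flush()                      # a marker closes the previous entry
            stamp = int(line[1:])
        elif stamp is None:
            if line.strip():             # untimestamped part: one line, one entry
                buf.append(line)
                flush()
        else:
            buf.append(line)             # lines after a marker form one entry
    flush()
    return records


def to_json_lines(records):
    """Serialize records as JSON lines for a file-tailing log forwarder."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in records)


if __name__ == "__main__":
    # "alice" is a hypothetical account name used only for this sample.
    print(to_json_lines(parse_history(SAMPLE_HISTORY, "alice")))
```

Users can edit or clear their own history file, so treat this output as a convenience record rather than a tamper-resistant audit trail.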

So it seems the psacct package was not what you hoped it would be. Unfortunately, I do not know of any way to pull that precise level of user action data you’re looking for, but hopefully someone else on our community has come across this issue before and can share how they approached it.
