Hi All!
As you know, some users can damage the system, intentionally or not, especially when they have shell access. I am pursuing an approach to forward all user history or commands typed by users on Linux servers to New Relic Logging. For example, if a user removed a folder “rm -rf /db/dbscripts”, it would be very useful to quickly identify on the NR Log Portal who performed the command, with username and date information.
In the meantime, I will try installing the psacct package, which contains several utilities for monitoring process activities, including ac, lastcomm, accton and sa, and check if it’s possible to forward the data to NR.
Appreciate any help. Mauricio
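
One way to prepare the psacct data mentioned above for a log forwarder, as an added example that is not part of the original post: it turns `lastcomm` output into JSON lines carrying username, command and start time. The sample lines, the field names and `example-host` are constructed assumptions, the column layout assumed is that of GNU acct's `lastcomm`, and process accounting records the command name only, not its arguments.

```python
import json

# Constructed sample of `lastcomm` output (not taken from the original post).
# Assumed columns: command, optional flags (S/F/C/D/X), user, tty,
# CPU time, the literal word "secs", start time.
SAMPLE = """\
rm                     alice    pts/0      0.00 secs Mon Mar  4 10:15
bash               F   alice    pts/0      0.00 secs Mon Mar  4 10:14
cron              SF   root     __         0.01 secs Mon Mar  4 10:10
garbage line without the marker
"""

def parse_lastcomm_line(line):
    """Return a dict for one lastcomm line, or None if it does not parse."""
    tokens = line.split()
    if "secs" not in tokens:
        return None
    # Anchor on the last "secs" token; the flags column is optional, so
    # user, tty and CPU time are located by counting back from it.
    i = len(tokens) - 1 - tokens[::-1].index("secs")
    if i < 4:
        return None
    try:
        cpu = float(tokens[i - 1])
    except ValueError:
        return None
    return {
        "command": tokens[0],            # name only; arguments are not recorded
        "flags": "".join(tokens[1:i - 3]),
        "user": tokens[i - 3],
        "tty": tokens[i - 2],            # "__" means no controlling terminal
        "cpu_secs": cpu,
        "started": " ".join(tokens[i + 1:]),
    }

def to_json_lines(text, hostname="example-host"):
    """Convert lastcomm output to JSON lines that a log forwarder can tail."""
    out = []
    for line in text.splitlines():
        rec = parse_lastcomm_line(line)
        if rec is None:
            continue                     # skip lines that are not accounting records
        rec["hostname"] = hostname       # hypothetical attribute name
        rec["message"] = f"{rec['user']} ran {rec['command']} on {rec['tty']}"
        out.append(json.dumps(rec, sort_keys=True))
    return out

if __name__ == "__main__":
    print("\n".join(to_json_lines(SAMPLE)))
```

Because the arguments are missing, a record like the first one shows that `rm` was run and by whom, but not which path it was run against.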