Linux OS Logging (snoopy)
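;;; REQUIRED Section
[snoopy]
;;; Log Message Format
; Security-enriched format: covers identity, session, process tree, and command context
; message_format = "datetime=%{datetime} hostname=%{hostname} user=%{username} uid=%{uid} euser=%{eusername} euid=%{euid} login=%{login} tty=%{tty} tty_user=%{tty_username} sid=%{sid} pid=%{pid} ppid=%{ppid} cwd=%{cwd} filename=%{filename} cmdline=%{cmdline}"
; Compact format. %{cmdline} is argv as supplied by the executing process (argv[0] is
; not guaranteed to name the binary), so %{filename} - the executable path seen by the
; exec call - is included so a record cannot be misread because of a crafted argv.
; uid/pid/ppid are appended so records can be joined to auditd/wtmp data and to each other.
; New fields are appended at the end to keep existing downstream parsers working.
message_format = "user=%{username} %{datetime} cmdline=%{cmdline} loginuser=%{login} tty=%{tty} uid=%{uid} pid=%{pid} ppid=%{ppid} filename=%{filename}"
;;; Filter Chain
; Filters are separated by ';' and applied left to right.
; exclude_spawns_of:cron drops commands whose ancestor process is cron (scheduled-job noise).
; Do NOT add sshd or systemd here: sshd is the ancestor of every interactive SSH session
; and systemd is PID 1 / the user session manager, so excluding their spawns would
; silence the very sessions this log exists to record.
; exclude_uid:1-10 drops the low system accounts (daemon, bin, sys, ... on most distros).
; Root (uid 0) is intentionally NOT excluded - root activity is the highest-value record.
; Review the UID list against /etc/passwd whenever service accounts are added.
; To keep interactive sessions only, append ";only_tty" (this drops non-tty activity
; such as scripts and daemons - full coverage is usually preferable for an audit log).
filter_chain = "exclude_spawns_of:cron;exclude_uid:1,2,3,4,5,6,7,8,9,10"
;;; Output
; devlog hands each record to the local syslog daemon via /dev/log using the syslog_*
; settings below. The 'file:' output is not suitable for an audit log: snoopy runs inside
; every exec'd process (LD_PRELOAD), so the file would have to be appendable by every
; logged user - which lets them alter or truncate it - while a root-owned 0640 file
; silently drops every non-root command (and error_logging = no hides the failure).
; If the existing logrotate stanza for /var/log/snoopy.log should keep applying, route
; syslog ident 'snoopy' to that path in the syslog daemon's configuration.
output = devlog
; output = file:/var/log/snoopy.log
;;; Error Logging
; Disable in production - enable only for troubleshooting.
; While disabled, output failures (e.g. an unreachable or unwritable destination) are
; silent, so verify delivery end to end after any change to 'output'.
error_logging = no
;;; Syslog settings (used by the devlog output above)
; LOG_AUTHPRIV is conventionally routed to a restricted log file rather than the
; world-readable general log on most distributions.
syslog_facility = LOG_AUTHPRIV
syslog_ident = snoopy
syslog_level = LOG_INFO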
Additional Recommendations (outside this file)
- Add a logrotate entry for /var/log/snoopy.log with compress, dateext, and postrotate to avoid unbounded growth.
- If you’re forwarding to a SIEM, consider switching output to socket:/var/run/your-siem-socket.sock instead of file.
- Periodically audit the exclude_uid list against /etc/passwd as service accounts are added.
# /etc/logrotate.d/snoopy
#
# Logrotate configuration for Snoopy command-line logger
# Place this file at: /etc/logrotate.d/snoopy
#
# Rotation strategy:
# - Daily rotation with 90-day retention (adjust to meet your compliance requirements)
# - Compressed archives to minimize disk usage
# - Delayed compression to allow last-written log to remain readable
# - Missing log is not an error (handles first-run and output gaps gracefully)
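/var/log/snoopy.log {
    # Rotate daily; change to 'weekly' or 'monthly' if volume is low
    daily
    # Keep 90 rotations (days at 'daily'); align with your audit retention policy (e.g. 365 for ISO 27001)
    rotate 90
    # Compress rotated logs using gzip
    compress
    # Delay compression by one cycle so the most recent rotated log stays readable without gunzip
    delaycompress
    # Do not error if the log file is missing (e.g. snoopy not yet started)
    missingok
    # Do not rotate an empty log file
    notifempty
    # Date-based suffix instead of a numeric one (e.g. snoopy.log-20260217)
    dateext
    dateformat -%Y%m%d
    # Create the new log file with strict permissions after rotation.
    # Owner: root, Group: adm (use the syslog daemon's or SIEM agent's group if needed).
    # NOTE: these permissions assume a root-level daemon writes the file (e.g. a syslog
    # daemon receiving snoopy's devlog/syslog output). With snoopy's 'file:' output the
    # record is appended from inside each exec'd process as that user, so a 0640 root:adm
    # file silently drops every non-root command. Do not widen the mode to "fix" that -
    # it would let every logged user alter the log - route through syslog instead.
    create 0640 root adm
    # Run postrotate once per rotated log (logrotate's default; only matters if this
    # stanza is ever widened to a glob)
    nosharedscripts
    postrotate
        # Tell whichever daemon writes this file to reopen it. Uncomment the one in use:
        # rsyslog:
        # /usr/bin/systemctl reload rsyslog > /dev/null 2>&1 || true
        # Filebeat (or another SIEM agent tailing the file):
        # /usr/bin/systemctl reload filebeat > /dev/null 2>&1 || true
        # With snoopy's 'file:' output nothing holds the file open between execs, so there
        # is no daemon to signal; the new file comes from the 'create' directive above.
        /bin/true
    endscript
    # Optional: rotate early if the log exceeds 500MB before the daily rotation.
    # Use maxsize, not size: 'size' replaces the time-based schedule entirely, whereas
    # 'maxsize' rotates when either the interval elapses or the threshold is crossed.
    # Uncomment and adjust the threshold to suit your environment.
    # maxsize 500M
}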
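# Both commands need root (logrotate reads and rotates files under /var/log).
# Dry run: prints what logrotate would do with this stanza without rotating anything
logrotate -d /etc/logrotate.d/snoopy
# Force a rotation now to verify the stanza end to end (this creates a real rotated file)
logrotate -f /etc/logrotate.d/snoopy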