Log all users activity on server
-
I want to enable logging all users activity on servers and rotate the logs on a weekly/monthly basis. Found below link which explains this, or is there a better way to do this, may be via ELK?
http://www.cyberciti.biz/tips/howto-log-user-activity-using-process-accounting.html
@scottalanmiller While searching for posts related to logging & logs found an old post where you mentioned you using loggly at that time, moved to ELK i believe or is loggly still being used on some way?
-
ELK is local (potentially) and free - Loggly I think was a paid service, right?
-
@Dashrender said:
ELK is local (potentially) and free - Loggly I think was a paid service, right?
Logg.ly is paid but has a free tier, good for roughly three servers (on average.)
-
Yes, we use ELK and my ELK How To has been in the works all day today. Hoping to have it tonight but boy is it a lot of work to prep.
-
@scottalanmiller said:
@Dashrender said:
ELK is local (potentially) and free - Loggly I think was a paid service, right?
Logg.ly is paid but has a free tier, good for roughly three servers (on average.)
three windows server with file access logging turned on?
I recall there was a data input limit, wasn't there? With windows it was pretty easy to drive over the limit with just one server depending on what logging you enable.
-
@Dashrender said:
@scottalanmiller said:
@Dashrender said:
ELK is local (potentially) and free - Loggly I think was a paid service, right?
Logg.ly is paid but has a free tier, good for roughly three servers (on average.)
three windows server with file access logging turned on?
I recall there was a data input limit, wasn't there? With windows it was pretty easy to drive over the limit with just one server depending on what logging you enable.
Yeah, three AVERAGE VMs. If you do anything crazy like file access logging or Asterisk logs, you are going to blow through that limit in minutes.
-
OK I just looked at the OPs link about auditing - that article talks about auditing changes made on a Linux box.
I think something similar can be done in windows, but it's a lot harder.
-
So wanted to know if this is the best way to log all activities or can this be pushed to ELK to have a better view or an alternate solution/method?
-
@Ambarishrh said:
So wanted to know if this is the best way to log all activities or can this be pushed to ELK to have a better view or an alternate solution/method?
ELK is almost certainly best. The range of functionality is just too good to pass up.
-
@Ambarishrh
For Linux, logging will give you what you want - and you can push the information to a ELK box or use Logg.ly or others.But again, there is no way to do this in windows, at least not like a command line logging in Linux.
In the link, you're recording all of the commands they are typing at the command line, but users don't do this in Windows, they live inside apps.What is your end goal?
-
Yeah, GUIs can't be logged so cleanly. Do you want Windows desktop logging? You pretty much need a screen recorder to get the level that Linux tends to get.
-
@Dashrender My end goal is to log all activity on our Linux Servers, no Windows
-
@Ambarishrh said:
@Dashrender My end goal is to log all activity on our Linux Servers, no Windows
Oh okay, ELK and process accounting is pretty good. There is no simple way of getting everything at a user level. Do you have Linux GUIs or text only?
-
I know places that have required this and the complexity gets crazy.
-
We don't have Linux GUI, it has cPanel but we manage servers using command majority of the time. Bringing in Ansible to automate the whole setup process and this way I am even getting the GUI configuration using cPanel commands and scripts.
So ELK + the logging using the link on my first post does the trick!
I am also checking https://www.graylog.org/ as this seems to be pretty famous and looks like a good alternative to ELK if anyone else looking at it.
-
What people tend to do for what you want is something like a forced screen session to log commands as typed or to use a jump box that captures all activity.
-
@Ambarishrh said:
I am also checking https://www.graylog.org/ as this seems to be pretty famous and looks like a good alternative to ELK if anyone else looking at it.
Graylog is built on the same foundation as ELK. They are both log ingesting and interfaces applied on top of Elasticsearch.
-
@scottalanmiller said:
@Ambarishrh said:
I am also checking https://www.graylog.org/ as this seems to be pretty famous and looks like a good alternative to ELK if anyone else looking at it.
Graylog is built on the same foundation as ELK. They are both log ingesting and interfaces applied on top of Elasticsearch.
Have you tried Graylog?
-
@Ambarishrh said:
@scottalanmiller said:
@Ambarishrh said:
I am also checking https://www.graylog.org/ as this seems to be pretty famous and looks like a good alternative to ELK if anyone else looking at it.
Graylog is built on the same foundation as ELK. They are both log ingesting and interfaces applied on top of Elasticsearch.
Have you tried Graylog?
No, on my long list of things to build.
