
Monitor commands executed from remote machine

Murugan07
Occasional Visitor

Monitor commands executed from remote machine

Hi All,

I have a Linux machine with RHEL4 and I need to monitor commands which are executed from other machines. How can I achieve this?

Is it ok to configure syslog for this?

Thank you,
6 REPLIES
Alzhy
Honored Contributor

Re: Monitor commands executed from remote machine

It depends HOW the commands are executed remotely.

As you likely know -- there are MANY ways commands can be issued remotely and "monitoring" each will depend on the HOW.

And the methods are as follows as far as I can remember:

ssh
rexec
remsh
rsh
sockets (inetd/services model)
telnet
job control via - Maestro, Autosys, CTRL-M, etc.

Cheers.


Hakuna Matata.
Murugan07
Occasional Visitor

Re: Monitor commands executed from remote machine

Here in my case, I am sure other systems are using either ssh or remsh.
We had a bad script which deletes files from the home directory instead of home/archive. The same has been corrected now. Still, I get cases of files getting deleted from the home directory, and I feel that the script is run from some other machine, as we had pushed this script to numerous machines.
Thomas Callahan
Valued Contributor

Re: Monitor commands executed from remote machine

Check the /var/log/secure file. If it's a remote connection, it will show up as a login in that file.
Murugan07
Occasional Visitor

Re: Monitor commands executed from remote machine

Hi Thomas,
Thanks for your response.

I could see the login information in the /var/log/secure file but could not see who deletes (through a script, etc.) the files which are under the home directory.
The number of logins/logouts on this server is more than 10/min.
Viktor Balogh
Honored Contributor

Re: Monitor commands executed from remote machine

The permissions of the files/dirs might give you a clue as to who could delete them; I suppose not everyone has access to those files. Filter those users from /var/log/secure and you'll get closer to the solution.
****
Unix operates with beer.
Ivan Ferreira
Honored Contributor

Re: Monitor commands executed from remote machine

You can use Linux audit to identify who is deleting your files and how.

A quick howto here:

http://www.cyberciti.biz/tips/linux-audit-files-to-see-who-made-changes-to-a-file.html
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
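
The audit approach from the last reply, as an added example that is not part of any post in this thread: a watch on the affected directory, plus a filter that reduces the resulting records to who deleted which file. The directory, the key name and the sample records are assumptions, and the filter expects the `key=` and `nametype=` fields that current auditd versions write, which an older audit package may not emit.

```shell
#!/bin/sh
# Added example: WATCH_DIR, AUDIT_KEY and all sample records are assumptions.
WATCH_DIR=${WATCH_DIR:-/home/appuser}
AUDIT_KEY=${AUDIT_KEY:-home-delete}

# Run once as root on the affected host. Deleting a file is a write to its
# parent directory, so "w" on the directory catches it; "a" adds chmod/chown.
install_watch() {
    auditctl -w "$WATCH_DIR" -p wa -k "$AUDIT_KEY"
}

# Reads raw audit records on stdin and prints one line per deleted file:
#   event_id auid uid exe path
# auid is the UID of the original login and does not change across su/sudo.
report_deletes() {
    awk -v key="$AUDIT_KEY" '
    {
        split("", f)                      # reset the per-record field map
        for (i = 1; i <= NF; i++) {
            p = index($i, "=")
            if (p == 0) continue
            v = substr($i, p + 1); gsub(/"/, "", v)
            f[substr($i, 1, p - 1)] = v
        }
        id = f["msg"]; sub(/\).*$/, "", id); sub(/^.*:/, "", id)
    }
    f["type"] == "SYSCALL" && f["key"] == key && f["success"] == "yes" {
        who[id] = f["auid"] " " f["uid"] " " f["exe"]
    }
    f["type"] == "PATH" && f["nametype"] == "DELETE" && (id in who) {
        print id, who[id], f["name"]
    }'
}

# Constructed sample in the key=value layout auditd writes to audit.log.
sample_records() {
    cat <<'EOF'
type=SYSCALL msg=audit(1300000000.101:812): arch=c000003e syscall=87 success=yes exit=0 ppid=4120 pid=4131 auid=501 uid=0 comm="rm" exe="/bin/rm" key="home-delete"
type=PATH msg=audit(1300000000.101:812): item=0 name="/home/appuser" nametype=PARENT
type=PATH msg=audit(1300000000.101:812): item=1 name="/home/appuser/report.csv" nametype=DELETE
type=SYSCALL msg=audit(1300000000.250:813): arch=c000003e syscall=87 success=no exit=-13 ppid=4200 pid=4201 auid=502 uid=502 comm="rm" exe="/bin/rm" key="home-delete"
type=PATH msg=audit(1300000000.250:813): item=1 name="/home/appuser/keep.txt" nametype=DELETE
type=SYSCALL msg=audit(1300000000.400:814): arch=c000003e syscall=87 success=yes exit=0 ppid=1 pid=77 auid=503 uid=503 comm="rm" exe="/bin/rm" key="other"
type=PATH msg=audit(1300000000.400:814): item=1 name="/tmp/scratch" nametype=DELETE
EOF
}

# Live use as root: report_deletes < /var/log/audit/audit.log
sample_records | report_deletes
```

On a server with many logins per minute, the `auid` column gives the account to look for in /var/log/secure, and `ausearch -k home-delete -i` shows the same events with UIDs and syscalls resolved to names.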