

How to Monitor Managed Services




Posted by DXHosting, 06-05-2009, 12:12 PM
What is the best practice to monitor when they log in and work in the server, besides setting email alerts for each root login?

Posted by wb-Jay, 06-05-2009, 03:57 PM
You can create individual logins for your staff and have them su for root. This way you can monitor logs to see what was done.
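
An added example, not part of the original thread: with individual logins as suggested above, the sshd, su and sudo entries in the auth log can be tied back to a named person, and any direct root login stands out as unattributable. The log lines, hostname, user names and addresses are constructed for this sketch.

```python
import re
from collections import defaultdict

# Constructed sample lines in the usual sshd / su / sudo syslog formats
# (hostname, users and addresses are made up for this example).
SAMPLE_LOG = """\
Jun 22 18:59:01 web1 sshd[2101]: Accepted publickey for alice from 203.0.113.5 port 51234 ssh2
Jun 22 18:59:30 web1 su: pam_unix(su:session): session opened for user root by alice(uid=501)
Jun 22 19:02:11 web1 sshd[2150]: Accepted password for root from 203.0.113.9 port 40022 ssh2
Jun 22 19:05:42 web1 sshd[2188]: Accepted password for bob from 198.51.100.7 port 38110 ssh2
Jun 22 19:06:03 web1 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Jun 22 19:07:15 web1 su: pam_unix(su:auth): authentication failure; logname=bob uid=502 euid=0 tty=pts/1 ruser=bob rhost=  user=root
"""

TS = r"(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\s"  # syslog timestamp + hostname
PATTERNS = [
    ("ssh_login", re.compile(TS + r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")),
    ("su_root", re.compile(TS + r"su(?:\[\d+\])?: pam_unix\(su(?:-l)?:session\): "
                                r"session opened for user root by (?P<user>[^\s(]+)")),
    ("sudo_root", re.compile(TS + r"sudo(?:\[\d+\])?:\s+(?P<user>\S+) : .*USER=root ; COMMAND=(?P<cmd>.+)$")),
    ("su_failed", re.compile(TS + r"su(?:\[\d+\])?: pam_unix\(su(?:-l)?:auth\): "
                                  r"authentication failure;.*ruser=(?P<user>\S+).*\buser=root")),
]

def audit(log_text):
    """Return (events grouped by named user, direct root SSH logins)."""
    by_user, direct_root = defaultdict(list), []
    for line in log_text.splitlines():
        for kind, rx in PATTERNS:
            m = rx.match(line)
            if not m:
                continue
            if kind == "ssh_login" and m["user"] == "root":
                # A direct root login cannot be tied to an individual.
                direct_root.append((m["ts"], m["src"]))
            else:
                by_user[m["user"]].append((m["ts"], kind))
            break
    return dict(by_user), direct_root

if __name__ == "__main__":
    users, root_logins = audit(SAMPLE_LOG)
    for user, events in sorted(users.items()):
        print(user, events)
    for ts, src in root_logins:
        print("UNATTRIBUTED root login", ts, "from", src)
```

Pointing `audit()` at the contents of the server's own auth log (commonly `/var/log/secure` or `/var/log/auth.log`, depending on the distribution) gives the same per-person view.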

Posted by hiabhilash, 06-06-2009, 09:53 AM
Enable bash with MySQL patch and do remote shell logging.

Posted by ServerManagement, 06-06-2009, 07:04 PM
The provider should tell you what they do in each ticket, not necessarily line-by-line commands, but they should tell you generally what was done if you want. Also, the history of all SSH commands, SSH logins, and WHM/cPanel activity is all logged automatically on your server. Unless you don't trust them, this should not really be necessary, and if you don't trust them they should not be in your server.

Posted by SA-ChrisM, 06-22-2009, 06:59 PM
One of the coolest things I've run into and that we use internally for all of our techs is based on an application called 'sudosh'. To the best of my knowledge I don't think it's really well known or used in most production services; however, what it does is something I personally consider mandatory for audit logging. Sudosh sits itself between the shell and the user's pty, and replaces the existing shell. So, in your case you'd add a user named 'support' and update its shell to point to sudosh.
Now, the cool stuff. Whenever someone logs in as support, sudosh is activated and immediately begins logging *every* keystroke, the time signatures of the traffic, everything, and sends that to a per-user logfile. You can then use the 'sudosh-replay' utility, which replays the log in real time. It's about the same thing as having a camera recorder hanging over their shoulder when they type. =) If they SU to other accounts, the data is still logged. If they sit there and run 'top' for 5 minutes, you see exactly what they saw updating in real time. It's a great tool for figuring out if the tech working on your server knows what he's doing, or if he's copying and pasting commands, based on *how* they type. Every single step they do is logged, recorded and put away for future reference.
There have been a few times in the past where we've had to look into customer issues regarding work a tech did, and there's simply nothing more clean and concise than this method of logging. We use this on our shell server that all of our techs use, so all work on every customer's machine is logged and recorded in this fashion. Sure, you can spend your time piecing together logs and trying to recreate everything that happened, but that has way too many holes in it. If a tech changes shells, then your .bash_history or history files aren't of any use. If you've had multiple techs working on a project, you have no clue who did what. Anyway, sudosh, good stuff.
Just don't replace root's shell with sudosh; force them to come in through a non-priv'd account and then sudo to root. Changing root's shell can do some funky stuff depending on your OS.

Posted by Scott.Mc, 06-22-2009, 07:29 PM
I second sudosh, ttyrpld is another to consider.

Posted by NetLine-James, 06-22-2009, 08:44 PM
Sounds like I need to learn about sudosh, seems like a nifty tool to use.

Posted by ferdy, 06-25-2009, 09:24 AM
Check out the tool ezeelogin. It's got extended SSH logging similar to sudosh or ttyrpld.


