How to: Log connections made by user for any service under Linux
Q. I'd like to log information about selected incoming and outgoing TCP/IP connections to a log file. For example, log connection made by user "tom" for the service ftp or ssh? How do I configure Linux to log connections?
A. You can write a perl or shell script to monitor and log all connection. However, there is an easy way out. Use the tool called tcpspy. As name suggest it can spy on users. tcpspy logs information about selected incoming and outgoing TCP/IP connections to syslog. The following information is logged:
a) Username
b) Local address and port
c) Remote address, port, and optionally the filename of the executable
It only support the IPv4 protocol.
Install tcpspy
Use apt-get or yup or ports collection:
apt-get install tcpspy
Configuration file
The default configuration file is located at /etc/tcpspy.rules.
Sample configuration
Open /etc/tcpspy.rules file:
# vi /etc/tcpspy.rules
To log connections made by user "tom" for the service "ssh", enter:
user "jom" and rport "ssh"
You can also enter above rule at command prompt:
# tcpspy -e 'user "tom" and rport "ssh"'
Log connections made by user "tom" for the service "ftp", enter:
# tcpspy -e 'user "tom" and rport "ftp"'
Following will log connections made by users "vivek" and "tom" to remote port 25 (SMTP) on machines not on a "intranet" 10.0.0.0/24:
# tcpspy -e 'not raddr 10.0.0.0/255.0.0.0 and rport 25 and (user "vivek" or user "tom")'
Log connections made by /usr/bin/ftp:
# tcpspy -e 'exe "/usr/bin/ftp"'
OR combine monitoring for ftp and telnet binary:
# tcpspy -e 'exe "/usr/bin/ftp and /usr/bin/telnet"'
The -e option is used to set a rule. It can be used to log information about connections matching this rule, overriding the default of logging all connections.
tcpspy rules
- user "username" - True if the local username / user initiating or accepting the connection has the effective user id uid.
- rport "port" - It Compares the port number of the remote end of the connection i.e outgoing connections
- lport "port" - True if the local end of the connection has port number port.
- exe "pattern" - True if the full filename (including directory) of the executable that created/accepted the connection matches pattern, a UNIX (glob) style wildcard pattern.
- or - Define logical or (expr1 or expr2)
- and - Define logical and (expr1 and expr2)
- not - Define logical not (not user "vivek")
Refer to tcpspy man page for more syntax option.
$ man tcpspy
Subscribe to our free e-mail newsletter or RSS feed to get all updates.
You can Email this page to a friend.
Related Other Helpful FAQs:
- Analog Input: Cannot display this video mode error and solution
- Redhat Enterprise Linux 5 / CentOS 5 monitor and track TCP connections on the network (eth0)
- Monitor Linux user activity in real time
- Monitor or sniff Apache http packets
- Linux port scanning with netcat (nc) command
Discussion on This FAQ
Leave a Reply
We encourage your comments, and suggestions. But please stay on topic, be polite, and avoid spam. Thank you very much for stopping by our site!
Tags: /etc/tcpspy.rules, configuration file, ip connections, ipv4 protocol, log connection, monitor linux connection, syslog, TCP/IP Connection Monitor, tcpspy, tcpspy rules
December 4th, 2007 at 8:34 pm
You start your answer with “write a perl or shell script to monitor and log all connection”. How is it possible to monitor all connexions?