Excerpts from Jorge Salamero Sanz's message of Thu Jul 21 07:50:26 -0700 2011:
> Hi all,
> I would like to ask what other sysadmins on this list use to keep an eye
> on what's going on the servers where you share admin privileges with
> other sysadmins and what good practices do you suggest:
> * sudo to restrict what others can run
> * etckeeper to track configuration changes
> * does anybody use auditd to log all commands?
> * anything else?
I like to have syslogs sent to a central log server, and then use swatch
for realtime monitoring (on a big monitor, or a shared screen that
everybody watches). It colorizes things based on patterns, so usually
there's some custom work to classify things. Its really just a poor man's
Splunk. At one organization, swatch would print sudo commands out with
blinking red text. That was interesting on days where all 100 machines
had to be updated for some security vulnerability.
There's also logwatch, which does something similar but via email (I
find it a bit too verbose in its default configuration though).
Also check out Dustin's new utility in oneiric, bootmail.. kind of cool,
emails you when the system reboots.
ubuntu-server mailing list
More info: https://wiki.ubuntu.com/ServerTeam