Greetings,

How does one monitor if a site is being accessed using browser?

IOW, I just want to know if a user has launched a session thru Firefox.

I basically want to know if a user has tried to access the webserver
and was unable to reach it, and log such instances.

I am using cron and curl to separately monitor the link.

Any clues?

Centos 5.2/Gnome/Firefox 3.0.16

Regards

Rajagopal

On Fri, Jan 29, 2010 at 3:12 AM, Rajagopal Swaminathan <raju.rajsand at gmail.com> wrote:
> Greetings,
>
> How does one monitor if a site is being accessed using browser?
>
> IOW, I just want to know if a user has launched a session thru Firefox.
>
> I basically want to know if a user has tried to access the webserver
> and unable to reach it and log such instances.
>
> I am using cron and curl to separately monitor the link.
>
> Any clues?

It is possible using the auditd subsystem. You'd need to define a rule to match that user and firefox. I don't have the exact syntax, but the rule I use for root in audit.rules is:

    -a entry,always -S open -S close -S read -S write -S link -S unlink -S chmod -S chown -S execve -F uid=root -k root_activity

If you do a man on auditctl it can show the options. You could, for example, generate a rule whenever a particular user launches firefox, etc.

On Fri, Jan 29, 2010 at 12:12 AM, Rajagopal Swaminathan <raju.rajsand at gmail.com> wrote:
> Greetings,
>
> How does one monitor if a site is being accessed using browser?
>
> IOW, I just want to know if a user has launched a session thru Firefox.
>
> I basically want to know if a user has tried to access the webserver
> and unable to reach it and log such instances.
>
> I am using cron and curl to separately monitor the link.
>
> Any clues?
>
> Centos 5.2/Gnome/Firefox 3.0.16

It's clear what it is you're trying to do, but if you're running Apache, turn on

    CustomLog "logs/access_log" combined

The default is

    CustomLog "logs/access_log" common

It will not only log the browser type, it will also log the OS in the access_log file. For errors accessing files, see the error_log. If the client can't reach the site, then it should be clear the server won't be able to log the attempt.

--
Enjoy global warming while it lasts.

Greetings,

On Sat, Jan 30, 2010 at 11:28 AM, John R Pierce <pierce at hogranch.com> wrote:
>
> if you have control over the internet gateway, you can force -all- web
> traffic to transparently be routed to the squid proxy, and then process
> the squid access and error logs, perhaps with a perl script (perl really
> rocks for this sort of thing).
>

Thanks John for the reply and suggestion.

It seems increasingly certain that I will have to set up a proxy.

Regards

Rajagopal

On Fri, Jan 29, 2010 at 10:12 AM, Rajagopal Swaminathan <raju.rajsand at gmail.com> wrote:
> Greetings,
>
> How does one monitor if a site is being accessed using browser?
>
> IOW, I just want to know if a user has launched a session thru Firefox.
>
> I basically want to know if a user has tried to access the webserver
> and unable to reach it and log such instances.
>
> I am using cron and curl to separately monitor the link.
>
> Any clues?
>
> Centos 5.2/Gnome/Firefox 3.0.16
>
> Regards
>
> Rajagopal

Why not try to do this with iptables in combination with inotify?

From man iptables:

    --uid-owner userid
        Matches if the packet was created by a process with the given
        effective user id.
    --gid-owner groupid
        Matches if the packet was created by a process with the given
        effective group id.
    --cmd-owner name
        Matches if the packet was created by a process with the given
        command name. (this option is present only if iptables was
        compiled under a kernel supporting this feature)

Then add to the iptables rule:

    -j LOG --log-level 4 --log-prefix "some_prefix "

Secondly, you can watch connection states with:

    -m state --state NEW                    SYN packet was sent
    -m state --state ESTABLISHED,RELATED    you are getting a response

and then in syslog.conf:

    kern.warning /var/log/iptables.log

You can then watch the /var/log/iptables.log file with inotify and do whatever you need to.

Also, I would watch not only traffic to external tcp port 80, but also tcp/udp port 53. The browser may not even try to load the page if it can't resolve the DNS name, or if the entered domain does not exist.
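
The log-correlation step suggested in the last message, sketched as an added example that is not part of the original thread: it pairs logged NEW packets with logged replies and reports the connection attempts that never got an answer, for both web and DNS traffic. The prefixes WEB_NEW and WEB_EST, the host name and all log lines are constructed assumptions standing in for whatever `--log-prefix` values the rules use.

```python
import re

# Constructed sample of /var/log/iptables.log. WEB_NEW / WEB_EST are assumed
# --log-prefix values; hosts and addresses are made up (documentation ranges).
SAMPLE_LOG = """\
Jan 29 10:15:01 ws1 kernel: WEB_NEW IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TTL=64 PROTO=TCP SPT=40001 DPT=80 SYN URGP=0
Jan 29 10:15:01 ws1 kernel: WEB_EST IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=57 PROTO=TCP SPT=80 DPT=40001 ACK SYN URGP=0
Jan 29 10:16:40 ws1 kernel: WEB_NEW IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.9 LEN=60 TTL=64 PROTO=TCP SPT=40002 DPT=80 SYN URGP=0
Jan 29 10:16:43 ws1 kernel: WEB_NEW IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.9 LEN=60 TTL=64 PROTO=TCP SPT=40002 DPT=80 SYN URGP=0
Jan 29 10:17:02 ws1 kernel: WEB_NEW IN= OUT=eth0 SRC=192.0.2.10 DST=192.0.2.53 LEN=71 TTL=64 PROTO=UDP SPT=40003 DPT=53 LEN=51
Jan 29 10:17:05 ws1 sshd[2211]: unrelated line that must be ignored
"""

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]+) \S+ kernel: (WEB_NEW|WEB_EST) (.*)$")
NEEDED = ("PROTO", "SRC", "SPT", "DST", "DPT")

def parse(line):
    """Return (timestamp, prefix, fields) for a matching LOG line, else None."""
    m = LINE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group(3).split() if "=" in kv)
    return m.group(1), m.group(2), fields

def unanswered(log_text):
    """Outbound attempts (WEB_NEW) for which no reply (WEB_EST) was logged."""
    pending = {}  # flow tuple -> [first_seen, attempts]
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or not all(k in rec[2] for k in NEEDED):
            continue  # not one of our rules, or a record without ports
        ts, prefix, f = rec
        if prefix == "WEB_NEW":
            key = (f["PROTO"], f["SRC"], f["SPT"], f["DST"], f["DPT"])
            pending.setdefault(key, [ts, 0])[1] += 1  # SYN retries share a key
        else:
            # A reply carries the same flow with the endpoints swapped.
            pending.pop((f["PROTO"], f["DST"], f["DPT"], f["SRC"], f["SPT"]), None)
    return [(seen, k[0], k[3], k[4], n) for k, (seen, n) in pending.items()]

if __name__ == "__main__":
    for seen, proto, dst, dport, tries in unanswered(SAMPLE_LOG):
        print(f"{seen}  no reply from {dst}:{dport}/{proto} after {tries} attempt(s)")
```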