; snoopy config for the PVE host (192.168.1.127) — logs every execve() to journald.
;
; Install to /etc/snoopy.ini. Enable globally by adding the lib to /etc/ld.so.preload:
;   apt-get install -y snoopy
;   echo /usr/lib/x86_64-linux-gnu/libsnoopy.so > /etc/ld.so.preload   # enable (no snoopy-enable in the Debian pkg)
; The "echo >" above REPLACES /etc/ld.so.preload; if it already lists other libraries, append
; with ">>" instead. Check the .so path exists first (test -f /usr/lib/x86_64-linux-gnu/libsnoopy.so):
; an entry that cannot be loaded is reported by the dynamic loader on every process start.
; Everything listed in /etc/ld.so.preload is injected into every dynamically linked process, so
; keep the file root-owned and alert on any change to it — it should only ever contain this line.
;   # disable/rollback: truncate -s 0 /etc/ld.so.preload (or remove the line)
;
; output=devlog writes directly to /dev/log -> journald (identifier "snoopy").
; DO NOT use output=syslog on a systemd host — snoopy's own docs warn it can hang the system on boot.
;
; Shipped to Loki by promtail as {job="pve-journal", identifier="snoopy"} (scripts/pve-promtail.yaml).
; %{cmdline} captures the full argv, so anything passed on a command line (tokens, passwords)
; ends up in the journal and in the Loki stream — restrict read access to both accordingly.
; Attribution note: all sessions run as root (shared root key), so uid/login are always root;
; correlate a command's sid/time with the matching {job="sshd-pve"} "Accepted publickey ... SHA256:"
; line to attribute it to a person (e.g. emo's agent key fp SHA256:Wd+m0EABlm4RDDykDh85PIYSqe0Al8Hr9AZ+7Ksy4HQ).

[snoopy]
; devlog = write to /dev/log (collected by journald); see header for why syslog is not used.
output = devlog
; %{...} tokens are expanded by snoopy itself at exec time (this is not configparser interpolation).
; The surrounding double quotes are the form snoopy's own example config uses; if logged lines
; ever show literal quote characters, that is the place to look.
message_format = "snoopy uid=%{uid} login=%{login} tty=%{tty} sid=%{sid} cwd=%{cwd} : %{cmdline}"
; identifier/facility/level as presented to journald (expected to surface as the
; SYSLOG_IDENTIFIER / SYSLOG_FACILITY fields — confirm with journalctl -o verbose)
syslog_ident = snoopy
syslog_facility = LOG_AUTHPRIV
syslog_level = LOG_INFO
; empty chain = no filtering: every execve() on the host is logged.
filter_chain = ""