snoopy
Snoopy is a lightweight C library that logs all command executions on Linux/BSD systems at the OS level. It captures execution context (user, session, working directory) and writes logs to standard syslog destinations, making it useful for audit and compliance purposes.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | a2o/snoopy |
| Owner | a2o |
| Primary language | C |
| License | GPL-2.0 — OSI-approved |
| Stars | 1.3k |
| Forks | 159 |
| Open issues | 10 |
| Latest release | snoopy-2.5.2 (2024-10-24) |
| Last updated | 2026-03-07 |
| Source | https://github.com/a2o/snoopy |
What snoopy is
Snoopy operates as a preloaded shared library (LD_PRELOAD) that intercepts execve() syscalls to capture program execution events with metadata. Thread-safe as of v2.5.0, configurable via /etc/snoopy.ini, and published under GPL-2.0 with active CI/CD coverage (Coverity, SonarCloud, Valgrind).
Get the snoopy source
Clone the repository and explore it locally.
git clone https://github.com/a2o/snoopy.gitcd snoopy# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- LD_PRELOAD mechanism requires careful ordering in /etc/ld.so.preload or shell initialization; conflicts with other preloaded libraries must be evaluated.
- Relies on syslog infrastructure for output; ensure rsyslog/syslog-ng is configured and persistent storage is available to prevent log loss.
- Thread safety enabled by default (v2.5.0+), but test with your application stack to verify no edge cases around signal handling or exec variants.
- Configuration via /etc/snoopy.ini allows filtering and output format customization; review filters to balance audit coverage vs. log volume.
- Binary packages available for major distros (Ubuntu, CentOS, etc.) since v2.5.0; source installation still supported but requires build toolchain.
When to avoid it — and what to weigh
- High-performance, latency-sensitive workloads — Snoopy intercepts system calls; overhead depends on command frequency. Not suitable for systems where microsecond-level latencies are critical.
- Closed-source or proprietary license required — GPL-2.0 copyleft license requires any modifications or derivative distributions to remain open-source. Proprietary use requires legal review.
- Windows/macOS primary platforms — Limited to Linux and BSD. Not an option for Windows-only or macOS-only infrastructure.
- Complex multi-tenant containerized environments — Container escape and namespacing interactions with LD_PRELOAD are non-trivial; requires careful testing in Kubernetes/Docker deployments.
License & commercial use
Released under GNU General Public License v2.0 (GPL-2.0), a copyleft license. Source code is freely available and modifiable, but any distributed modifications or derivative works must remain open-source under the same license.
Commercial use of the unmodified binary is permitted (running Snoopy on your systems). However, if you modify the code or bundle it into a proprietary product for distribution, legal review is strongly recommended due to GPL-2.0 copyleft obligations. Static linking or redistribution requires compliance consultation.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Adequate |
| License clarity | Clear |
| Deployment complexity | Moderate |
| DEV.co fit | Good |
| Assessment confidence | High |
Snoopy logs sensitive data: command-line arguments may include passwords, API keys, or PII—configure syslog destination permissions and retention carefully. LD_PRELOAD mechanism itself can be subverted by processes with root privilege or via LD_PRELOAD environment hijacking; assume audit logs are only trustworthy if system is already compromised. README includes explicit security disclaimer. No known CVEs mentioned in data, but C-based preload library warrants regular dependency updates and fuzz testing.
Alternatives to consider
auditd (Linux audit framework)
Kernel-level audit daemon with configurable rules, more robust against tampering, produces structured logs, but steeper learning curve and higher overhead in some scenarios.
osquery
Cross-platform (Linux, macOS, Windows), provides structured audit logs and real-time process monitoring via SQL queries, but heavier footprint and external dependency.
Runtime security tool that captures system calls and generates alerts based on rules; more suitable for threat detection than pure logging, but overkill for simple audit-only use cases.
Build on snoopy with DEV.co software developers
If you need system-wide command logging for compliance or forensics, test Snoopy in a staging environment first. Review syslog configuration, LD_PRELOAD interactions, and log retention policy. For mission-critical deployments, compare with auditd or osquery.
Talk to DEV.coRelated on DEV.co
Explore the category and the services that help you build with it.
snoopy FAQ
Does Snoopy log my shell history or interactive commands?
Will Snoopy slow down my system?
Can Snoopy be disabled by unprivileged users?
Is Snoopy safe to run in containers?
Software development & web development with DEV.co
DEV.co is a software development agency delivering custom software development services to companies building on open source. Our software developers and web developers design, integrate, and ship production systems — spanning web development, APIs, AI, data, and cloud. If snoopy is part of your open-source observability roadmap, our team can implement, customize, migrate, and maintain it.
Evaluate Snoopy for your audit infrastructure
If you need system-wide command logging for compliance or forensics, test Snoopy in a staging environment first. Review syslog configuration, LD_PRELOAD interactions, and log retention policy. For mission-critical deployments, compare with auditd or osquery.